|
Since the Vienna Convention in 1988 Anti Money Laundering (AML) regulation has proceeded to get
tougher. The question that should be asked however is "tougher on whom?"
Is the
AML regime truly having an impact on the money laundering it has been devised to
combat or is it merely penalising those organisations that operate in the
financial services industry – and now other sectors – whose services the money
launderers abuse?
Indeed is the regulation designed to deter, detect, catch
and/or punish launderers and will it ever achieve these noble goals?
The scale of the problem
The estimates of the scale of money laundering vary depending on the body
questioned however each agrees on the magnitude of the problem at hand.
The
International Monetary Fund estimates that between 2-5% of the world's gross
domestic product is laundered every year through the global financial system.
That equates to between $500 billion and $1.5 trillion. The US Government puts
this figure at $3 trillion, whilst the UK Government puts it at £200 billion.
Within the UK alone the Home Office estimates that dirty money represents about
2% of gross domestic product or approximately £18 billion per annum.
Clearly, whichever figure one wishes to adopt as being the most accurate, it
does not disguise the fact that money laundering represents a substantial
problem for the world's financial institutions.
The need for caution
Although it would be easy given these statistics to push for a much tougher
regulatory regime, one must bear in mind what is at stake. The UK's financial
services sector is fundamental to the success of the British economy.
It has
grown based on its liberal and innovative thinking and the liquidity it creates
in both new and existing markets. Ironically it is these very aspects that
contribute to the appeal of the UK market to the money launderer, the sheer
number of transactions, their complexity and speed, the diversity of
institutions and of products, the level of international trade and the openness.
Each of these characteristics is a reason for the success of the UK financial
services sector and also a key influence on the level of money laundering it
supports.
Clearly therefore, although tougher money laundering regulation is needed, its
introduction needs to be balanced to ensure it does not unduly inhibit those
characteristics such as speed, liquidity and innovation which have made the UK
market what it is today.
Current UK AML regulations
The current UK AML regulations have evolved over a number of years, beginning
life in 1986 as the Drug Trafficking Offences Act and more recently seeing the
implementation of the UK Money Laundering Regulations 2003.
The purpose of these
anti money laundering controls as stated by the Financial Services Authority
(FSA) is to deter, detect, investigate and prosecute crime, fraud and terrorism.
The current regulations focus primarily on the Placement stage of money
laundering.
This entails undertaking Know Your Customer (KYC) and Know Your
Business (KYB) activities, the former to confirm a customer's identity at the
start of a business relationship and ensure they are appropriate to do business
with and the latter to understand the nature of the business the customer wishes to
conduct sufficiently to be able to spot and report abnormal transaction
patterns.
In doing this the FSA expects firms to adopt a 'risk based' approach,
placing the onus on senior management to identify, assess, mitigate and monitor
their money laundering risks on a continual basis.
Regulations in practice
Risk assessment, by definition, is subjective and therefore under a risk-based
approach there is clearly scope for conflict with the FSA during any audit.
The
lack of absolute prescription on what is expected of firms is further clouded by
the fact that the 2003 Joint Money Laundering Steering Group (JMLSG) guidance
notes, effective from 1 March 2004, confirm that the previous facility for firms
to discuss cases of doubt with their FSA Supervisor has been removed.
In
reality, although the FSA states that the intention of AML policy is to deter,
detect and reduce money laundering, it is understood that to some, the overall
objective is simply to comply with UK and international standards at the minimum
cost and with the minimum impact on business.
Under a risk-based approach there
is clearly opportunity for cutting corners. For example, although the FSA will
penalise organisations for failure to store and maintain KYC information, a
number of financial service organisations still rely on the Bank of England
sanctions list as their primary method for validating the legitimacy of a
customer.
As Rob Mitchell of World-Check explains: "The Bank of England sanctions
list is not comprehensive on the associates, friends and family of listed
individuals; nor the coverage of known criminals, launderers or terrorists and
hence cannot be expected, if used in isolation, to ensure money laundering
avoidance."
In isolation, KYC is not fool proof. Fake identities can be obtained by those
that wish to hide their own; real identities of individuals, friends and
families can be used if smurfing/structuring approaches are adopted; staff
members can be bribed to turn a blind eye; seemingly legitimate businesses can
be used as fronts for laundering money by under-reporting invoices and
over-reporting sales.
Clearly where high-risk products are involved, KYB is required to understand the nature of the business the customer
wishes to conduct sufficiently to be able to spot and report abnormal
transaction patterns. However such activity, where done, is still relatively
manual, with primarily only the larger players investing in automated
transaction monitoring solutions. To date this has been considered sufficient
but if the goal were detection rather than compliance then is this really
enough?
In a regulated activity where the level of systems support is arguably
inadequate, the Proceeds of Crime Act 2002 (PoCA) has put the onus of detection
clearly and firmly on the staff members themselves with their failure to report
being an offence.
Consequently staff members are being asked to fulfil an
obligation with insufficient tools to do so. Should they fail in this task they
face punishment as per the PoCA unless the 'no training' defence is used.
Clearly any risk averse individual in such a situation will report rather than
ignore even the most tentatively suspicious activity. Although this could be
described as increased diligence, it still creates an increased workload on the
Money Laundering Reporting Officer (MLRO), which can result in valid suspicions
being missed, and/or an increase in suspicious activities being passed to the
National Criminal Intelligence Service's (NCIS's) Economic Crime Unit (ECU).
It could be argued that this increase simply represents the widening of the
regulatory regime as, although money service businesses had the obligation to
report suspicions prior to 2001, the Amending Directive effectively enforced
this obligation through their registration and subsequent inspection. However
this view does not appear to be supported by the following statistics, which
indicate that the biggest increase has been with the banks themselves.
It would be foolish to argue that the overall increase in reporting is totally
negative. Part of the increase can clearly be attributed to greater vigilance,
however part could also be construed as over vigilance. Where the balance lies
is hard to tell.
Although, with over-reporting comes increased costs, reduced quality and
increased effort to follow up. When one considers that Suspicious Activity
Report (SAR) assessments undertaken by the NCIS take an average of three months
and that during 2002, the backlog of SARs grew from 19,000 to 58,000 and is
accelerating, it is clear that with their current staffing complement NCIS
cannot cope with these volumes.
The net result is that reports are going
unaddressed and feedback to MLROs is limited, if at all.
Consequently the system fails to learn as it becomes increasingly overloaded
with SARs that have resulted from what could arguably be described as a pursuit
of absolute compliance over and above detection.
As a result the NCIS is unable
to act, as the central intelligence conduit and it cannot fulfil a role akin to
a virus detection hub, which provides immunity to all shortly after the first
infection.
The future
Clearly the current system is flawed, but then this is not saying anything that
was not already known. The FSA for its part had realised the issues building
within the ECU and consequently an overhaul of the SARS reporting regime is now
underway.
Furthermore the proposed UK-wide Serious Organised Crime Agency could
potentially provide additional resources for this task. In addition, the FSA
issued DP22, Reducing Money Laundering Risk, Know Your Customer and Anti Money
Laundering, industry responses to which should be known soon.
Although these steps will address many of the issues raised above, they will not
address the fundamental issue of over-reporting which will undoubtedly continue
to increase in the coming years. Although this could potentially be addressed by
improved training, an area continually targeted by FSA as being weak, it is
unlikely that training alone will overcome this problem.
Instead one needs to go
back to the root cause, i.e. the emphasis on the individual to identify
suspicious activity without providing them with sufficient tools to do the job.
The most appropriate and clearly the most obvious way to overcome this problem
would be to provide the individuals with the tools they need. Consequently,
regulation should not simply focus on the expectations on the individual but
should also obligate the organisation to procure the appropriate systems to
support them.
Specifically regulation should require organisations to procure
automatic transaction monitoring systems capable of taking the burden of
identifying suspicious activity away from the individual. Additionally it should
ensure that where data sources such as World-Check exist that they are used,
otherwise confirming a customer's identity is a relatively pointless exercise.
It is interesting to note that the FSA is looking
to develop a 'Close & Continuous Model' as an extension of their risk-based
approach to regulation. Under this model the FSA will seek detailed knowledge of
the management and control functions within each organisation it inspects in
order to determine the extent to which reliance can be placed on them.
Where the
FSA has confidence in the internal functions it will reduce its own regulatory
effort accordingly, where it has not the level of regulation and hence the
associated costs and penalty risks will continue.
Clearly therefore this model suggests an increase in self-regulation is favoured
by the FSA and that it will not be changing regulations, at least in the
short-term, to reflect the needs outlined above.
However that does not
necessarily mean that such developments will not occur. The FSA has already
indicated its eagerness to see KYB used to monitor an organisation's
transactions.
Clearly any moves an organisation makes in this direction could
only be seen as favourable when considering the quality of its own
self-regulation.
A similar argument holds true for the use of a customer filter with negative
vetting and improvements to training through solutions that assess the
compliance knowledge of staff. If organisations fail to move in this direction
it is unclear whether the regulator will provide additional disincentives such
as increased fines on offending organisations that it deems to be
inappropriately addressing the risks.
But one has to question how far it can go in this direction, as after all,
the current regulations and the risk-based approach are still subjective and
hence open to interpretation.
However clearly the regulator still retains the option to impose these
requirements on organisations in future regulation should they fail to move
sufficiently in this direction of their own accord.
Stephen Stead is
a founder director of SECOR Consulting
Source:
Credit Control Journal
|
