Changing Compliance Culture - Moving Towards an Outcomes-Based Approach

Is it time for compliance culture to shift entirely?

The risk-based approach (RBA) to AML/CFT efforts has been in effect for years. But the financial impact of dark money and organized crime is still a significant shadow on the global financial system. Would a move to an outcomes-based approach (OBA) be more effective?

Does Anyone Use RBA?

One reason often touted for using an outcomes-based approach is that an RBA has never truly been taken by any jurisdiction.

‘A risk-based approach means that countries, competent authorities, and banks identify, assess, and understand the money laundering and terrorist financing risk to which they are exposed, and take the appropriate mitigation measures in accordance with the level of risk’

That’s the FATF definition of an RBA, which is the only one that ultimately matters in order to be effective. Whether or not authorities are competent in certain jurisdictions is up for debate, given the grey and black (Non-Cooperative Countries or Territories) lists, but even using those which are whitelisted and deemed competent by FATF causes issues.

The limitations on ‘appropriate mitigation measures’ is unclear. The RBA does not appear to be effective at tackling actual financial crime as it stands, potentially due to this limiting clause.

Part of this is because criminals are constantly developing new and innovative ways to get around new money laundering controls, but there’s also the issue of how those controls are implemented. The UK managed to receive a glowing Mutual Evaluation Report (MER) from FATF in 2018 despite an estimated £100 billion laundered through the nation each year. On top of being recognized as a global resting place for dirty money.

But that may suggest more is at fault with FATF’s MERs than the RBA itself. The widespread use of a risk-based approach to compliance is reliant on the rules detailed in legislation. For example, suspicious activity report (SAR) filing is a requirement for every financial institution (FI), compliance officers cannot ignore suspicious activity and eliminate it from FIs compliance procedures simply because it fits into the company’s risk appetite.

SARs have recognized failings, Deputy High Court Judge, Professor David Ormerod QC once commented: “The reporting scheme isn’t working as well as it should. Enforcement agencies are struggling with a significant number of low-quality reports and criminals could be slipping through the net.”

And it’s not a failing only found in the UK. SARs in the USA also have a low filing threshold, while it’s good to log these incidents – thousands of reports are filed without ever being acted upon. Delivering a thick file SAR with significant detail and investigation is far more useful to Financial Intelligence Units (FIU) that will then be able to act on the information with some measure of success.

RBAs are not practiced in the way that they were intended when designed. The lack of clarity around the extent of money laundering and financial crime plays a role in this. Without a clear idea of the scale of the issue, it makes an RBA more difficult to implement as deciding on the rules that are relied on is based on information that may not be as accurate as it needs to be.

What About an Outcomes-Based Approach?

Outcomes-based risk management is focused on the consequence of a compliance framework without concern for overly prescriptive rules. It allows FIs to focus on broad goals rather than be caught up in the minutiae. Under an outcomes-based approach, FIs would have to demonstrate the delivery of specific outcomes, which may be more effective at tackling financial crime than sticking to rules that struggle to detect money laundering.

The approach has been suggested by a few in the UK as a potential benefit of Brexit. Freedom from the EU legislature means that the UK no longer has to apply an RBA if it chooses not to. As no jurisdictions currently operate under an OBA, it would be an interesting regulatory experiment – the UK has long been in favor of self-determination by companies, the success of the Financial Conduct Authority’s (FCA) sandboxes is both evidence of that and the reason for it.

An outcomes-based take on regulation would make a powerful statement to the world and it would certainly differentiate the market. The EU has expressed concern at the possibility of the UK using an OBA and is a reason cited by the European Security and Markets Authority (ESMA) Chair, Steve Maijoor for ESMA to supervise non-EU firms. However, any progress towards an OBA would be incremental and there would be no “bonfire of regulations” when the UK is fully decoupled from the EU, as Chris Woolard, FCA Executive Director of Strategy, reassured concerned parties.

It remains to be seen if the UK fully embraces an OBA. But even if it does, it faces the same issues as every other approach to regulation – it requires a thorough understanding of the criminal activity it’s trying to improve upon. And given the estimated size of the dark money market, with $2 trillion passing through the global financial system each year, that understanding is not yet possible.

Hong Kong and Singapore are strong examples of nations which are moving towards an OBA with great effect. Regulators have set high level objectives such as reliable systems and fair treatment of customers and all firms are simply expected to deliver on those goals. In these areas the individual differences between FIs is being recognised and so a move away from the currently prescriptive nature of an RBA has allowed these financial hubs to thrive.

What If It Fails?

There are risks and potential failings for both approaches to compliance. But given that the RBA has been tried for a decade without significant impact, perhaps it’s time to try another system.

In its current incarnation, RBAs are akin to locking the stable door after the horse has bolted. Filing a SAR is a defensive procedure, done once a pattern of behavior has been established, failing to interdict potential financial crime.

But often a SAR is filed, sent to senior compliance staff and then possibly sent over to an FIU. They may use it for an investigation, but the SAR is more likely to disappear into an archive somewhere.

At least under an outcomes-based approach, compliance officers would be made aware of the impact of their work with some real immediacy. And more importantly, it’s may reveal a system that has a real effect on the damages of financial crime.