Recently we attended the Financial Crime and Compliance Summit at KPMG hosted by The Compliance Register. The event highlighted the challenges faced by the compliance professionals at the center of some of the biggest compliance stories of the year. In this post we will discuss two main pitfalls – the perception of risk and company culture – that contributed to regulatory failings.
Perception of Risk
Guidance from regulators such as the FCA places huge emphasis on the need for companies to pursue a risk-based approach for their AML procedures. A risk-based approach requires companies to produce a regularly updated risk assessment that details the relevant risk exposure to their business.
Unfortunately regulators continue to see companies failing to adequately recognize the AML risks to their businesses. The prosecutions against both Nordea Bank and the Bank of Beirut cited a lack of an adequate risk assessment as a central problem at both of these banks. Nordea was especially criticized for lacking an adequate risk management system.
Companies in Europe need to be aware that what constitutes a sufficient risk assessment is about to change, due to the introduction in 2017 of AMLD4. Obliged entities must be aware of changes to the explicit list of risk factors and understand the money laundering risks when outsourcing. In the US, New York regulators are also clarifying their expectations for a risk-based approach with the new NYS DFS Rule 504. Watchlist monitoring, for example, will have to be conducted by identifying the risks specific to the regulated industry. Businesses will then have to alter their list monitoring activity accordingly.
One way companies can improve their AML risk assessment and tailor subsequent programs is by better managing their screening of Politically Exposed Persons (PEPs). By identifying the highest-risk PEPs within their business, companies can rank PEPs in order of who needs to be most closely monitored. Coutts Bank was fined $2.4 million in December for insufficient CDD checks on 24 PEPs. It is also important to be aware that the status of domestic PEPs is changing: AMLD4 increases the minimum threshold for who constitutes a PEP and at what level EDD needs to be performed.
Firms can enhance the way they screen and rank PEPs for financial crime risk by using adverse media for further insights. This can uncover valuable information on customers which can be vital in building an accurate risk profile on a client. ComplyAdvantage works with many firms to help them screen for a broader set of risks. Our Adverse Media solution automatically identifies if customers have been mentioned in the media in a negative context at onboarding or during ongoing monitoring. Thus they can be confident their reputation is better protected.
Within companies, compliance failings tend to emanate from two levels – the most senior level and from the compliance team itself.
A key finding of the 2015/16 FCA SAMLP report was that senior management and board members do not give AML compliance the attention it requires. When the importance of AML compliance is not acknowledged at the senior level, a “tick box” culture is often created. Although this may placate the regulators, it means that employees do not actively search for and identify new risks. What is more concerning is the common theme in the cases of Falcon Bank and Bank of Beirut, where employees either did not comply with regulations or deliberately misled regulators due to pressure “from the top”.
The recent case of Sonali Bank shows the extent to which regulators are prepared to penalize MLROs and compliance teams when they make serious errors. In this case the MLRO was under-resourced and received little support from the board. However, failures to comply with even basic AML procedures, policies and oversight requirements led to gross AML compliance failings at every level. It is essential that those with compliance responsibilities are properly supported by their companies and educated to an appropriate level to carry out their responsibilities. For start-ups it is essential that from the outset they approach compliance with the right attitude – see our previous blog post on financial crime risks to FinTechs.
Don’t be Complacent about Compliance
By acknowledging the difficulty in maintaining an effective compliance regime, companies can protect themselves from potentially becoming complacent towards compliance. It is key to always pursue a dynamic approach to AML compliance, one that is continuously reviewed and improved – as money laundering risks and regulation in this field rarely stay static for long.