The patterns of AML compliance failures, and what they mean for your own firm
It is often said that a definition of madness is doing the same things repeatedly and expecting a different result. This may seem a world away from supervisory enforcement of financial crime compliance, and yet recent enforcement actions show clearly that the same failings and the same problems arise again and again.
In 2022, there were ten enforcements globally against financial institutions that led to fines in excess of $10 million. At a lower level there have been multiple fines against financial institutions, not by any means just against banks. In particular, there have been serious actions against several cryptocurrency businesses, payment service providers, exchange houses and gambling enterprises.
Added to this is the often-stated, and now real, expectation that individuals, as well as corporations, face potential criminal prosecution when financial crime compliance failures are egregious.
Why does this matter?
For those of us working in financial services, in the UK or elsewhere, it is important to understand how and why enforcement action is taken against firms. This helps us assess our own firm’s AML controls against the key areas of failure highlighted in the cases, and decide whether the firm is at risk of falling short in one or many of these areas.
What are the recurring areas of failure?
Regulators, such as the UK Financial Conduct Authority, expect firms to assess their controls in the light of enforcement themes and, if necessary, remediate any potential failings or control weaknesses.
This article focuses on a few key areas of recurring failure highlighted in recent AML-related enforcement actions. However, it is important to note that the list is not exhaustive, and readers should undertake their own review of recent enforcement actions as part of their ongoing review of the firm’s AML controls.
Possibly the most common and significant recurring theme is a failure to understand and/or to apply the true meaning of a risk-based approach. This begins with failings relating to the business risk assessment, in which failures of methodology, identification, evaluation and mitigation are paramount.
Not surprisingly, this extends to client risk assessments, which have been deemed inadequate on many occasions. This includes failures to understand the risks attached to high-risk customers, such as Politically Exposed Persons (PEPs), high-risk jurisdictions and complex business structures. This is not just a problem at onboarding, but persists throughout the lifecycle of customer relationships.
One of the purposes of the business risk assessment is to establish, or to ensure the comprehensiveness and appropriateness of, mitigating controls, such as those applied at onboarding and in ongoing due diligence and monitoring.
CDD and monitoring
Given the findings in relation to business risk assessments, it should be no surprise then that another recurring theme in enforcement actions is that Customer Due Diligence (CDD) procedures are also coming up short.
Often, enforcement cases cover general failings in relation to CDD and Enhanced Due Diligence (EDD), but specific areas of weakness have also been highlighted, for example in relation to source of wealth and source of funds.
A related issue is ongoing monitoring, which is another area of failure that appears in several enforcement actions, be that system-enabled monitoring or monitoring by staff, particularly by front line staff. A particular point of failure has continued to be a lack of understanding of the relative roles of the three lines of defence, most obviously between the respective roles of the first and second lines.
Senior management and training
The role of senior management continues to feature in enforcement cases. Senior management are required to ensure that their firm has put in place an AML compliance programme that addresses all applicable money laundering and terrorist financing risks. In addition, senior management must be able to articulate both the risks and mitigating controls, and must take steps to ensure that those controls are operating effectively.
Perhaps not surprisingly, another area that recurs in enforcement actions is inadequate, insufficiently frequent and unfocused training for senior management and staff. Training (identified by the US FinCEN as one of the five pillars of an effective compliance programme) is a key factor in helping a firm to avoid enforcement actions.
How to assess your own firm
It is vital that your firm’s AML risk assessments and controls are appropriate and effective. Firms should consider a number of questions when assessing their controls, including:
- Does your business risk assessment follow a well-considered, fully documented and consistently applied methodology that is appropriate for the type, nature, and scale of your firm’s business?
- Is your business risk assessment up to date? Consider the rapidly changing nature of the business world, regulation, and your own business.
- Do your AML policies and procedures reflect what is in your business risk assessment?
- Do staff within each of the three lines of defence thoroughly understand their role in AML compliance, and can you evidence that?
- Can senior management identify the key money laundering, terrorist financing and proliferation financing risks associated with their firm? Do senior management receive the right information on the operation and monitoring of these controls, and do they challenge what they are told? Are those challenges documented?
- Are customer risk assessments carried out in line with the outcomes and requirements of the business risk assessment?
- Do your staff understand that risk is on a continuum, even though your firm might use the categories of low, medium, and high risk?
- Do your staff understand the relative risks that may attach to customers ranked as high risk? For example, whilst PEPs are always subject to EDD in the UK, firms are expected to take a differentiated approach that considers the risks that an individual PEP poses.
- Do your staff ensure that the full business of a corporate customer is properly understood and recorded?
- Can your staff articulate their responsibilities in terms of reporting suspicions? Do they know what ‘suspicion’ means and to whom they should report?
- Do your staff receive regular, role-focused training, which is practical, engaging and based on real life experiences?
Firms should consider these issues when assessing their controls, and take steps to rectify any weaknesses identified. Of course, it is important to remember that each firm is unique and, therefore, firms will need to consider any additional questions specific to their business.
There are two underlying themes which differentiate a firm when it comes to ensuring effective AML compliance. These arise time and again in enforcement actions:
- The best defence against money laundering and terrorist financing is the experience and intelligence of your own staff. It is vital to ensure that your staff do not follow a ‘tick box’ approach to compliance, but rather that they consider each client relationship fully, assess and mitigate risk appropriately, and ensure that substance always takes precedence over form.
- A strong compliance culture is vital to an effective AML regime. Culture, and related conduct, are created and enforced by senior management, through what they say, how they behave, how they treat their staff and how staff are rewarded.
Ultimately, these two themes provide the bedrock on which a firm can build its specific AML controls and procedures.
About the Author
Bruce has been working in financial services for nearly 40 years, 25 of these as a learning professional focusing on compliance for a wide range of financial services companies, mainly through the analysis, design, creation and implementation of global training programmes for Tier 1 Banks and FTSE 100 companies. He has been Global Head of Compliance Learning for such firms three times and has provided compliance learning consultancy to similar companies many times.
Bruce has also provided compliance training and consultancy in other fields such as real estate, industrial supply chains, charities, payment services providers, gambling and casinos and many others.
A former Director of Training for CISI, Bruce has extensive experience of compliance and financial services-related qualifications and qualified as a Chartered Accountant with Price Waterhouse (as it was then known).
Bruce provides excellent training events on compliance, with a specific focus on financial crime, including all aspects of anti-money laundering, anti-bribery and corruption, fraud and sanctions.