AML Compliance Hanging on a Wire
With record-high fines and a leak more damaging than the Panama Papers, it’s time banks get their AML/CTF programmes back on track.
by by 
By Julia Chong
Between navigating the pandemic and workplace disruptions, it seems that banks are relegating anti-money laundering (AML) compliance to the backseat, a precarious position that could unravel much of banking’s progress since the global financial crisis.
The October edition of Global Enforcement Review, an annual publication by consultancy Duff & Phelps, revealed that the first half of 2020 (1H2020) has seen a surge in global AML fines –US$706 million compared to 2019’s full-year total of US$444 million. More worrying is that the fines were imposed for the same lapses over the past five years.
The trend is corroborated in a separate report by regulatory consultancy Fenergo that Asia-Pacific regulators imposed nearly US$4 billion in AML/Know-Your-Client-related fines in 1H2020 and warns that fraudulent activity arising from Covid-19-related initiatives may see further enforcement actions well into 2021.
The year has also seen some record penalties, leaving more than a dint in the industry’s hard-won battle to regain public trust.
On 20 February 2019, a landmark decision handed by the Paris Criminal Court found Swiss bank UBS AG guilty on charges of aggravated money laundering of the proceeds of tax evasion and illegally soliciting clients. The offence chalked a record fine of EUR4.5 billion, a penalty which exceeds the bank’s 2019 net profit of EUR3.8 billion. The bank has filed an appeal over the decision.
There is also the Wirecard scandal, dubbed ‘Germany’s Enron’, which came to a head in June (see story on page 25) after years of red flags.
Closer to home, in September 2020, Australia’s Westpac was hit hard as it negotiated with the country’s financial crime watchdog to pay an AUD1.3 billion fine for breaching AML rules more than 23 million times in transactions amounting to more than AUD11 billion.
The AML crackdown isn’t on banks alone. Earlier this year, the UK Gambling Commission meted a GBP3 million fine to Mr Green, an online betting company that is part of the William Hill betting empire, for serious “systemic failings” over money laundering checks. In one instance, the agency watchdog cited how the company accepted a photograph of a laptop screen showing an alleged cryptocurrency trading account as adequate proof-of-origin of money. On another occasion, the company failed to perform a customer due diligence check on a gambler who won GBP50,000, lost his winnings, and then deposited thousands more – flagging a possible case of addiction is a requirement under British law. Banks which finance the operation of casinos are expected to scrutinise their activities, including vetting casino AML processes, rejecting anonymous wire transfers, and information to assist the gaming industry in identifying risky transactions.
The FinCEN Files
The greatest damage in the AML sphere, however, goes beyond numbers.
In what has been dubbed ‘The FinCEN Files’, over 200,000 suspicious activity reports (SARs) valued at over US$2 trillion were leaked this September to online portal Buzzfeed, which passed on the files to the International Consortium of Investigative Journalists, the global network which exposed the Panama Papers.
The SARs, mandatory declarations triggered whenever bank staff detect potential criminal activity, were filed by global banks with the US Treasury’s Financial Crimes Enforcement Network (FinCEN) between 1999 and 2017. It contained the names of fraudsters, terrorists, and suspects of organised crime, including at least one individual who was brutally murdered over a Ponzi scheme and Russian oligarchs’ use of banks to avoid sanctions.
BBC states that the documents – which implicate financial institutions in more than 170 countries, governments, and supervisory agencies – show how the “world’s biggest banks have allowed criminals to move dirty money around the world”.
Following the revelation, US and Europe banking stocks nosedived and the security of AML and counter terrorism financing (AML/CTF) teams and front-line bank staff were compromised. It sparked fiery conversations as banking experts weighed in.
Rachel Woolley, director of financial crime at Fenergo, in an email response to CNBC, wrote: “Fines are on the up, over US$40 billion since the financial crisis, but is this really a deterrent to the financial institutions that facilitate money laundering? In comparison to the trillions of dollars that illegally move around, these look like a simple cost of doing business.”
“The days of hiding behind complexity and paper pushing are gone, the entire industry needs to collaborate more effectively in order to adhere to policy and prevent crime from entering the financial system.”
Also to CNBC, Tim Adams, President and CEO at Institute for International Finance, hoped the findings would get policymakers to enact urgent reforms to combat financial crime.
He said: “The findings of today’s reports once again emphasise the need to pursue intelligence-led changes for financial crime risk management – driven by meaningful improvements to public-private sector cooperation and cross-border information sharing, coupled with the use of technology – to enhance the global anti-financial crime framework.”
It isn’t enough that banks cover their own tracks. With the FinCEN leaks as prime reference, at some point in time, financial service firms and governing bodies will be held accountable for failure to report or detect suspected AML/CTF breaches. If not through trial by court, then at the very least, in the court of public opinion.
No Dramatic Progress
Basel AML Index, published annually by the Basel Institute on Governance, a not-for-profit Swiss foundation to combat corruption, ranks 141 countries according to their risk of money laundering and terrorist financing (ML/TF). It’s important to note that the calculated ML/TF score measures the risk of ML/TF in these countries, i.e. vulnerability and capacities to counter ML/TF activities, and is not reflective of the actual amount of ML/TF activity in a country.
In the 2020 edition of the AML Index, the needle hardly budged as the global average risk score of 5.22 wasn’t far off from last year’s 5.39. An area in which all countries scored poorly is the quality of AML/CTF supervision. The report highlights areas that contribute to ineffective supervision:
- Limited powers to sanction non-compliance by civil or administrative means. This leaves only criminal prosecution, for which the bar is typically high;
- Limited resources, including qualified staff, processes, IT systems and tools;
- Risk-based approach is not applied, meaning supervision is not commensurate with the risks and size of the financial centre and the number and intensity of reviews are not aligned with existing risks;
- Poor coordination between competent authorities on supervision, with individual agencies focused only on their sectors; and
- Insufficient guidance on ML/TF risks provided by supervisory body to reporting entities.
East Asia and the Pacific scored 5.46, slightly above the global average. Hong Kong, Japan, Singapore, and Taiwan face the largest issues with financial secrecy and nearly half of all countries in the region are listed as major money laundering destinations. The report also highlights these areas of concern for the region:
- Weakest areas relate to the quality of AML/CTF frameworks;
- Underperformance with respect to public transparency and accountability; and
- Future reforms must focus on technical and legal adjustments as well as effective implementation.
Virtual Spotlight
Of particular importance, says the foundation, is that “supervision by competent authorities of financial institutions, designated non-financial businesses and professions, and virtual asset service providers (VASPs) is a major factor affecting AML/CTF risk and resilience.”
It is timely then that one of the Financial Action Task Force’s (FATF) latest reports, Virtual Assets—Red Flag Indicators of Money Laundering and Terrorist Financing, was released on 14 September 2020 as a reference for public and private sectors to identify, detect, and prevent criminal, ML and TF activities associated with virtual assets (VAs).
VAs are defined as “any digital representation of value that can be digitally traded, transferred or used for payment. It does not include the digital representation of fiat currencies”. The latest standard focuses on ensuring that transference of such digital assets are on par and held to the same level of safeguards as other assets in the financial sector.
For more details, we advise readers to look into the FATF’s Recommendation 15 and its corresponding Interpretive Note as well as Recommendation 16 on wire transfers. The latter outlines a ‘travel rule’ clause requiring member nations to ensure all crypto exchanges share real-identity information with transmittal counterparties or face increased AML/CTF monitoring.
On the regulatory front, Germany and India have pushed ahead with positive developments, and South Korea is the recent to come onboard. On November 3, the country proposed the following revisions to its Act on Reporting and Using Specified Financial Transaction Information, aligning its AML requirements with the FATF standards:
> Definition of VASPs as business entities which engage in the VA purchase and sale, exchange, transfer, safekeeping, administration of virtual assets, or involving the intermediation or brokering of virtual asset transactions.
> Definition of VAs as digital tokens with economic value that can be digitally traded or transferred, which explicitly excludes digital tokens that cannot be exchangeable for fiat currencies, commodities and services and whose purpose of use is limited by the issuer.
> ‘Travel rule’ to apply to VASPs whereby the originating VASP must provide the beneficiary with information about the VA transfer.
> VASPs to use real-name accounts in their financial transactions and adhere to the following additional requirements in order to open real-name accounts with financial institutions (FIs): separation of customers’ deposit, obtain a certificate of Information Security Management System from the Korea Internet & Security Agency, no record of fines or penalty in the past five years, and submit to assessment of ML risks conducted by FIs.
> VASPs must undergo money laundering risk assessments by banks to open an account.
The final revisions are scheduled to come into effect on 25 March 2021, with the exception of the travel rule which will only apply from 25 March 2022 to allow VASPs sufficient time to introduce common solutions for information sharing.
Despite this, authorities are mindful that regulation must be balanced in order to encourage innovative technologies such as blockchain – the foundation of cryptocurrency and virtual assets – to flourish.
It is important to note that a risk-based approach does not imply that banks should automatically view VAs and VASPs with suspicion. The FATF advises:
“It is important that FIs apply the risk-based approach properly and do not resort to the wholesale termination or exclusion of customer relationships within the VASP sector without a proper risk assessment.
“An effective risk-based approach will reflect the nature, diversity, and maturity of a country’s VASP sector, the risk profile of the sector, the risk profile of individual VASPs operating in the sector and the legal and regulatory approach in the country, taking into account the cross-border, Internet-based nature and global reach of most VA activities.
“Just as illicit actors can abuse any institution that engages in financial activities, illicit actors can abuse VASPs engaging in VA activities, for ML, TF, sanctions evasion, fraud, and other nefarious purposes.”
Dig Deeper
Many have highlighted the use of regtech – a portmanteau of the words ‘regulatory’ and ‘technology’ covering innovations which assist financial institutions in reaching regulatory compliance – to rein in illicit behaviour. Deployment of technologies such as artificial intelligence, Big Data, cloud computing, and machine learning, has gained prominence as tighter and more complex legislative frameworks, like the Revised Markets in Financial Instruments Directive or MiFID II, come on stream.
From biometric anti-fraud measures to automated customer due diligence procedures, technology has upped the ante by optimising compliance and minimising human error. However, like every other technological tool, it is only as good as the one who wields it. Studies have proven that artificial intelligence, machine learning, and Big Data are subject to bias and discrimination, plus its interconnectedness brings with it increased concentration risk and vulnerability to single points of failure. Also, technological speed is no substitute for human experience, intuition, and the personal touch that is needed in managing relationships.
Compliance lapses merely scratch the surface of a much deeper problem. Some questions that bankers must ask themselves: Are we pushing the right reforms? Is there a missing link in our analysis? Do we have the right stuff (people as well as processes) to hold us accountable for our practices?
If the answer is ‘no’ to any of the above, then it’s time to dig your heels in, and dig deep.
GERMANY’S ENRON: THE WIRECARD SCANDAL
Wirecard was founded in 1999 to provide a payment platform for certain, shall we say ‘adult’, industries. Perhaps unsurprisingly, they grew rapidly and by 2005 they had moved to a plush new head office in Munich and secured a listing on the Frankfurt stock exchange with annual revenues of circa EUR49 million.
In 2006, they completed the consolidation of Wirecard Bank AG and rebranded their corporate identity to a TecDAX listing. Wirecard Asia Pacific was established in 2007, with the same year marking the start of their issuing business, their annual revenue exceeding EUR100 million. The next five years saw further expansion in Europe coupled with significant growth in Asia Pacific and annual revenues rising to EUR395 million in 2012.
As far back as 2008, questions were being asked about Wirecard’s alleged balance sheet ‘irregularities’ by the then head of a German shareholder association, however nothing significant transpired. In 2010, Wirecard hired a new chief operating officer who promised global expansion, which was funded by EUR500 million of capital raised from Wirecard shareholders. Things continued until 2015 when the Financial Times saw fit to publish the first item in their series entitled ‘House of Wirecard’ which referenced ‘inconsistencies’ in Wirecard’s group accounts.
In April 2020, things start to get interesting. An auditor for accountancy firm Ernst & Young found evidence of ‘questionable accounting practices’. Fast forward to 22 June 2020 when it was revealed by Wirecard’s management board that quite a lot of money was missing, their statement read “…on the basis of further examination, there is a prevailing likelihood that the bank trust account balances in the amount of EUR1.9 billion do not exist”. Oops!
This revelation saw Wirecard’s share value plummet by over 72% and in turn forced the resignation of CEO Markus Braun, to be replaced by James Freis, who had only joined the company the evening before. Two banks in the Philippines, that were allegedly holding the money, issued statements saying they did not have the funds and never did and to top it all, credit ratings firm Moody’s removed Wirecard’s rating altogether having previously demoted it to B3 from Baa3 just three days earlier. On 25 June, Wirecard filed for bankruptcy citing “over-indebtedness”.
It would appear that Wirecard were also none too picky about who they chose to do business with. It transpired in 2017 that Wirecard had been processing payments for online Maltese casino CenturionBet, which was later revealed to have been used to launder money by the Calabrian ’Ndrangheta, a none too pleasant mafia-type organisation. Granted this would have represented a very small percentage of Wirecard’s annual turnover, however it speaks to their business model and wider compliance function, or possibly lack thereof.
Source: Excerpt from RDC, a Moody’s Analytics company.
Julia Chong is a Singapore-based writer with Akasaa. She specialises in compliance and risk management issues in finance.