By Sven Stumbauer – Globally recognised financial crimes expert
The first quarter of 2019 and most of 2018 were marked by an uptick in money laundering scandals. More surprising is that this comes more than three years after the Panama Papers scandal made headlines. Offshore secrecy and the use of offshore structures, which dominated the banking clientele in the Baltics (so-called non-resident clients), should have been at the forefront of the minds of all boards of directors globally, but especially those with a large non-resident customer base.
Notwithstanding the number of articles written in the press about banks being involved in these scandals, one must wonder why boards of directors have not questioned management more proactively, conducted internal investigations to determine their exposure to ongoing and anticipated scandals and developed contingency plans in case of shareholder and regulatory inquiries.
It seems, however, that board members at some banks have adopted a ‘head in the sand’ approach, rather than actively managing the crisis that not only comes with reputational issues but also adversely impacts shareholders – as evident in the decline of share prices at some European financial institutions.
The irreparable cost of inaction
Since the release of the Panama Papers and the broad coverage received in the media, financial institutions around the world would have been well advised to review their current client portfolios and determine their exposure not only to entities revealed through the Papers but also to their client portfolios in general.
While an offshore structure, such as a personal investment company or trust, may not itself be indicative of illicit activity, some shell companies and other complex structures cited in the Panama Papers have been accused of being used as vehicles for money laundering, payments of bribes, tax evasion and other illicit activities in the past.
These structures, which tend to lack transparency in formation and operation, can provide an opportunity for entities to move money without having to disclose their true identities or the nature or purpose of the transactions. The use of offshore accounts highlights why financial institutions need to have adequate controls and procedures in place. It has become increasingly important that institutions review their accounts with a holistic view to quantify their exposure and risk, and determine with whom they are ultimately doing business and that the activity involving such accounts is consistent with previous due diligence. Some financial institutions considered taking prompt action and among other things:
- Determined whether Panamanian or other offshore structures were held at the institution and, depending on the level of their respective exposure, conducted appropriate internal investigations
- Reviewed and, if necessary, revised customer due diligence, effectively performing a ‘true-up’ of the know-your-customer (KYC) information collected and the due diligence conducted
- Depending on their risk appetite and the exposure determined, exited certain relationships or ‘de-risked’ their relationships with other financial institutions known to maintain relationships not commensurate with their risk appetite
However, as the recent money laundering scandals in the Baltics and Scandinavia point to, not all financial institutions asked themselves whether their current clients should be seen as ‘friends, foes, or enemy within’. Those financial institutions are now paying the price for past inaction: as reporting on certain regions and banks intensifies, it is becoming harder for management and boards of directors to respond properly to media reports, regulatory inquiries and probes, and management and boards are finding themselves in the peculiar situation of no longer being in charge of their destiny. They are now discovering that ‘a penny of prevention is worth a pound of cure’ holds true.
Missed warning signs
For the past decade, numerous headlines and enforcement actions showed increased scrutiny by regulatory bodies, particularly US regulators, of financial institutions’ boards of directors and senior management for failing to correct alleged compliance shortcomings. As a result, the issue of individual accountability for anti-money laundering (AML) violations continued to gain traction.
Board involvement plays an important role in the adoption and implementation of effective enterprise-wide AML compliance programmes. Several regulatory enforcement actions in the past decade have called for the establishment of AML compliance committees composed of outside directors and direct oversight of boards of directors in remedial efforts, as well as the hiring of so-called ‘independent compliance monitors’. Actions have also held board members personally accountable for financial institutions’ lack of compliance and, in some cases, have resulted in exposure to shareholder litigation risk, due to a decline in shareholder value.
Tone at the top
Tone at the top remains as vital as ever in preventing and detecting wrongdoing. It remains one of the main ingredients that can make or break an AML compliance programme. Ultimately, the responsibility for establishing a financial institution’s strategic vision rests with the board of directors and senior management. As part of that vision, it is vital that financial institutions establish not only AML risk compliance tolerances, but also a deep understanding of risk exposure. This also includes establishing proper incentives – including compensation measures – to meet needed goals. Under current US regulations of both the Bank Secrecy Act and the USA PATRIOT Act of 2001, the board of directors of a financial institution is required to approve an enterprise-wide AML compliance programme that, at a minimum, includes the following:
- Policies, procedures and controls that mitigate the institution’s money laundering risks
- A designated AML-compliance officer with sufficient, board-conferred authority across the institution to implement the mitigating policies, procedures and controls
- Ongoing and adequate training for employees of the institution
- Ongoing independent testing and auditing
However, in order to comply with more than just the technical regulatory requirements, a board should consider that it is also ultimately responsible for the financial institution’s AML compliance efforts as executed by management and should, on an ongoing basis, question management’s effort in this area. Similarly, the board should be responsible for establishing a culture of compliance that serves (1) to reduce the risk of potential regulatory action based on lack of board oversight and (2) to minimise shareholder litigation risk.
Perhaps it is not surprising, then, that in August 2014, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory on this topic. One observation from the FinCEN advisory is that it has become particularly important that senior management and board members at financial institutions of all sizes maintain strong cultures of compliance.
The FinCEN advisory pinpoints several deficiencies that were identified in recent AML-related enforcement actions that offer important insights for financial institutions and their management and boards. In particular, it reaffirms the notion that a financial institution can improve AML compliance culture by ensuring the following elements exist:
- Leadership is engaged
- Compliance is not compromised by revenue interests
- Information is shared throughout the organisation
- Leadership provides adequate human and technological resources
- The compliance programme is effective and has been tested by an independent and competent party
- Both leadership and management understand how their various AML reports are used
While the FinCEN advisory sent a strong message to financial institutions – namely, that an entire organisation, from staff to board members, may be held accountable for AML compliance failures – perhaps, more importantly, the advisory was intended to serve as a reminder of the importance for institutions to conduct reviews of their AML engagements of senior management and boards of directors to learn whether those engagements adhere only to the strict interpretation of the letter of the law or whether a true culture of compliance is in place.
While at the time the advisory did not contain any specific new guidance that had not been promulgated previously in speeches or enforcement actions, industry practitioners considered this advisory a ‘warning shot over the bow’ to many financial institutions that senior management and boards will be held accountable to a larger degree than historically.
Tone at the top is not enough!
There is virtually no financial institution that would not claim to be compliant with AML rules and regulations in its particular jurisdiction. However, while setting the right tone at the top is important, regulatory bodies will consider not only the tone at the top but also the actions taken from the top when deciding both whether to sanction a financial institution and the severity of monetary and non-monetary sanctions, such as the appointment of an independent monitor. Boards and senior management should set the tone for their organisations by creating a culture of compliance.
On the other hand, if compliance officers are bootstrapped and cannot obtain adequate support and resources, then it’s likely that the financial institution’s leadership is not seriously engaged in AML compliance and tone can become lip service.
Boards of directors should keep in mind that they have a duty to ensure that their financial institutions reach not only their financial goals but also their regulatory compliance and corporate governance goals. Considering recent enforcement actions, in which certain AML compliance officers were personally sanctioned and other scandals surrounding financial institutions led to the resignation of CEOs and board members, senior management teams and boards of directors should deepen their involvement in AML efforts rather than employing a check-the-box mindset.
Lack of war games and contingency planning
While most financial institutions globally conduct some form of an AML risk assessment, focussed on customers, products and different lines of businesses, few financial institutions consider ‘regulatory or enforcement risk’ as part of their risk assessment and even fewer ‘pressure’ test their AML compliance programmes or conduct ‘war games’ for ‘what if’ scenarios.
Historically, many financial institutions saw de-risking, or exiting certain relationships, as a quick fix to, hopefully, address concerns and/or historical non-compliance by simply exiting customers. De-risking over the years, however, introduced a significant level of opacity and lack of transparency into the global financial system, since the termination of relationships forced entities and individuals into less regulated or unregulated channels, or to conduct business with financial institutions where AML compliance was not top of mind for senior management and business trumped any compliance concerns.
De-risking, contrary to the term itself, for some financial institutions actually created greater challenges in adequately identifying AML risks, by adding an intermediary layer between themselves and the de-risked customer, hoping for safe harbour as business continued, albeit through one or more additional layers between themselves and the ultimate customer. Probably the most notable example can be found in the notice of proposed rulemaking (NPRM) issued by FinCEN on 13 February 2018 for ABLV Bank. 
ABLV Bank at the time of the NPRM did not maintain direct US correspondent relationships with financial institutions, but through nested and indirect relationships, the bank was still able to execute US dollar transactions that were potentially not being recognised as being ABLV’s transactions, or were not given the required attention such transactions should have received.
According to FinCEN’s NPRM: “ABLV executives, shareholders and employees have institutionalised money laundering as a pillar of the bank’s business practices. ABLV management orchestrates and permits the bank and its employees to engage in money laundering schemes. Management solicits the high-risk shell company activity that enables the bank and its customers to launder funds, maintains inadequate controls over high-risk shell company accounts and is complicit in the circumvention of AML/CFT controls at the bank. As a result, multiple actors have exploited the bank in furtherance of illicit financial activity, including transactions for parties connected to US and UN-designated entities, some of which are involved in North Korea’s procurement or export of ballistic missiles. In addition, ABLV management seeks to obstruct enforcement of Latvian AML/CFT rules.
“Through 2017, ABLV executives and management have used bribery to influence Latvian officials when challenging enforcement actions and perceived threats to their high-risk business. ABLV’s business practices enable the provision of financial services to clients seeking to evade financial regulatory requirements. Bank executives and employees are complicit in their clients’ illicit financial activities, including money laundering and the use of shell companies to conceal the true nature of illicit transactions and the identities of those responsible. ABLV is considered innovative and forward leaning in its approaches to circumventing financial regulations. The bank proactively pushes money laundering and regulatory circumvention schemes to its client base and ensures that fraudulent documentation produced to support financial schemes, some of which is produced by bank employees. In 2014, ABLV was involved in the theft of over $1 billion in assets from three Moldovan banks, BC Unibank S.A., Banca Sociala S.A. and Banca de Economii S.A., in which criminals took over the three Moldovan banks using a non-transparent ownership structure, partly financed by loans from offshore entities banking at ABLV. Separately, ABLV previously developed a scheme to assist customers in circumventing foreign currency controls, in which the bank disguised illegal currency trades as international trade transactions using fraudulent documentation and shell company accounts.”
Despite complying with the proposed prohibition on covered financial institutions from opening or maintaining correspondent accounts in the US for ABLV Bank, financial institutions globally with prior exposure to ABLV Bank should have deployed their contingency plan for regulatory preparedness and response, assuming such a plan existed, which, based on press reports over the past 12 months, does not seem commonplace.
Most financial institutions have contingency plans in place for data intrusion, Ponzi schemes, natural disasters, health pandemic emergencies, branch robberies, terror threats and attacks, cyberattacks and other risks to their continued operations. But very few have sensible contingency and action plans in place for significant regulatory events, as in the case of ABLV Bank, or for money laundering scandals. The result is a delayed response, if any, or premature statements by CEOs that no issues exist, often leading to a further escalation of the actual problems. Boards and senior management should consider, at a minimum, adopting robust plans to react adequately and in an organised way to regulatory events or events such as the Panama Papers or the NPRM of FinCEN regarding ABLV Bank. Such plans should, at a minimum, consider the following:
- Qualified internal and external resources are available in case of a particular event to conduct a very robust internal investigation to determine the institution’s exposure
- Risk exposures previously identified internally and thought of as having been adequately covered by internal controls
- Response to regulatory bodies and the production of records subsequently requested
- Response to shareholders
- Response to media inquiries and media management
However, as is common with plans, most situations generally do not go according to plan, and financial institutions should consider alternate measures, along with pressure testing existing plans that may be in place through the use of war games/what-if scenarios, to determine the potentially worst outcome for the financial institution and to develop potential methods by which they may mitigate any adverse impact on the financial institution.
AML compliance remains a significant challenge for financial institutions globally, with notable differences between regions. As financial institutions become more complex and more interconnected across jurisdictions and as rules and regulations continue to evolve and the enforcement of those rules and regulations is being taken more seriously by various regulatory bodies, financial institutions will need to devote considerable resources to AML compliance matters, both for their ongoing operations, and for contingency planning purposes.
Some boards appear to be taking AML compliance matters more seriously and are investing significant resources in the design and implementation of policies, procedures, systems, controls and training that will enable them to meet their compliance requirements more efficiently and cost-effectively. However, based on historical enforcement differences and/or the lack of comprehensive rules and regulations in parts of the world historically, we may conclude that boards at some financial institutions are not yet fully engaged and senior management is playing catch-up in some areas.
The race to keep up with differing compliance standards has redrawn the competitive landscape for banks. Those that can get AML compliance right will undoubtedly emerge as winners in the increasingly global competitive landscape, while those banks that continue relying solely on strict legal interpretation of rules and regulations and/or past inaction of regulatory bodies might find themselves in the limelight of the popular press, followed by severely intensified regulatory scrutiny, prosecution efforts and the lack of correspondent relationships in the future as their counterparties ‘de-risk’ relationships that are too risky.
About the Author:
Sven Stumbauer is a globally recognised financial crimes expert with a wealth of experience in Anti-Money Laundering and Sanctions compliance matters. Sven’s industry experience includes U.S. and international financial institutions and multinational corporations, focusing on regulatory compliance, fraud issues, AML and sanctions compliance, and Foreign Corrupt Practices Act (FCPA) matters. He has a wealth of experience leading complex, high profile cross-border projects, providing assistance to clients and regulatory bodies in 40+ countries. He has led numerous matters and/or provided reports to various U.S. and International governmental agencies including the U.S. DOJ, the SEC, FINRA, Federal Reserve, OCC, FDIC and the New York Department of Financial Services and international regulatory bodies.
Sven started his career with the National Association of Securities Dealers (now FINRA) and most recently was the Global Anti-Money Laundering and Sanctions Compliance Practice Leader at AlixPartners.
1. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
2. FIN-2014-A007 – https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007
3. FinCEN Names ABLV Bank of Latvia an Institution of Primary Money Laundering Concern and Proposes Section 311 Special Measure
5. As defined by Section 312 of the USA PATRIOT Act