By Samantha J Sheen, Director, Ex Ante Advisory Limited
The other day I came across a quote from Kofi Annan, the former UN Secretary General and a Nobel Prize winner, which reads: “Without good data, we are flying blind. If you can’t see it, you can’t solve it.”
This idea resonated with a recent case I had reviewed concerning a large, global bank which had transferred a group of existing high-risk customers to another of its businesses in a different jurisdiction. The transfer resulted in a significant increase to the anti-money laundering (AML) compliance work the business that received these customers had to perform. The work was grossly underestimated and little regard was given to how it would be resourced.
Existing problems with the business’s AML compliance function and aspects of its AML compliance programme had been identified by the bank’s group internal audit function shortly before the transfer took place.
Those problems were not addressed either before or after the transfer took place. The bank was subsequently fined by the local AML regulator, in part, for these failings.
Boards, Reports and AML Regulation Expectations
Boards rely upon the data provided to them in reports generated by external third-party reviewers and auditors to understand whether their firm’s AML compliance programme is effective. However, AML regulators are signalling that boards must do more beyond recording in their minutes that these reports were received and reviewed. Increasingly, board members are expected to not only understand the data reported, but to also know whether that data is ‘good’.
In recent times, AML cases such as Swedbank have held firms to account where their boards have received data about AML compliance deficiencies but failed to take timely action to resolve them.[2] The role played by a regulated firm’s audit function and external reviewer reports can be an important tool to alert a board to such deficiencies. “The climate issues faced are incredibly dynamic, so it’s imperative they are embedded within companies’ strategic and operational risk management processes and part of business-as-usual activity”
Anti-Money Laundering Compliance Programs – The Three Lines of Defence
It is generally a requirement of most AML regulations that a firm’s compliance programme consists of four components. There must be a first line of defence, which comprises the customer-facing functions, which are typically responsible for undertaking know-your-customer (KYC) checks on all new customers.
There is the second line of defence, which is made up of members of the AML compliance team and is responsible for formulating the policies and procedures necessary to implement regulatory requirements and the controls needed to effectively mitigate financial crime threats. This second-line function is also responsible for undertaking periodic testing of controls to ensure they are effective and appropriate for reducing financial crime risks.
Then, there is the third line of defence. In global, regulated firms, this will generally take the form of a dedicated internal audit team, supplemented by support from external auditors and specialist reviewers. For smaller firms, reliance might be placed on an external audit firm or an external reviewer with specialist knowledge in AML compliance programmes.
The third line is responsible for verifying whether the firm has identified and assessed the financial crime risks to which it could be exposed, the extent to which its AML procedures and processes address those risks and broader areas of concern that may impact upon the firm’s ability to effectively detect and prevent financial crime.
Sitting atop all of this is the oversight of the board or equivalent body. In essence, the board is responsible for ensuring that the firm’s AML compliance programme, and the three lines of defence, work as they should and issues of concern that could expose the business to financial crime risks are promptly addressed.
Historically, boards have not always covered themselves in glory when it comes to fulfilling this oversight function. In my experience, despite some boards working towards improving their oversight of the AML compliance programme, many continue to take the data reported to them by external auditors and reviewers at face value.
The evolving expectations of AML regulators, when it comes to boards’ treatment of data generated by these parties, is best illustrated in a case involving a bank with a branch operating in the USA.
The Case of Mashreq Bank
In 2018, Mashreq Bank, an international bank with more than 70 branches and assets of more than $34billion, agreed to a fine of $40million and other remedial measures with its AML regulator, in relation to the AML compliance programme of its branch in New York.
The bank operated several branches around the world, including in several jurisdictions considered to be at high risk for money laundering and terrorist financing. As such, the bank was expected to have an AML compliance programme that was ‘equal to the task of managing those risks’.[3]
The bank’s New York branch had been examined by the AML regulator once in 2016 and again the following year. During both visits, the AML regulator found the branch’s AML compliance programme to have deficiencies, most notably the way in which its transaction monitoring (TM) was undertaken. This was particularly significant, given that the bank had clearing volumes of $300billion per year.
The deficiencies in the branch’s TM programme led to a substantial backlog of transactions that needed to be reviewed. This was the equivalent to three months work, amounting to between 4,500 and 4,800 transactions that needed to be checked. The risk here was that the bank could have processed the proceeds of crime but would not have become aware of it until many months later.
The bank had hired an external party (reviewer) to review its TM programme and help it implement a more effective TM system. The AML regulator, when it returned in 2017, found that the problems it first spotted in 2016 had not been resolved. Worse, the backlog of reviews had increased to the equivalent of five months work. The reviewer had done very little work to resolve the original problems.
The AML regulator concluded that the bank’s oversight of the reviewer was deficient in that it failed to detect the extent of the work, or lack thereof, undertaken to resolve its TM problems. But things did not end there. The AML regulator also found that the bank’s head office had failed to provide sufficient oversight of an external auditor it had hired in 2017 to conduct the New York branch’s 2017 AML audit and evaluate the AML remedial work undertaken.[4]
The external auditor’s report had rated the branch’s AML compliance programme as ‘generally adequate’. However, the external auditor’s report had omitted or failed to identify numerous issues uncovered by the AML regulator, including the substantial backlog of TM reviews.
The AML regulator determined the bank had failed to take steps to verify whether the external auditor had done a fulsome review of the branch’s AML compliance programme by asking the auditor to produce workpapers to demonstrate that adequate testing of the programme had been undertaken. Other problems with the external auditor’s report included:
- Its report on the bank’s efforts to remediate its AML compliance programme lacked narrative conclusions and, instead, merely pointed to its workpapers for further details (which, as noted above, were not reviewed)
- The size of the samples taken to review certain alerts related to sanctions screening was too small
- Rather than performing independent testing to validate the remedial measures the bank’s management reported were completed, the external auditor merely signed off on documentation provided by management attesting to these measures
The bank, despite being reported as demonstrating ‘a keen interest in, and commitment to, remediating the shortcomings’, found itself agreeing to a large fine and other required actions. These included the engagement of a different third-party reviewer of the AML regulator’s own choosing to assist it in addressing its AML compliance programme’s deficiencies. A separate consultant was to be engaged to sort out the bank’s TM programme.
Engaging Boards
The Mashreq Bank case provides a potent illustration of why boards need to take a more active role in reviewing the data provided by external parties that are fulfilling the role of the third line of defence. Board members can mitigate against the types of risks identified in the case summarised here by:
Ensuring there is clear accountability within the firm for overseeing the work undertaken by an external reviewer or auditor. This should include an escalation process if there are reasons to doubt the quality of completeness of the work being undertaken. Ensure that the ‘tone from the top’ is to receive the work agreed and not to simply push to receive a written report and tick the review exercise as ‘done’.
Engaging in robust challenge of external reviewer and audit reports. Request explanations about how conclusions have been arrived at, sources of data relied upon and the basis upon which recommendations for further work are based. Determine whether a sufficient degree of AML knowledge is reflected in the findings and recommendations provided.
Challenging the wisdom of assigning remediation work to the second line of defence. Request an assessment of existing resourcing and expertise within the firm to perform the required work. Encourage candour about available resourcing and expertise and explore whether the timelines set to complete the work are realistic.
Concluding Thoughts
As AML regulators are increasingly looking to boards to take a more active role in the oversight of their firm’s AML compliance programmes, they must ensure the data they receive is reliable and accurate. Reviews undertaken by external parties to support the third line of defence can provide valuable information about the health of the firm’s financial crime prevention controls. Ultimately, however, it is the responsibility of the board to ensure it does not fly blind in relying on this information. At the end of the day, the board must be confident that the data it is seeing is reliable, in order to properly see the problems that need solving.
About the Author:
Samantha Sheen is currently the founder and Director of Ex Ante Advisory Services Limited, an advisory services firm providing assistance to regulators and financial institutions in a variety of areas related to the prevention of financial crime in Europe. Samantha is a financial crime prevention professional with over 15 years of practical experience in compliance. Sam holds a number of qualifications and is recognised as a subject matter expert in the field of financial crime. Sam’s previous work experience includes working as MLRO, Data Protection Officer and CCO and Group Head of AML for various financial institutions, both offshore and in Europe. Originally from Montreal, Quebec Canada, Samantha holds a Bachelors of Public Administration, LLB, qualifying as a barrister and solicitor and holds her Masters in Business, specialising in risk management.
