The uptick in money laundering scandals continued in 2019 and, as has been the case during the past two decades, US regulatory bodies and authorities were most aggressive in enforcing US anti-money laundering (AML) and sanctions laws across the globe.
When assessing AML risks and exposures, global financial institutions must continue being mindful of the US regulatory landscape and the broad authority that US banking regulators and authorities assert and exercise around the globe. Maintaining this mindfulness is even more challenging for some boards of directors of financial institutions headquartered outside the US. A natural tendency of boards and senior management is to structure AML and sanctions compliance predominantly according to the respective national standards of their headquarters, often opening themselves up to significant regulatory exposure in the US.
This exposure might be more evident in the case of a global financial institution with a US branch, which potentially opens the entire financial institution to US regulatory scrutiny. But even without a branch or subsidiary, a non-US bank may be exposed to civil or criminal risk for transactions conducted in US dollars and cleared in the US.
Ignored warnings
During the past decade, there have been numerous newspaper headlines and enforcement actions revealing US regulators’ increased scrutiny of financial institutions’ boards of directors and senior management for failing to correct alleged compliance shortcomings.
Active board involvement plays a crucial role in the adoption and implementation of effective enterprise AML-compliance programmes. In the past decade, several regulatory enforcement actions have called for the establishment of AML-compliance committees composed of outside directors and also called for oversight of boards of directors in remedial efforts, as well as the hiring of so-called ‘independent compliance monitors’. Enforcement actions have also held board members personally accountable for financial institutions’ lack of compliance and, in some cases, have exposed companies to shareholder litigation risk, due to a decline in shareholder value.
US regulatory bodies have made this point clear through enforcement actions that often cite language such as: “The board shall ensure that the bank achieves and thereafter maintains compliance with this order, including, without limitation, successful implementation of the BSA (Bank Secrecy Act)/AML action plan. The board shall further ensure that, upon implementation of the BSA/AML action plan, the bank achieves and maintains an effective BSA/AML compliance programme.”[1] And, again, telling a board to: “maintain a compliance committee of at least three directors, of which at least two may not be employees or officers of the bank or any of its subsidiaries or affiliates…. The compliance committee shall be responsible for monitoring and coordinating the bank’s adherence to the provisions of this order.’[2]
Boards of financial institutions should have considered themselves forewarned when the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory on this topic in 2014.[3] The FinCEN advisory gives guidance to financial institutions and their boards. In particular, the advisory reconfirms the notion that a financial institution can improve AML compliance culture by ensuring the following key elements are present and enforced by the board of directors:
- Leadership is engaged
- Compliance is not compromised by revenue interests
- Information is shared throughout the organisation
- Leadership provides adequate human and technological resources
- The compliance programme is effective and has been tested by an independent and competent party
- Both leadership and management understand how their various AML reports are used
Becoming and staying compliant – identifying, measuring and quantifying risk
Basic key considerations for members of boards, in order to execute their duties effectively, are to understand the financial institution’s business and the associated AML risks, as well as the evolving regulatory and enforcement environment.
While management is responsible for the implementation of sufficient AML controls, directors should play a key role in the identification of AML risks, based on the financial institution’s particular business and actively oversee management’s adherence to the financial institution’s risk strategy and risk appetite.
However, not all financial institutions are identifying and measuring their AML risks effectively or correctly, resulting in inadequate controls and, ultimately, potential compliance failures. Financial institutions should assess their potential risk exposure across the entire organisation, across their counterparties and affiliates, and with regards to the products their affiliates use.
For example, recent money laundering scandals across the globe illustrate that some financial institutions are still treating their affiliates as part of the same organisation, and not much consideration is given to potential AML risks as they conduct business with affiliates. It may be necessary for some boards to provide more oversight to senior management on how AML risk is measured and ultimately quantified.
One often-cited frustration by members of boards is that AML risk assessments are too often conducted utilising a simple checklist approach, rather than a dynamic assessment of the financial institution’s bank operation and the AML risk and regulatory exposure posed. Such assessments sometimes provide the board with ‘dated’ and ‘stale’ information, based on historical trends and statistics, rather than a current assessment of the AML risk.
By asking some key questions aimed at taking a fresh look at inherent as well as perceived risks, boards can become more risk-intelligent even before the financial institution conducts a formal AML risk assessment. Some key considerations include:
- Does senior management set the tone through active engagement and involvement in AML compliance (executing on the board’s strategy)?
- Does our financial institution possess a culture of compliance that exists throughout the organisation?
- Do we have silos that inhibit our taking a more integrated compliance approach?
- Has management established incentives to incorporate AML compliance objectives across the organisation?
- Are the financial institution’s reporting, technological, and other systems integrated geographically?
- Do silos present compliance challenges that can lead to regulatory investigations and subsequent enforcement actions?
- Does management take a holistic view of customers across geographies and the risks associated with them?
- Are management’s compliance monitoring and testing efforts sufficient to identify potential weaknesses?
When these questions are asked and answered, boards will be in a better position to more proactively manage AML risks.
Accurate AML risk identification and quantification are the cornerstones for a robust AML compliance programme, without which most compliance efforts will provide a false sense of security and will result in potentially significant regulatory exposure.
Expectations
Although ultimate responsibility for AML compliance lies with the board of directors, their role should consist of active oversight and strategy setting, while the day-to-day management and implementation of the AML programme rests with the designated AML compliance officer.
It’s necessary that members of boards have a good understanding of the AML programme requirements, whose key components are:
- Policies, procedures and controls
- To mitigate the money-laundering risks posed by the institution
- Designate an AML compliance officer with sufficient board-granted authority across the institution to implement the policies, procedures and controls
- Ongoing and adequate training for all employees of the financial institution
- Independent testing/auditing on an ongoing basis
Boards need to be vigilant not to step back too far back from day-to-day compliance matters or to adopt a ‘head-in-the-sand policy’ that leaves AML compliance solely in the hands of senior management. However, having knowledge and understanding of the AML programme requirements and corresponding risks does not imply that directors are expected to be AML-compliance experts.
Many recent AML-related articles have called for individual board members to be held accountable for board actions, and they also revealed that AML compliance failures have forced directors to resign.
In addition, several regulatory enforcement actions in the past years have called for the establishment of AML compliance committees comprised of outside directors. And several of these regulatory enforcement actions also held board members personally accountable for financial institutions’ lack of compliance and exposed board members individually to civil litigation risks.
Moving forward
As recent scandals show, AML compliance continues to be a significant challenge for financial institutions and their boards globally. Some boards appear to be taking AML compliance matters more seriously than others, depending on their actual, or perceived US regulatory exposure. However, because some countries outside the US historically have practised different, less stringent AML enforcement and/or historically lack the comprehensive anti-AML rules and regulations established in the US, boards at some financial institutions are not yet fully engaged and are often caught off guard by aggressive US enforcement actions.
‘ACCURATE AML RISK IDENTIFICATION AND QUANTIFICATION ARE THE CORNERSTONES FOR A ROBUST AML COMPLIANCE PROGRAMME, WITHOUT WHICH MOST COMPLIANCE EFFORTS WILL PROVIDE A FALSE SENSE OF SECURITY’
Recent AML enforcement actions and investigations reveal the exposure that non-US financial institutions may face, risk that increases with the existence of a US branch. When evaluating their regulatory exposure, multinational financial institutions with a US presence should be alert about their various business lines that interact with the US.
While financial institutions without a US branch are not directly exposed to US financial regulators, they are not insusceptible to US criminal or civil inquiries for conduct abroad where there is a US nexus, such as transactions cleared through the US.
A time to act
Given this exposure, it is the right time for a number of boards to take a hard look at their AML-compliance strategy and how senior management executes the strategy set by the board.