Calling time out on AML outsourcing?

On 19 June 2014 – and after plenty of rumours – the Guernsey Financial Services Commission issued a public statement about a local fiduciary firm, Willow Trust Limited.  Although still not as detailed as the notices issued by, for instance, the Financial Conduct Authority in the UK, this public statement did give us a little more to chew over – after all, the issuing of such a statement not only serves to shame the subject but is definitely also intended “pour encourager les autres”.  And les autres need to know details in order to be suitably encouraged in the right direction.

As seems to be the pattern recently (I’m thinking of Habib Bank, Coutts and Guaranty Trust Bank), Willow’s AML failings were around risk assessment and the reviewing thereof.  In the case of Willow (and in the words of the GFSC): “Willow’s relationship risk assessments considered the identity of the customers, beneficial owners and underlying principals but insufficient consideration was given to the nature of the products or services provided to the customer, the purpose and intended nature of the business relationship or the type, volume and value of activity.  [Moreover] Willow failed to review the risk assessments of its business relationships with sufficient regularity.”  In this emphasis on review, I suspect the GFSC is hearing the approaching rumble of the evaluators from MONEYVAL, due on the island in October…

But as a provider of AML-related services myself, it was some of the other comments in the statement that caught my eye: “The Board was aware of the issue of the increasing backlog of file reviews and obtained the advice of external compliance consultants to advise on effecting improvements to its procedures to seek to ensure its compliance with its regulatory measures.  However this failed to address the existing issues adequately.  [And] in 2009 Willow appointed external compliance advisers who consistently reported to the Board that the Company continued to remain compliant with its regulatory obligations.  Notwithstanding, the Board of Willow acknowledges that it remains responsible for the review of its compliance with the Regulations as required by Regulation 15.”  Ay, there’s the rub with outsourcing.  You can give away the task but not the responsibility.  It’s a bit like trusting someone else to do up your seatbelt for you, when both you and he know that, if there is a crash, it will be you catapulting through the windscreen while he stands on the hard shoulder.  Are there some functions that are just too risky, too impact-ful, to be entrusted to someone outside your firm?  And is AML one of them?

This entry was posted in AML, Due diligence, Money laundering and tagged , , , , , . Bookmark the permalink.

4 Responses to Calling time out on AML outsourcing?

  1. Roy McCarthy says:

    Hmm, maybe compliance advisors should be regulated.

  2. I couldn’t possibly comment, Roy! Actually, I wouldn’t be opposed to this, but I think – as always – the difficulty would be finding a regulator willing to take on the extra work.
    Best wishes from Susan

  3. Mik Underdown says:

    Hmm…… I think we need to pick out the difference between outsource and audit. Having a third-party compliance monitoring or audit consultant is one thing. Outsourcing your AML is another. Not sure I’d sleep at night if someone else was doing it all.

    And as for regulating the compliance guys, what about regulating the regulators. Is there an OFREG? It’s a bit like asking why there’s only one monopolies commission. What would we call that, OFOFF?

    I keep quoting Juvenal’s “et quis custodiet ipsos custodes?”. Who regulates the regulator who regulates the regulator who regulates us?

    And Susan, you’re bang on the money re Willow. We’re already all feeling the MONEYVAL effect in Guernsey; I wonder who’s next.

  4. Hello Mik, and welcome.

    You raise an interesting point here, about outsource versus audit. I of all people can see that it is worthwhile to get an external eye cast over your AML regime, but – as the Handbook says – the regulated business remains responsible for compliance.

    As I have always pictured it (and indeed done it, on occasion), the business recruits an external consultant – having first checked that they are fully qualified (by experience, not necessarily by academics – yet) to do such work. The consultant does the checking and puts in recommendations – and personally I would be uneasy if an audit of this nature produced no recommendations, as even the most diligent MLRO and team cannot easily keep up with all changes and developments that will affect their AML regime. The Board of the business then looks at those findings, and acts promptly upon them – or documents carefully why they are not implementing the recommended changes.

    Crucially, I would expect this external checking to be a rare occurrence – perhaps once every four or five years – with annual checks being done internally. In that way, anything the external consultant has missed (or chooses not to mention…) will be picked up fairly quickly. What do others think?

    As for OFREG, if it ever gets off the ground, I’m applying for a job!

    Best wishes from Susan

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.