Making AML count

One of the most common requests I hear when designing AML training for clients is for case studies (which I have blogged about recently) and for “lessons learned”.  Alongside this, we have regulators regularly reminding us that their final notices (or regulatory decisions or whatever they call their findings when someone has been punished for AML shortcomings) should serve as quasi-guidance: for instance, in the recent finding against Betfred by the UK’s Gambling Commission, the public statement is concluded with a section of “Good practice – we consider that this case provides valuable learning for remote (online) and non-remote gambling operators”.

I am always more than happy to truffle out such lessons for clients to pass on to their staff, but a paper (titled “Deep Impact”) published in October 2019 by RUSI in London has made me pause for a moment.  This is a “big picture” paper, considering whether we need to refocus our AML approach and base it on evidence and outcomes rather than on (in essence) the FATF’s Forty Recommendations.  As the paper’s author Mathew Redhead explains, “despite substantial levels of private sector investment, doubts remain among practitioners and academics about whether the [FATF-based] model is effective, not only in terms of how well it is implemented, but in its impact on money-laundering metrics and wider costs and benefits”.  Moreover, as the FATF-based AML model is now well-established and almost universally adopted by regulators, it is quite straightforward for them to levy penalties on institutions that fail to meet the standards – regardless of whether their failing leads to any money laundering.  And the – perhaps inevitable – outcome is not favourable, if our stated aim is to create a hostile environment for money laundering and terrorist financing, as the RUSI paper continues: “Unfortunately, the potential punitive risk that goes with being ‘wrong’ continues to bias the private sector towards over-investment in preventative measures and over-reporting, despite regulatory advice to the contrary.  This makes ‘real-life’ effectiveness for financial institutions a matter of balancing the costs and risks of regulatory action against the size and efficiency of their compliance functions.  The ultimate focus is not therefore on the reduction of money laundering, but on protecting the institution and the bottom line.”

I suspect that the disconnect exists partly because it is so very difficult to measure money laundering while it is so very easy to measure money.  (As this paper reminds us, “the UK’s National Strategic Assessment of Serious and Organised Crime 2019 repeated the previous year’s estimate that the volume of money laundering in the UK was in the ‘hundreds of billions of pounds’” [how many hundreds – do we mean £200,000,000,000 or £999,000,000,000?].)  And if money laundering is hard to measure, then the effect of AML on that uncertain figure is all but impossible to gauge.

Conversely, expenditure, income and profit are all very easy to measure, alongside any other thing you can count.  Regulated firms can report how much they have spent on AML, how many compliance staff they have, how many SARs they have made – and the regulator demands this information in annual financial crime returns.  In their turn – and for the pleasing of their governments, who underwrite them – regulators tell us in their annual reports how many AML supervisory visits they have made, how many warnings they have issued, how many fines they have levied.  Until we find a way to measure the uncountable, people will continue to measure the countable – and to punish those whose numbers are not right.