One of the most common requests I hear when designing AML training for clients is for case studies (which I have blogged about recently) and for “lessons learned”. Alongside this, we have regulators regularly reminding us that their final notices (or regulatory decisions or whatever they call their findings when someone has been punished for AML shortcomings) should serve as quasi-guidance: for instance, in the recent finding against Betfred by the UK’s Gambling Commission, the public statement is concluded with a section of “Good practice – we consider that this case provides valuable learning for remote (online) and non-remote gambling operators”.
I am always more than happy to truffle out such lessons for clients to pass on to their staff, but a paper (titled “Deep Impact”) published in October 2019 by RUSI in London has made me pause for a moment. This is a “big picture” paper, considering whether we need to refocus our AML approach and base it on evidence and outcomes rather than on (in essence) the FATF’s Forty Recommendations. As the paper’s author Mathew Redhead explains, “despite substantial levels of private sector investment, doubts remain among practitioners and academics about whether the [FATF-based] model is effective, not only in terms of how well it is implemented, but in its impact on money-laundering metrics and wider costs and benefits”. Moreover, as the FATF-based AML model is now well-established and almost universally adopted by regulators, it is quite straightforward for them to levy penalties on institutions that fail to meet the standards – regardless of whether their failing leads to any money laundering. And the – perhaps inevitable – outcome is not favourable, if our stated aim is to create a hostile environment for money laundering and terrorist financing, as the RUSI paper continues: “Unfortunately, the potential punitive risk that goes with being ‘wrong’ continues to bias the private sector towards over-investment in preventative measures and over-reporting, despite regulatory advice to the contrary. This makes ‘real-life’ effectiveness for financial institutions a matter of balancing the costs and risks of regulatory action against the size and efficiency of their compliance functions. The ultimate focus is not therefore on the reduction of money laundering, but on protecting the institution and the bottom line.”
I suspect that the disconnect exists partly because it is so very difficult to measure money laundering while it is so very easy to measure money. (As this paper reminds us, “the UK’s National Strategic Assessment of Serious and Organised Crime 2019 repeated the previous year’s estimate that the volume of money laundering in the UK was in the ‘hundreds of billions of pounds’” [how many hundreds – do we mean £200,000,000,000 or £999,000,000,000?].) And if money laundering is hard to measure, then the effect of AML on that uncertain figure is all but impossible to gauge.
Conversely, expenditure, income and profit are all very easy to measure, alongside any other thing you can count. Regulated firms can report how much they have spent on AML, how many compliance staff they have, how many SARs they have made – and the regulator demands this information in annual financial crime returns. In their turn – and for the pleasing of their governments, who underwrite them – regulators tell us in their annual reports how many AML supervisory visits they have made, how many warnings they have issued, how many fines they have levied. Until we find a way to measure the uncountable, people will continue to measure the countable – and to punish those whose numbers are not right.
Gathered together, a diverse group of people involved in policy and practices fo payments would be able to make a credible estimate of how much ML is detected and how much passes by undetected.
That seems too easy, Alex – surely it’s been tried? What sort of payments do you mean?
Added to that the very widely drawn (especially in the UK) definition of ‘money laundering’ (so that a ‘money laundering’ offence may be committed where there is no money and no laundering) and it comes as no surprise that 450,000 Suspicious Activity Reports are submitted every year.
It does seem that the Reporting Sector would like to get more feedback on what happens to their STRs. This is surely measurable. A very simple and potentially automated measure would be a when any part of an STR has a positive hit with any part of a law enforcement database. I accept that it would be a crude indicator, with a high risk of false positives, but it would be a start. This measure does not confirm law enforcement interest or action, and so the risk of tip off is not relevant. For me, from a law enforcement perspective, the biggest single thing I want from an STR is a link with something I am already working one, or could work on if there was a positive hit. Of course I want a fully analysed STR that initiates a case, but frankly, that is unusual.
That’s a terrific idea, Tristram – and it doesn’t sound too difficult to programme into the system. Let’s hope that someone involved with the design of SAR Online is reading this…