I’m not going to attempt to foretell the impact that the current pandemic will have on our financial systems or on financial crime – there are many people much better qualified than I to do that. For instance, the tip-top think-tank RUSI has published a commentary on how organised crime – and the forces ranged against them – might react to the new environment. Anita Clifford of Bright Line Law has written a helpful piece on the implications of AML and CDD for a financial sector in home-working lock-down. And we already know that even FIUs are having to adjust to working in new ways.
Rather, what I want to consider today is the long-term impact that this unforeseen (for most of us) and devastating (for some of us) disruption will have on how we frame our future due diligence endeavours. First, in most jurisdictions the AML requirements are predicated on a risk-based approach: you adjust the level of due diligence, monitoring, training, etc. depending on the level of (money laundering and terrorist financing) risk presented by a situation – the type of client, or the size/origin of transaction, or the duties of the member of staff. Business continuity plans are coming into their own, but I am fairly sure that the majority of them were designed for a fire at the office, or the crashing of a key server, or the kidnap of the Board of directors (now, now, no wishful thinking) – I doubt many were designed with a global shutdown in mind. In other words, our concept of risk has taken a battering, and I can imagine that once we’re allowed back to work as normal, business risk assessments will be pulled out of storage for a careful examination in the light of the “new normal”.
And second, every person who goes on their first, baby AML course is told that they are obliged by law to report any suspicion of money laundering, and that this cannot be done for them by a computer (such as a transaction monitoring system) because computers have no hearts or souls and therefore can spot only the unusual, not the suspicious. So what now is “usual”? In the past, a reliable client who suddenly took out large sums of cash, or refused to come into the office in person, or changed his mind about investments or contracts on a daily basis would appear unusual – now, he’s merely being prudent. When the dust settles, how will we tell the difference between those whose finances and decisions went haywire because of the pandemic, and those who are simply using that as a cover story for illicit money movements?
Susan, Hope you are well in sunny(?) Cambridge. Interesting thoughts for a ‘locked down’ sunny but cool day. The new world (hopefully slightly more balanced and sensible than the old) is beginning to emerge! Maybe we will move from believing that Tech is the ultimate solution to everything to realising that it is a tool for humans to use to their advantage but it is not the answer in all cases – that would/could be quite a leap in the right direction –
Hello CDWOS – all is fine in yes, sunny Cambridge – thank you. I’ve just been reading an article about the spread of eID systems, so I think there may be an interesting dichotomy post-pandemic: both more and less technology!
I think this goes back to the difference between CDD and KYC. We are all over-focussed on due diligence, especially with the advent of electronic diligence databases and their approval by the regulators.
CDD, SCDD, ECDD etc are all about paper rather than knowledge. As an MLRO checking an internal SAR I need to understand a client’s risk appetite, investment profile, business model and work ethos; I am less concerned about whether we don’t have a recent copy of a utility bill.
One firm I work with (I’m a semi-retired compliance consultant and MLRO gun for hire) builds very detailed non-intrusive profiles of all the exposed persons they deal with. Not just the regulation PEPs-with-more-than-25% but every exposed person whether politically/commercially/media, and even if the connection is as remote as non-exec non-shareholder director of a 1% investor company. It’s not as onerous as it sounds and builds into a significant knowledge base. Profiles build up over time, are checked and updated regularly and are accessible at the click of a button.
The firm is in the process of extending this to all high-risk individual clients, and will eventually roll it out to every single client. The data collected is pure KYC and gives a behavioural benchmark to help the teams identify suspicious activity in the first place, and help the MLRO with the decision whether to externalise an internal SAR to the FIU.
I agree that extreme circumstances may change behaviours, but without the core KYC we will be drowning in IT-reported anomalies in no time.
Best regards from sunny Guernsey. Stay safe, drink wine.
Hello Mik, this sounds like an extremely enlightened approach – and I shall mull it for discussion in the next MLCO workshop. Slavish following of regulations has never served us well, and perhaps this removal of our familiar support systems will prompt us all to think of what we are actually trying to achieve (a deep understanding of our clients) and whether there might be a more efficient, more effective way to get there. Glad to hear that the sun is – as usual – shining on Guernsey!
I’m guessing that once the regulators are up and running again, they’ll be barraging financial services businesses with all manner of new questions and themes. So that will be another push toward flexibility and agility of software and process. (And if there’s still anyone getting by on semi-manual processing, it’ll be another nail in the spreadsheet.)
Looking out to the farther horizon, I’m torn between two possibilities. On the one hand, as Mik says, there’s great benefit in devolving responsibility to FSBs to know-their-customers. On the other hand, I suspect there will be an increasing demand for information to go straight to the regulators, so they can apply big-data techniques to look for trends and connections.
Interesting, your last point raises 2 thoughts. 1. If the information is going straight to the regulator, why are we required to keep such detailed records & registers, as the regulator holds all relevant information? We simply need access to it as and when. 2. Are they accountable and liable for all this data, sensitive, personal information that they will be gathering and holding?? I won’t hold my breath on either point.
Of course when we get back to the ‘normal’ life in the ‘other’ island the focus will no doubt be heavily onto the IMF Evaluation visit 2021 & 2022 and don’t start me on MoneyVal/FATF evaluation of effectiveness – rows of dead and jailed to prove the law works!!
CDWOS, my interest was as head of dev at a software vendor – any trend toward centralisation of course has a major impact for product design.
As regulators committed to answering international requests (to a deadline), the registries wanted to hold more data – fully digitised (not simply as images of paper forms) and up-to-date.
In pursuit of this, I have seen two strategies from regulators. One is to offer APIs, allowing trust software to integrate. The other is for the regulator, together with a key RegTech developer, to build a central system that has a user interface but sometimes no API, that will allow you to query info, and that encourages “confirm this info is still valid” annual returns.
That second strategy is great for the key RegTech supplier, and less good for the trust software vendors.
Admittedly this is most apparent in reportable statutory data, and regulators aren’t yet trying to own everything the FSB knows. Nonetheless I think there’s a trend. IHateMoneyLaundering will be more up to date than me, but I think for example there are experiments with a central KYC register in India.
Many thanks for your contribution, Mark – and for your (flattering but misplaced) suggestion that I will be up to date with developments in India! I do try, but rely heavily on leads and links from other people. Please do comment again – all debate and discussion is good.
There is certainly a lot of concern being expressed, Cartebien, about whether we’ll be able to row back from “big government” once they get a taste of how easy it is to get their way without the interference of pesky citizens! You might be interested in this seven-minute interview with Lord Sumption, former justice of the UK’s Supreme Court: https://www.youtube.com/watch?v=JHE3OerDKEY
Interesting as usual, Susan
Prompts me to think you might be interested in the FCA’s AML guidance to investment firms / advisers in current circs: https://fca.org.uk/publication/correspondence/dear-ceo-letter-coronavirus-update-firms-providing-services-retail-investors.pdf
Headed “Client identity verification needs to continue, but firms have flexibility within our rules”. Covers remote verification and concludes “seek additional verification once restrictions on movement are lifted for the relevant client group.”
Ruth Gilbert Insuring Change 01573 224692
From: I hate money laundering Reply: I hate money laundering Date: 1 April 2020 at 10:59:34 To: email@example.com Subject: [New post] Looking to the post-pandemic future
Hello Ruth, many thanks for the link – I shall take a look. I don’t want to criticise without reading, but my initial (Eeyore-ish) thought is that people could take a lot of advantage of this – clients claiming that they are still under restrictions when they are not, or firms claiming it, etc. We’ll all need to be very vigilant…