I first started designing and delivering AML training in 1996. That’s a full quarter-century ago. And can you imagine how many times I have said, over those twenty-five years, things like “check regularly for PEPs – regulators are hot on EDD for PEPs” and “make sure you chase down any deficiencies in CDD as quickly as possible”. These are not new concepts. And yet still – still – we are seeing regulators taking businesses to task for the most basic of AML failings. We’re not talking about people wrestling with the finer points of defence SARs or struggling to define legal professional privilege – it’s the really basic, obvious, well-documented stuff, spelled out in everyone’s guidance, that is still being done wrong.
In a Guernsey finding at the very end of 2020, we read of a client who was “an ultra-high net worth individual from a high-risk country [who was] working with and being associated with individuals who were politically exposed, [while himself] being involved in the management and control of state (high-risk country) owned organisations linked to armaments, the extractive industry and IT services for the military” – and yet the business concerned “failed to identify the client as a PEP for the first ten years of the relationship”. To misquote Chandler from “Friends”, could the client BE more PEPpish?
Three weeks earlier the Maltese authorities had fined a “prestige” credit card provider for various AML failings: one client had declared an annual income of £150,000 and then over a few months made €1.2 million in payments – most “transferred into the company’s bank accounts from the company’s interrelated company incorporated in Hong Kong”, but no processes were in place to identify the source of those funds. Source of funds? Really?
And in June 2020 the UK’s FCA fined Commerzbank an eye-watering £37,805,400 for numerous shortcomings in its AML regime – made all the more baffling because “they occurred following visits by the Authority to Commerzbank London in 2012, 2015 and 2017 to discuss issues relating to its AML control framework, during which the Authority identified weaknesses that Commerzbank London was to address”. Again, these were not complicated issues: for instance, “2,226 existing clients were overdue refreshed KYC checks” and “[the bank’s] automated tool for monitoring money laundering risk on transactions for clients… did not have access to key information from certain of Commerzbank’s transaction systems”.
Hello? Is anyone listening? These are standard, basic AML requirements. Please don’t make me wonder whether I’ve wasted that quarter-century.
Happy new year Susan – let’s hope 2021 and the continued implementation in Guernsey of the new AML/CFT Handbook will mean that more firms take this chance to ensure they are doing all of the basics. In my experience, firms are often excellent on, say, 80% of the requirements but the remaining 20% of PPCs have issues which are often easily rectified by checking the fundamentals. I share your continued frustration – as I am sure do many other compliance specialists – as it also seems to take more than one of us pointing out the issues before action is taken.
Happy new year to you too, Dawn. The thing I find most baffling – on both sides of the equation (i.e. for both regulated entity and regulator) – is how it goes on for so long! If someone tells you that you’re doing something wrong, you set it right quick smart – not wait a decade and then still get it wrong! I can’t imagine other regulator/regulated relationships being as forgiving – I’m sure that if I got my tax return wrong, HMRC wouldn’t give me a decade to sort it out. Shall I try it?
I agree Dawn. My starting position has always been and continues to be – You don’t need a Handbook to get the basics right. I believe firms need to be less reliant on the Regulator and more reliant on their own responsibilities to protect their business. Compliance culture is a thing.
The Commerzbank one is interesting – skimming the report, the Frankfurt head office seems to have been a significant part of the problem. Coincidentally, I see BaFin is under fire for various failings (“Why Germany should shut down BaFin” writes Patrick Jenkins in the FT).
Yes, it often turns out to be a problem coming right from the top – what is it they say about fish rotting from the head? If the AML tone is not there at the highest levels – including head office – then why would anyone else take it seriously? It’s not just the lack of example – it’s the suggestion that doing or not doing AML will be immaterial when it comes to any internal review or assessment of branches, departments or individuals.