I have been called pedantic, but that’s not strictly accurate. The fact is that I make my living from – and spend much of my leisure time with – words. Most compliance-y people are good at detail: at school we were the ones who always did what the teacher said (“Read all the way through all the questions before starting”) and as working people we’re the ones who fill in all the forms fully and correctly. Moreover, we know the importance of words. Precise and specific words. This matters greatly when wrestling with legislation and when dealing with regulators.
Let’s take a look at legislation first. I’m in the UK, so I will refer to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, but feel free to grab your own domestic AML legislation to play along. I’m turning, feverishly, to Regulation 28, which sets our “Customer due diligence measures”, and it says this: “The relevant person must – (a) identify the customer… (b) verify the customer’s identity…; and (c) assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.” Later on, in Regulation 35, and with reference to PEPs and EDD, it says this: “A relevant person [with a PEP client] must… take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person.” Can you see those words? We have “identify”, “verify”, “assess”, “obtain information on” and “establish”. I’m not going to go into a great dissection of their specific meaning (that’s for training, not a blog post), but it’s important simply to see that they are different. The people who drafted and approved the legislation chose them carefully (assessment is not verification, and obtaining information is not establishing), and we must obey them.
And now let’s have a little think about regulator-speak. As you almost certainly know, you can open any AML/CFT guidance – take your pick from at least half a dozen versions in the UK – and you will soon spy three levels of obligation: must, should and could/may/might. If something is expressed using the word “must”, you as MLRO have no choice: it’s either straight from the legislation (and not doing it is a criminal offence) or it’s a regulatory obligation (and not doing it puts you at risk of losing your licence). If something is couched in the woolly words – could, may, might – then it’s up to you: it’s a suggestion, but if you have a preferred alternative, then so be it. But it’s the middle one that catches people out: the “should”. If a regulator says that you “should” do something, the expectation is that you will do it and if you don’t, you will explain clearly why you have not done it – conform or confirm, if you will. Too many firms think that “should” and “could” are equivalent – it’s a dangerous stance. And I have chosen that word carefully.