One of the trickier aspects of the MLRO’s job is the juggling act they have to perform to keep everyone happy – staff, Board (or whatever their firm’s top layer of control is called), regulators and investigators. Although this can be done, it takes a stern resolve, a stiff spine and a clear understanding of just who is entitled to just what. And one of the regular points of conflict is the sharing of information about SARs with the Board.
Some MLROs – notably, those working within FCA-regulated firms – are required to make an annual report to their Board, and most MLROs of my acquaintance (regardless of their sector or jurisdiction) choose to do this. Part of any MLRO annual report to the Board is going to be information about SARs – number of internal reports received and number of external disclosures made (which gives a conversion rate), and observations about any discernible patterns (e.g. the majority of reports are made by one member of staff in the take-on team, or no-one in the Birmingham office has even made a report, or a growing proportion of reports feature clients who are PEPs). Looking at it from the other side, Boards are required to make sure that they are conducting sufficient oversight of their firm’s AML/CFT regime, which will include checking that the reporting/disclosing system is working well. Where the conflict arises is when the Board demands to know more than the MLRO wishes – or is permitted – to say. Directors will sometimes want to see specific SARs, or will ask for the names of clients reported to the FIU. And this type of request triggers the “tipping off klaxon” with which all MLROs are fitted on appointment (a painless but necessary procedure).
Thankfully, this conflict is increasingly being recognised by regulators and by FIUs, and MLROs are being offered more guidance on just what they can and cannot (or should and should not) share – which gives them something to show their Board to explain their course of action. For instance, the JMLSG in the UK has produced a template for the MLRO’s annual report, which, in the section on reporting, suggests the following content:
- Internal reporting
- Summarise the number of internal reports made by business area. Distinguish between the number of reports picked up by central monitoring units and staff.
- Number of ‘false positives’ generated where internal reports were not forwarded to [the FIU]. Whether this has increased or decreased since the last report.
- Summarise the circumstances that may have led to increased/decreased reporting and consider any significant trends in reporting.
- Summarise any quality checks that are made by the Nominated Officer in the area of reporting.
- External reporting
- Note whether there have been any money laundering cases that have arisen where reports have not been made.
- Provide a breakdown by business area of reports passed on to [the FIU], and the number of reports that have not been made.
- Consider any significant trends in reporting that might require the Nominated Officer to change system parameters for suspicious transaction reporting. Indicate whether such changes have been actioned or are requested.
- Any feedback from [the FIU] on reporting, individually or by sector.
This makes it clear that the MLRO should be sharing anonymised, general information with the Board, post facto – and the Board should not expect to receive identifying information (about either reporting individuals or reported-on clients), and certainly should not expect to be involved in reviewing or (heaven forfend) approving the submission of SARs. Some MLROs – particularly those new to the job, or those working with particularly dominant directors – might feel obliged to share more than is necessary, or indeed safe. To them I say bon courage – the law is on your side.