The publication on September 20 by the International Consortium of Investigative Journalists (ICIJ) of information stemming from one of the US anti-money laundering watchdog has created a new wave of outrage around the globe. A number of internationally active banks are named and shamed, politicians in various countries are calling for parliament hearings and banking reforms, AML regulators and public prosecutors are requested to take actions, and customers are challenged in their trust towards their banks. Before sharing few reflections, let’s try first to understand what we are talking about, at the risk of over simplifying a rather technical and complex topic.
Data
In line with Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) requirements, banks are required to exercise continuous vigilance about the activities and operations of their clients. When they detect indicia that lead to a suspicion of money laundering or financing of terrorism, they are due to file a suspicious activity report (SAR) to their Financial Intelligence Unit (FIU), which is entrusted with analyzing the combined intelligence gathered and with taking appropriate measures. FinCEN serves as FIU for the United States.
In this specific case, ICIJ had access to a number of SARs filed to FinCEN by the US banks based on their AML/CTF detective activities. Although ICIJ mentions on its site that "Suspicious activity reports reflect concerns by watchdogs within banks and financial institutions, and are not necessarily indicative of any criminal conduct or other wrongdoing », there is a high likelihood that many operations involving « dirty » money are revealed in this investigation due to the very nature of said reports.
Nested correspondent banking accounts
The scope of the ICIJ investigation covers activities provided by banks (named « correspondent banks) to other banks (named respondent banks). Correspondent banks execute and process transactions for customers of respondent banks. Correspondent banks generally do not have direct business relationships with these customers, which may be other banks established in jurisdictions other than that of the correspondent bank. This type of services is called «nesting correspondent banking » i.e. the use of a bank’s correspondent relationship by a number of respondent banks through their relationships with the bank’s direct respondent bank to conduct transactions and obtain access to other financial services.
Because of the structure of this activity and the limited information available regarding the nature or purposes of the underlying transactions, correspondent banks are particularly exposed to money laundering and financing of terrorism risks; they very much depend on the strength of the AML/CFT programs of the respondent banks, which themselves also rely on the AML/CFT programs of their own respondent banks.
What went wrong ?
Many things. In a nutshell, there are essentially 3 types of banks mentioned in the FinCEN files : (1) the US correspondent banks that have filed the SARs to FinCEN, (2) the banks that have made available their account at the US correspondent banks to be used by their client-banks, and (3) the latter banks that have initiated the transactions involving suspicions of money laundering or financing of terrorism.
This does not mean that the banks having filed the SARs are necessarily exempt from criticisms : the investigation reports that some of those banks have filed SARs years after the suspicious transactions were executed, depriving authorities from important pieces of intelligence that could have been used to stop criminals. FinCEN’s (lack of) follow up given to SARs is also under scrutiny. And last, the investigation does not say much if the second category of banks have filed SARs with their own FIU. Although everything is a matter of nuances, the overall picture is far from being rosy.
Looking backward, looking forward
- First of all: more and better should be done by all who are active in AML/CFT. No one will argue about that; the detection ratio of 2% out of USD 2 trillions of dirty money flowing through the financial system every year speaks for itself.
- It would be probably too easy to say that what is disclosed now by ICIJ is a picture of the past. It is however certain that since 2017, a lot of excellent work has been done by many professionals to strengthen the prevention, detection and response capabilities of banks in the fight against money laundering and terrorism financing.
- Too little, too late ? Looking with hindsight (and in silo) would probably lead to that conclusion. However, AML/CFT - although always high on the agenda of most compliance programs - was not the only critical challenge to be addressed by banks during that period. The financial crisis of mid-2008 continued for years to impact the profitability and financial strength of many banks. The tsunami of regulations that followed the crisis - requiring timely and effective implementation - triggered trades-off to be made in regulatory budgets that were already under pressure. The attention given then by many authorities and regulators in the financial crime area on sanctions & embargoes, with significant fines imposed along the way, contributed heavily in the prioritization process of the (scarce) compliance resources to be allocated in that area.
- De-risking is often considered by many as the answer i.e. stopping an activity based on a revised risk appetite that takes into account exposure to reputational and liability risks, amount of financial penalties imposed by supervisory/law enforcement authorities, and increased compliance costs associated with implementing conflicting regulatory requirements. This is however not welcomed by regulators that consider de-risking as being a too easy way to avoid responsibility and that could trigger collateral damages. It is the reason why FATF issued its guidance on correspondent banking services in October 2016. In this document, FATF expressed its concerns about situations where financial institutions terminate or restrict business relationships with entire countries or classes of customer in order to avoid, rather than manage, risks in line with the risk-based approach. It is feared that de-risking could drive financial transactions into less/non-regulated channels, reducing transparency of financial flows and creating financial exclusion. In its guidance, FATF reminds banks that it is not required to conduct customer due diligence on the customers of their customer (KYCC), limiting their questions on underlying transactions to their direct client i.e. the respondent bank. In such a context where de-risking is only a remote option, banks are - by design - caught between a rock and a hard place.
- Talking about dilemmas, banks are at a disadvantage to communicate properly over this matter as they are obliged to keep confidential any information relating to specific cases and can only comment in general terms on their AML/CFT activities because of the sensitivity of the topic. This has been reminded by FinCEN in its reaction to the ICIJ publication, mentioning that the unauthorized disclosure of SARs is a US crime that can compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports. While this could be frustrating for the journalists who would like to get additional details or be in a position to nuance their article, most readers of newspapers might have the impression that banks' generic explanatory statements in this kind of situations might be a way to avoid facing their responsibility, which in turn could contribute to intellectual shortcuts like bankers = criminals. This very limitation of sharing information on specific cases, even between authorities and banks, has been identified as one of the (many) weaknesses of the system. Several initiatives at national and international levels are currently under way to facilitate such sharing so as to build on the collective knowledge and expertise of the AML/CFT actors. This gives some confidence that the future will be different from the past.
- Another hope comes from the availability of new technologies, which make wonders when good data are available and algorithms calibrated smartly and reviewed regularly. Now seems the right time to take the first steps to implement real-time pre-transaction monitoring with blocking capabilities, similar to what is already applied in the fraud and sanction areas. This would require having in place detailed transactions & activities profile for each client, determined at the time of account opening, with pre-defined patterns of « normal » behavior that would stop any transaction that would not match said patterns, triggering additional questions and due diligence measures. Although rather complex to put in place from an operational point of view, this would significantly enhance the effectiveness of the prevention framework and force documentation and transparency by the clients ex ante, avoiding that banks run after the facts i.e. when the dirty money has already moved into unaccessible territories.
So what next ?
Compliance is not an activity; it is an outcome.
At the start of the fight against Financial Crimes, banks were deemed to be part of the solution by contributing to the intelligence-gathering process of those who have the specific mandate to find and stop criminals. With the increasing number of negative press and the significant amount of fines imposed due to lack of sufficient compliance with formal requirements, public perception has moved towards the (wrong) assumption that banks are the main cause of the problem.
A more effective approach is to move towards defining a single shared goal for all stakeholders i.e. finding criminals.
This requires a shift in the design of the control framework and in regulators’ supervisory practices. We are currently far from an agile approach since each category of contributors has a specific duty to fulfill that is not leveraging on the collective knowledge and intelligence available.
In other words, we need to embrace what McKinsey calls a "global investigator-centered strategy" to achieve meaningful results.
It is about time to move the focus from mere regulatory compliance ("do things right") towards outcome-led compliance ("do the right things »).