Emerging anti-money laundering risk for non-financial institutions
September 2018 | PROFESSIONAL INSIGHT | FRAUD & CORRUPTION
Financier Worldwide Magazine
September 2018 Issue
Do you know who pays for your products? Banks and other financial institutions have been grappling with issues of knowing their customers for years. But what about non-financial institutions which receive payments from unverified third parties for goods and services provided? This question has come to the fore in the wake of recent global money laundering scandals, which drew attention to complex international webs of money transfers designed to conceal ownership information. Manufacturers, distributors and other non-financial institutions increasingly find themselves in the cross-hairs of would-be money launderers. As a result, they find themselves subject to reputational risk, potential entanglement in expensive investigations and the challenge of how to scale and scope an anti-money laundering (AML) compliance response that reflects the risk but at the same time is practical for a company that operates cross-border and wants to receive payment for legitimate business activities. Publicly-listed companies may face additional risks to the extent the issue is viewed by regulators or external auditors as affecting internal controls for financial reporting or the company’s disclosures regarding its compliance and control environment more generally.
As information continues to emerge regarding Danske Bank’s alleged facilitation of the laundering of more than $8bn in funds originating in Europe and Asia, many non-financial institutions will likely find themselves caught up in the payment web. Involved companies – whether they transferred the funds or retained them – will no doubt face pressure to explain why and how they accepted tainted funds. Whereas a decade ago banks were seen as the main industry at risk for illicit money transfers, recent global money laundering scandals have demonstrated that non-financial institutions should be cautious in receiving payments from third parties, as well. Companies, which are not subject to the same stringent know your customer (KYC) regulations as financial institutions, are struggling to calibrate the appropriate level of due diligence and other steps they can take aimed at identifying third-party account payors. This calibration is important, not just because of possible enforcement action, but because of the possible reputational harm that comes from being the recipient of publicly disclosed laundered funds.
Calibrating due diligence
Companies are choosing to address (or not address) these enforcement and reputational risks in a variety of ways. On the more aggressive end, companies may point to the absence of regulation and accept payments from any sources for products legitimately provided. However, this approach is short-sighted because companies subject to jurisdiction in the US or another country with an active AML enforcement regime can find themselves embroiled in the growing number of AML investigations or even subject to enforcement actions to the extent regulators view them as participants in money laundering or wilfully blind to illegal activity. Companies are grappling with difficulties identifying the sources of funds in a variety of commercial (as opposed to banking) settings. The attendant risks are especially high if such institutions issue refunds, make any sort of return payments to the third-party payors or engage in transactions where product is not delivered or that otherwise bear the trappings of trade-based money laundering schemes.
On the most conservative end, companies will reject payments from non-vetted third parties. This approach comes at a potentially huge financial cost resulting from lost accounts receivable or a significant increase in compliance and monitoring expense for companies with customers all over the world.
Most companies will likely end up between these two ends of the aggressiveness spectrum as they undertake a review of their processes. This middle ground is where companies have the opportunity to tailor creative solutions for their unique business models. While there are concrete steps companies can, and often should, take as a general matter, every business faces different risks and realities. The response to this issue should be tailored to the particular risk profile of the company.
When to conduct due diligence
A threshold question is when due diligence should be conducted in a third-party payor situation and how to arrange the customer relationship to account for that necessity. One option is that companies could do more when on-boarding a new customer to identify permissible third-party payors. For example, a company could ask a customer to identify potential payors on an account, and, depending on the level of due diligence anticipated for each, limit the customer to a certain number of payors, and enter into an agreement with the customer regarding steps to be taken if a payment comes in from a party not previously listed. To allay the financial burden, the company could consider charging customers for third-party payor vetting. The company could decide whether to conduct due diligence on third-party payors at onboarding, or only if such anticipated payors actually make payments. Both have their benefits – the first approach clears the way for payments, while the second could minimise costs for the company if the third parties do not effectuate payment. Another option is that a company could also seek representations or certifications to accompany any payments by third parties. For example, a company could add certain representations by customers to its purchase orders and require those purchase orders to be submitted with payment, or could require that a third-party payor acknowledge an online certification if submitting a payment electronically.
How much due diligence?
In calibrating the amount of due diligence required for third-party payors, a general rule of thumb is that third-party payors should be subject to at least the same level of due diligence as customers, especially those to whom the company would be extending credit. As part of the onboarding process, or as part of later due diligence on a third-party payor, the company could also require customers to confirm and vouch for any third-party payors. Together, these steps would, in addition to providing some AML comfort, assist in protecting the company from being taken advantage of financially.
Of course, the company should be particularly cautious when sending money out, such as when issuing a refund on a project, or returning an overpayment.
Reputational risk and the expense of increasingly involved and protracted AML investigations, outweigh the costs and time of performing due diligence on third-party payors. Such due diligence and general caution regarding third-party payors, even if not explicitly required at the moment, is expected by enforcement agencies, consistent with internal controls requirements for US-listed companies, and represents a best practices approach. However, given the lack of government standards in this area, variations among companies as to size, complexity and the predominance of third-party payors in the business model, the ultimate solution for a company should be carefully tailored to take into account the company’s unique considerations.
Ann Sultan is counsel and William P. Barry is a member at Miller & Chevalier. Ms Sultan can be contacted on +1 (202) 626 1474 or by email: asultan@milchev.com. Mr Barry can be contacted on +1 (202) 626 5974 or by email: wbarry@milchev.com.
© Financier Worldwide
BY
Ann Sultan and William P. Barry
Miller & Chevalier