ReportTitle_SRQ&A2.jpg

Q&A: AML and sustainable compliance

February 2021  |  SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION

Financier Worldwide Magazine

February 2021 Issue


FW discusses AML and sustainable compliance with Jonathan Ritson-Candler at Latham & Watkins, Lisa Lee Lewis at Norton Rose Fulbright LLP, and Jennifer L. Sutton at Sullivan & Cromwell LLP.

FW: Reflecting on the last 12 months or so, what do you consider to be among the key developments affecting anti-money laundering (AML)? How intense is the pressure on companies to do more to counter financial crime?

Ritson-Candler: The pressure has never been greater with the clear direction of travel being that anti-money laundering (AML) and counter terrorism financing (CTF) is at the top of the regulatory agenda. There have been two key developments in the past 12 months that serve to illustrate this. The first is the entry into force of the Fifth Money Laundering Directive (MLD5) across the European Union (EU), including the UK. MLD5 supplements the Fourth Money Laundering Directive (MLD4) and brings a number of enhancements to bolster AML and CTF efforts. For example, MLD5 imposes a requirement on firms to flag any discrepancies they discover between their client due diligence and the persons with significant control register at Companies House. There are more granular enhanced due diligence obligations. It provides law enforcement authorities with the ability to request ownership information on bank accounts and safe deposit boxes, and a new centralised bank account portal run by HM Treasury to facilitate this. It also expands the scope of the key AML and CTF rules to apply to a broader universe of firms. The second key development is the marked increase in significant fines by regulators in the UK and EU for AML and CTF failings, such as those for Swedbank, Commerzbank and SEB. The final notices set out, in detail, the identified issues, and firms would be wise to review these and close any gaps. Taken together, the increasingly detailed regulatory requirements in MLD4 and MLD5, coupled with regulators’ interest in taking enforcement action for failures in AML and CTF compliance, should result in firms either re-evaluating their AML and CTF systems and controls – where they may have not been reviewed in some time – or, at least, running a gap analysis to check they are fully up to speed with the latest requirements and the takeaways from the fines.

Sutton: Key developments over the last 12 months include an increased emphasis on employing technology in financial crimes compliance and, in the US in particular, modernising the AML regime. Technology and modernisation are themes throughout the US Anti-Money Laundering Act of 2020, which the US Congress enacted on 1 January 2021 as part of the annual defence spending bill, after overriding a presidential veto. The Act will modernise and reform the country’s AML regime for the first time in decades. There is, and likely always will be, intense pressure on financial institutions to do more to counter financial crime – pressure that can seem even more acute when ‘doing more’ runs the risk of noncompliance with outdated regimes. The 2020 AML Act and other efforts at modernisation have the potential to afford financial institutions greater room to adapt in the face of such pressure.

Lewis: There has certainly been a continued focus and expectation on AML compliance. Aside from the challenges presented by the global pandemic, there has been a raft of new regulatory changes implemented over the last 12 months. From an EU perspective, 2020 was bookended by the implementation of MLD5 in January 2020 and the Sixth Money Laundering Directive (MLD6) in December 2020. The EU also updated its list of high-risk third countries in October 2020 and committed to a new comprehensive action plan in May 2021. This focuses on preventing money laundering and terrorism financing through six pillars and is anticipated to be delivered by the end of next year. In addition, we have also seen an increased appetite among prudential supervisors to consider the AML agenda in their supervisory remit, particularly in light of the European Banking Authority’s opinion setting out how prudential supervisors should consider money laundering and terrorist financing risks in their supervisory approach. The expanded remit of the scope of the EU MLDs, augmented with additional scrutiny from wider authoritative bodies, has placed an even greater pressure on a wider scope of firms from an AML compliance perspective.

With government stay at-home mandates and closures, customers are increasingly availing themselves of online banking solutions, leading to greater risks associated with customer due diligence and verification.
— Jennifer L. Sutton

FW: In what ways has the coronavirus (COVID-19) pandemic impacted AML risks, as well as related compliance processes and procedures? How are systems being adapted to respond to the pandemic environment?

Sutton: Law enforcement authorities have anticipated, and ultimately observed, a wide variety of coronavirus (COVID-19)-related financial crimes. They are seeing new schemes and novel spins on old schemes prompted by the pandemic. At the same time, with government stay‑at-home mandates and closures, customers are increasingly availing themselves of online banking solutions, leading to greater risks associated with customer due diligence and verification. Given these considerations, it is fair to say that both general financial crimes risk and demands on financial crimes compliance functions have rarely, if ever, been greater. Financial institutions are endeavouring to adapt AML systems and controls to account for these increased risks and demands, including by modifying systems and controls to address new typologies and trends and increasing AML compliance resources.

Lewis: The COVID-19 pandemic brought about an unprecedented level of change and forced major disruption, particularly in the financial markets. Financial institutions have had to severely adapt their customer due diligence (CDD) and know your customer (KYC) processes to accommodate restrictions in face-to-face interactions and challenges in obtaining and verifying physical documentation. They also had to recalibrate transaction monitoring parameters to adequately and proportionately respond to changes in consumer behaviour and increased incidents and sophistication of fraud and cyber crime. As workforces have largely transitioned to a long-term working from home environment without the benefit of connectivity and seamless interaction with peers, this has led to a decreased ability to self-police within the first line of defence, as well as limitations in compliance oversight in the second line of defence.

Ritson-Candler: The challenges associated with working from home have resulted in some firms finding it more difficult to perform their typical periodic review of clients and ongoing monitoring. The UK Financial Conduct Authority (FCA) has published guidance for firms, stating that it recognises firms may need to reprioritise or reasonably delay certain AML and financial crime compliance activities, but should only do so on a risk basis and with a clear plan to return to business as usual review processes as soon as reasonably possible. Firms have, therefore, been grappling with balancing this against the heightened risk of criminals looking to take advantage of the pandemic to exploit any weaknesses in their AML and CTF policies and procedures.

FW: What impact is the regulatory environment – such as the EU’s Anti-Money Laundering Directives (AMLDs) – having on companies’ AML compliance efforts? What penalties do businesses face in the event of a breach?

Ritson-Candler: The EU has adopted MLD4, MLD5 and MLD6 – the latter entering into force on 3 December 2020, designed to strengthen and harmonise criminal penalties for money laundering and terrorist financing across the EU, and which the UK did not implement given that, essentially, the same criminal penalties are already in place – at a record pace in recent years. These Directives have required significant changes to domestic civil and criminal AML and CTF rules, which has left firms struggling to keep up, as well as member states, some of which have failed to implement the Directives in time. Given Brexit and the COVID-19 pandemic, some delay in implementing the new rules may be understandable. However, penalties for breaches of AML and CTF requirements range from up to 14 years imprisonment to unlimited fines, meaning firms should use best endeavours to ensure ongoing compliance. Therefore, the pace of regulatory change and the sharp increase in regulators’ appetite to pursue and enforce AML and CTF breaches – and the severe penalties available to regulators – means we are increasingly seeing AML and CTF issues as a ‘deal breaker’ diligence topic in M&A transactions. Similarly, we have seen particular interest from underwriters and the mainstream press in the event AML and CTF issues are discovered and later disclosed as risk factors in offering documentation in initial public offerings.

Lewis: There is much for firms to do just to remain compliant. From an MLD4 perspective, in July 2020, the European Commission (EC) referred three member states to the Court of Justice of the EU (CJEU) for failing to fully transpose MLD4 provisions into national law over three years after the July 2017 deadline. 2020 also saw the requirement for transposition of the fifth and sixth MLDs into national law in member states. In particular, MLD5 expanded the perimeter of AML regulation to letting agents, art market participants, cryptoasset exchange providers and custodian wallet providers. It also introduced specificity around the application of enhanced due diligence (EDD) measures and beneficial ownership identification. MLD6 introduced a harmonised and defined set of 22 money laundering predicate offences applicable across all member states, as well as sanctions at institutional level. All of these changes will need to be considered to inform not only core AML controls such as KYC and transaction monitoring, but also risk appetites and risk assessments, governance and oversight mechanisms, and training.

Sutton: The AML regulatory environment is constantly evolving. To be truly effective, institutions’ AML compliance efforts need to also constantly evolve. The EU’s MLD4, as amended, and the US’ 2020 AML Act reflect two of the most significant evolutions in the regulatory environment in recent memory. Years of work will be required to implement the 2020 AML Act’s provisions, and still additional years will be required for financial institutions to bring their compliance efforts into alignment. While we anticipate that appropriate implementation runways will be established, the consequences of breach can be severe. In the US, it is not uncommon to see criminal actions for AML-related violations with fines in the hundreds of millions of dollars, and there is no reason to believe that will change any time soon. In fact, the 2020 AML Act substantially heightens available fines for certain AML-related violations.

A range of global regulators and supervisory bodies have highlighted the need for greater collaboration and information sharing, both across different jurisdictions and between public and private sector market participants.
— Lisa Lee Lewis

FW: What advice would you offer to companies seeking to create a sustainable programme that ensures ongoing compliance with the evolving AML landscape? What are the main issues and challenges that need to be overcome?

Lewis: Firstly, firms need to be continually horizon scanning to keep on top of legal and regulatory AML developments, both at a local and global level, including market practices. They should then perform a gap analysis to understand the implications of any of these in the context of their business and jurisdictions and create a prioritised action plan in order to deliver the uplifts identified. This may inform the need for reactive reviews which could be beneficial given the evolving regulatory environment to gain valuable insight into the root causes of any gaps identified and prioritise control framework enhancement activity to address these. Secondly, interplay between the different roles in an organisation is crucial to mitigate issues with regard to delineation of responsibility and segregation of duties. Those bringing in business should be equipped with the tools and knowledge to understand and own financial crime risk, as a first line of defence. The compliance function should act in both an advisory and oversight capacity, and also perform regular monitoring and reviews to gain comfort that policies and procedures are being executed in the intended manner, as a second line of defence. The internal audit function, as a final, third line of defence, should also perform regular, independent reviews of anti-financial crime systems and controls. Firms could also consider gaining external advice and assurance to help provide third-party checks and balances and insights into market practices. Finally, investment in technology is likely to be a case of when, not if. This is particularly pertinent in larger institutions which often operate using fragmented, disparate and legacy systems.

Sutton: A number of factors contribute to an AML programme’s sustainability, including, to name a few, human resources, technology, processes and procedures, culture and governance. The factors applicable to a particular institution should all be considered and properly balanced; an imbalance has the potential to impede sustainability. For example, simply adding human resources alone ad infinitum will not contribute to sustainability. Striking the appropriate balance can be challenging. Among other reasons, the technology and processes and procedures in place at financial institutions often evolved over many years to address specific audit or regulator-identified gaps or issues. These solutions may not have been intended to be long term, yet frequently that is what they have become, including due to concerns that transitioning to more strategic long-term solutions, absent explicit regulatory sign-off, could present compliance risk. To truly foster sustainable AML compliance, institutions need to be afforded the flexibility to strike the proper balance.

Ritson-Candler: First and foremost, it is important to ensure AML and CTF risk assessments are up-to-date and reviewed at least annually. MLD4 set out the express obligation to have a risk assessment in place that informs a firm’s risk-based approach to managing money laundering and terrorist financing risk – from CDD to ongoing monitoring. Without a thorough risk assessment, it will be difficult for a firm to say to a regulator that it complies with AML and CTF obligations. Otherwise, to have money laundering and terrorist financing as an ongoing agenda item for legal and compliance teams, and to keep on top of different sources of guidance – both national and international, such as guidance from the Financial Action Task Force (FATF) and the Joint Money Laundering Steering Group (JMLSG) in order for firms to demonstrate that they are tracking a rapidly evolving landscape.

FW: What benefits are new technologies – such as artificial intelligence, machine learning and cognitive processes – bringing to AML processes? How are they assisting companies to achieve sustainable compliance?

Sutton: As criminals become more sophisticated and employ new technologies and techniques to move illicit funds, it is becoming increasingly difficult for financial institutions to effectively monitor, detect and report potentially unlawful activity using traditional approaches. This negatively affects the ability of financial institutions to appropriately assess risk and has a direct and tangible impact on sustainability. A less-than-effective programme that does not adequately account for risks simply is not sustainable. New approaches, such as robotics, cognitive automation, artificial intelligence (AI), including machine learning (ML), and other new technologies have tremendous potential to improve AML programme effectiveness and the risk assessment process. For this potential to be realised, though, regulators, law enforcement and national security authorities must work together and, critically, with financial institutions to both support, including through information sharing mechanisms, and employ these new technologies.

Ritson-Candler: We have seen firms utilise certain technology solutions for AML purposes for some time – for example, third-party software to run politically exposed persons (PEP) and sanctions screens and generate alerts on new and existing clients, as well as to run adverse media searches. We have also seen FinTech firms use virtual data capture solutions for onboarding clients and gathering identification and verification information. Given the shift to remote working and social distancing brought about by COVID-19, we expect to see more and more ‘established’ firms using similar technology to streamline and automate some of their AML and CTF processes, and to avoid the backlogs that attracted criticism in certain recent fines.

Lewis: Technological developments are already, and will likely continue to be, hugely beneficial in the compliance space, for both process optimisation and risk management perspectives. There has been significant development in concepts such as AI and ML, particularly in an alert management context. Further, regulators globally have largely demonstrated support and endorsement for investment in these types of technologies. However, this does not mean firms should be moving toward making sole use of online software tools or third-party digital identity providers. Ultimately, firms need to be comfortable that they understand who the customer is, that the evidence obtained reflects that of the customer’s risk profile, that the decision-making process is adequately documented irrespective of the type of technology used, and that staff regularly receive appropriate training.

With the UK having left the EU, a key watch point will be for any future divergence between the UK’s domestic AML and CTF regime – both criminal and civil – and the EU rules.
— Jonathan Ritson-Candler

FW: What are your predictions for the AML compliance landscape in 2021 and beyond? How are regulations likely to evolve?

Lewis: EU AML legislation over the last few years has continued to emphasise the application of a risk-based approach. We would expect this trend to continue on a global level, with regulators expecting firms to demonstrate how they make decisions on a risk-sensitive basis, for example in a KYC context. We see this being augmented through a continued regulatory focus on execution and operational effectiveness of AML systems and controls, rather than just relying on a robust design. Legislative developments are also expected to run parallel with technological and societal developments and trends. For example, we are expecting to see new cryptocurrency legislation and guidance coming down the track from the EU, and medicinal cannabis AML issues continue to grow particularly in the US and Canada. Additionally, a range of global regulators and supervisory bodies have highlighted the need for greater collaboration and information sharing, both across different jurisdictions and between public and private sector market participants. This approach is also reflected in the EU AML legislation as well as being advocated globally by the FATF. Intelligence-led approaches are therefore expected to be translated into further legislation to help combat money laundering, and its predicate offences, from a holistic and global perspective.

Ritson-Candler: With the UK having left the EU, a key watch point will be for any future divergence between the UK’s domestic AML and CTF regime – both criminal and civil – and the EU rules. The EU and UK rules will ostensibly be the same immediately following the end of the transition period, but the UK will have the ability to develop its own rules which may move away from the EU approach over time. This will create additional nuances for both firms and clients that will need to navigate these differences. Similarly, UK firms that currently rely on the CDD performed by EU regulated firms will no longer be able to do so – which may mean a material change to their in-house onboarding processes is required. Other than the effects of Brexit, we foresee the rules only becoming more detailed and more harmonised at EU level. The EC is considering implementing a single EU AML and CTF rulebook and creating an EU level AML and CTF supervisor.

Sutton: Most financial institutions have settled into the ‘new norm’ associated with operating amid a global pandemic and widely available vaccines are on the horizon, so there likely will not be significant further COVID-19-related adjustments or developments in 2021. In light of the 2020 AML Act’s enactment in the US, we will likely see the US Treasury and the Financial Crimes Enforcement Network (FinCEN) play a much more active role in AML supervision and regulation and a series of rulemakings to implement the Act’s numerous substantive provisions. Core AML regulations will need to be revisited, with a view to the Act’s purposes. We are also likely to see continued efforts by FinCEN and other regulators to modernise and clarify aspects of the AML regime, a continued emphasis on technology and additional efforts to improve information sharing. Of course, there will likely also continue to be instances of significant penalties for AML lapses.

FW: What do companies need to do to ensure their AML protocols are adequate and sustainable, to maintain compliance on an ongoing basis?

Sutton: A number of factors contribute to an AML programme’s sustainability. To facilitate sustainability, those factors should all be properly balanced. A preliminary step financial institutions can take to foster sustainability might include conducting a sustainability assessment. As part of the assessment, the institution might identify factors relevant to the institution, assess any imbalances, and consider mechanisms to address those imbalances. Measures might include increasing, or decreasing, human resources, deploying new, or retiring old, technologies or policies and procedures, and fostering a culture that supports sustainability. Again, striking the appropriate balance can be challenging, and a key to doing so is ensuring that financial institutions are afforded the flexibility needed to strike that balance.

Ritson-Candler: My key recommendation would be to stop thinking of AML and CTF compliance as limited to a ‘box-ticking’ exercise to be completed as part of onboarding a new client. Regulators expect firms to have money laundering and terrorist financing risk at the forefront of their minds at all times and for staff throughout the firm – not just in legal and compliance – to be AML and CTF ‘culture carriers’. In light of the recent pace of change to the substantive rules, plus the noticeable uptick in the focus from regulators, staff should consider AML and CTF among the key pieces of ‘regulatory change’ from the past couple of years and feel comfortable speaking to these topics in the same way as they would the impact of the revamped version of the Markets in Financial Instruments Directive (MiFID II) or Brexit on their business.

Lewis: To ensure AML protocols are adequate and sustainable companies often need to go back to basics or remind themselves of the core principles and requirements. This might mean companies revisit the way the four-eyes principle is applied, or use a fresh pair of eyes to assess the adequacy and effectiveness of core focus areas, such as risk assessments, transaction monitoring, documentation, reporting, escalation, testing and training. Importantly, companies should ensure the foundational governance framework embedded within teams, departments, committees and the board can together act as an enabler of enhancements and allow for greater sustainability. It is therefore vital to bear in mind the companies’ operational resilience protocols, particularly in light of the changing nature of the pandemic, to ensure practices, systems and controls can keep pace with external changes and can continue to work effectively, despite unpredictable scenarios and events. Lastly, applying lessons learnt from previous regulatory communications, investigations and enforcement action is crucial, as regulators and enforcement bodies will not look too kindly on companies for repeated AML failings.

 

Jonathan Ritson-Candler is an associate in the London office of Latham & Watkins and a member of the global financial institutions industry group. Mr Ritson-Candler specialises in financial services regulatory advice and has experience advising a range of financial institutions and market infrastructure providers on domestic and cross-border regulatory issues. He can be contacted on +44 (0)20 7710 1815 or by email: jonathan.ritson-candler@lw.com.

Lisa Lee Lewis is head of advisory at Norton Rose Fulbright LLP. As an experienced lawyer and compliance professional, she has advised various domestic and global firms on many aspects of risk, compliance, governance and financial crime for over 14 years. In addition, she gained substantial experience at a global financial services firm, where she had responsibility for a wide range of regulatory compliance and financial crime matters. She can be contacted on +44 (0)20 7444 2184 or by email: lisa.leelewis@nortonrosefulbright.com.

Jennifer Sutton is a special counsel with over 15 years of bank regulatory and enforcement experience. Based in Washington, DC, she advises both domestic and foreign financial institutions on all aspects of bank regulatory and compliance issues, oversees and conducts internal investigations and reviews, represents clients in state, federal and foreign banking investigations and enforcement proceedings, and provides assistance in establishing, maintaining and monitoring Bank Secrecy Act/Anti-Money Laundering and consumer compliance programmes. She can be contacted on +1 (202) 956 7060 or by email: suttonj@sullcrom.com.

© Financier Worldwide


©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.