The evolving AML and sanctions landscape in Germany
April 2023 | TALKINGPOINT | RISK MANAGEMENT
Financier Worldwide Magazine
April 2023 Issue
FW discusses the evolving AML and sanctions landscape in Germany with Lars-Heiko Kruse, Saskia Isabell Platte and Marco Smeets at PricewaterhouseCoopers GmbH WPG.
FW: To what extent is financial crime growing in frequency and complexity? How would you summarise recent trends in Germany?
Kruse: As a central and economically significant country in Europe, characterised by high volumes of global export and transit business, Germany has been and remains exposed to various kinds of financial crime. Fostered by an ever-changing environment and external factors such as the war in Ukraine and the coronavirus (COVID-19) pandemic, topics such as money laundering and financial sanctions are highly relevant to market players. However, other activities such as online banking fraud, identity theft, bribery and corruption should not be underestimated or neglected, specifically in times of economic uncertainty. Considering the steady increase in regulatory obligations, the rapid change of sanction regimes and the new methods criminals develop to commit different kinds of financial crime, the increase in complexity and thus the pressure on regulated entities in Germany is higher than ever.
Platte: Times of instability always facilitate malicious acts; correlatively financial crime is perpetually growing in frequency and complexity, both in terms of liabilities for market participants as well as the extent of emerging threats. Prevention becomes increasingly challenging, as, due to the intensification of global market integration as well as a steady increase in banking digitalisation, such as new payment methods, current prevention measures must be completely rethought and adapted. This particularly applies to the analysis of payment flows, which is one of the most important methods used to detect illicit behaviour. However, financial institutions (FIs) only have a limited view of their own transactions, which is why identifying complex schemes requires intelligent analytics tools. In addition, to enable comprehensive prevention, measures need to be fostered in non-financial industries, such as goods trading, real estate and gambling.
Smeets: Global uncertainty related to the impact of financial sanctions, including individual exposure and required action, is growing across all market sectors, ranging from FIs to manufacturing companies. In recent years, numerous sanctions regimes were implemented, including those targeting Russia and Iran. In this context, financial sanctions have become more and more an instrument to achieve political interests by imposing measures such as asset freezes, restrictions on financial transactions and travel bans. Accordingly, the major challenge for FIs and companies is to react to rapidly changing regulatory restrictions and expectations. In the last year, the war in Ukraine and the resulting sanctions programmes clearly sensitised market players in Germany to the far-reaching impact of financial sanctions.
FW: Could you outline some of the key regulatory developments in Germany affecting anti-money laundering (AML) and sanctions? Do companies need to accept that they now operate under heightened scrutiny, and react accordingly?
Smeets: In general, sanctions regimes and programmes have been and will be further implemented and expanded. Especially for non-financial companies, the latest developments and highly dynamic sanctions landscape creates uncertainty but also increased awareness of the need to adequately comply with sanctions regulations. Companies are increasingly being held responsible by their business partners, such as banks and other contracting parties, to comply with sanctions and to demonstrate proof of risk-mitigating measures. Recent developments have shown that auditors in Germany will put a focus on financial sanctions in this year’s audit cycle for FIs. Considering this clearly heightened scrutiny, companies will need to proactively implement preventive measures. The design of those measures highly depends on individual influencing factors, as well as the institution’s risk evaluation. The implementation process should consider all lines of defence in the context of a target operating sanctions compliance model, with continuous improvements.
Kruse: Financial crime in its various forms is more an area of focus than ever in Germany, frequently discussed from a political point of view at federal level. Related to money laundering, the results of the recent mutual Financial Action Task Force (FATF) report criticising decentralised supervision, the continuous challenges faced by the Financial Intelligence Unit (FIU) in managing the massive amount of suspicious activity reports (SARs) and a general increase in enforcement actions against companies that fail to comply with their reporting requirements, show that obligations and expectations of market players are more likely to increase than decrease. To meet the challenges currently posed by an extremely fragmented supervision landscape, there are plans for a centralised federal authority to be installed in the next few years, harmonising and thus intensifying supervisory practice. Concerning financial sanctions, Germany has significantly tightened requirements and stepped up enforcement actions, with expectations that go beyond plain list screening to now include targeted compliance programmes, following the example of US authorities.
Platte: The extent of anti-money laundering (AML)-related regulatory requirements and official expectations have not diminished in recent years. Major cornerstones of AML regulatory developments in Germany have been the implementation of a national risk analysis, the introduction of a transparency register, the adoption of an all-crime approach as well as intensified collaboration between authorities. However, mediocre results from the mutual evaluation report issued by the FATF in 2022 highlight some positive achievements since the last review, but also significant shortcomings in the effectiveness of national prevention measures. Consequently, companies should not expect regulatory expectations and requirements to ease. In particular, highly fragmented supervision and inadequate analysis of illicit financial flows were criticised by the FATF, which set out future measures to be expected. Market players should already be preparing for anticipated heightened scrutiny.
FW: How would you describe AML and sanctions monitoring and enforcement activity in Germany? What problems may arise for multinational companies as a result of the extraterritorial reach of certain laws, and greater collaboration between national agencies?
Kruse: Anti-financial crime supervision has increased significantly over recent years. A central element is to strengthen international prosecution, with plans to install the Anti-Money Laundering Authority (AMLA) as a supranational, European supervisory body. This authority will be tasked with fostering international prevention measures by enabling enhanced identification of cross-border schemes. It will also aim to enhance extraterritorial information exchange and collaboration between national authorities. There are considerations to potentially domicile this authority in Frankfurt. The existence of the AMLA will add further pressure on companies to cope with presumably increased regulations.
Platte: In the last two years, the financial industry in Germany has experienced intensified money laundering prosecution practices. The significant increase in cases reflects the intensity of auditors’ expectation for companies to establish adequate money laundering prevention measures. This takes into account the steady increase of underlying threats and the need to continuously improve prevention measures. On the supervisory side, intensified prosecution in connection with several special audits initiated by the German Federal Financial Supervisory Authority (BaFin) has become a reality for many German banks. Payment providers in particular are targets for enhanced supervision. Potential penalties are not limited to fines but could also lead to prohibitions placed on new business and even a revoked banking licence.
Smeets: The Sanctions Enforcement Act is the governmental approach to enforcing sanctions more effectively in Germany. With regard to the financial industry, Deutsche Bundesbank is focused on financial sanctions and has executed several audits of institutions of all sizes. In addition, the non-financial sector is increasingly targeted by focused enforcement actions by the German Customs Office and the Federal Office of Economic Affairs and Export Control (BAFA). Added complexity is raised by different and partially contradictory directives, such as competing European Union (EU) and US sanctions regimes. Multinational companies may face these challenges due to the extraterritorial reach of many sanctions regimes, and must carefully navigate complex and ever-changing regulatory requirements.
FW: What steps should companies operating in Germany take to ensure adequate processes, programmes and policies are in place to support AML and sanctions compliance?
Platte: Adequate prevention requires a targeted and comprehensive AML governance model. The specific design depends on the risks to which a company is exposed, as well as the extent of applicable obligations. For example, a fully regulated FI requires a different operating model than a privileged goods trader. However, the foundation should always be a customised risk analysis, based on a reasonable methodology, with an embedded and structured process for regular revision and follow-up measures. Depending on the outcome, the company should define adequate programmes, processes and procedures for initial and ongoing customer due diligence measures, including know your customer (KYC) and transaction monitoring. In addition, supporting processes for SAR filing, second level controls, special investigations and training need to be implemented. An important element, often neglected, is to explicitly assign responsibilities, including escalation and reporting programmes.
Kruse: Any compliance processes and programmes should be harmonised, streamlined, properly implemented and well documented. A structured and transparent hierarchy for written documentation will not only enable employees to follow clear guidance and thus increase the quality of performed tasks, but is always a benefit in any audit, as third parties can clearly comprehend the underlying processes. Furthermore, it helps to use interfaces in certain processes, to create synergies and increase overall efficiency. In addition, effective prevention can only be achieved with a strong compliance culture across all lines of defence, which requires clear communication and awareness fostered by an explicit tone from the top.
Smeets: A holistic sanctions compliance framework should include all necessary elements. Deutsche Bundesbank’s ‘Guidance on compliance with financial sanctions’ serves as good guidance for companies on this front, along with the ‘Framework for OFAC Compliance Commitments’. A targeted operating model supports business activities in a dynamic and complex environment aligned with risk appetite. A target state considers risk identification, governance measures, tools, policies, training and controls. Especially for manufacturing companies, a clear separation between export control, terrorist financing and sanctions compliance is important and cannot be underestimated in order to avoid sanctions breaches and to fully adhere to regulatory requirements.
FW: In what ways can companies utilise technology to help manage risks arising from AML and sanctions?
Kruse: In the field of compliance, certain tasks require extensive expert know-how and in-depth evaluation. Other tasks may be simple and repetitive, but no less important and still extremely time consuming. In order to enhance efficiency and concentrate internal resources on complex tasks, it is advisable to utilise automation technology for repetitive tasks. Prime candidates for automation are AML transaction monitoring and sanctions-related list screening. Nearly all institutions must invest to transform from a rule-based approach to smart technology solutions. For example, by using artificial intelligence (AI), tools can learn to prepare a complete pre-check for alert handling, which then only requires final verification by an analyst. This not only saves valuable time but also increases quality through a standardised, comparable evaluation procedure. In addition, certain KYC-related tasks such as politically exposed persons (PEP) screening, company data checks and negative news screening can benefit from automation, which significantly reduces processing time.
Smeets: Name-list screening, as an essential part of adhering to sanctions regimes, tends to create a high number of false positives, due to various similarities in list parameters. To reduce those, it is necessary to implement sophisticated AI tools, which can learn to consider various parameters in a screening from different lists and sources. For manufacturing companies, automated dual use screening and export control is advisable to reflect dynamic changes in the regulatory environment. From an overall perspective, a data-driven risk assessment should be carried out for sanctions, to always keep up to date with ever-changing requirements and to monitor individual requirements and implemented safeguards.
Platte: In recent years, FIs have constantly needed to address new money laundering risks and obligations by adapting their transaction monitoring indicia models and amending their KYC processes – all of which leads to a steady increase in alerts and files to be processed. To avoid backlogs, most institutions addressed this by adding staff as a short-term measure. However, over the long term, big alert-handling teams are neither cost efficient nor do they always provide the required quality. Accordingly, as a lasting solution, FIs should invest in smart technology to improve the quality of alerts using AI, to reduce false positives by improving the segmentation and parameterisation of indicial models, and to automate repetitive parts of the process. This will reduce costs and manpower, improve the overall quality of money laundering transaction monitoring and avoid the risk of backlogs. In addition, this can be further supported by outsourcing other repetitive tasks, using managed services, to unburden internal staff.
FW: What overall advice would you give to organisations in terms of marrying technology with protocols, to enhance the efficiency of their AML capabilities and allow them to detect unusual behaviour and identify red flags?
Platte: To enhance efficiency in money laundering prevention, FIs should focus on four pillars. First, as a baseline it is important to always stay up to date with applicable regulatory requirements, which can be improved by using technology to continuously monitor changes to legal standards. Second, it is important to have a clear view on current risks related to the institution’s business model, as well its customers, transactions, products and countries involved. This can be significantly enhanced through ongoing data driven risk analysis using advanced analytics tools. Third, investing in AI technologies can help to identify unusual behaviour and red flags, thus improving the overall quality of the transaction monitoring model. Lastly, an institution should leverage automation technology for alert handling and reporting, to improve quality and reduce costs.
Kruse: Relying solely on static rules and parameters in AML and sanctions-related transaction monitoring and screening, as well as manually clearing alerts, is obviously outdated. It is neither efficient or effective and will most likely be considered an inadequate prevention measure by regulators and auditors. The future will see the use of advanced analytics connected with AI, which is why companies should invest in this technology to enhance their efficiency and to properly prepare for the requirements of tomorrow. By deploying machine learning (ML) algorithms, complex and unusual patterns can be detected by analysing vast amounts of transaction data, which enables companies to identify potential red flags they would otherwise not be able to detect, while simultaneously reducing false positives.
Smeets: Money laundering, terrorist financing and sanctions are closely connected and often directly linked, for example with regard to sanctions circumvention. To identify, for example, unusual customer behaviour or concealment of data, using only name-list sanctions screening will not always be sufficient. More often, schemes and indications have to be collected to identify potential sanctions violations using appropriate tools and measures, including AI solutions. Synergies can be generated in a holistic governance approach to sanctions, money laundering and terrorist financing.
FW: Going forward, do you expect the risks posed by financial crime in Germany to increase over time? Do companies need to continually improve their system in order to deal with current and emerging threats?
Kruse: Keeping up with financial crime requires FIs to be flexible, responsive and fast moving, as criminals are constantly developing new methods. Accordingly, adequate prevention governance is characterised by constant review and adjustment of current measures, to keep up with new requirements and emerging threats. To address these trends, German authorities are increasingly implementing stricter regulations and utilising new technologies to detect and prevent financial crime. This is also reflected in authorities and auditors setting out a different level of expectations and requirements. Accordingly, if an FI receives evidence of shortcomings that have not previously been identified, this should not be questioned, but taken as a sign that measures to continually improve security measures have not been adequately implemented.
Smeets: Global sanctions regimes and enforcement actions will increase over time. Expect to see more individual restrictions, such as sectoral restrictive measures, which are more complex and highly dynamic, requiring companies to react quickly. Effective risk management and internal compliance programmes are crucial. They should include regular sanctions risk assessments and adequate ML tools to detect and prevent financial sanctions breaches. FIs and companies should stay up to date with regulatory requirements and industry best practices to ensure that their tools and processes are in line with regulations and the expectations of authorities and business partners. A holistic approach to sanctions compliance mitigates risks and protects against potential reputational damage and fines. In addition to monetary penalties and potential personal liabilities, indirect costs associated with probes on potential violations can occur, including costly investigations, special audits and imposed remediation actions.
Platte: Systemic, highly developed money laundering activities by international criminal organisations is not a threat likely to be eliminated quickly. To disguise illicit sources of funds, criminals will always seek to develop new methods and schemes. Any company involved in such a scheme, whether consciously or unconsciously due to ineffective security measures, faces reputational risks, potential losses and severe penalties, which will presumably increase in the coming years. To maintain the internal capabilities to address those threats in the future, companies will need to continuously improve their measures, not least by investing in smart analytics tools.
Lars-Heiko Kruse is a lawyer with a banking and economics background and a partner at PwC in the risk & regulatory advisory department, with over 20 years of professional experience. He is a member of the global financial crime group at PwC and has significant experience with special audits on behalf of the German supervisory authority, financial crime investigations and advising clients. His main focus is on AML, sanctions compliance and anti-fraud management systems-related issues. He can be contacted on +49 160 9694 1067 or by email: lars-heiko.kruse@pwc.com.
Saskia Platte is a manager in the PwC risk & regulatory advisory department in Frankfurt, with extensive experience in the field of regulatory compliance and anti-financial crime. Her sphere of expertise is money laundering, criminal offences and financial sanctions, focusing on the comprehensive analysis of AML target operating models and the holistic optimisation of compliance governance models. She can be contacted on +49 151 1911 3414 or by email: saskia.isabell.platte@pwc.com.
Marco Smeets is a senior manager at PwC in the risk & regulatory, forensic services advisory department in Frankfurt. In his work, he has gathered extensive experience in the field of anti-financial crime and compliance with a strong focus on AML and sanctions regulations in various industries of the financial services and non-financial services sectors. He can be contacted on +49 151 1493 7448 or by email: marco.smeets@pwc.com.
© Financier Worldwide