Timur Mussin, CCO at ForteBank, discusses the importance of a strong ethics and compliance program and explores some of the chief reasons to develop a culture of compliance.
Once upon a time, financial organizations functioned without a compliance control system; functions similar to parts of compliance were carried out by full-time lawyers, internal auditors or other employees, and that was considered enough. But as realities changed, organizations faced new challenges. In response, compliance officers and other units responsible for compliance control issues began to appear in many organizations.
Depending on the specifics of the work, size or location of the organization, the compliance “vision” varies. Various international standards – such as the recommendations of the Basel Committee on Banking Supervision, ISO 19600 for banks’ and financial organizations’ compliance management systems, the Occupational Safety and Health Act (OSHA) for employee safety, the Bank Secrecy Act (BSA) or General Data Protection Regulation (GDPR) for bank secrecy and data protection respectively and others – help to form a unified vision of how compliance should look and what it should do, taking into account the activities of the organization. Different jurisdictions rely on such standards and in some part supplement them with legislative acts relevant or specific to a particular country.
A system that adequately takes into account the current market situation, strategy, size and complexity of company operations is vital for the effective management of compliance issues.
In some countries and organizations, the attitude toward compliance control can vary from relatively neutral to extremely negative because implementing a compliance control system requires certain costs (salaries, special software, etc.). Fortunately, the number of professionals who take a negative attitude toward compliance control shrinks every day.
Scandals and investigations shocking the financial market show how negatively the gaps and shortcomings in a compliance control system can affect an organization’s activities. The result may not only be financial or reputational losses, but also the closure of the business or the opening of criminal cases against its employees. The task of compliance is to prevent or minimize these threats and events. This is even more relevant given the current situation with COVID-19 in the world.
Let’s look at situations when compliance – including the responsible employee or unit and the system built by them – was not properly managed or was completely absent. It is worth noting that this list applies only to those areas where compliance control is objectively needed, and it is potentially far from exhaustive for organizations working without compliance control.
An Ineffective Compliance Risk Management System
Whether in financial, mining, pharmaceutical or other industries, the organization’s activities are usually governed by various legislative requirements, which are closely monitored by regulators. Ever since the Babylonian law of Hammurabi, the perpetrator of a crime was punished; in our time, violations of the law result in punishment in the form of fines or other penalties by the regulator.
An important task of the compliance risk management system is identification of threats and compliance risk, as well as coordinating how to effectively address them. Thus, organizations are struggling with single violations and systemic limitations from within. An assessment of the organization’s level of exposure to compliance risk allows us to understand the significance of its existing deficiencies and violations. Lack of visibility into the organization’s current risk situation and its exposure to compliance risk can adversely affect the organization’s decisions – to its own detriment.
Compliance costs increase as the regulation standards in the industry increase and as the company expands globally. Compliance costs are also rising for businesses as more stringent measures are being implemented to prevent fraud, money laundering, terrorism financing, loss of data privacy, etc.
The lack of a compliance risk management system leaves the organization defenseless in matters of compliance and with a heavy price to pay. Market analyses show that the amount spent on implementing and maintaining a compliance control system is many times lower than possible fines.
Take, for example, when Google was charged a massive fine of $2.7 billion in 2017 for manipulating search results and violating antitrust laws. You may also recall when VimpelCom was fined $795 million for violating FCPA requirements in the process of conducting business in Uzbekistan. After these events, the company pledged to introduce “rigorous internal controls” to prevent a recurrence of the situation.
Many companies have long recognized the need to create reliable risk management and internal control systems, and they employ the appropriate employees (the so-called compliance officers) responsible for managing compliance risk effectively.
Organizations should pay considerable attention to the compliance risk management system, including appointing responsible persons or units and allocating the resources necessary for them to solve problems and promote compliance.
In turn, compliance officers should keep the system in working condition, including implementing tools to identify violations and systemic shortcomings in the organization’s activities, as well as building an effective system of interaction with the organization’s management to take timely preventive or corrective measures.
It is important that compliance officers constantly develop and learn so as to be prepared for new challenges and trends (laws and technologies), as well as to continually improve the system.
A Lack of a Compliance and Ethics Culture
As a rule, what is not prohibited in the organization is allowed.
The lack of processes for familiarizing employees with the basic requirements of internal documents or legislation can lead to negative consequences for the organization.
The creation of a compliance and ethics culture is an important element of the compliance control system; it helps prevent or minimize violations committed by employees in the course of their activities. A compliance and ethics culture is part of the corporate culture and aims to ensure that there is no ignorance of the requirements among employees.
The lack of a compliance culture – coupled with the lack of clear distinctions in the functionality of employees – can adversely affect the organization’s processes, reducing their quality and efficiency.
It is worth recalling the situation with FIFA when it became known that the organization was suffering from institutional corruption. Subsequently, a series of charges were brought against FIFA leadership for receiving millions of dollars in bribes.
Compliance culture is understood as a behavior model introduced and/or acquired by an organization in the process of implementing the requirements of applicable laws and internal documents in order to observe them, with the commitment to doing so shared by all employees. At the same time, ethics is a combination of ethical principles and norms of business communication, which all employees of the bank and its subsidiaries (if any) are obliged to follow in their activities. As part of the implementation, compliance officers should do the following:
- develop a usable and affordable code of conduct that will be a high standard for all employees, starting with top-level management;
- ensure regular education and training for new employees, enabling the employee to understand the organization’s high standards;
- provide attention to this issue from senior management. In this case, the tone from the top is intended to show leadership’s commitment to compliance and ethics culture issues;
- provide rights, guarantees and motivation to employees (potential whistleblowers), who may subsequently become an important source of information about possible violations and deficiencies.
The above will keep employees from being afraid to report violations and internal injustice, and it will also help to promptly reveal shortcomings and violations so that they may be eliminated in a timely manner and so that consequences can be minimized. It is important to create a culture that recognizes that saying nothing means being an accomplice.
Becoming a “Laundromat”
Issues pertaining to anti-money laundering/combating the financing of terrorism (AML/CFT) are extremely important for countries’ further development. The events of the beginning of the 21st century marked the beginning of global efforts to counter and prevent such criminal phenomena as money laundering and the financing of terrorism. International organizations and lawmakers from various countries have been tightening their policies on AML/CFT issues.
At the dawn of the fight against money laundering, it was enough for a financial institution to establish fairly simple procedures, with financial monitoring carried out mainly manually; today, the development of high technologies dictates its own conditions.
The financial market needs new tools; therefore, the market is in a stage of active growth. Unfortunately, new products (services) are of interest not only to customers, but also to individuals whose activities do not always comply with the law. Thus, the modern AML/CFT system should also change.
The absence of effective processes can introduce criminals to the organization’s client base – and with that, all the ensuing negative consequences, including the organization becoming part of “the laundromat.” The same applies to counterparties of the organization.
These requirements do not always take into account the organization’s resources and the volume of its operations; accordingly, the most important task for the organization itself is the maximum digitalization of AML/CFT issues.
Without a sufficient level of automation, the effectiveness of the AML/CFT system may be hampered by ineffective controls, a lack of operational information and excessive resources for technical work.
Accordingly, the creation of an automated system that works with big data is necessary to analyze customers and their operations, and constant monitoring is key to ensuring the AML/CFT system is operating effectively. AML/CFT processes should be periodically evaluated to identify and eliminate deficiencies and to identify opportunities for further improvement.
In turn, AML/CFT specialists will be able to focus more on analytics and better analysis and identification of suspicious clients and transactions.
AML/CFT is a constant struggle. In this struggle, the organization should have a good “weapon” in the form of an effective compliance control unit armed with sufficient resources and powers to carry out its tasks.
In another case…
According to open sources, the total global amount of fines in terms of AML/CFT for 2019 amounted to more than $8 billion, most of which came to the United States and Europe. The AML/CFT requirements are very stringent. The multimillion-dollar fines shaking the U.S. and EU financial sector are a great example. In world practice, such fines can reach hundreds of millions of dollars and threaten a financial institution’s licensure.
In 2017, fines totaling $200 million were imposed on Deutsche Bank for the lack of customer due diligence. And in 2018, Danske Bank was embroiled in a major money-laundering scandal in its Estonian branch. This scandal has become one of the largest in Europe and entailed large financial and reputation losses.
Read further in Part 2.