The importance of purposeful anti-money laundering controls

Speech by Mark Steward, Executive Director of Enforcement and Market Oversight, delivered at the AML & ABC Forum 2021.

Speaker: Mark Steward, Executive Director of Enforcement and Market Oversight
Event: AML & ABC Forum 2021
Delivered: 24 March 2021
Note: this is the speech as drafted and may differ from the delivered version

Highlights

  • Two of our biggest sanctions in the last 12 months related to failures to address financial crime and anti-money laundering (AML) risks.
  • We currently have 42 investigations ongoing into firms and individuals involving, for example, systems and controls over politically exposed persons, customers with significant cash intensive operations, correspondent banking and trade finance, and transaction monitoring. 
  • AML investigations are often complex because they are rarely transactional and require a systemic understanding of how a firm operates, its governance controls, its cultural habits, and the nuts and bolts of sometimes opaque systems.
  • In the last 12 months, we have increased our surveillance of online investment promotions targeting offers from unauthorised firms, potential investment scams and other too good to be true promotions, including lead generation sites.

Detection, investigation and prosecution, where necessary, – either civilly or criminally – of breaches of the Money Laundering Regulations, SYSC 6.3 and/or the Principles for Business are key priorities for the FCA.

Recently we commenced our first criminal proceeding against a bank under the Money Laundering Regulations 2007. As has been widely reported, the case is concerned with the bank’s systems and controls to monitor and scrutinise significant levels of cash deposited by a UK incorporated customer. As the case is before the court, it is not appropriate to say anything further at this stage about the prosecution.

And over the last 12 months, two of the biggest sanctions we imposed related to failures to address financial crime and AML risks. Both cases highlight inadequate systems and controls where one could be forgiven for thinking the true function and meaning of the controls had become lost in elaborate processes leading to failure.

Systems and controls that are purposeful, efficient and courageous in identifying suspicious activity are vitally important; system and control failures, on the other hand, provide an invisible, illicit cover for criminals and criminal activity that affects the whole community, not only in this country but also beyond, and can erode confidence in the financial system. 

Recent action

In the first action, which we took last summer against Commerzbank AG’s London branch, we imposed a fine of £37.8 million. Commerzbank London provided products and transaction platforms for many of the bank’s global customers. It was also a hub for sales, trading and due diligence processes for many of the bank’s global customers. We found that for over 5 years the bank failed to have effective policies and procedures in place to identify, assess, monitor and manage money laundering risks. In particular, we found:

  • some parts of the bank’s operations failed to verify beneficial ownership details, including in relation to high risk clients, from a reliable source
  • processes for identifying risks with politically exposed persons were inadequate
  • there was no clear process or criteria for terminating a relationship with a customer based on financial crime risks; and
  • there were substantial and unjustifiable backlogs in conducting refreshed know your client checks. In October 2016, 1,720 new clients were in a 'huge backlog' waiting to be onboarded. At this point the bank had only three staff engaged in this task. By February 2017, the backlogs had increased, and 2,226 existing clients were overdue refreshed KYC checks.

These failings contributed to additional problems because automated systems lacked up to date information which in turn meant they became less reliable and effective. The catalogue of failures meant investment in systems and controls was wasted on measures that were unable to function as they had been designed or purposed. 

In the second case, together with the PRA, we imposed a fine of £96.6 million on Goldman Sachs International (Goldman Sachs) in relation to three bond transactions which Goldman Sachs arranged for 1MDB, a Malaysian state-owned entity associated with serious embezzlement allegations. Goldman Sachs was the primary booking entity for these transactions which were negotiated by a deal team based in Asia. The bond issuances had several red flags, none of which were especially hard to spot:

  • They were very large transactions compressed into tight timetables.
  • They involved jurisdictions which Goldman Sachs already considered had high risks.
  • Goldman Sachs possessed information about a third party whom they considered was high risk and who was said to be closely associated with the transactions. 

The FCA found these risks were not adequately explored or considered holistically when approving the bond transactions.

Instead, overreliance was placed on statements of the deal team, who had an evident interest in proceeding with the transactions, to the effect that the third party had no role, despite inconsistent accounts being provided by a senior member of the deal team about the third party’s involvement in the first 1MDB bond transaction. The risk of the third party’s involvement was not even raised in the documentation that went before the committees approving the 1MDB Transactions.

Moreover, the approving committees failed to assess the relevant risk factors either individually or in aggregate when approving the transactions or they were not provided with all the information that was available to enable that to happen. This meant significant reputational and financial crime risks were effectively ignored or censored from the approval process.

A significant failure in this case involved the absence of proper record keeping of the identification, management and assessment of the substantial and evident risks involved in the transaction. Record-keeping is a vitally important part of effective governance. It is more than just a minuting of what has happened or being decided but helps to ensure there is an effective and purposeful discipline over the decision-making process.

Consequences

Both cases illustrate well how systems and controls failures in London can have consequences outside the UK.

One of the dilemmas of white-collar crime is the victim is too often either invisible or, in some cases, like insider dealing, believed, wrongly, not to really exist, which means the wrongdoer is more easily able to commit a crime in which real harm is never felt, seen or experienced directly. So too if the potential impact is not on ‘your street’ or in ‘your country’.

There is a version of this in relation to systems and controls, especially if they become a bureaucratic insulation, attenuating the system from the gritty reality of the predicate criminality that needs to be inhibited.

And, for the purposes of AML controls, the risks are not limited to white collar crime, extending to the proceeds of all criminal proceeds, from drug trafficking to terrorist financing. While the harm from such crimes may be difficult to feel or appreciate, because the distance between fund flows and the scene of the crime is so attenuated, the consequences of AML failures may well be a life and death matter.

These cases demonstrate both the value and challenge of systems and controls. On one hand, effective AML systems create a control environment that is able to identify valuable signals in complex data, with repeatable interrogations geared to specific and reasonably foreseeable crime risks, to ensure decision-making is calibrated to those risks and to record accurately how those risks have been addressed.

On the other hand, systems can become overly complicated, bureaucratised, vulnerable to gaming by less scrupulous players, and expensive. 

There is an inherent risk that complex systems lose a sense of what they exist for, where the management challenge to maintain the system, becomes an end in itself, rather than the system or control acting as radar to identify and manage the actual risks facing financial services firms. 

AML systems and controls must be focussed explicitly on the activating purpose and function of those controls, to ensure the system is not just a bureaucratic process and to ensure it cannot be gamed.

We currently have 42 AML investigations ongoing into firms and individuals (25 are investigations into firms and 17 are investigations into individuals), involving, for example, systems and controls over politically exposed persons, customers with significant cash intensive operations, correspondent banking and trade finance, and transaction monitoring.

These are often complex investigations because they are rarely transactional; they require a systemic understanding of how a firm operates, its governance controls, its cultural habits – all of which can generate terabytes of data and information – as well as the nuts and bolts of sometimes opaque systems.

Emerging risks

Let me now turn to a couple of specific AML risks that have arisen over the last 12 months.

First, as has been reported elsewhere, we have increased our surveillance of online investment promotions targeting offers from unauthorised issuers without FSMA approvals, potential investment scams and other too good to be true promotions, including lead generation sites. 

A number of these sites are under investigation or have become the subject of proceedings.

We have also issued alerts on our Warning List concerning well over 1,000 firms, an increase of over 100% on 2019.

The Warning List is designed to prevent consumers dealing with firms that appear they should be authorised by us but are not or falling for investment scams without undertaking proper checks. We are now able to detect these sites, check them out and issue warnings, where appropriate, much more quickly than before.

While the aim is to provide a means for consumers to protect themselves, the same list should also be used by firms. How many firms on our Warning List have bank accounts? How many are the subject of suspicious activity reports?

We would like to see our Warning List actively used, not only by consumers, but also by authorised firms seeking to ensure any transactions or transfers of funds by or to such firms are properly scrutinised and, where applicable, the subject of suspicious activity reports or other reports to the NCA and the FCA.

The second area of risk relates to cryptocurrency firms. As from 10 January 2021, the FCA is the AML supervisor of cryptocurrency firms. While we do not regulate or supervise the cryptocurrency business, these firms are required to be registered with the FCA and they are required to comply with the Money Laundering Regulations.

We have now developed a version of the Warning List, called the Unregistered Cryptocurrency Businesses List, to help consumers and FCA authorised firms identify cryptocurrency firms that appear to be carrying on business in the UK but are not registered with the FCA or sought such registration. 

We placed the first names on the Unregistered Cryptocurrency Businesses List earlier this month, all crypto ATM firms, and we have just added 29 crypto custodian wallet providers to the list.

Without commenting on what other steps may be taken to enforce the new obligations, appearing on the list should be a warning for FCA authorised firms, including any banks who may be providing banking services to these firms, as well as consumers.

We would like to see the Unregistered Cryptocurrency Businesses List used in the same way as the Warning List, to safeguard consumers, as well as to ensure any transactions or transfers of funds by or to such firms are properly scrutinised and, where applicable, the subject of suspicious activity reports or other reports to the NCA and the FCA.

We know much of the industry is devoted to strong systems and controls in relation to AML. Indeed, the aim of AML regulation is not to catch anyone out but to set high standards of probity and scrutiny to inhibit illicit money flows in the financial system and to encourage participants in the system to behave as custodians and guardians of the public interest in preventing money laundering.