Experts mock the whole AML/CTF model

August 22, 2011

If the IMF’s skepticism about the effectiveness of the Financial Action Task Force and the contemporary anti-money laundering (AML) system weren’t damning enough…

A separate report from the U.K.’s Financial Services Authority has shaken the very faith that AML and combating of terror finance (CTF) experts once held in the foundations of the modern system of international financial controls.

It’s about time.

It is a system that over-regulated banks, passed the expenses along to share holders who’ve endured lower returns; account holders in terms of more paperwork, intrusive data mining, lower interest rates; and to financial service employees who have had to make sense of the whole unprofitable mess.  And it’s all been in an effort to find needle-size transactions among giant haystacks of financial exchanges.

The modern AML system is very similar to contemporary airport security.  It treats everybody like a terrorist, and creates a vast bureaucracy that has never quite proved its worth.  It focuses on suspicious transactions rather than suspicious people.  It fails to profile.

The specific findings in this report are that Britain’s banks aren’t doing anything different now than they were doing 20 years ago with regard to opening accounts for corrupt foreign dictators who stole the wealth of their countries and deposited it in British banks.  All this has happened despite extensive regulations, oversight, and requirements for the British financial sector.

If one of the most advanced countries in the world with a first-class banking system cannot achieve what seems a relatively straightforward task of screening their customers and verifying their source of income, what hope can we possibly have that the banks will be able to identify and report a $10,000 transaction from Habib to Farouk so he can buy explosive materials?

The implications of the FSA report reach beyond Great Britain.  Editor Joy Geary of the Australia-based AML Magazine asked, “Does it mean that the AML/CTF framework, as currently in operation globally, is doomed always to fail?” and urged that “The damning contents of the FSA report should lead to a long and hard look at the underlying causes.”

Enough from me.  Here’s an extremely useful article from the above mentioned AML Magazine laying out what makes the FSA report so troublesome:

FSA 2011 Report on banks’ management of high money-laundering risk situations

This report, released recently by the Financial Services Authority (FSA) in the United Kingdom, is simply breathtaking.

The report was commissioned by Philip Robinson shortly before his retirement in 2009 as Head of Financial Crime in the FSA. It describes how banks operating in the UK are managing money-laundering risk in higher risk situations. It focuses in particular on correspondent banking relationships, wire-transfer payments and high-risk customers including politically exposed persons (PEPs). These are wellknown areas of high money-laundering risk; they are not new or evolving methods. Yet the report’s contents are damning and raise challenging questions for both the regulated and the regulator in the UK.

A little history is important to understand why the report’s contents are so damning. Eleven years ago the FSA took UK financial institutions to task about funds associated with General Sani Abacha, the former President of Nigeria. An FSA investigation focused on the anti-money laundering (AML) controls at 23 banks in the UK where accounts linked to Abacha family members and close associates were identified. The investigation found that 15 of the banks had significant control weaknesses.

The FSA investigation identified 42 personal and corporate account relationships linked to Abacha family members and close associates in the UK. These accounts were held at 23 banks which included UK banks and branches of banks from inside and outside the European Union. In total, turnover on the 42 accounts amounted to US$1.3 billion for the four years between 1996 and 2000. (The US$1.3 billion relates only to the turnover on the accounts over this period; it did not necessarily represent the proceeds of crime or the amount of money received into the UK.)

Some 98 percent of the US$1.3 billion went through the 15 banks with significant control weaknesses. The FSA found that a number of the banks had reported suspicions to the National Criminal Intelligence Service (NCIS) on a timely basis.

The following deficiencies were found at one or more of the 15 banks:

  • Inadequate senior management oversight of the account-opening process for customers who could be classified as higher risk;
  • Weaknesses in the verification of the identity of beneficial owners of companies;
  • Over reliance on introductions by existing customers;
  • Inadequate understanding of the source of the customers’ wealth;
  • Shortfalls in following industry guidance on reporting suspicious transactions to the National Criminal Intelligence Service; and
  • Weaknesses in record retrieval and retention.

The FSA imposed financial penalties on a number of financial institutions following the Abacha review designed to improve the quality of compliance across the board.

Roll forward to 2010, when the FSA commenced its fieldwork for their report. By the contents of the report, the overwhelming outcome seems to have been one of “back to the past”. Not much seems to have changed at all.

The report notes that “Some banks appeared unwilling to turn away, or exit, very profitable business relationships when there appeared to be an unacceptable risk of handling the proceeds of crime. Around a third of banks, including the private banking arms of some major banking groups, appeared willing to accept very high levels of money-laundering risk if the immediate reputational and regulatory risk was acceptable.”

And that “At a few banks, the general AML culture was a concern, with senior management and/or compliance challenging [us] about the whole point of the AML regime or the need to identify PEPs.”

Before visiting banks, the FSA held meetings with law enforcement agencies, forensic accountants, AML consultants, lawyers and commercial providers of intelligence tools (which some firms use in their AML work) to hear their views of banks’ AML performance in the areas covered by the review. Interesting questions of confidentiality must have arisen in these meetings between regulators and private advisers.

Twenty-seven banking groups were subject to site visits, comprising eight major banks and 19 medium-sized banks and smaller banks, including banks from higher risk countries and private banks. The banks were chosen because they dealt in products or with customers likely to give rise to high levels of inherent money laundering risk; none of the banks were selected because of pre-existing concerns held by the FSA about their AML systems and controls.

The FSA Report is the master of the understatement when it notes in the executive summary that two banks have been referred to its enforcement division and consideration is being given to whether further regulatory action is required in relation to other banks. The FSA says it will continue to focus on management of high-risk customers for some time to come.

The report is compelling reading for AML/CTF Compliance Officers, audit teams, assurance teams, senior management and advisers.

The report is divided into three sections, dealing with high-risk customers including PEPs, correspondent banking and wire transfers. Each section contains examples of matters that gave the FSA concern, as well as examples of good practice and poor practice.

Some of these examples associated with high-risk customers include:

  • At two banks, the MLROs could not explain their PEP definition;
  • One bank considered several higher risk countries as “low risk” because they had “lots of dealings” with them;
  • At another bank, relationships with customers in a higher risk country were exempt from country risk assessment simply because the bank’s parent had a presence in the higher risk country;
  • At other banks, sectors normally associated with increased corruption risks such as extractive industries and pharmaceuticals were classified as low risk because these sectors were “regulated”;
  • One bank with many high-risk customer relationships changed the status of many relationships from low risk to high risk one month before the FSA visit;
  • At one bank, a customer who was the subject of allegations of corruption was classified as low risk simply because he came from a low-risk country;
  • The FSA reviewed over 100 high-risk or PEP customer files at the private banking arm of a major banking group. It found that around 25 percent of these accounts had seriously deficient identification and verification documentation or none at all;
  • At one bank, it appeared that many new clients were introduced by the bank’s CEO, and that relevant staff did not question his judgement of these clients’ integrity;
  • Three banks added relevant information to their CDD files for the first time shortly before the FSA visit;
  • One bank held an account for a corporate customer whose nominal beneficial owner changed frequently and without explanation. The bank did not carry out sufficient CDD to ensure there was no money-laundering risk associated with these changes;
  • One bank dispensed with CDD measures and instead relied on the Deputy MLRO “knowing everyone” locally;
  • In one email exchange, where a London based Compliance Officer attempted to follow up allegations of corruption surrounding a customer’s wealth, the relationship manager (RM) wrote that “I don’t know where the funds are coming from as I didn’t know her at the time, but they are definitely hers”;
  • The UK branch of a foreign bank charged RMs’ business units for commissioning intelligence reports. The FSA found evidence on files that, as a result, RMs often decided against commissioning these reports;
  • At one major bank’s private wealth arm, the FSA reviewed a large selection of PEP customer files. The application forms had a money- laundering section where the risk was rated as low, medium or high. Almost all the files the FSA reviewed were ticked low – even when the files contained references to serious corruption allegations;
  • At more than a third of banks in the FSA sample, committee minutes and other records of senior management approval for high risk customers were vague and did not contain sufficient detail about discussions on AML risk. In some cases, it was unclear whether serious allegations about customers had been considered at all;
  • In one bank, a member of the AML team had signed off very high-risk relationships despite knowledge of considerable negative information about the customer. In one email, he wrote “In my view, provided there is sufficient business to justify the risk then I am happy to recommend we proceed”;
  • One MLRO told the FSA that he could not see the value in collecting CDD information because customers would be taken on even if they were subject to serious allegations of criminal activity; and
  • One firm told the FSA that they might have PEP customers who would be above their risk appetite, but they did not have formal criteria in place to decide how much risk they were prepared to take on.

The report contains similar material for correspondent banking and wire transfers.

What does this report mean in practical terms for those dealing with the UK? Where does the UK now sit in a country risk matrix where there is evidence of statistically significant non-compliance with the fundamentals of AML/CTF? What does the report suggest about the effectiveness of non-public remediation programs in the United Kingdom which have been the preferred mode of supervision in the UK for the past five or six years? Will supervision in the United Kingdom go down a path of public enforcement combined with hefty fines and personal sanctions?

It all comes down to two questions – can the AML/CTF regime really work and, if so, what is required to make it work?

The fear many in the UK have with strong enforcement action is the adoption of a compliance driven tick-box approach. But non-public remediation in the UK does not seem to have led to a culture of strong compliance across the financial services sector. Dealing with criminality using civil tools does not seem to be producing successful outcomes. The FSA must be left pondering to what extent the absence of enforcement action has been interpreted by the regulated as a sign of weakness.


  1. I’m curious about your comment that the UK’s AML regime “focuses on suspicious transactions rather than suspicious people”. In fact, UK institutions are required to look out for and report suspicious activity – which encompasses anything a client might do, from a straightforward transaction, to changing their mailing address, to appearing uneasy during a meeting.

    You also say that it “fails to profile”. In fact, the whole risk-based approach is in fact a fancy word for profiling: customers from high-risk areas of the world (known for corruption or drug connections or people trafficking) are subject to more rigorous checks, as are those related to politically exposed persons. It’s not perfect by any means, but the profiling theory has been adopted.

    • Good to hear from you, ihatemoneylaundering!

      All right, let’s stipulate for the moment that the U.K. has adopted the profiling theory. What would you say is causing the bankers to fail to comply with the profiling mandate? Are the banks too greedy, too lazy, too under-regulated, or Is the profile formula too complicated/amorphous? Or are the PEP requirements just one facet that slips through the cracks of the overall AML regulatory regime? I’d like to hear what your perspective on the problem.

      Also, please take a look at the video here, although it deals with the U.S.’s AML regime. One example it uses: U.S. banks filed 18 million reports on their customers (most of which had nothing to do with PEPs) in 2008, and the end result of all this reporting was no reduction in financial or terror crime rates.

  2. Hello there. I’m not sure that it’s fair to say that UK bankers are failing to comply with the risk-based approach – although as I am not one myself, I can’t be certain! I think the majority of UK bankers do try to comply with their own bank’s risk-based approach – but by definition this varies from bank to bank (or, more accurately, from regulated institution to regulated institution) and so it is hard to judge whether the regulated sector as a whole has got it right.
    I can’t really comment on the US situation, as I don’t do any work there, but isn’t it terribly muddied by the CTR requirement, which – as far as I can see from a distance – creates mountains of reports with absolutely no beneficial effect?

    • Hmm.. From the FSA report it certainly sounds like there’s a failure of some kind if 15 of 23 banks examined “had significant control weaknesses.”

      Does the U.K. not have any equivalent to the U.S. CTRs? How about to the U.S.’s suspicious transaction reports?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

<span>%d</span> bloggers like this: