Are the world’s financial institutions and their leaders ready to begin defending the front lines in the war against international financial crime and terrorism?
They’d better be.
Governments and their regulatory agencies increasingly expect these institutions to serve as police, to work harder to prevent themselves from being used for money laundering and to prevent breaches of sanctions against countries with poor human rights records and those that support international terrorism. And regulators are punishing institutions when they fall short.
U.S. enforcement authorities, flexing their regulatory muscles, recently imposed fines for sanctions breaches on Lloyds Banking Group ($350 million), Barclays ($298 million) and Standard Chartered ($327 million).
The Department of Justice and the Securities Exchange Commission are using the Bank Secrecy and Foreign Corrupt Practices acts to demand greater due diligence from all parties involved in transactions, holding them responsible for both sins of commission (facilitating money laundering or committing sanctions breaches) and omission (failing to implement sufficiently strong internal controls against either or both).
In December 2012, HSBC agreed to a $1.9 billion settlement to resolve charges that it had failed to monitor more than $670 billion in wire transfers, allowing for money laundering, and had also breached U.S. sanctions against Iran, Libya, Sudan, Burma and Cuba. And in December 2013, RBS was fined $100 for violating sanctions against Iran, Sudan, Burma and Cuba. More recently, the Federal Reserve has held up M&T Bank’s merger with Hudson City Bancorp until M&T beefs up its anti-money laundering controls. In short, governments are making it clear that they will not tolerate what they deem to be reckless conduct by financial institutions or a weak commitment to abiding by international rules.
Governments want senior management – CFOs, chief executive officers, chief compliance officers and chief risk officers, among others – deeply engaged (with compliance experts sitting on boards) and leading the work to build financial crime defenses.
It won’t be easy.
It’s been estimated that $2.9 trillion worth of stocks, bonds and derivatives are traded in U.S. financial markets every day. According to a 2012 report by the European Central Bank, 2,827 non-cash transactions (credit transfers, direct debits, credit card payments and checks, among others) are made by European financial institutions every second of every day of the year. That works out to about 248 million every day, and 90 billion last year.
And with the increased popularity of mobile banking, one may presume those numbers, already enormous, will only grow.
Given the volume and pace of transactions in global financial markets – magnified and accelerated by new technologies – it’s easy to see how keeping track of both financial transactions and the people who conduct them is monumentally difficult for banks, hedge funds and other financial serviced institutions. It keeps their risk and compliance officers up at night.
Generally, financial institutions believe the expectation that they can act as a branch of law enforcement unreasonable. They cannot, they say, monitor every transaction or client with 100 percent certainty, nor make their businesses risk-free. They say the investment they must make in people, processes and technology to comply with regulations places a massive strain on resources.
Consequently, some banks are voting with their feet and pulling out of more risky industry sectors and geographies. Both Barclays and HBSC, for example, decided last summer to stop providing banking services to cash transfer businesses in Somalia for fear that they could be used for money laundering. And while the banks felt they had no choice, demonstrators in London protested that the banks were abandoning people in need, painting Barclays and HBSC, not the relatively invisible and untouchable money launderers, as the bad guys.
This was a classic no-win situation. And if the financial sector doesn’t change the way it approaches its role in stopping (or at least vigorously limiting) how it’s used by the bad guys, there will be many more.
Manage Risk, Not Money
To prevent themselves from being used by criminals and terrorists, financial institutions must improve their risk-assessment capabilities and make that effort an organizational priority.
In short, banks need to get smarter about both client and transactional risk, and do more about them.
This effort must be led from the top. Senior management must be fully engaged in building the financial crime defenses – the internal controls – that can make their organizations less vulnerable both to missteps and the depredations of criminals.
They have no choice but to accept their role in the global struggle against financial crime and terrorism and work consistently to build ever stronger defenses, with risk assessments completed intelligently and thoughtfully and regularly updated. The list of U.N.-sanctioned countries and politically exposed persons must be monitored continually.
However, given the complexity of global finance, and the cunning of criminals, all defenses have to be risk-based, with the institution’s finite resources devoted appropriately to businesses and jurisdictions with inherently higher risk profiles or weaker control environments.
Mitigating Client Risk
Financial institutions need to make their client onboarding rules and processes more rigorous before accounts are activated, and those accounts need to be reviewed regularly afterwards.
This requires repeatable risk-based client assessments that can identify politically exposed persons and people with criminal backgrounds or connections. The assessments also must be able to unearth people conducting business in sketchy jurisdictions and geographies and individuals acting as proxies for hidden players.
Criminals are continually changing the ways they move money in and out of institutions, and use increasingly complex and opaque structures to hide the true sources, identities and destinations of funds.
Mitigating Transaction Risk
Banks should acquire and implement detection technologies that can filter and flag sanctioned or otherwise suspicious transactions. There is a vast array of commercially available transaction-monitoring tools that can introduce business rules into an institution’s systems and define acceptable or unacceptable transactions (such as identifying sanctioned country codes on transfer receipts).
These tools can establish thresholds that trigger alerts, and automate watch lists for suspicious persons and transactions. They are also capable of sophisticated record-keeping and can produce compliance reporting that can be critical when an institution finds itself in a government’s or regulatory agency’s crosshairs. But all these tools are only as good as the people who use them. Firms must acquire skilled talent to fine-tune the systems as well as to analyze, assess and act upon the alerts and reports they produce.
These tools and processes, and the human capital that make them work, are necessary for financial institutions to steer clear of trouble. Their implementation is also a statement of good faith. Making sure the compliance and risk-management function is well-staffed and independent of business pressures, and deploying up-to-date processes and tools will make regulators less inclined to punish firms that run into trouble or made the occasional, unavoidable mistake.
It’s Never That Simple
Because it is difficult (if not impossible) to define the scope of the global problem – how much money is being laundered, where it is coming from and where it is heading – it is challenging for CFOs and other business leaders to measure the success, failure or even the outcomes of any anti-money laundering effort and thereby assign an ROI to anti-money laundering investments. Again, these investments should be viewed in the light of risk mitigation, and their efficacy determined in large part by what doesn’t happen – fines, reputational damage, lost business – not what does.
Ultimately, it is unrealistic to think that one firm or even and industry can take on the bad guys by themselves. Fighting crime is not a role for which financial institutions were created or designed. However, in today’s climate, they have no choice but to play the part as best they can. That means continually improving the ways in which they protect themselves and the world’s financial system.
One can hope that the future will bring greater levels of cooperation between governments and the financial sector. Ultimately, that is the only way to begin to de-fund criminal interests, terrorists and others who would seek to sabotage the world’s financial systems and use them to further their own anti-social ends.
Peter Brooke and Christine Moran are managing directors in the governance, risk and regulation team at FTI Consulting, based in London.