05 Mar 2020
2019 was the year of clarifying guidance from law enforcement, regulators, and anti-financial crime organizations, even if the effects of new expectations haven’t quite appeared in the form of increased enforcement actions. Nonetheless, it is quite likely that the punitive tail of non-compliance may start to manifest in 2020 and beyond.
Regulatory trends comprise a mixed bag of disciplinary statistics in recent years. Enforcement against entities supervised by the Federal Reserve dropped to the fifties in 2019 from an average of 87 per year the previous three years. Civil Monetary Penalties and Cease & Desist Orders issued by the Office of the Comptroller of the Currency (OCC) have numbered 76, 73, 61, and 45 since 2016. Conversely, the Office of Foreign Assets Control (OFAC) civil penalties peaked at 26 in 2019 after bottoming out at nine in 2016. And while predicting what any agency may focus its resources on in any given year is a dubious prospect at best, it is certain that the direction provided by the Department of Justice (DOJ), OFAC, the Wolfsberg Group, and others last year will set heightened standards and expectations when it comes to preventing, detecting, and reporting financial crime.
Starting with DOJ, arguably the most important, direct guidance came in the form of “The Evaluation of Corporate Compliance Programs” issued in late April. The guidance “…is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program… is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution.” The document is quite clear on the expectations of what an appropriate compliance program should look like from the criminal prosecution purview, and describes in detail what the US government will be looking for when it has to implement the proverbial “stick” to remediate lack of compliance.
Those expectations include: being able to answer key questions about the effectiveness of a compliance program, assessing if a compliance program is designed for maximum effectiveness and implemented appropriately, and testing whether or not the program actually works. The level of detail provided in the document provides companies a specific roadmap to avoid compliance pitfalls and the ensuing financial, operational, and reputational fallout.
DOJ followed that guidance with a revision of its “Export Control and Sanctions Enforcement Policy for Business Organizations” in December. The revision reinforces DOJ’s stance “…that when a company (1) voluntarily self-discloses export control or sanctions violations to Counterintelligence and Export Control Section, (2) fully cooperates, and (3) timely and appropriately remediates… there is a presumption that the company will receive a non-prosecution agreement and will not pay a fine, absent aggravating factors.” For companies, the clear signal is that when an issue is detected, acknowledging the problem, quickly remediating the underlying issue, and cooperating with government inquiries are key to limiting the fines imposed.
Notably, DOJ won a court ruling in July (United States Court of Appeals, Case No. 19-5068) essentially enabling it (and presumably other agencies) to subpoena records and data that may not be stored in or possess a direct US nexus (person, currency, or jurisdiction). From the opinion, “Records ‘related to’ to a US correspondent account include records of transactions that do not themselves pass through a correspondent account when those transactions are in service of an enterprise entirely dedicated to obtaining access to US currency and markets…”. This important decision provides action-enabling teeth to the aforementioned DOJ guidance, especially with regard to the government’s ability to obtain information that may implicate an organization in lacking effective compliance controls or violating sanctions.
Moving on from DOJ, OFAC published “A Framework for OFAC Compliance Commitments” in May that is “intended to provide organizations with a framework for the five essential components of a risk-based sanctions compliance program”. The OFAC guidance is in sync with and mirrors much of DOJ’s aforementioned compliance framework, but goes a step further in identifying root causes of previous failures (benchmarking). Notably, the document closes with specific instruction related to OFAC’s inclination to pursue individual liability in addition to corporate penalties.
In addition to US rules and regulations, the Financial Action Task Force’s June 2019 Guidance implemented what is now known as the “FATF Travel Rule.” The guidance requires countries to ensure “that originating virtual asset service providers (VASPs) obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to the beneficiary VASP or financial institution (if any) immediately and securely, and make it available on request to appropriate authorities.” While not legally binding, FATF’s members and standing on the international stage impose intense financial pressure on countries and organizations to comply. As such, regulators and VASPs have spent the last several months determining how best to store and transfer this information securely between organizations in preparation for the beginning of compliance monitoring by FATF in June 2020.
Not lacking in teeth, the European Union’s Fifth AML Directive (5AMLD) initiated steps to increase transparency and accountability in the fight against European money laundering and terrorist financing. The EU first expanded the pool of persons obliged to comply with the AML/CFT directives to include crypto-to-fiat exchanges, digital wallet providers, and persons trading in works of art. Additionally, and potentially most notably, while trusts remain behind the curtain of “legitimate interest,” the protective curtain has been withdrawn for legal entities, requiring member states to make beneficial ownership of companies available to the public.
Other important provisions of the 5AMLD include country-specific clarity on politically exposed persons (PEPs), consistent EDD measures when dealing with high-risk third countries, and increased cooperation between national authorities through a register of member states’ AML/CFT authorities. EU member states were directed to implement the 5AMLD by January 10, 2020, demonstrating a legislative stance against money laundering and terrorist financing moving into the new decade.
From the private sector, the Wolfsberg Group released a “Statement on Effectiveness” in December 2019, which renewed the FATF’s 2013 call for states and financial institutions to turn their focus from technical compliance with AML/CFT frameworks to effective outcomes in the fight against money laundering and terrorism financing. As such, the Wolfsberg Group proposed the effectiveness of AML/CFT programs be evaluated against “three key elements: (1) comply with… laws and regulations, (2) provide highly useful information to relevant government agencies in defined priority areas, [and] (3) establish a reasonable and risk-based set of controls to mitigate the risks of… illicit activity.” Additionally, since all risk profiles and risk mitigation strategies are unique, the Group appealed to the relevant government agencies to evaluate the programs on a case-by-case basis.
In addition to the “Statement on Effectiveness,” the Wolfsberg Group also published compliance program enhancement materials supporting their previously released Correspondent Banking Due Diligence Questionnaire (CBDDQ). The Group’s materials include an introductory video, a guidance document explaining how certain questions should be answered, and 12 high-level training sessions which assist financial institutions in accurately and completely answering the CBDDQ’s detailed questionnaire. For the Group, the clear goal is to standardize some aspects of financial crime prevention in correspondent banking which, in turn, could slow the decline in the number of correspondent banking relationships among the international community (de-risking).
Rules of the Road
The through-line for most of the 2019 guidance is clear: ignorance isn’t bliss when it comes to understanding regulatory expectations and implementing those directives. Further, meeting those requirements now has a clearer roadmap, albeit pieced together from multiple agencies. That compliance blueprint, specifically as it relates to preventing, detecting, and reporting money laundering, sanctions, fraud, bribery, and corruption, includes five key overarching concepts applicable to most companies.
Governance, Resources, and Testing
A paper compliance program can be considered worse than no compliance program at all. The following aspects of building and maintaining the people, processes, and technology driving your compliance program are essential in making sure it all actually works: basing the company’s risk management process on specific identified risk; allocating appropriate staff, technology, time, and effort to high risk jurisdictions, customers, products, and transactions; updating the risk assessment periodically or based on new events and information, and changes to operations; ensuring that risk updates are incorporated into policies, procedures, and controls; and integrating design, comprehensiveness, access, implementation, training, and communication into policies and procedures.
Additional essential considerations include: building training programs that regularly and effectively address the company’s specific risks, lessons learned, and internal reporting mechanisms; creating compensation and incentive structures that support the intended ethics and compliance structure; testing the compliance program utilizing model risk validation, data testing, third-party due diligence testing, transaction testing, benchmarking, and review of internal audit processes and outcomes; implementing a scalable compliance strategy; providing appropriate autonomy and authority to compliance personnel; and ensuring that prevention, detection, and reporting functions are strongly supported by a culture of compliance established (formally and informally) by senior management.
Data, Information, and Technology
Bad information and data beget poor decisions and inaccurate reporting, which are often critical failures in fighting financial crime inside organizations. Incorporating data and information into the risk management process; ensuring data throughout compliance systems and business functions is accurate and complete; and conducting data validation and testing that assesses inputs, outputs, quality, logic, change management, change documentation, error resolution, and reporting are three primary pillars within data and information compliance management.
Supplemental factors in ensuring reasonable and defensible decisions include: using quality data to support risk decisions; granting appropriate access to information to support investigations; identifying gaps between IT systems, especially when multiple systems support vertical compliance functions; and enabling new systems and capabilities to enhance compliance program functions where resources and maturity of technology allow.
Customers, Vendors, and Third-Parties
Understanding attributes of all persons and entities that participate in a company’s value chain (sourcing, supply, manufacturing, distribution, sales, financing, and disposal) is critical. Knowing all the key players helps compliance staff assess the risk related to financial or trade activities.
The following assessment factors are further detailed by the European Union’s Fifth AML Directive and Correspondent Banking Due Diligence Questionnaire and include: understanding vendor and third-party risk along a company’s value chain; assessing sourcing risks to ensure ethical materials and labor practices (anti-human trafficking and child labor); designing external compliance touchpoints with customer experience in mind; establishing defensible documentation and risk-classification standards that are addressed throughout the customer lifecycle; incorporating a risk-based and integrated process, appropriate controls, management of relationships, and review of appropriateness of transactions to third-party due diligence practices; conducting periodic and event-driven profile updates; capturing customer and vendor offboarding trends, then tracing those causes back to governance decisions; and identifying and reviewing ultimate beneficiaries of funds, goods, or services.
Identifying behaviors that indicate suspicious or illicit activity provides context to compliance detection functions, which should factor in the following proactive steps: capturing transactional (sales, finance, contracts, etc.) information that identifies remitters, beneficiaries, intermediaries, jurisdictions, currency, financial instruments, frequency, payment structure, purchase order details, and purpose; creating monitoring and alert rules to capture activity identified in the company’s risk assessment; tuning those rules as often as risk profile changes warrant; applying statistical and risk-based approaches to transaction monitoring to reduce the waste of staff time and errant reports; and conducting periodic gap analysis of transaction monitoring systems in order to identify concerning activity that is not being captured.
Investigations and Reporting
When something goes wrong, and it will, having a clear, independent, and expedient resolution and report process is essential in mitigating punitive or other regulatory enforcement measures. That high-level process should consider: conducting effective investigations and applying thoughtful root cause analysis of misconduct; ensuring investigative staff possess the appropriate experience and skills to conduct meaningful investigations; applying timely and appropriate remediation to address the root causes of misconduct; communicating results of investigations with staff; and incorporating lessons learned into the compliance framework and training.
Follow-up from investigations may be considered equally important from a defensibility and liability standpoint, so the ensuing reporting processes should be accurate and meaningful to the recipient. Voluntary Self Disclosures (VSDs) submitted to regulatory agencies should be complete and address the root cause of compliance failures. Prompt responses to law enforcement inquiries must include accurate and timely information. Finally, reports such as SARs and CTRs that are well-written, complete, and comprehensive enough to assist law enforcement agencies in pursuing illegal financial activity are some of the most important outputs from civilian anti-financial crime programs.
2020 may be another year of legislative activity that further prescribes the compliance requirements for mature and emerging industries. However, it may also be a year when the enforcement actions and penalties are significantly increased if regulators feel that compliance priorities have been communicated and detailed expectations have been appropriately set.
Increased global connectivity has definitely led to an uptick in cross-border transactions in the past decade. The technology, heightened awareness, and legal backbone required to detect and address illicit activity, international and domestic, have followed suit to some degree. This environment creates a new set of risks for companies that fail to assess, implement, improve, or scale their compliance programs in response to their specific business operations. Failing to have a proper roadmap or misunderstanding the rules of the road will likely serve as poor defenses against regulatory and legal inquiry.
Mike Carter is a senior leader in the area of financial crimes, which includes anti-money laundering (AML), counter-terrorism financing (CTF), sanctions, fraud, bribery and corruption. He is a Project Management Professional (PMP), a Certified Anti-Money Laundering Specialist (CAMS), and Certified Fraud Examiner (CFE) with over 15 years of experience providing organizations with advisory, performance improvement and operational and organizational leadership.
Bobby Lowe is an expert financial crime consultant in Washington, D.C. He deals with a variety of global regulatory and compliance issues across multiple industries from a law and regulatory perspective. He possesses a Juris Doctorate and has worked on multiple high-profile compliance remediation projects.