Episode 12: Jim Richards
AML Talk Show host Stephen Platt with guest speaker Jim Richards, Principal and Founder of RegTech Consulting and author of “Transnational Criminal Organizations, Cybercrime, and Money Laundering”.
AML Talk Show Hosted by Stephen Platt
Transcript
Good afternoon and welcome to this KYC360 AML Talk Show with me, Stephen Platt. I hope that you are all keeping well and doing what you can to ensure that there is no second wave. Today, I’m very excited to be joined by Jim Richards, principal and founder of RegTech Consulting. Jim is a well-known expert and commentator on anti-money laundering issues. He has a very varied and interesting background. He started life as a police officer, then became an assistant district attorney. And then crossed the Rubicon to become global head of AML at Bank of America, before becoming the BSA officer at Wells Fargo, in which position, he was in between 2005 and 2018.
Jim also wrote a book entitled, Transnational Criminal Organisations, Cybercrime, and Money Laundering. So as you can see, he has a wealth of highly-relevant experience. And I’m excited to have the opportunity to talk to him. Jim is talking to us from just outside of San Francisco. So it’s pretty early there for you Jim. So welcome and thank you very much for taking the time to talk to us today. How are things are well?
Things are well. Thank you, Stephen. And thank you for that kind introduction. I appreciate the commentator rather than agitator. Because I feel like I’m a bit more of an agitator now that I’ve left the corporate life behind me and I’m working on my own, trying to help clients.
Well, that’s good to hear. Any good quality commentator should be engaged in a bit of agitation, I always feel. So It’s good to hear that. Now Jim, I want to get straight into it because there is a lot of ground that I want to cover with you today, drawing on your experience in this field, in the public, and the private sector. And I’ve read several of your articles in the past, and I know you feel that within industry incentives are… How can I put this? Misaligned. Which means that resources are too.
It seems to me that you’re very keen on increasing, I guess, what I would describe as AML-effectiveness. But what I want to discuss, initially, is what you think AML-effectiveness should look like. What should the overriding objective of all of this effort that goes into this thing called anti-money laundering be? Is this about hygiene factor? Is this about furnishing law enforcement with great quality intel? What’s your view of what we should all be driving towards here?
Well, I think you used the phrase, the actionable intel, and I think that is it, Stephen. Really, and very simply, providing timely and actionable intel to law enforcement is the key. Let me point in the excited States of America, we have the BSA/AML examination manual. It’s a 400-plus-page manual. We’ve had six versions of it and a couple of smaller edits of it from 2005, all the way through April of this year. And it is what the examiners use when they come into examine a financial institution for compliance with the regulatory requirements.
And on page seven of that manual is a quote and it says, “A sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing.” I have argued, in public and in writing, that that is false. I don’t believe a sound program is critical in deterring and preventing money laundering. I think providing timely and actionable intel to law enforcement is critical in deterring and preventing money laundering and terrorist financing. And a sound BSA/AML program provides the foundation for being able to do so.
I think that might be a subtle shift, but I think it’s a very, very important shift. Because we are being examined on how we do our jobs but not on how well we do our jobs, if our job is to provide timely and actionable intelligence to law enforcement.
Oh, that’s a really fascinating point of view actually. Isn’t it too much of an ask to expect supervisors to be able to qualitatively assess the output or the value of intel that’s provided by an organisation to law enforcement as part of their job in determining whether or not that foundation is being laid correctly by the organisation?
Yes, I think you’re absolutely right. It is very difficult for prudential regulators to make that determination. However, they’re not even asking the question.
Sorry Jim. Is it a question that can be fairly put to a regulated entity when they’re not really in a position to be able to evaluate what the value of the information they provide to law enforcement is?
It’s not a fair question to ask them today, but I think it could be a fair question to ask them tomorrow. I’ve written about this. I call them TSV-SARs or tactical and strategic value SARs. Because right now, we, we being the industry, and 2019 in the United States, there were 2.75 million suspicious activity reports filed. And those were filed with law enforcement. But we don’t know whether they were used by law enforcement. Or which ones were used by law enforcement, how they were used by law enforcement.
And so I’ve proposed that we all sit down together and figure out a way that we could get law enforcement to provide feedback to the industry on whether the SARs that are being filed have tactical or strategic value.
Yes.
Right? With that… And it could be a simple way of going into the… They get the SARs from the FinCEN database. When they get them, they could say, yes, it was a good one, or no, it wasn’t a good one, or nobody accessed it, nobody used it. There is a technological way that we could get this done. We could focus on the biggest filers, because we do know from some recent information we got back from FinCEN that, for example, the 11 largest banks in the United States average about 84,000 SARs a year each. That’s one every 90 seconds. Half the banks file less than nine per year, on average.
And so, even if you just focused on the 10, 15, 20 largest filers, you would account the 80/20 rule, right? You would account for 80% of the SARs from 20% of the filers. And you could provide those entities with feedback on whether their SARs have tactical or strategic value.
Now, the other thing I would do is, right now, banks can get public enforcement actions against them in situations where there has been no undetected or unreported suspicious activity of money laundering that occurred through the institution, so that they just had program violations, documentation violations, whatever it was, but there were no allegations that there was any money laundering that went through the institution. I would also propose that in order for a regulator to publish a public enforcement action against an institution, that action would include a statement on the effectiveness of that institution’s SAR filings.
Yeah. Okay. So this is really genuinely very interesting, this discussion. I see the value in what you’re saying about assessing whether or not a SAR has tactical and strategic value. You’ll know, Jim, of course, that the value of a SAR is often not evident straight away. It can take some time for a SAR combined with subsequently disclosed intel to really reveal its true value to law enforcement. But that doesn’t necessarily undermine the point that you’re making. Because, your point is calla tasks net canty tasks. What we want is we want. We are all interested in quality not quantity. And what you’re essentially saying is that we’re never going to drive the quality of the output unless we implement some sort of effective feedback loop mechanism, that’s essentially your point.
And actually, when you think about it, given the amount of investment that is made by industry, by law enforcement agencies, et cetera, et cetera, on AML and SAR reporting, an effective feedback loop mechanism is conspicuous in its absence. You look at other industries and everybody’s got a vested interest in improving outputs. And so they all use feedback loop mechanisms. Why don’t we use those in the AML world?
Exactly. Right now, we’re spending a ton of money and there’s a lot of attention being placed on artificial intelligence and machine learning. Both of which require that feedback loop. And right now, if you equate a bank filing a SAR to an automobile company making a car, it’s irrelevant how many cars that company makes. It’s just irrelevant. What’s relevant is how many they sell. And whether those are good cars, whether they last, if they have quality.
Right now, we’re still at the stage where we’re deploying all this artificial intelligence against the SARs that we’re manufacturing, not the SARs that we’re selling, not the SARs that law enforcement is buying and finding to be useful. I think that’s just flat out madness.
When you engage in dialogue with law enforcement agencies about this, what sort of response do you generally get, Jim? Is there an acknowledgement on their part that this has value? And if so, why have we not seen change?
I don’t know why we’re not seeing change. But to answer your question, when I talked to law enforcement, they would love for us to be providing them with really good, effective SARs. They have no interest in plowing through the, I think it’s 5,500 SARs a day, or something like that, that are filed.
For example, there’s 314A in the United States. And that’s the public private information sharing regime, where if the public sector law enforcement has probable cause to believe there’s money laundering or terrorist financing, they can take those names, they feed them through FinCEN, who gets them out to the industry. Industry then has to respond whether they have that person or entity as a customer, or have transacted with them. And get that information back to law enforcement. Then if law enforcement wants to continue, they’d extend a grand jury subpoena and off we go.
That’s about a 95% true positive regime. And yet what we’re currently doing, which is a monitoring regime that we’ve had in place for 25, 30 years, is 95% false positives. And so law enforcement is greatly interested in targeted more specific work. And I think by a better way of doing the SARs, we could provide that to them. They want that. And I think everyone’s trying to figure out a way to do it. And I’ve proposed a couple of ways.
There are skeptics out there that say, look, ultimately, the paymasters of law enforcement are less interested in the precision and quality that you’ve referred to, and more interested, actually, in sort of general intelligence gathering on the path of the state, of which high volumes of SARs is an important component. Do you think that’s unfair or do you think there’s something in that?
Well, I think the very nature of a SAR doesn’t lend itself to a large sort of dump of data over to law enforcement. The currency transaction report is closer to what you’re talking about there. It is a single transaction, multiple transactions, aggregating to more than $10,000 by or on behalf of the same person. That could be a data dump. That could be a straight-through processing type of a situation where no human being has to touch it in a financial institution, and the data is then dumped into the lap of law enforcement in the federal system.
But a suspicious activity report, by definition, is a trained investigator has a suspicious feeling about something, or a series of somethings, that takes human intervention. I really think that those need to be more focused. Instead of 2.75 million of them, there probably should be about 750,000 of them, but really good ones, really effective ones.
Do you think, Jim, that this massive volume of poor quality data that’s being reported by industry to law enforcement is just one component of a wider problem in the sense that industry itself is deluged with low quality data that it’s compelled to collect from and about its customers? We see industry just drowning in data held in unstructured formats across lots and lots of datasets. They can’t get their arms around it. And so, we see… If you look at this from the position of cradle to grave, from the establishment of a customer relationship, all the way through to a point in time when a suspicious activity report is made about that customer, it is characterised by excessive poor quality data and a huge amount of wasted effort. Would you agree with that or not?
Yes. The data piece is so critical. And I think it doesn’t get the respect it’s due. I’ve said it a couple of weeks ago at a conference that AML is 80% due diligence and 50% clean data, to paraphrase Yogi Berra, an American baseball player. The clean structured labelled data is so absolutely critical to everything that we do. Most of the bigger banks, their data is really sloppy. It’s unstructured. It’s all over the place. And it’s getting clean, consistent labelled data allows you then to drive your due diligence to truly understand who your customer is. Not just the customer that’s facing you, but the total entity of the customer. And with that, you can then do the monitoring and surveillance that you need to do and have better reporting. But the clean data pieces is so so critically important. And banks aren’t very good at it, frankly.
Yeah. Can I explore with you why that is? We are living in an age now where the world’s most-valuable companies are data companies, right? Facebook, Amazon, Microsoft, whatever. As a human race, we are actually… We can be good at this. We’re good with data, we’re making incredible things happen with it. And building enormously successful businesses on the back of that. It’s difficult to reconcile that with the data landscape in many tier 1 banks that make billions and billions and billions of dollars in profits every year. How on earth have they not got to grips with the data challenge, given the resources that are at their disposal?
Well, they’re the product of their history. Right? You take any large bank and they’re probably the product of seven, or eight, or 10, or even more mergers and acquisitions. They’ve bolted on an insurance group. They’ve bolted on a broker dealer. They’ve bolted on an investment bank. And when I say bolted on, they truly have. They’ve just sort of put them together. And the underlying systems are a little bit different and they have all of this legacy data. And getting an enterprise customer risk rating is dependent on not having an enterprise view of the customer. And that is very difficult in larger legacy institutions. Across the depth and breadth of the institution, it’s very, very difficult to really put it all together.
We saw that in the financial crisis of 2008. What came out of that was an effort by the G20 to create the global legal entity identifier. And that hasn’t really taken off. It’s been around for about eight years now. And I think there’s only about 1.5 million of those that have been issued around the globe. They were thinking there that we couldn’t easily track co-dependencies amongst borrowers and guarantors, et cetera, et cetera. And that was across financial institutions across jurisdictions. And we can’t even do it within a jurisdiction or within an institution at this point.
It is incredible. I, perhaps unfairly, have a tendency to judge an organisation’s commitment to AML through its willingness to address the data challenge that you and I are talking about. Because, if you don’t address that data challenge, frankly, your AML effort is never going to be up to scratch. If you can’t in, real-time, wrap your arms around all of the data pertaining to a customer or group of customer relationships so that in real-time you can understand the risk exposure, or the risks that are inherent in that relationship, given that the technology exists for you to be able to do that, I doubt the seriousness with which you’re taking the management of this risk. I might be being unfair, but that’s the way that I look at it. I think it is absolutely imperative for organisations to really begin to address this data challenge.
No, you’re right. One of the ways that I will and have sort of judged an institution is to take a look at what they’re doing on the marketing and credit sides versus what they’re doing on the AML side. Because, in my view, I’d love to have somebody prove me wrong on this one, I don’t believe there’s anything that you would not ask someone or a prospective customer or client, from a credit perspective, that you wouldn’t ask for AML.
Yeah. Right.
Where’s your source of funds? What’s your source of wealth? Who’s your guarantors? Who owns your company? All of the questions you would ask someone you’re going to lend $10 million to, you’d ask those same questions for AML. And yet we’re more than happy to gather that information, ask clients that information related to credit, but we’re not so happy to do it for AML. I would always say, go to your credit folks, find out what you’re asking for and getting today, how are you recording it? How are you storing it? And I said, you’re going to be 80% to 90% of the way there for AML.
Yeah. That’s, I think, a really good tip. Obviously, as an industry, we spend way too much time crunching through data. The reality is that criminal organisations are getting more and more sophisticated in their use of technology. And I worry that frankly, they’re pulling away from industry. The gap is widening. What’s your view on that, Jim?
Well, it is. And I think it always will be a widening gap. If I was a MLRO or BSA officer at a large institution and I wanted to deploy a new technology of some sorts, I’d have to get it proved from a funding perspective, we’d have to test it in a pilot environment. Then once we got it into production, we would have to have our model validation. People do all of their work. I’d be audited. I’d be examined, et cetera, et cetera. I mean, you’ve got the baggage of managing the management of risk management. The bad guys don’t have that. Right? They want to deploy a new methodology, a new scam, off they go. And they don’t have to worry about testers, and model validation, and auditors, and examiners. So will always be running behind.
Yeah. I see that. Now, one area where there is, in my experience, quite a lot of meaningless data crunching and a lot of wasted effort is around false positives generated by what I would describe as legacy screening systems. But ironically, some organisations seem to me to regard false positives as a security blanket, because they’re a little bit fearful of the regulator response. They’d rather demonstrate that they’ve waded through all of these false positives than risk what they perceive as missing true matches. I wondered whether or not you had a view on that?
Oh boy! Do I ever have a view on that? The false positive ratio is, first of all, we are looking at alerts to SARs or alerts to cases and cases to SARs, et cetera. We’re still not going back to alerts to tactical and strategic value SARs. Right? So we’re measuring the wrong thing when we’re measuring false positive ratios. That’s my first point.
Second point is, the false positive ratio problem might be as much a regulatory problem as it is a technology problem. Because you are deathly afraid of missing something, so you will over alert. Because it’s more regulatory risk than it is financial crimes risk. I’ve asked BSA officers, et cetera, and said, okay, if you weren’t concerned about missing something and being jammed up by your regulators, would your false positive ratios be different? And the answer is absolutely. We could focus more on sort of precision recall analysis. We could do a lot more like that. But frankly, we’re just going to run our systems so that we over alert because we can’t afford to miss anything. Because you get criticised for missing something and failing to file a SAR. You don’t get credit for filing a really good one. There’s no upside. Right?
Yeah. Very interesting. To what extent, generally, Jim, do you think that some of the failure, AML failure, that we see in industry is a product of the structural defects that we’re talking about now?
Well, if structural defects and… Again, I know the U.S system better than I know others. And I’ve called it the clash of the titles. And that is, in the U.S we have essentially four titles of the U.S code that governed BSA/AML broadly. And the first is Title 12, which is Banks and Banking. That’s where the Prudential regulators, the OCC, the federal reserve, the FDSC et cetera. That’s where they get their legislative power and their regulations come from. And it’s a safety and soundness regime.
And then Title 18 is Crimes and Criminal Procedures. Those are the money laundering offenses, et cetera. And then Title 31 is Money and Finance. That’s where the bank secrecy act is. And you’re having to balance those three things, but it’s particularly Title 12 and Title 31 that regulators that are examining. You were focused on Title 12, which is Safety and Soundness. They’re not focused on Title 31, which is Providing Timely, Actionable Intelligence to Law Enforcement.
That’s very interesting indeed. Let’s move on Jim, if we may, to talk about something even more topical, which is obviously COVID-19 pandemic lockdown and so on. This is a health crisis that has clearly caused a significant change in economic behaviour on the part of lots of FinServe customers. Part of the answer to some of the issues that we’ve already discussed lies in technology, but how do RegTech solutions, particularly AI solutions, cope with this sort of changing customer behaviour? Because a lot of activity, which appears to be unusual activity now, isn’t unusual when it’s viewed through the prism of a crisis.
For example people who, for the first time, elderly people who may be accessing online banking services for the first time, or people who are no longer going to the shops, but engaging in more and more online purchases. How does it assist them? How does a RegTech solution contextualize that activity such that it is able to still add value from an AML perspective?
Well, we don’t know yet, I don’t think. And I’m not trying to sort of punt an answer here. But I think the focus in the last few months that financial institutions have had is really a focus on fraud, rather than AML. Fraud is an objective offend if you know what’s happened, money has gone where it shouldn’t have gone. And I think the AI-type systems have been able to adapt quite well from a fraud perspective. AML, I think, is going to be a little bit more difficult. Because we do that in arrears. Right? We’re looking at April’s transactions in May and June. I’m not sure how well we’re going to be able to manage through it.
As I talked to some clients of mine, they’re seeing both the numerator and the denominator really vary an awful lot. The numerator being the alerting and the denominator being the transactions, the volumes, the velocities, the types of transactions. And so, both of those things are changing faster than the models have ever been able to accommodate. And AI and machine learning, you can do a lot of really good things faster and better, but you can also make bigger mistakes faster and better with AI and machine learning. And I think that’s the real danger. Is we’re going to be making bigger mistakes faster because what was normal is no longer normal. It’s going to be very difficult to work that through in the AML side.
Yes, that’s really interesting. Just following on from that, you refer there to transaction monitoring systems. Putting COVID-19 aside, what’s been your experience of transaction monitoring systems? Do you think they work? This is a discussion I have with lots and lots of people who seem to think that an effective transaction monitoring system is Nirvana. I, frankly, I’m yet to be convinced. I’ve not yet seen one that I have felt has worked as well as I would have liked. What’s your view and your experience of them, Jim?
Well, I am on the record saying transaction monitoring has never worked. I don’t think it ever will work. It’s a very blunt instrument. It’s single bank, generally, with bad data, operating from a place of regulatory fear. There’s no context to what is being looked at. It is transaction monitoring. I’ve advocated for what I call relationship-based inter-action surveillance. It’s very, very different than simple transaction monitoring. Rather than looking at a customer, you look at the total relationship. Rather than looking at transactions, you look at all inter-actions, which include transactions that the customer is doing.
And then monitoring versus surveillance, surveillance is contextual and monitoring is not contextual. And context is so critical in this. But the key piece there, the key difference, Stephen, is this concept of inter-actions versus just transactions.
That’s very, very interesting. Are you able to give us an example of that? Can you provide us with an illustration, Jim, of how that might play out in the context of a customer relationship? Just for the benefit of our listeners.
Sure. There’s a concept that probably holds true in Europe as well, but certainly, in the United States. It’s the concept of funnel accounts. So if you think of the shape of a funnel, Southwest Border contraband comes up through a border crossing, whether it’s people, drugs, whatever it might be. And then that contraband is distributed out across the United States, it’s sold, and the proceeds that are funnelled back down through the Southwest Border.
When we look at accounts that are opened up along the Southwest Border, with cash deposits around the United States, we can see that funnel account activity based on transactions. But then when you take a look at who is accessing those accounts, checking balances, et cetera, and we can see one device with a single IP address, not doing any transactions, but it’s accessing 10 different funnel accounts, we have now found that guy who is managing those 10 funnel accounts. Not through transaction monitoring, but through interaction monitoring.
I see. That’s a really powerful example.
Because we found that there roughly… and it was odd numbers…but there would be five interactions that a person would have on their account for every three transactions. So you will check your balance, you will call in to the bank, you will log on mobile, you will log on online, or whatever it might be. You do a lot of different things before you do any transactions. And it’s those interactions that are absolutely critical.
But one other thing I’ll add there around the contextual piece of it. A lot of banks aren’t looking at the order in which your clients or customers are opening up different accounts, the types of products and services they have, and the delivery channels through which they are opening up and accessing their accounts. And if you can get all of that data and look at who you are filing SARs on and who you’re not filing SARs on, you will find very, very quickly.
And I’ll just give a quick example that anybody who opens up an in-person banking relationship, adds a home equity line or loan. And no matter what else they do will not be the subject of a suspicious activity report. It’s that one account and the order in which things are opened up, you will find that you’ve never filed a SAR on that type of customer. So it’s important to look at that profile.
There’s clearly a theme emerging in our conversation here, Jim. Which is that it’s all about quality, it’s not about quantity. And that feeds directly into where we started, which is your strong view that effectiveness is all about good quality, actionable intel for law enforcement. This is genuinely very, very interesting.
Now, Jim, you, as I said right at the outset of this podcast, you were the BSA officer at Wells Fargo for quite a long time. And Wells Fargo in common, it has to be said, with many of the world’s large financial institutions, has had its fair share of difficulties in the AML space. $3 billion settlement for being a fake account and alleged laundering for the Sinaloa Cartel and so on and so forth.
I don’t, obviously, want to put you on the spot by asking you to comment specifically on those matters because that clearly would be unfair. But I do want to ask you just more generally, when I looked at your bio and I saw that you’ve been the BSA officer at Wells for 12, 13 years, my immediate reaction to that was, wow! There’s a survivor. Because, generally, BSA officers don’t last that long. Normally, I think the average tenure might be two, three at the outside maybe four years. You were at Wells for 12, 13 years. And looking back, do you think you did right? What would you perhaps do differently if you had your time there again? Are you prepared, are you able to give us a bit of an insight to on that please?
Sure, I can. And first of all, sort of defend myself a little bit. The $3 billion settlement was a sales practices related matter. And that was in February of 2020. Which was a couple of years after I left the company. And it related to sales practices and sort of regulatory compliance and had nothing to do with BSA/AML. And the Sinaloa Cartel matter originated at Wachovia. In fact, Martin Woods was the guy that first identified the suspicious activity that was flowing through some of the Mexican related accounts. And that work led to a deferred prosecution agreement that Wachovia entered into after it had been purchased by Wells Fargo.
But I spent a couple of years helping the lawyers negotiate the terms of the consent order and deferred prosecution agreement. And then involved in the remediation of that. And both the DPAs was lifted within a year. And the consent order was lifted within four or five years. So we were able to work through those things.
But you’re spot on. As BSA officers, you’re a little bit like the captain of the bomb squad. Right? One’s going to go off, it’s just how bad is it going to go. It’s very difficult, I think, to build a program. But it’s even harder to maintain the program, and more importantly, tear it apart and rebuild it when the world around you is changed. So I think just by the nature of the job, you come in, you rebuild a program, you get it up and running, things are running great, and then you move on to the next bank before you have to tear apart the program you built and rebuild it, because of the new environment you’re operating in.
And that’s, I think, the primary reason why BSA officers, or reasons why BSA officers move as often as they do. I had the privilege to work there and be able to rebuild the program a couple of times. But also… I think what did I do well, what did I not do well? Very early on, we decided to merge AML and fraud. We had two separate groups, one doing AML, one doing fraud. We pulled them together, from a data perspective, from an organisational perspective. We went from having a job family of AML investigators and a job family of fraud investigators. And we put them together as financial crimes as one job family. Tremendously difficult to do. We merged the two groups and we found a lot of great synergies. And that worked very, very well for us.
So I think that was probably one of the best things that we were able to do. We also were running machine learning and artificial intelligence systems as early as 2009, coming out of the financial crisis, which was really fascinating. So we were able to run very lean compared to our peers, as far as the number of people looking at alerts and referrals. Because of, essentially, the genius. It was a Brit guy by the name of Grant Bailey, was the head of financial crimes analytics for me, for 10 years. I’ve often said, I think, he’s the finest AML technology mind I’ve run across. So I got very lucky there.
That’s very interesting. You referred, in your answer to that Jim, to the Wells Fargo DPA. I don’t want you to comment on that specifically. Because, again, that would be unfair of me to expect that. But, what I am interested in, is your view on the role of DPAs. Do you think they’re effective or cope up? Because they seem to fuel the accusation that AML finds it just a cost of doing business. And you went through the whole DPA negotiation and then the remediation and so on. What is your view of them having been through that?
Well, I’m torn a little bit. Because, I think they survey purpose, in that they allow the criminal prosecutors to take very extreme action against a financial institution that falls just short of pulling their charter. Because if a financial institution is convicted of a criminal offense, it can, and will, lose its charter to do business. That’s probably not… I’m sorry.
Sorry. Essentially, it’s a death sentence.
It’s a death sentence. And so, by deferring the prosecution through an agreement, it allows that institution to continue in business, but it really puts them under a bind. That said, and I’ve often said this, anything that could be fixed with money is an expense, not a problem. It might be a big expense, but it’s essentially an expense. BNP, $8.9 billion. The Wells Fargo sales practices, $3 billion. They pay the fine they move on.
And so it gets into the more personal side, are you going to go after people? And the department of justice has a manual. And in order for an institution, a business entity, to get any cooperation credit, they have to identify all of the people that were involved in, or caused the underlying activity. Which brings in the individuals. And I think that’s where people are… And I’m very, very nervous about this. Because being the BSA officer at a place for so long, you’re squarely a target when it comes to, did that person fail to do their job?
Yes. And I understand that.
Right. And, it’s very difficult, I think, for BSA officers to be targeted. The Michael LaFontaine case from U.S Bank, he was a single person that was sanctioned by, I think it was a $400,000 fine by FinCen for the five years of failures of one of the largest banks in the United States. And it’s just odd to me that you could single out one person in an institution that had egregious failures for five years.
That’s the very definition of taking one for the team. Isn’t it? Goodness me!
Yeah.
Now, you referred earlier, as well as indeed I did, to the sort of miss-selling. And having been exposed to the sort of resolution of that, is it right, do you think, Jim, that BSA officers should be as focused on internal bad actors potentially as much as they are on external threat sources like illegitimate customers?
Yes, Because I think that’s important. That’s part of the customer experience. I mentioned the order in which products and services are sold to a customer, the delivery channel through which that customer obtains and uses their products and services. And there’s also the relationship manager they have, or the banker that opens up the accounts, or the person in the phone bank, the phone system, for the company that’s speaking to those customers, changing cell phone numbers, changing addresses, doing whatever they’re doing. And so a BSA officer needs to be able to look at, are there common relationship managers, are there common bankers, is one banker opening up accounts for people that you filed 15 different SARs on.
So yes, you really need to go back. Unfortunately, you can find a lot of crime ring related activity by looking at the employee that’s touching those accounts, that’s accessing the accounts, looking at the balance on the accounts, opening up the accounts. That sort of thing. So absolutely, look at the internal bad actors… Actually, you look at all the actors to try to find the bad actors.
Yeah. And that is a critical component, or should be a critical component of an effective interaction surveillance system of the type that you were espousing earlier. Because I certainly know from my experience that a lot of toxic customer relationships do centre around the same individual internal actors. Birds of a feather do flop together. And understanding that those next, if you like, is really, really very important. So that is, I think, interesting.
Now, another area I’d like to get onto, Jim, if we may, is the sort of marijuana business, the cannabis business. Because I know that this is an area that you have been quite heavily involved in advising businesses in Canada, businesses that are doing business with marijuana-related businesses following the decriminalisation of that industry. And I suspect that as we see more decriminalisation throughout the world, a greater number of organisations will face similar challenges to those that have been faced by organisations that you’ve been advising. Have you got any tips, or pointers, or guidance that you can give our listeners outside of Canada on that industry?
Sure. MRBs or marijuana-related businesses, technically in the United States, remain illegal from a banking perspective. That’s just a full stop. You can’t, knowingly, provide banking services to a federally-illegal business. So if you are choosing to provide banking services to marijuana-related businesses, you were knowingly violating federal law. Now, whether you’re going to get caught, charged, et cetera. You can pick a percentage chance of that happening. But you’re knowingly violating federal law. So it automatically puts you in sort of the cross hairs of your regular regulators.
And so, to do anything like that, you really have to have a very, very, very robust program that your board has not only approved, but your board understands what they’re approving. They’re approving you to knowingly violate federal law. So I think unless, and until the United States federal law changes, in the cannabis marijuana space, I would still, unfortunately, advocate that you not knowingly provide financial services to marijuana-related businesses.
That said, it’s very, very different to knowingly provide investment advice, or insurance products, to a marijuana-related business. It’s very different than providing cash management to those businesses. All of that said though, we all are aware of the cash-intensive nature of these business, and it doesn’t do anybody any good on the street level to have that amount of cash flowing around. So we’ve got to find a way to get as much of the cash as possible out of the system.
But we’re not going to get it all out, it’s always going to be a cash-intensive business, as our casinos, as our restaurants, et cetera. I think there’ll always be marijuana-related businesses, and will always be high-risk. And I point to money services businesses in the United States, which are federally legal, federally licensed, state licensed financial institutions. And yet 15 years later, they’re still considered high-risk businesses for banking. So even if things change, I think we’re going to have to have robust onboarding, robust monitoring and surveillance of those businesses in order to work with them.
Very interesting. What’s your experience of the attitude of businesses towards this? Clearly, there is a risk because there’s a risk that you’re going to, as you say, breach federal law. Are you seeing businesses, nevertheless, engage in a calculation, which is, look at the chances of this actually facing any enforcement action, even though it is a breach of the black letter law, is so slim that we’re going to do it anyway? Is that something that you’re seeing or not?
We’re seeing it. FinCEN publishes quarterly statistics on the number of financial institutions, it’s actually banks and credit unions, that are filing suspicious activity reports, that are sort of marijuana-related suspicious activity reports. And although FinCEN hasn’t published anything since last December, they’re saying it’s about 700 institutions that are filing marijuana-related SARs. But when I talked to the people in the industry, we believe it’s about 40 banks and credit unions around the country, out of roughly 10,000 that are knowingly actively banking cannabis-related businesses, and have programs to do so.
And what’s interesting, there’s only about two or three of them that are promoting it. That are sort of public information. And they’re out there saying, yes, this is what we’re doing. A lot of them that… And I’ve counselled a couple of them. They’re not advertising it. They don’t want people to know that they’re in marijuana bank. But they’re doing it anyway.
That’s interesting. Jim, the last area I’d like just to cover off with you, if I may, is a real hot button topic. Which is beneficial ownership. There are a lot of folks in the UK that are, rightly in my view, critical of Companies House. In fact, on KYC360 today, we’ve got a big piece on how hundreds of thousands of UK companies are able to, essentially, avoid or evade the AML rules. But in the United States, you don’t even have the equivalent of Companies House. What’s your view on that, having seen it from both sides of the fence?
Well, it’s… You’re actually very lucky to be able to criticize Companies House because you’ve got a Companies House to criticize. As you say, in the United States, incorporation of the creation of legal entities in the United States is done on a state by state by state basis. And at last count, I think it was three out of the 50 states, even bothered to ask for any sort of beneficial ownership information, and none of them maintain it. So it’s not current accurate verifiable information.
I think it’s… Ken Blanco, the director of FinCEN, has said this, Steve Mnuchin, the Secretary of the Treasury has said this, the lack of a requirement to collect and maintain accurate, beneficial ownership information and the lack of a central registry to gather it all and to be able to use it, is a matter of national security in the United States. It’s a failure of the United States. And it is. We’ve been criticised in every mutual evaluation we’ve had with the FATF. That has been a failure on the part of the United States.
The last mutual evaluation that was done in 2016, the U.S created the beneficial ownership regime in order to get through that evaluation. And they still didn’t get through it very well. But the failure to have a central registry, the failure to be required to provide that information, I think is a foundational, fundamental gap in the American regime. And the American regime will never be effective, unless we have it. It’s like trying to make an omelette without eggs. Not having a Companies House or the equivalent, is like trying to make an AML omelette without eggs.
What are the chances do you think that in the next five years this flaw will be addressed?
Oh, making predictions about the future is hard, right?
Yeah.
I think we’re going to have to have. We’re going to incrementally get to something like that. I don’t know if it will be the equivalent of Companies House. But we have to have a regime where we understand who the beneficial owners are, of legal entities, including trusts, or the controllers, certainly, of the trust. And without which, we will always just simply be tilting at windmills. The chances, I put them at 50/50, if that’s a bit of a cowardly prediction, but…
Yes. Very, very interesting. Well, look, Jim, we could talk for much longer. But we’re, I’m afraid, up to our time limit. I can only speak for myself. But I think that that was a really, really fabulous conversation. I enjoyed it enormously. And enjoyed your perspective on lots of important issues. And I’m sure that our listeners have as well. So thank you very much for taking the time to share your experiences and your thoughts with us. And for being so open.
I hope that you, as listeners, have enjoyed it. And I would encourage you to visit Jim’s website, www.regtechconsulting.net, to learn more about Jim and how he could possibly add value to your organisations. If you like, what you’ve heard today, please do spread the message about KYC360 and the AML Talk Show. This recording will be available as a podcast on KYC360 and many other platforms from tomorrow morning.
Our next podcast will be with an old friend, Jack Blum, who I had the pleasure of interviewing just a couple of months ago. But, who in light of the tragic death of George Floyd, I’ll be talking to again, about whether the war on drugs in the United States is a war on the black community. And that should, indeed, be a fascinating and indeed timely conversation. So I hope, very much, that you will be able to tune in for that one next Friday. For now stay safe. Thank you. And goodbye.
Count this content towards your CPD minutes, by signing up to our CPD Wallet
