EXPERT TALK
MONEY LAUNDERING AND REGULATORY TRENDS
By Hala Bou Alwan
Many organizations across the MENA region are seeking to bring
their compliance policies in line with international best practice.
Globally, corporations and financial institutions are changing their
approach to compliance, which has evolved from a standalone
task to an integrated and complex function that incorporates
legal, risk, operations and tax. At the centre, strong controls and
processes are required to manage what has become a complex
corporate function.
With growing economic integration, companies will be increasingly
exposed to the risk of financial crime and regulatory censure.
Regulatory fines have increased dramatically and now run into
billions of dollars. Personal liability of senior executives has also
increased.
Business and finance houses in the MENA region will not only
face more and more of these challenges as time goes by, but
will also increasingly be impacted by the effects of international
developments in regulations, enforcement actions and other
trends.
The pressure on the compliance function will only grow, and
compliance officers should, where they can, take a long term view
to future-proof their policies.
Looking ahead, there are four identifiable trends in Anti-Money
Laundering (AML) and regulatory compliance that are interesting
to note.
INCREASING DEMANDS ON COMPLIANCE RESOURCES
The incredible growth in regulation to reduce financial crimes such
as money laundering, terrorist financing and corruption has been
driven by a range of initiatives from the G20, increased awareness
among regional financial regulators as well as the requirement
to meet the demands of US and EU legislation such as the US
Foreign Corrupt Practices Act (FCPA), and the UK Bribery Act
(UKBA). The global regulatory environment will continue to
increase in complexity.
We see, for example, the trend towards increasing tax legislation
with extra-territorial reach to reduce evasion. The Foreign
Account Tax Compliance Act (FATCA) is a US regulation aimed at
preventing tax evasion by US citizens and the latest transnational
The views and opinions expressed in this paper are those of the author and do not
necessarily reflect the official policy or position of Thomson Reuters.
legislation to fundamentally change the compliance landscape.
It applies to Foreign Financial Institutions (FFIs), which include
banks, mutual funds, hedge funds, insurance companies, trusts
and Islamic finance structures. The Act requires FFIs to identify
US customers and provide the US Internal Revenue Service with
information on customer assets, income and trade flows.
FATCA came into effect on July 1, 2014 and its fundamental
impact has been to increase the compliance burden even further,
requiring deeper due diligence during Know Your Customer
(KYC) procedures. While the increased administration necessary
to expand AML controls to meet these requirements is not
insubstantial, getting on the wrong side of US regulatory enforcers
is not a good idea. Lebanese Canadian Bank was flagged as a
‘prime money laundering concern’ by the US OFAC in 2012 for its
involvement with various criminal organizations – a development
that ultimately led to the demise of the bank.
FATCA represents the vanguard of a raft of similar tax disclosure
legislation from a range of countries. China recently announced
their intention to develop similar legislation and in early 2014
the Organization for Economic Co-operation and Development
presented the world with the Automatic Exchange of Information
(AEOI). Developed in conjunction with the G20 countries, the
AEOI is a common global standard for the automatic exchange of
tax information between countries and has quickly been dubbed
GATCA, for Global FATCA. KYC procedures are the first line of
defence and are particularly well established in most financial
institutions given the increasing risks associated with doing
business with the wrong customers.
But, as FATCA has demonstrated, the requirements for gathering
information on new and existing customers, and reporting these,
will become more onerous as legislation continues to develop.
Financial institutions are already required to conduct
research and profiling on customers today that would have been
considered due diligence a few years ago and the concept of
enhanced due diligence is now firmly entrenched in customer
onboarding processes.
While MENA financial institutions typically display fairly
sophisticated KYC programs – particularly in their use of
EXPERT TALK | TITLE
technology – levels of training for the personnel administrating
the KYC processes and controls is a concern.
This is especially true given the importance of the KYC process to
effective governance and compliance processes. The continuing
increase in the complexity of the regulatory environment requires
KYC processes to deepen and advance to meet these needs.
THE NEED FOR INCREASED DATA SECURITY
Cybercrime is a rising global concern and the rapid increase in
cyberattacks is driving the need to ensure that IT systems and
security are adequate to prevent and detect unauthorized access
and data breaches.The theft of personal information from nearly
80 million customers of US health insurer Anthem in February
2014 again highlighted the serious reputational and financial risks
facing firms from cybercrime. And the trend has not escaped the
attention of international regulators, with the US Securities and
Exchange Commission and the Bank of England highlighting their
concerns and initiating testing protocols to ensure the adequacy of
financial sector defences against cybercrime.
The MENA region has a higher penetration of mobile devices
than most other parts of the world. This broader access through
smartphones, tablets and laptops provides a wider range of
opportunities for cybercriminals to access personal information
and company systems. At the same time, governments are
moving more services to the web and financial services companies
are developing their online presence to match the demand for
anywhere, anytime access.
Already there have been many cases of cyber security breaches
within the MENA region. The 2012 attack on Saudi state oil
producer Saudi Aramco demonstrates the extensive damage that
can be caused by such attacks, with more than 30,000 computers
affected and the company’s network shut down for over a week.
While some websites are hacked to make a political or social
statement, most cybercriminals are motivated by financial gain.
In a cyberattack in 2013, for example, criminals stole US$40
million from the Bank of Muscat in Oman and a further US$5
million from RAKBANK in the United Arab Emirates. Given the
interconnectedness of the international financial systems, the
controls in place are only as good as their weakest link – in the
Bank of Muscat and RAKBANK attack, the hackers gained access
through the third party transaction processors of the banks.
One benefit of the high profile cyberattacks in the region is that
awareness at board level tends to be high. As with all governance
concerns, tone at the top is critically important and a consideration
of the risks posed by cybercrime must be part of strategy and top
of mind in board discussions.
‘…barriers to entry are low in cyber space and attacks are
readily scalable. Low level attacks are now not isolated
events but continuous. Unlike physical attacks that are
localized, these attacks are international and know no
boundaries. As it changes and multiplies cyber is elusive,
hard to define and to measure. But it is clear that the risk is
on the rise and a growing cause of concern to industry and
authorities alike.’
THE NEED FOR A STRONG CULTURE OF COMPLIANCE
A recent survey of compliance professionals in the MENA regions
revealed that 60% of respondents had experienced a substantial
rise in the cost of compliance over the past two years, another 60%
expected regulatory change to continue at its current pace, but
only 50% had faith that their compliance policies were effective.
It is clear that compliance departments are being overwhelmed
by the increasing speed and complexity of regulatory change.
Building a robust culture of compliance can be an effective
method of increasing the efficacy of compliance policies without
the need to increase compliance resources.
The guidance from the most active and highest profile
enforcement agencies globally starts with the ethical culture set
by an organization’s leadership – the so called ‘tone at the top’.
This requires leadership to act in a way that is congruent with
the company’s ethical aspirations and emphasize the necessary
attention to compliance through their actions.
This culture of compliance is embedded into the company
through ongoing training and awareness programs that
communicate clearly the company’s zero tolerance approach
to unethical behavior. Compliance-specific training for relevant
personnel is also crucial, as is training of senior management
and board members to ensure that they stay abreast of the latest
developments and understand their responsibilities arising from
those developments.
A strong culture of compliance is also essential for companies to
be able to understand, assimilate and implement the necessary
procedures that flow from the rapidly changing compliance
landscape. By ensuring that every person grasps the importance
of an effective compliance function and their role in compliance,
companies are better able to manage the risk that arises from
regulatory overload.
BUILDING A SKILLED AND DIVERSE WORKFORCE
FROM THE BOTTOM UP
The development of the MENA economies has been rapid and
compliance skills are often in short supply in particular areas,
which makes it all the more important that business leaders
take a long-term view and invest in the development of these
 EXPERT TALK | MONEY LAUNDERING AND REGULATORY TRENDS

increasingly critical skills. It is likely that competition for scarce
skills will increase and companies will have to become more
self-reliant when creating the skills base that is required to meet
the increasing compliance challenge. The complexity of many
regulatory demands will at times require innovative responses,
and this is best served by an inclusive and diverse workforce,
especially in the top level of management. To support long-term
diversity outreach, recruiting and retention, it is necessary to create
the infrastructure that supports it.
While companies continue to increase spending on compliance
there is a concern that much of the spending is allocated to
technology and processes rather than training.As local, regional
and international regulatory frameworks continue to align and
develop, effective training programs will be essential to ensure
that employee knowledge and skills are in place and continually
developed to sustain a robust compliance framework.
Training will not just be limited to the employees directly
responsible for implementing the controls – it is critical that top
management and board members are informed about the risk
areas. This will ensure that they understand their obligations
under local and international legislation, communicate the
necessary zero tolerance culture and ensure that adequate
resources are allocated to addressing the key areas.
LOCAL BUSINESS NEEDS TO TAKE A GLOBAL APPROACH
TO COMPLIANCE
While the unique characteristics of the MENA countries create
a vibrant regional economy, companies no longer operate in
isolation. Local companies have to stay abreast of international
developments and ensure that they have the necessary policies,
processes and controls in place. Regular assessment of
governance processes – both through internal review and the use
of external authorities where necessary – is important to ensure
compliance, as is benchmarking against best practice.
The effectiveness of any system is ultimately only as good as the
people implementing it. This is no less applicable to compliance
systems and an ongoing commitment to effective training and
skills development will be essential to address the increasing
demands of the evolving international regulatory framework.

AUTHOR BIO:
Hala Bou Alwan is a governance, risk and compliance expert in the advisory and education division.

RISK MANAGEMENT SOLUTIONS FROM THOMSON REUTERS

Risk Management Solutions bring together trusted regulatory, customer and pricing data, intuitive software and expert insight and services – an unrivaled
combination in the industry that empowers professionals and enterprises to confidently anticipate and act on risks – and make smarter decisions that accelerate
business performance.

For more information, contact your representative

or visit us online at risk.thomsonreuters.com
© 2015 Thomson Reuters  GRC03246/7-15