Matis Mäeker
Andre Nõmm
Copyright © 2020 Matis Mäeker, Andre Nõmm
All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise, without the prior permission of the publishers, except in the case of
brief quotations embodied in critical reviews and certain other non-commercial uses
permitted by copyright law.
www.amlcompliancebook.com
amlcft.publishing@gmail.com
“Life is really simple, but we insist on making it complicated.”
– Confucius
Contents
Title Page
Copyright
Epigraph
Disclaimer
Introduction
I. The senior management carries the AML/CFT culture
II. The main principles of AML/CFT compliance
III. AML/CFT compliance framework
IV. Requirements for the AML/CFT employees
V. Business risk assessment
VI. Compiling the rules of procedures
VII. AML/CFT data quality
VIII. Customer due diligence measures
IX. Ongoing due diligence and customer relationship monitoring
X. Employee training
XI. Cooperation with the financial supervisory authority
XII. Cooperation with the financial intelligence unit
XIII. The role of the internal audit
XIV. It is not only about financial institutions
XV. AML/CFT crisis management
Appendix 1 – ‘Papers’ and ‘Laundromats’
About the authors
Disclaimer
The views expressed in this book are those of the authors and do
not necessarily reflect the opinions of their employer or committees
they are members of. Information in this book is not legal advice;
AML/CFT regulation and recognised standards may vary by country.
Introduction
Changes in paradigm
It was not so long ago that narcotic drugs were advertised on
pharmacy counters as something to help your baby sleep when he or
she has a stuffy nose. Such ads touted things like,
“Cocaine toothache drops. Instantaneous Cure!” Imagine a banker
not so long ago, asked to identify the origin of a depositor's money.
“Why me? What have I got to do with where my client’s money comes
from?” Back then, that might not have been an unreasonable
question. We live in a rapidly changing world which brings new issues
but also shifts values in old ones: data privacy, genetics, gender and
racial equality, green economy, etc., not to mention hundreds of minor
changes in other fields. We seem to lurch from one standard to
another; as each era overlaps with another, it has become an
unpredictable and dangerous playground. Throughout history, we have
often seen failures that change the world and, in these
unfortunate circumstances, provide better clarity.
The last decade has been a turning point for banking in the fight
against money laundering and terrorist financing. Dozens of well-
known banks and banking groups around the world have been fined
for not applying financial sanctions or breaching the rules of anti-
money laundering and countering the financing of terrorism and
proliferation of weapons of mass destruction (AML/CFT). Penalties
already amount to billions per bank. This is quite a unique and
unexpected phenomenon in the field of public order, where one
industry has suddenly been hit so hard and extensively in a situation
where complex and well-established supervision has existed for a
long time. Like a storm, this has caused a lot of confusion and
uncertainty among financial institutions, but the same goes for
regulators and supervisors, who are looking for better solutions.
No doubt, there is a change in paradigm, where the public at large
has set the bar higher for bankers, expecting them to have more
robust systems and controls to act more responsibly than ever
before. The diligence expected of banks has risen to an immense
level. What may have been common in the past is qualified as
dubious today. What was once expected of financial intelligence units
and law enforcement authorities is now assumed to be the role of
banks and financial supervisors. Banks operating at the rear end of
the international payments chain are sometimes expected to manage
the impossible. Fear that supervisors could fine them, as well as the
loss of confidence by partner (correspondent) banks, has made
banks cautious. This has led to large-scale risk reduction in banking.
In some cases, even ordinary businesses with no suspicious
transactions have to pay the price. Sometimes it has involved de-
risking as entire business lines and customer groups are no longer
serviced. De-risking, however, is an unexpected outcome of which
regulators again accuse banks.
Not long ago, financial supervisors themselves did not apply much
importance to AML/CFT topics. In particular, the main task of banking
supervision was to ensure that banks were sufficiently capitalised and
that the bank's risk management was in place in such a way that it
could over time withstand changing external risks. During a financial
crisis, there are hardly any resources to spare for other topics. Money
laundering units and departments were small, in the farthest corner of
the office and seemingly held a side task for financial supervisors.
That is not to say that they are to blame, but it is by no means just
banks that have learned their lesson that the risk of money laundering
through operational risk can hit a financial institution as hard as
liquidity or credit risk. Similarly, the reputation of a financial supervisor
is at stake more than ever before.
Instead, the CEO and the senior management must set high
(moral) standards and with their commitment be the role model. With
such behaviour, the CEO with the entire senior management team
removes ambiguity and demonstrates commitment as well as the
importance of the role of employees in the fight against money
laundering and terrorist financing. In
particular, the CEO himself or herself must be seen in the corridors,
being interested in real risk management and expressing clear
standards. This also means regulating and encouraging
whistleblowing so that employees have the confidence to bring even
the most sensitive issues and violations onto the senior
management’s table.
From a legal point of view, one can always argue who is liable.
But in the grand scheme of things and at the level of reputations, it
does not make much difference which company in the group is the
site of the money laundering. A money laundering case at the level of
the parent or the subsidiary (or branch) affects the group as a whole.
Therefore, the price of the parent bank's shares is similarly affected,
and senior management in the parent company are just as likely to
lose their jobs. And vice versa, it does not save the subsidiary's
senior management either if they point to flaws in the parent company
or group-wide policies. Therefore, it is wise to take a pragmatic view
of the group’s entire management and from the outset, maintain a
straightforward approach that avoids hiding behind a legal
smokescreen. The management must ensure that the systems and
controls have a group-wide dimension and are equally capable of
managing the risk of money laundering and terrorist financing as well
as being centrally assessed.
The real allegations are that the systems and controls should
have caught such suspicious situations and reported them for
criminal investigation, yet they had failed to do so. After all, the latter
is what the duty of care in AML/CFT expects of banks, regardless of
whether it is money laundering or not. It is naive to assume today that
financial institutions should only deal with money laundering, terrorist
financing and financial sanctions directed against weapons of mass
destruction and terrorism. Banks are also expected to follow financial
sanctions applied for political reasons, due to activities that are
unacceptable to humanity, such as war crimes, torture, and so on.
Even if there is no mutual understanding of the scope of regulations,
financial institutions have no other option but, in the public interest, to
identify and reject activities that are predicate offences to money
laundering and that generate substantial proceeds or contradict a
sense of human justice. These include tax evasion, fraud, corruption
and bribery, human trafficking, illegal wildlife trade, and others.
Society expects bankers to fight crime more broadly. The new reality
in AML/CFT is that the public is not interested in whether there is real
criminal activity behind the money used in a particular transaction.
This is the foundation that one needs to take into account when
building an AML/CFT compliance framework today.
Here are some examples of how compliance should work and the
value of the “helicopter view” when different parts of the AML/CFT
organisation are changed:
• If a financial institution wants to change its organisational
structure, it should consider: (i) whether all tasks are covered
and everyone knows their roles and responsibilities; (ii) whether
functions are separated and lines of subordination in place; (iii)
whether conflicts of interest are managed; (iv) whether the
organisation is being changed out of necessity or for the sake of
change;
- Helps the first line of defence to define where the risks are
occurring. This means that they also perform the MLRO function,
which is:
- Helps the first line of defence to manage risks but is not the
one taking them. This means that they are part of the risk
management and compliance function. They ensure that all risks
are identified, assessed, understood, measured, monitored,
managed and, where appropriate, reported across all levels of a
financial institution (not at an individual risk or customer level).
Therefore, they conduct business risk assessments, and assess
the application of the risk appetite;
The trouble with solutions that are too strict is that they start to
reduce the level and skills of risk management. As it is never possible
to reduce risks to zero in business operations, the compliance
function, as a risk management agent, is itself forced to take certain
risks that are inherent in business operations. When the compliance
department refuses everything and becomes known as the “No-Man”
or ironically as the “business prevention department” then it is
devaluing its role. It makes them intolerable colleagues and in the
worst-case scenario the organisation even begins to ignore or avoid
them. The latter may ultimately mean a significantly higher residual
risk for the financial institution.
With the existing knowledge, you can only drive for a month or two
in the AML/CFT field, a year at the most. After that, you will start
having problems in front of the senior management and the
supervisor. Colleagues, too, will have progressed past you. There is
always something to take away from each document and every
training session. You need to be caught up in the ever-evolving
AML/CFT world all the time. This is also how you prove yourself to
the regulator, as discussed above. And don’t forget to share your
knowledge with colleagues, as the goal is to arm your employer with
the best know-how.
Under customers, you could analyse the inherent risk related to:
resident customers, non-resident customers; resident customers
whose beneficial owner is a non-resident; customers who are
financial institutions that serve customers (respondent institution);
customers providing a particular service (e.g. adult services,
gambling, currency exchange, purchase and sale of precious metals
and stones, services with a specific high risk (e.g. related to financial
sanctions)); customers operating in certain business lines (e.g. trade,
construction, catering); customers that have a particular characteristic
(e.g. a politically exposed person, a beneficial owner of a company is
younger than ‘n’ years, is a trust, an association or a non-profit
organisation (NPO)); or customers that have a particular ownership
structure (e.g. ultimate beneficial owner is identifiable from layer No
‘n’).
• How and when the first line of defence should send an internal
notification to MLRO about suspicious or unusual transactions
• Methodology for MLRO to use to analyse suspicious and
unusual transactions or circumstances
The “longest possible train” in Europe at that time was 750m long
and consisted of 50 wagons with a total capacity of 2,250 tonnes. We
could not find a bigger one and if there were one, it certainly would
not have been much bigger. Pure mathematics showed that at least
hundreds of fully loaded 750m long trains had to run one-by-one to
the final destination to carry all these pipes. Or tens of thousands of
sea containers, as each container holds about 30 tonnes. In any
case, the financial institution should have asked many questions on
the basis of this, which it failed to do. We did not even get to the
question of who needs hundreds of thousands of tonnes of pipes,
who could produce them, and so on. This whole “train ride” was
simply too unrealistic.
This was an extreme example, but we apply the same business
logic in other cases, and so should financial institutions. The issue of
credibility is central to identifying money laundering and terrorist
financing. In most cases, only standard behaviours are
believable and justifiable.
A person who wants to hide will have done everything in his or her
power to have someone else, a nominee, control his or her account
and companies. That ‘someone else’ does not disclose that he or she
is not the real beneficial owner; on the contrary, he or she has
arranged all the paperwork so that he or she is seen as the beneficial
owner. In many countries there can even be no formal contracts for
these nominees, but the set-up is built on trust that the nominee will
never break.
The real or ultimate beneficial owner is often just a fiction, and its
veracity cannot be verified merely by assessing the control structures
or looking at the registry entry. The cases of money laundering, which
are well-known in the international media, also tend to show that
no one knows whose funds are behind those companies and who
exercises ultimate control. In light of these cases, it should actually be
acknowledged that beneficial owner registers do not enable anyone
to find out the truth. Therefore, we are challenging the effectiveness
of the current approach. We believe that too many resources are
being deployed in identifying and verifying ultimate beneficial owners
and monitoring the registers that hold this information. Instead, we
should emphasise measures for understanding a customer's risk
profile – understanding the purpose and intended nature of the
business relationship, after which it is already possible to build
effective ongoing monitoring solutions.
• Has there been any suspicion before? What was the content,
and when was it raised?
• Ethical values
• Risk appetite
• Due diligence measures that are to be applied when
establishing a business relationship
• Record-keeping requirements
• Communication with customers, including fulfilment of the
obligation to provide proper explanations
[1] For further information about some of these “Papers” and “Laundromats”, please see
Appendix 1 of this book.
[2] Based on the information available in English on the webpage of the United Nations
Office on Drugs and Crime.
[3] Also known as AML compliance officer, nominated officer or BSA (Bank Secrecy Act)
officer.
[4] Dual-use goods are goods that can be used for civilian as well as military purposes,
or goods that can be used to manufacture or spread weapons of mass destruction.
[5] This is an example of a customer type, but according to the same algorithm, an
assessment should be performed for all other customer types as well as for all products and
services, delivery channels and geographical risks.
[6] FATF Guidance: Politically Exposed Persons (Recommendations 12 and 22).
Available in English on the FATF webpage.
[7] Based on the SWIFT MT202 COV message fields. Available in English on the SWIFT
webpage.
[8] The FATF Recommendations (2012). Available in English on the FATF webpage.
[9] The United Kingdom Financial Intelligence Unit – Suspicious Activity Reports Annual
Report 2019. Available in English on the National Crime Agency webpage.
[10] The FATF Recommendations (2012). Available in English on the webpage of the
FATF.
[11] The FATF Methodology (2013). Available in English on the webpage of the FATF.
About the authors