
The AML Compliance Book

150 golden rules

Matis Mäeker
Andre Nõmm
Copyright © 2020 Matis Mäeker, Andre Nõmm

All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise, without the prior permission of the publishers, except in the case of
brief quotations embodied in critical reviews and certain other non-commercial uses
permitted by copyright law.

ISBN 978-9916-4-0038-8 (paperback)

Cover design by: Timo Tamm
Illustrator: Ott Jeeser
Editor: Michael Haagensen
Printed and bound in Estonia by Tallinna Raamatutrükikoja OÜ

www.amlcompliancebook.com
amlcft.publishing@gmail.com

“Life is really simple, but we insist on making it complicated.”

– Confucius
Contents

Title Page
Copyright
Epigraph
Disclaimer
Introduction
I. The senior management carries the AML/CFT culture
II. The main principles of AML/CFT compliance
III. AML/CFT compliance framework
IV. Requirements for the AML/CFT employees
V. Business risk assessment
VI. Compiling the rules of procedures
VII. AML/CFT data quality
VIII. Customer due diligence measures
IX. Ongoing due diligence and customer relationship monitoring
X. Employee training
XI. Cooperation with the financial supervisory authority
XII. Cooperation with the financial intelligence unit
XIII. The role of the internal audit
XIV. It is not only about financial institutions
XV. AML/CFT crisis management
Appendix 1 – ‘Papers’ and ‘Laundromats’
About the authors
Disclaimer
The views expressed in this book are those of the authors and do
not necessarily reflect the opinions of their employer or committees
they are members of. Information in this book is not legal advice;
AML/CFT regulation and recognised standards may vary by country.
Introduction
Changes in paradigm
It was not so long ago that narcotic drugs were advertised on
pharmacy counters as something to help your baby sleep when he or
she has a stuffy nose. Such ads touted things like,
“Cocaine toothache drops. Instantaneous Cure!” Imagine a banker
not so long ago, asked to identify the origin of a depositor's money.
“Why me? What have I got to do with where my client’s money comes
from?“ Back then, that might not have been an unreasonable
question. We live in a rapidly changing world which brings new issues
but also shifts values in old ones: data privacy, genetics, gender and
racial equality, green economy, etc., not to mention hundreds of minor
changes in other fields. We seem to lurch from one standard to
another; as each era overlaps with another, it has become an
unpredictable and dangerous playground. Throughout history we have
often seen failures that change the world and, in those unfortunate
circumstances, bring better clarity.

The last decade has been a turning point for banking in the fight
against money laundering and terrorist financing. Dozens of well-
known banks and banking groups around the world have been fined
for not applying financial sanctions or breaching the rules of anti-
money laundering and countering the financing of terrorism and
proliferation of weapons of mass destruction (AML/CFT). Penalties
already amount to billions per bank. This is quite a unique and
unexpected phenomenon in the field of public order, where one
industry has suddenly been hit so hard and extensively in a situation
where complex and well-established supervision has existed for a
long time. Like a storm, this has caused a lot of confusion and
uncertainty among financial institutions, but the same goes for
regulators and supervisors, who are looking for better solutions.
No doubt, there is a change in paradigm, where the public at large
has set the bar higher for bankers, expecting them to have more
robust systems and controls to act more responsibly than ever
before. The diligence expected of banks has risen to an immense
level. What may have been common in the past is qualified as
dubious today. What was once expected of financial intelligence units
and law enforcement authorities is now assumed to be the role of
banks and financial supervisors. Banks operating at the rear end of
the international payments chain are sometimes expected to manage
the impossible. Fear that supervisors could fine them, as well as the
loss of confidence by partner (correspondent) banks, has made
banks cautious. This has led to large-scale risk reduction in banking.
In some cases, even ordinary businesses with no suspicious
transactions have to pay the price. Sometimes it has involved de-
risking as entire business lines and customer groups are no longer
serviced. De-risking, however, is an unexpected outcome of which
regulators again accuse banks.

Money is still being enormously laundered despite the efforts
Know-your-customer principles have existed in banking for over a
decade, as has the obligation to monitor business relationships to
identify suspicious transactions. Yet, for some reason, all these well-
known money laundering cases – grouped and known as ‘Papers’
and ‘Laundromats’ – have still happened: the Panama Papers,
Paradise Papers, Russian Laundromat, Azerbaijani Laundromat,
Troika Laundromat, Moldavian bank fraud, and others.[1] Even
these play only a minor part in the global laundering process, which
according to the United Nations Office on Drugs and Crime is
estimated each year at 2–5% of the world’s GDP, or between $800
billion and $2 trillion.[2]

Is money laundering and the appearance of such cases at least
partly the result of the intensification of political relations, coupled with
the imposition of numerous financial sanctions listing prominent and
not so prominent people? Or is it merely the result of greed among
bankers, where profit expectations are prioritised over ethics? And in
the midst of all this, we cannot leave out financial supervisors
because they have also had to wake up. The reasons we continue to
see these scandals are probably found in all of them.

Another reason is written into the way we understand how money
is being laundered and terrorists financed. Money laundering is, by
definition, a criminal act. Regrettably, we still see very few scientific
approaches to money laundering compared to other areas of
criminology, a challenge that is addressed in depth in this book.
Could it be that criminal disciplines leaning on hard science, such as
anatomy, physics, mathematics and genetic engineering, provide a
much better starting point? There are hundreds and thousands of
scientific articles on the act of murder and profiling a murderer, but
next to none addressing the act of money laundering and profiling
money launderers. Figuratively speaking, there is only one legal tool
in response to murder but the scientific literature runs into the
thousands, while there are thousands of norms preventing money
laundering and only a few scientific articles. AML/CFT thirsts for
"Mindhunters" who could scientifically profile typical money
launderers and terrorist financiers. It seems that it is merely about a
lack of scientific attention in the AML/CFT environment that needs to
be changed. Something or someone in law enforcement, among
others, needs to provide the impetus.

We are also witnessing a constant rush towards institutional changes in
AML/CFT, something we do not see in other criminal disciplines such
as homicide, even though murders happen there every day. If we make
those changes without a thorough root-cause analysis, there is a
great risk that we will move towards further inefficiency. At one point,
we have more stakeholders guarding the financial sector and the
supervisors than those working on the battlefield where money is
laundered. We are there already today. Instead, we should all devote
more resources investigating money laundering cases.

The money laundering and terrorist financing risk has become tangible
If we take anything positive from recent money laundering cases,
then the importance and meaning of the risk of money laundering and
terrorist financing in banking has become tangible. It is here to stay.
The consequence of a bank’s failures can be enormous for society.
The business itself will experience a horrendous hit, and the
shareholders will lose billions. More importantly, the credibility and
reliability of the financial sector could be damaged, and in the worst-
case scenario, economic security and democratic values could be at
serious risk. Members of senior management will lose their jobs and
the reputation of employees will be damaged since their opportunities
in the labour market will shrink. It is often forgotten that enabling or
even contributing to money laundering helps criminals to legalise the
proceeds of crime and consequently strengthen their organisations as
well as creating unequal competition in the economy. It also allows
them to legalise money related to, for example, fraud, human
trafficking and environmental crime, of which every person can be a
victim. Terrorist financing helps fund terrorist organisations or
individual terrorists that ultimately allows them to carry out acts that
endanger the lives of each of us. Unfortunately, mainly as a result of
the greed or recklessness of bankers, there are real examples where all
the above has become a reality.

It is not just the banks that have a part in this global fight
Before we get to weaknesses and challenges in the AML/CFT
systems and controls within financial institutions, let us not forget the
responsibility of all the competent authorities involved in the fight
against money laundering and terrorist financing. The Financial
Action Task Force (FATF), primarily through its peer review process,
has done tremendous work in forcing countries and competent
authorities to become more efficient. However, developments in
recent years have shown that it is time to take the next leap to
guarantee that the (financial markets) boat will continue to float.

Not long ago, financial supervisors themselves did not apply much
importance to AML/CFT topics. In particular, the main task of banking
supervision was to ensure that banks were sufficiently capitalised and
that the bank's risk management was in place in such a way that it
could over time withstand changing external risks. During a financial
crisis, there are hardly any resources to spare for other topics. Money
laundering units and departments were small, in the farthest corner of
the office and seemingly held a side task for financial supervisors.
That is not to say that they are to blame, but it is by no means just
banks that have learned their lesson that the risk of money laundering
through operational risk can hit a financial institution as hard as
liquidity or credit risk. Similarly, the reputation of a financial supervisor
is at stake more than ever before.

Everyone needs to get a grip and take a necessary step forward.
Internationally, policymakers and regulators should seek more trust
and cooperation between countries. In cross-border money
laundering activities, rigour and energy must first be concentrated
where predicate offences occur and then also where the money is
laundered. All larger money laundering and terrorist financing cases
cross borders, all of them. The authorities will immediately become
lost as soon as they try to blame a single nation. Lubricating one nut
in this system does nothing to get the engine started. We will never
get the wheels moving without a comprehensive horizontal view that
encompasses the entire AML/CFT system, including the private and
public sector, and includes up-to-the-minute risk assessment, based
on predefined and globally agreed AML/CFT data-set.

A good doctor can provide a reasonably accurate snapshot of the
diseases in a body; similarly, a current and collaborative X-ray of the
money circulating in the entire payment system (or at least in parts of
it) is just as important to diagnose money laundering or related risks.
Otherwise, we will always be running after criminals in this chain,
sometimes we will catch them, but mostly not. We can start repairing
the weakest link in the chain and continue to investigate cases from
years ago, but the big picture does not change much, if at all. By the
time we have finished our investigations and learned the lessons, the
criminals will have already established new cross-border channels. In
this book, we therefore also present the challenges and weaknesses
in today's approaches to AML/CFT that extend to jurisdictions and
their competent authorities; we also provide solutions for
consideration.

Money laundering has many facets in today's society
In the language of law, the term money laundering has a legal
definition. This definition determines the powers and boundaries of
law enforcement authorities, and based on that, people can be
convicted of money laundering. Criminal proceedings are not
conducted at will and arbitrarily. Not everything that may seem
suspicious in banking transactions is money laundering in legal
terms. Certain core elements and prerequisites have to be met to
qualify an act as money laundering; for example, a criminal act
preceding money laundering should be committed – this is called a
predicate crime. In simple terms, money laundering refers to trying to
convert illegally obtained funds (black money) into a form that at first
sight suggests it has a legal origin (pure money).

However, in today's fight against money laundering, various
shades of grey have also come into play. There are no longer any
pure colour codes on which money laundering is qualified by the
public at large. We all often see that the public’s perception of a
bank's “money laundering case” may not have anything to do with
laundering the proceeds of crime, but rather with society's
expectations more broadly. Consequently, another concept of money
laundering has arisen. It often occurs in spoken language and
especially on the pages of the newspapers. In reality, it is often a
suspicious transaction, but the report or the narrative that emerges
uses the term money laundering. This suspicious transaction in real-
life could also turn out to be terrorist financing or tax evasion or, for
example, even bribery. It could also sometimes mean nothing in
criminal terms, but something that crosses ethical lines. In these
cases, we are talking about suspicious transactions made through the
bank that touch upon the moral values of society more broadly.
Nowadays, this mindset has a direct effect on banking, and lately the
effect has unfortunately been quite brutal. As the rules applicable to
financial institutions are built on the word “doubt”, it has made the
AML/CFT task much more difficult for both financial institutions and
financial supervisors.

From holding banking secrecy to a police officer
Centuries ago, bankers were treasurers and lenders; today
bankers are cops too. Frankly speaking, we have partly come to this
place because competent authorities are less and less capable of
catching criminals and fighting the evils of the world. Money
laundering cases are often hampered by a lack of cooperation
between different jurisdictions and countries. In this way, the financial
sanctions regime is increasingly being used, in which all unwanted
persons or countries are placed on lists and forced to change their
behaviour or risk being cut off from the financial sector. One can
argue, when was the last time someone other than a bank was
sanctioned? When those were indicted and convicted for committing
predicate crimes, (professionally) laundering money, enabling the
laundering of money or managed financial institutions involved in
laundering?

Notwithstanding the above, there is definitely a growing
expectation that financial institutions will already prevent crime,
including fraud, corruption and bribery, human trafficking, illegal wild-
life trade, and so on. "I have been tasked with an impossible
obligation," the banker complains. "I don't have the tools to prevent
money laundering in the public interest in this way," he continues,
adding further that, "If the law enforcement authorities can't do that
and are failing in their tasks, why should I be capable under such
public expectations?" Honest bankers, who are really honest,
cautiously assert that they have been unequally drawn into a higher
political game, where they do not have access to the relevant
intelligence information to enforce their obligations in the public
interest.

The role and scope of financial institutions has been much
debated in the AML/CFT community. Still, it would be naive for a
banker in this changed environment to stick with the complaining, as
a consequence, money laundering and terrorist financing cases strike
banks equally painfully. It does not matter whether the case is a result
of society’s ethical expectations or was brought to the table by the
industry supervisor. From the banker's perspective he or she has no
choice; one of his or her main tasks is to protect the assets of the
depositor and the shareholder.

The difficulty of the AML/CFT task for a banker can be understood,
but one might also ask why the financial institution has the privilege of
mediating dirty money in the first place. Can a banker, who is not
permitted to drop a bomb or sell drugs through his child’s school, be
justified in opening the payment channels at his bank to someone
doing the same thing? Bankers who themselves enjoy democratic
values are sometimes willing to mediate money through their bank,
which puts the same values at considerable risk. In some mysterious
way, people's ethical beliefs are sometimes distorted or vanish
altogether when they are not placed in direct contact with a bomber
or a trafficker. It is a human tragedy when ethical beliefs disappear
when a commercial register entry is made for establishing a financial
institution and the financial institution gets legal capacity.

The increased pressure and re-focus on the financial institutions'
preventative measures understandably have a causal connection.
Moreover, if, on the one hand, countries struggle to maintain freedom
and democratic values, then banking, on the other hand, cannot wash
these efforts away. All in all, the increased pressure on financial
institutions, and also on financial supervisors, is understandable,
even if it sometimes includes the impossible task of identifying and
responding appropriately to suspicion. Some business segments that
use financial services must themselves, for the greater good, also
take a leap forward in terms of transparency because circumstances
have changed. It is much wiser to adapt to the situation if you cannot
change it. To this end, bank customers also have to endure more
thorough screening from time to time, in the same way as we have
now become used to heightened airport security to avoid the
catastrophic consequences of flights being hijacked by terrorists.
The implementation of new standards and values in the financial
sector will not take place overnight. In some countries, anonymous
accounts are still a relatively recent phenomenon in banking. It will
take time and habit for them to adapt. Though, it seems that financial
institutions are today possibly the most crucial layer of protection in
the fight against money laundering, or as said above, against crime
altogether.

Compliance needs to take a huge leap
During the last decade, the role of the compliance function has
been highlighted in the AML/CFT sector as something extremely
important to be able to fight money laundering and terrorist financing.
Compliance, however, has not kept up with the pace. Financial
institutions continue to struggle to invest and make investments work
to achieve an appropriate standard of compliance. This shortfall
includes: CEOs underestimating their role in implementing a tone
from the top, as well as a culture of and commitment to compliance;
compliance systems still working in “silos”; a risk-based approach not
yet being applied; the principle of proportionality being disregarded;
an appropriate data policy in AML/CFT data still missing; the absence
of actual and meaningful investments in technical solutions; the calls
by supervisors and the guidance they offer ignored; the changes in
social awareness underestimated, and more. In the fallout from a
particular case that breaches the legislation or where an institution
has been used in a money laundering scheme, poor crisis
management is often identified, and this brutally hurts shareholders,
let alone the entire financial system. This book seeks to address
these aspects by providing practical and straightforward guidance on
how to cope better in today's context, how to design the organisation
and communication with stakeholders so that more significant
damage to society is prevented.

Simplification is sometimes needed
It is in the interests of all financial institutions and supervisors to
guarantee that the financial sector works soundly without headlines
on the tabloids, or even worse, where ordinary people are harmed.
Greater transparency, as well as directness and openness in the
relationship between the banking industry and the supervisor, could
go a long way towards achieving a better and more efficient outcome
without blurring the roles. Bankers could also be more confident in
reaching out to regulators if they see the possibility of more
meaningful regulation or supervision in today’s storm.

This book presents our vision of the approach to be taken to
combat money laundering and terrorist financing. It is a walk with
supervisors who have uncovered landmark cases, where experience
and knowledge from the supervisor’s perspective can help anyone in
the field. While throughout this book we refer to financial institutions,
the rules provided herein are also largely applicable to designated
non-financial businesses and professions and virtual asset service
providers. This book is suitable for anyone who cares about
preventing money laundering and terrorist financing, or more broadly
speaking, those fighting the crime. These include politicians,
prosecutors, law enforcement officials, investigators, staff of financial
intelligence units, supervisors, bankers and compliance officers,
auditors, attorneys, lawyers, other employees working at financial
institutions, journalists, students and why not the average citizen from
the street.

We expand on our view that simplification is both necessary and
inevitable in this challenging AML/CFT world, and instead of over-
mystifying the field, we bring it back to an applicable business
rationale and the basic principles of compliance. Most rules that work
simply exist in this world; you do not always have to look for them in
the book of the law. What follows are our 150 golden rules that allow
you to return to the founding principles and their context when you
become lost among the often extremely technical standards, which
are nowadays produced in large quantities in the AML/CFT
landscape. This book is our contribution to the fight against money
laundering and terrorist financing; giving back to the market to
prevent similar cases from happening in the future. Although
AML/CFT is not a phenomenon that is in any way isolated from the
general principles of compliance, risk or crisis management, even it
has its own specific qualities and issues. The golden rules in this
book are in large part transferable to any segment of the financial
sector, but why not also to other compliance-based business areas.

We all work with limited resources, and not everything can be
done with ideal and absolute precision; therefore, it is unthinkable to
apply the same level of diligence everywhere. Some golden rules
could help you stay away from more significant problems. If these
were to be used in synergy as minimum standards, coupled with the
application of modern technology, it would already be a huge leap
forward. In this way, financial institutions can be equipped with
powers to fight this fight and be less vulnerable to money laundering
and terrorist financing and circumventions of financial sanctions. It
would decrease the likelihood of harm. There is always room for
smarter more sophisticated solutions, especially when the entire
financial sector is struggling with legacy systems. This help is long
overdue.
I. The senior management carries the AML/CFT culture
1. It will also happen to you
It is natural to want to distance yourself from the world of risk. I don’t
need to wear a reflector as a pedestrian at night or go for preventive
breast cancer screening. Risks do not cease to exist just by ignoring
them. Money laundering and terrorist financing are not theories; they
are real and have hit dozens of banks hard in recent years. From the
grandstand, they are calm, maybe even exciting to watch, but in an
instant you too can be in the midst of a significant event. Everything
could be fine today, but turn into chaos tomorrow. AML/CFT systems
and controls can never be so accurate as to provide absolute
assurance that suspicious money has never passed through your
financial institution. It can happen even with the utmost care. A
“money laundering case” can happen even without explicit acts of
money laundering or terrorist financing or a circumvention of financial
sanctions. One article or a headline about a customer that may not
have anything to do with a crime, but, for example, it touches on
ethical values, could result in years of criticism and hassle to clear the
name of your financial institution and prove that you actually were in
compliance or are right now. To get out of the crisis successfully, you
need to be ready for it professionally, mentally and at the
organisational framework level.

2. There is only one head of compliance, he or she has to cultivate the tone from the top
The fight against money laundering and terrorist financing begins
with the implementation of a culture and behaviour by the entire
organisation. This fundamental principle should be applied before a
financial institution starts building complex governance structures.
The tone from the top has the most significant impact on the
company's performance, not only when making profits, but even more
on a moral and ethical level. It doesn't matter if you design a new
mobile phone, fly spaceships into the sky or run a bank.
Unfortunately, in the case of large corporate failures often we see the
opposite, how the senior management quickly distances itself and
tries to find a way to blame individuals for what has happened.

A fully functioning organisation is not about “I” or “they”, but how it
functions and breathes as a united force. If a member of the senior
management can distance him or herself from the responsibility, then
why couldn’t an employee do the same later on? Senior management
members reinforcing the tone from the top should be role models to
replicate and follow. The employees are the ones investing their
utmost to guarantee compliance with this regulatory burden that the
manager just downplayed. If we look back at past schemes and
corporate failures, it is often clear that the "tone" of the senior
management and especially the CEO is what has led to the
unintended consequence. The CEO is head of compliance; it is not
anyone else. If the CEO and his or her management team fail to carry
this role or do not have the support of the owners, the best AML/CFT
systems, controls and procedures can be washed down the drain. In
such cases, there is a high risk that the financial institution will be
significantly more vulnerable in terms of the risk posed by money
laundering and terrorist financing. The compliance system as a whole
is likely to be dysfunctional and in turn, result in non-compliance.

3. Compliance culture will never fall from the sky
A compliance culture is not some kind of magic that appears out
of the blue. The same goes for business ethics and values. The
senior management must continuously work with the institution’s
culture and nurture it. It is the CEO, as head of senior management,
that must lead the AML/CFT culture, from the top down. It is not a
mere declaration, but a “voice” that must also be “demonstrated”.
This must be reflected by specific actions, including when the
financial institution's risk appetite, as well as compliance values and
their importance, are set by the senior management and announced
and explained to the employees. A financial institution may have
produced a state-of-the-art risk appetite statement, but if its
employees in the frontline have never heard of it, it is as if the
document never existed. Therefore, selected values and ethical
beliefs must be trained and integrated into daily work, and that culture
must be brought to the employee. The senior management must
always be able to demonstrate to the supervisor where, when and
what was done to create the compliance culture.

The senior management cannot be expected to know the ethical
beliefs of all its employees, let alone the motives of thousands of
employees, but they should not get too tangled in this. The task of the
CEO and his or her management team is to inoculate and cultivate a
culture of compliance and ethical values in the organisation and
create a compliance organism that breathes uniformly. Even the CEO
must use inspirational language. Often through “symbols” —
statements like, “AML/CFT is important” and “We are committed to
this fight” — this approach, when truly coming from deep down,
makes a huge difference. At some point, this chemistry significantly
reduces the risk of dangerous cancers or unwanted subcultures
developing in the body, resulting in AML/CFT failures. Every
employee must feel they can rely on the company’s values and
culture, even when communicating with senior management and
pushing their own perspective, and when there are dilemmas in the
decision-making process.

4. Ambiguity and lack of commitment will ruin AML/CFT systems and controls
Supervisory reviews have shown that ambiguity and lack of
commitment from the senior management in dealing with AML/CFT
matters is a substantial contributing factor to money laundering
cases. "Why do you question this customer’s integrity? It has been a
profitable customer for a long time and has not caused any issues
before." This kind of approach will create uncertainty for an
employee, causing him or her to question what is more important –
business opportunities or risk management. Instead, the proper
management of this situation says, “I will need a full picture of this
situation as soon as possible”. The worst thing one can do is to set
rules that seem to indicate that specific actions are essential and
make a difference, but on the other hand, ignore them. Such an
attitude from the senior management can unexpectedly paralyse the
financial institution's compliance culture as a whole. Ambiguity can
cause uncertainty for employees and, in the worst case, even fear.
Uncertainty and fear spread very quickly across a financial institution,
jeopardising the whole risk management system. As a result,
employees will no longer dare raise concerns about risks, and instead
avoid bringing them to the management level at all.
Another hazardous practice and mistake by the senior
management is complaining to employees about the regulatory
burden. We have often seen in meetings how some managers,
alongside their compliance staff, are constantly challenging the
regulations, difficulties in enforcing them and questioning whether the
numerous and complex regulations can be complied with at all. One
can guess what the result will be if the role model itself demonstrates
such uncertainty. Why shouldn’t the compliance staff follow him or her
and take a similar approach?

Instead, the CEO and the senior management must set high
(moral) standards and with their commitment be the role model. With
such behaviour, the CEO and the entire senior management team
overcome ambiguity and demonstrate commitment, as well as the
importance of the role of employees in the fight against money
laundering and terrorist financing. In
particular, the CEO himself or herself must be seen in the corridors,
being interested in real risk management and expressing clear
standards. This also means regulating and encouraging
whistleblowing so that employees have the confidence to bring even
the most sensitive issues and violations onto the senior
management’s table.

The senior management must equally support business and risk
units. When was the last time the CEO thanked AML/CFT staff for
their committed work either personally or in front of the whole team?
When did the CEO emphasise the importance of compliance? When
was the last time compliance or, more broadly, the "money spenders"
received a bonus equivalent to those who earn the money? Both
agents are equally crucial to the success of a financial institution.
Instead of inadvertently helping cause the ultimate demise of the
business through failing to call out some dubious transactions, it is
better for everyone in the long run if employees feel enabled and
trusted to do the right thing.

5. The senior management must possess solid knowledge of AML/CFT requirements
We all make mistakes. We should not even bother to think
otherwise. If you do not take risks, you cannot reach new heights.
However, you will get into big trouble, at least in the financial sector, if
you take risks without a basic understanding of the rules of the game.
This is called fitness and propriety (i.e. fit and proper), or the
suitability of the senior management. Members of the senior
management must be especially honest and trustworthy, but also
possess the necessary skills and experience for the job. Before
starting as a CEO or senior management member responsible for
AML/CFT, the financial supervisor will require that you have the
necessary skills and knowledge of AML/CFT regulations. This
includes the ability to carry the tone, culture and commitment into the
depths of AML/CFT organisation. The CEO is not necessarily
expected to have the highest level of expertise in the AML/CFT field,
as there might be other senior management members that are
directly responsible for that area. A financial institution must be able
to demonstrate that its CEO, and senior management more generally,
understand AML/CFT requirements and expectations. For this
reason, it is also known in the financial industry as collective
suitability. We may ask why the senior management needs this
specific knowledge when the right experts have been hired anyway. It
is because, without this minimum knowledge, the right tone, culture
and commitment cannot be communicated to the organisation.
Similarly, without this expertise, the senior management will not be
able to distinguish between the right decisions and the wrong ones.
AML/CFT experts are therefore hired not to substitute for the senior
management, but to educate them as well.

6. The cost of compliance is the other side of revenue
To earn money, an organisation has to spend money. Sometimes
the cost cannot be measured in currency. Compliance comes through
sweat, tears and especially fear. Fear of the danger to employees,
their families and loved ones. Achieving compliance in the AML/CFT
world means that one has to stand up to criminals, who sometimes
take any means necessary to achieve their goals. We are all well
aware of what it means if one is threatened by criminals and accused
by stakeholders. In these cases, we expect support more than ever.
Compliance works daily to ensure the continued value and reputation
of the company and its brand; it also protects the management and
other employees, as well as investors. Every financial institution is
also part of a broader ecosystem; the institution and its employees
have an enormous role to play. Victims of crime, the proceeds of
which run through the financial system on a daily basis, can be any of
us, including the members of the management themselves. The fight
against money laundering and terrorist financing has become a global
fight against crime, with financial institutions and their staff playing an
important role. A terrorist attack prevented by a financial institution or
a child rescued from human trafficking is a benefit to society. This can
also be a source of revenue through avoiding losses, since it
prevents loss that may result from broken economic relations, such
as correspondent relationships, or a fall in the share price.
Investments in compliance always bring benefits, even if they are not
visible to the naked eye.

7. AML/CFT responsibilities must be clear
Among supervisory approaches, there is a growing expectation
that a specific board member should be designated as responsible for
AML/CFT. There are a variety of workflows and responsibilities in
AML/CFT. Some of them are applied by the first line and some by the
second line of defence. It is debatable whether there can be only one
member that is responsible for every aspect of AML/CFT in a
financial institution. However, it is certainly a precondition that the
responsibilities of managers in different areas of AML/CFT are clear
and transparent. The supervisor wants to see that the AML/CFT
activities of the first and the second line of defence transparently and
unambiguously report to a respective individual member from the
senior management. Unfortunately, in the 21st century, some financial
institutions still ask supervisors to take a tour of the local business
register, where it all ought to be clearly defined. It is terrible practice
in the financial industry, and in AML/CFT, to refer only to general
commercial or company law liability principles when assigning
management roles and responsibilities. This approach rarely satisfies
the supervisor. Regrettably, on the other hand, senior management
quickly recalls the complexity of the liability when more severe money
laundering cases arise and when things go wrong. Then the
responsibility is suddenly shared and not so clearly defined. The latter
approach can be witnessed primarily in cases involving larger
banking groups or larger money laundering schemes, where no one,
in their opinion, ought to be blamed.

8. Senior management must be involved in addressing AML/CFT requirements
A mere statement that money laundering and terrorist financing is
managed is not enough for a supervisor. Real actions must emerge
from the minutes of senior management meetings and management
decisions. Roughly speaking, if a financial institution does not have
written evidence of the functioning of the compliance system, it does
not exist for the supervisor. These documents must regularly cover at
least the following topics:

• Analysing and taking action on the content of risk assessments,
covering threats and vulnerabilities
• Defining risk appetite
• Deciding on the content and nature of the risk management
framework to manage identified risks
• Approving rules of procedures
• Deciding on investments in AML/CFT systems and controls
• Handling supervisory reports and internal investigations
• Obtaining an overview of developments in legislation and
standards
• Obtaining an overview of landmark or major money laundering and
terrorist financing cases
• Providing specific guidelines from top to bottom
• Verifying the actual implementation of the decisions made

The above must also be applied in financial groups, but in this
case on a group-wide basis.

9. Words on paper lead to action
Words are powerful, so is written language. Supervisors also
believe the pen and the keyboard are the most powerful weapons.
Wording a decision on paper in black and white in itself leads and
forces an institution to a more accurate result. While a regular
meeting can just be adjourned, a minuted meeting has to have an
exact outcome. Such minutes should include discussions, including
senior management questions and the resulting answers. All this
helps manage the subsequent liability and supposed inactivity of the
senior management when clear decisions were made. Therefore, the
senior management must always be confident that the minutes
summarise the discussions held, including questions asked, if these
were asked, and the answers received, if these were received, and
the decisions made. Of course, the senior management must always
follow up to ensure that employees actually implemented the
decisions and the results are reported. Every word, every sentence,
every action is torn apart during a crisis, and the worst thing is when
the actual work cannot be shown. Today, more extensive
investigations into past failures, not to mention internal reports
governed by external parties, rely on internal documentation. These
investigations often conclude that the failures were due to inactivity
and negligence.

10. Being part of a financial group has its challenges
The parent company always has more responsibility, especially in
situations where matrix management takes place or systems are built
centrally. Financial groups are always holistic, and it does not matter
if the management tries to indicate their responsibilities or
organisational structure in some other way. In more severe money
laundering cases, it is quite common for the parent company's
management to quickly distance themselves from what happened in
the subsidiaries or branches. This approach is taken to save face and
personal reputation or out of fear of potential monetary penalties or
criminal liability. In the case of financial groups, we have often seen
information getting lost on its way to the senior management,
decisions and responsibilities being left hanging, the necessary
supervisory acts or decisions or internal reports left untranslated, and
so on.

From a legal point of view, one can always argue who is liable.
But in the grand scheme of things and at the level of reputations, it
does not make much difference which company in the group is the
site of the money laundering. A money laundering case at the level of
the parent or the subsidiary (or branch) affects the group as a whole.
Therefore, the price of the parent bank's shares is similarly affected,
and senior management in the parent company are just as likely to
lose their jobs. And vice versa, it does not save the subsidiary's
senior management either if they point to flaws in the parent company
or group-wide policies. Therefore, it is wise to take a pragmatic view
of the group’s entire management and from the outset, maintain a
straightforward approach that avoids hiding behind a legal
smokescreen. The management must ensure that the systems and
controls have a group-wide dimension and are equally capable of
managing the risk of money laundering and terrorist financing as well
as being centrally assessed.

11. A risk not managed will not simply vanish
Risk-taking is always part of regular business activity. It is no
different with AML/CFT. The greatest danger for senior management
is when a money laundering risk is brought to the managerial level
but the discussions do not result in a specific decision. If the
members of the senior management hope that the situation (the risk)
will pass and the case will resolve itself, they are mistaken. Ultimately,
it will hit the financial institution even harder. The risk of money
laundering is often relative and difficult to measure, and very often, it
cannot be qualified with absolute certainty. However, it is dangerous
practice if no action follows after the risk has been raised for
discussion. The right course of action or decision may involve, for
example, terminating the business relationship, making a suspicious
transaction report, or applying enhanced due diligence and
reasonable care to overcome the suspicion and continue the
business relationship. Our practice shows that known money
laundering cases and the resulting penalties are usually the very
same cases that were left unresolved at the managerial level. Failure
to address risks is also the main reason why managers lose their
jobs, which might happen either due to a supervisory request or
shareholder decision triggered by distrust or public pressure. If we
take the internal investigations published by the banks or some other
well-known cases of large international corporations as examples, it
was usually the case that the CEO and the senior management were
warned about the risk; however, it was left unmanaged.
II. The main principles of AML/CFT compliance

12. Do not lose the compliance function
Financial institutions have large and complex organisational
frameworks. There is a high risk that something will get lost on the
long journey involved in applying legal norms. A common problem in
preventing money laundering and terrorist financing is the lack of
understanding about the primary purpose of a compliance system.
Supervisory practice has shown that even if a department exists
under the name ‘compliance’, in reality difficulties often still exist in
distinguishing this function from the legal, risk management or
internal audit functions. The latter two, along with compliance, form
an internal control function. There might be some overlap and
alignment in these functions, but compliance still performs a
fundamentally different and distinct task. It is crucial to keep this in
mind, otherwise there is a strong possibility that the application of
legal norms will fall between the cracks.

• The legal department deals with particular norms, and
compliance uses its help to interpret the regulatory standards.

• The role of the compliance function is to holistically maintain and
develop policies, procedures, systems and controls designed to
guarantee compliance with regulatory standards. Through these
actions it lays the foundation for managing risks. It ensures that
nothing is lost along this considerable journey. It deals with
regulations but may also cover the (ethical) values that the
organisation has established for itself. It foresees that the whole
organisation is structured in a way that is appropriate and
functional to avoid non-compliance. As with any form of
compliance, AML/CFT compliance should also have a helicopter
view of the systems and controls and how they are and should
be working (something that is elaborated more in rule number
29). Compliance should therefore provide a top-down
assessment of the operating system so that the different parts of
AML/CFT work in unison. The primary role of compliance comes
from its name – to ensure compliance and deal with non-
compliance risk.

• The risk management function, sometimes also known as the risk
control function, in the AML/CFT framework specifically analyses
whether certain risks are identified, assessed, understood,
measured, monitored, managed and, where appropriate,
reported. It also foresees that the risk appetite set by the
management is adhered to. Its role is to assure the management
of internal and external risks and protect a financial institution
from falling into non-compliance; it does so by assessing both
financial and non-financial risks.

• The internal audit provides assurance that all activities are in
line with internal procedures and statutory requirements. In
addition to technical compliance, it also assesses effectiveness.
Often, the compliance function is also seen as only or mainly
someone performing a controlling function – are employees
meeting their obligations and are tasks performed as per the
internal rules and procedures. However, this role is more the task
of an internal audit.

Think about what would happen if these duties were not
separated and, especially, if compliance had not set the rules for how
the systems should be built and operate to manage the risk of money
laundering and terrorist financing. Everyone would run in a different
direction. Therefore, a financial institution must have agreed and
articulated procedures and a division of responsibilities. And that is
the primary compliance obligation. The above is the reason why we
emphasise the compliance function and its duties – this simply is the
strongest basis for effective money laundering and terrorist financing
risk management.
13. The starting point can be daunting, but still an opportunity for compliance
Banks process millions of payments worth billions every day. It is
a major challenge for banks to rule out the possibility that a particular
transaction is not money laundering, terrorist financing or the
circumvention of financial sanctions. Financial institutions simply do
not have direct access to intelligence information or the databases of
law enforcement authorities. In contrast, the media often reports of
millions and billions of euros having been laundered; however, these
transactions may not have anything to do with money laundering. The
public at large does not always make a distinction between money
laundering, terrorist financing, various criminal activities and unusual
transactions – all of this today often falls under the “money
laundering” term. Let us look at some examples.

The acts of the well-known Azerbaijan Laundromat, where the
Azerbaijani government offered bribes for decisions, were later
declared to be money laundering. The real issue here was that the
money was meant to influence decisions. However, by default this
does not in itself mean the money was laundered, even if it is
accepted by a corrupt politician. It was merely a bribe, which is a
predicate crime to money laundering; in other words, it became
money laundering when that person started to conceal and disguise
the bribe he or she had received, or when he or she acquired,
received possession of or used property that was the proceeds of a
crime. Another example is the case of Danske Bank, so-called one
of the world's largest money laundering cases, where allegedly 200
billion euros were laundered. At the time of the publication of this
book, no court has legally qualified it as money laundering.

The real allegations are that the systems and controls should
have caught such suspicious situations and reported them for
criminal investigation, yet they had failed to do so. After all, the latter
is what the duty of care in AML/CFT expects of banks, regardless of
whether it is money laundering or not. It is naive to assume today that
financial institutions should only deal with money laundering, terrorist
financing and financial sanctions directed against weapons of mass
destruction and terrorism. Banks are also expected to follow financial
sanctions applied for political reasons, due to activities that are
unacceptable to humanity, such as war crimes, torture, and so on.
Even if there is no mutual understanding of the scope of regulations,
financial institutions have no other option but, in the public interest, to
identify and reject activities that are predicate offences to money
laundering and that generate substantial proceeds or contradict a
sense of human justice. These include tax evasion, fraud, corruption
and bribery, human trafficking, illegal wildlife trade, and others.
Society expects bankers to fight crime more broadly. The new reality
in AML/CFT is that the public is not interested in whether there is real
criminal activity behind the money used in a particular transaction.
This is the foundation that one needs to take into account when
building an AML/CFT compliance framework today.

14. Compliance must work in step with society
Although the difficulty of AML/CFT tasks can sometimes be
understood, and expectations are sometimes blurred, complaining
does nothing for bankers except waste time and energy. Indeed, there are many
regulations to follow, and it is difficult to manage risk, but we should
not allow all this to get us in a stranglehold. It does not, in any way,
protect the depositor or the shareholders. Complying with financial
sector regulations is no longer an absolute guarantee of staying out
of trouble. Life has shown that it has become less about regulations
and their implementation, and more about the public questioning a
bank's behaviour in the context of general business ethics.

Rising social awareness and care makes a difference and may be
one of the biggest challenges for financial sector compliance today. A
similar reality is emerging in many different areas of life. We have
already seen this in the field of AML/CFT; it is also reflected in the
repeated failures in the advertising industry, where cultural
differences are underestimated; and we will see it more and more in
the field of environmental protection in the future. While changed
circumstances pose a challenge to financial institutions, the
complexity of regulations is often overemphasised. Paradoxically,
over-regulation and the complexity of regulation can be one of the
engines of innovation as well as ushering in changes in the global risk
environment. The smart thing here is to adapt to these new
circumstances. A more multidimensional and complex environment
also requires a smarter approach. In the field of AML/CFT, keeping up
with the global developments means investing in new technologies.

15. The “headline test” always helps
In difficult situations, it is best not to overcomplicate things but
simplify them using the “headline test”. Would you recommend that
your mother take out insurance that leaves her without compensation
in the event of an accident? Would you recommend a consumer loan
for your children, which will ultimately leave them on the streets?
Would you be willing to answer journalists’ questions and explain
your choices? Would your answers be satisfactory or would they
instead backfire? It is true that in AML/CFT matters, the algorithm is
undoubtedly a tad more complicated than when offering loan or
insurance products, where the service itself and the end product is
entirely under the control of the financial institution, but still the same
simplification applies. Similarly, as in many cases that entail ethical
values, it often depends on the quality of the know-your-customer
data and ongoing due diligence. However, even in these
circumstances, we have very often noticed an over-mystification.
Unfortunately, in the majority of cases that have gone public, financial
institutions were aware of the high risk involved and deliberately did
not ask relevant due diligence questions or carry out appropriate
checks.

16. Put proportionality first
The compliance function should work under the principle of
proportionality. Even if the goal is always to achieve compliance
regardless of the nature of the business, more effort must be shown
where the necessity and risk are higher. The principle of proportionality
in AML/CFT means that the systems and controls used are
commensurate with the nature, scale and level of complexity of the
activities and services provided, including the risk appetite and risks
arising from these activities. A financial institution will never be able to
scrutinise every customer, every transaction, and do so with the same
level of diligence. Proportionality is also enshrined in specific
obligations, such as the application of simplified and enhanced due
diligence measures.

Proportionality is a prerequisite for building AML/CFT systems and
controls so that they are risk-sensitive and intensify when and where
the financial institution is more likely to come into contact with
unusual activities. It is like in sport, when the coaches and technical
staff analyse the opponent's activities and combinations – their
strengths, weaknesses and the "heat map" (risk factors) – to design
the right offensive, but more importantly defensive tactics. The
principle of proportionality also comes into play when designing
systems and controls to continue to ensure the smooth provision of
services, but at the same time to comply with the legal requirements.
Rough and unusable solutions usually follow, when a financial
institution does not make a proportionality assessment and does not
have a risk-based view of its activities. One result may be, for
example, that a low-risk customer is forced to endure over-intensified
controls that may instead be more appropriate for a higher-risk
customer. Such behaviour understandably drains company resources
and hinders the application of an appropriate level of diligence in
higher-risk situations and ultimately the identification of suspicious
activities. The application of diligence where it is not necessary is
unfortunately widespread behaviour among financial institutions, who
then allege this is done under supervisory pressure.

17. One will get sanctioned for severe breaches
The principle of proportionality can also be explained from the
perspective of financial supervision. Financial supervisors, too, do not
reach everywhere, and they understandably deal mostly with cases
that have higher money laundering and terrorist financing risk.
Therefore, they work on a risk-based basis. The frequency of
supervisory activities and the methods applied are also based on the
principle of proportionality. They also take into account the size of the
financial institution, the nature, scale and complexity of its activities,
the possible consequence to the financial system if the financial
institution were to fail in its operations.

The reason supervisors have become stricter in sanctioning
financial institutions is the institutions' inability to deal with past
breaches and
especially because of failures in the high-risk customer segment, or
also due to inactivity or even intentionally providing a conduit for illicit
funds or the circumvention of financial sanctions. People that smoke
and drink alcohol are more likely to die younger than those that eat
cabbage and drink water. The same applies in supervisory cases –
no one is punished only for failing to apply diligence in low-risk
situations, at least not in most cases.

18. Financial institutions cannot abstain
It is a dreadful mistake for a financial institution to distance itself
from AML/CFT or any other legal requirement when communicating
with a customer. Unfortunately, it is quite common practice that
financial institutions apply customer due diligence measures and then
justify their own actions and the resulting burden solely in terms of
supervisory expectations. Instead, the financial institution must
explain the reasoning of the requirements and professionally
demonstrate competence to the customer. The opposite practice
tends to create unnecessary confusion and uncertainty for customers,
which is never in the interests of any business or the financial sector
as a whole. As airport security checks can be annoying but
understandable for passengers, the same clarification could be
expected for financial institution customers. It is, however, financial
institutions who should forward the message. While the application of
customer due diligence measures might be personally inconvenient
and stressful for an employee, and therefore for a financial institution,
the role of a financial institution is to explain the necessity of these
measures in terms of the risk to society just as airports do. The
probability of something going wrong may be relatively small, but we
are still used to those comprehensive checks. We usually understand
and tolerate such impositions when we know the overwhelming
benefit. We all are used to waiting behind a red light at night, even if
the road is clear and no cars are coming the other way. It should not
be any different when it comes to AML/CFT controls.

19. You cannot be a bride at two weddings
There is a cartoon for children about a bat, who was constantly
whining that it is neither a bird nor an animal. In the end, he was not
accepted by either and was not admitted to a party held by the birds
nor the animals. This can also happen in the AML/CFT field. Known
as “de-risking”, it is a negative phenomenon in which a financial
institution refuses to serve particular groups of customers without
evaluating one or another customer individually. A financial institution
does so to avoid risks. One of the undesirable side effects of de-
risking is that when banking services are not available to some
businesses or customers, they transfer their activity to opaque and
non-regulated channels. It is therefore universally held that risks must
be managed and not de-risked. A financial institution must use a risk-
based approach applied on a person-by-person basis.

The concept of de-risking is, however, one of the most conflicting
and ambiguous elements of guidance in the AML/CFT framework
meted out by competent authorities. This happens when competent
authorities provide guidance at the headline level – the way it suits
them most. If, on the one hand, competent authorities want real
actions from financial institutions to reduce risks or avoid criminals
from laundering the proceeds of crime, then they should not, on the
other hand, send out messages that undermine that goal. When real
money laundering cases occur, these competent authorities name
and shame those financial institutions, and if actions are taken, they
are punished again because they had turned to de-risking. It is,
therefore, a highly antithetical and ambiguous approach that these
authorities are taking by promoting de-risking.

Another layer of ambiguity is in the term de-risking itself. Let us
picture an example where a financial institution decides that it does
not want to serve customers that are located in a jurisdiction known to
be a “tax haven” or that deal with, for example, gambling or virtual
assets. The financial institution decides this because it does not have
the systems and controls to manage those customers – it does not
have the appropriate expertise, IT systems, and so on. It might also
do this because it costs more to mitigate the risk compared to what
they earn from that customer segment. And frankly speaking, in the
case of customers from “tax havens” this is, in most cases, not even
their home jurisdiction. In this reasonably common situation, one
might ask whether this is de-risking or textbook risk management.

It can be argued that a risk-based approach is more accurate, but
why shouldn’t a financial institution have the right to foreclose a
market if it sees a high risk in a segment that it does not want to take
on or for which its risk management systems and controls are not
built? Therefore, using the same argument, why don’t regulators
require banks offering only consumer credit loans to issue business
loans as well? Prudential requirements preclude such loans if the
banks concerned cannot understand and manage the credit risk,
potentially placing depositors at risk. This is a bit like asking why
dentists are not allowed to perform heart surgery? After all, they are
doctors, are they not?

The concept of de-risking is, therefore, not well thought through. It
should be normal competition between banks that regulates this
situation. The kind of competition that rests on the foundation of a
normal functioning society. There are always opportunities for some
new business lines and maybe too much risk for others, but the
market determines the result. Regulators should be careful here not
to distort the market. We should rather ask in today's context whether
de-risked business lines and customer segments are those that ought
to take steps towards transparency. The hypocrisy here is that the
competent authorities might qualify the same situations mentioned
above (i.e. clients in a “tax haven” and operating in gambling and
virtual assets) sometimes as adopting a risk-based approach and
sometimes as de-risking. Whichever pleases them more at any given
moment. It seems that the competent authorities themselves do not
know where they want to head with this topic. One thing is clear, even
for them, de-risking is sometimes allowed, they just call it a risk-
based approach. And it is okay too for financial institutions to take it
the same way; you just need to think through your responses to
questions that might come later. But still, it is not rocket science to
avoid risks; the real expertise is managing them (as we point out in
rule number 42).

20. Invest in modern technology

Financial institutions have not kept up with the global pace of technological development, especially in their AML/CFT capacity. They still use solutions that were built a decade or more ago; significant investments in AML/CFT systems and controls have not been made for a long time, and these are quite often legacy systems. This is shameful for banking, where money should not be an issue. Compare this with the current ability to model the weather, which can usually be done with an accuracy of a single minute. AML/CFT systems for detecting suspicious activity are at the other end of the spectrum. It can be confidently assumed that there is significantly more financial capacity in banking than in the weather portal industry, and the consequences of failing to detect suspicious activity are many times greater than those of failing to predict rain, at least in most cases. The reason is rather simple: until now there has been little demand from the public and the supervisory authority for such accuracy. By comparison, weather forecasters have certainly not lacked such public demand, and this has led to results.

The AML/CFT environment has, in recent years, changed vastly. Rapidly changing typologies of criminal behaviours require smart solutions. In such a context, it is essential to keep up and for the senior management to support the implementation of modern technology. Society has set the bar significantly higher than ever before, and this ultimately requires investments in more sophisticated AML/CFT know-your-customer and due diligence solutions. It is simply impossible to identify suspicious patterns from millions of payments manually. If a financial institution itself is not able to make such developments on its own, recent events have brought to the market a large number of RegTech companies looking for better solutions to such challenges. We are not referring to those service providers who provide an environment for the analysis of transactions, but rather those who help to design sophisticated algorithms and solutions to detect suspicious transactions and activities. The role of financial institutions is to encourage the development of such solutions and to implement them actively. Only in this way can we always be one step ahead of criminals, no matter what they invent next.

21. Systematise your workflows

If you remove a component from a watch, it will no longer show the correct time. If specific actions are to be done in a specific order, such as on the conveyor belt introduced by Henry Ford, and a worker fails to add one component to a car, it may not start when it rolls off the production line. Due to the nature and complexity of AML/CFT systems and controls, it is essential to use solutions that make it possible to follow the workflows. These are ancillary means to guarantee and digitally monitor the performance of all the tasks, including their movement inside an institution, employee actions, and the status of controls. This helps to ensure that nothing is left unresolved in these sequential obligations, and if something is, we would know where the chain had broken. It makes it possible to log and retrospectively identify all the actions taken. A systemised digital workflow solution makes it possible to identify, already in the design and implementation phase, the places where holes must be filled, so that no consecutive action is missed. The clear advantage of the technology is that it simply stops working when something is missing.

Whenever a money laundering case materialises, the supervisory authority will ask for all the necessary documentation to see why the engine did or did not stop working and where risks were not adequately managed. It does not matter whether a financial institution has incorporated this digital workflow solution or not: failure to provide a log in a reproducible form is a significant shortcoming in a financial institution's risk management system. In such cases, it is almost impossible to demonstrate one's diligence.
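As an added illustration of the kind of digital workflow solution rule 21 describes (this is example code written for this edition, not a system from the book or from any vendor), the following Python sketch enforces a fixed order of onboarding steps and keeps an append-only, hash-chained log of every attempt, including rejected ones, so that the record can be reproduced and its integrity checked later. The step names, the actor name and the case identifier are constructed assumptions; an institution would substitute its own procedure.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Assumed onboarding sequence (placeholders for this illustration; the book names no steps).
ONBOARDING_STEPS = ("identify_customer", "verify_identity",
                    "screen_sanctions_and_pep", "assess_risk", "approve_relationship")
GENESIS_HASH = "0" * 64

class WorkflowError(Exception):
    """Raised when a step is attempted out of order: the engine stops rather than continues."""

@dataclass
class LogEntry:
    seq: int
    timestamp: str
    actor: str
    step: str
    outcome: str
    prev_hash: str
    entry_hash: str

def _digest(prev_hash, seq, timestamp, actor, step, outcome):
    """SHA-256 over this entry's fields, chained to the previous entry's hash."""
    payload = json.dumps({"seq": seq, "timestamp": timestamp, "actor": actor,
                          "step": step, "outcome": outcome}, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

class CaseWorkflow:
    """Sequential obligations for one case, with an append-only, tamper-evident log."""

    def __init__(self, case_id, steps=ONBOARDING_STEPS):
        self.case_id = case_id
        self.steps = tuple(steps)
        self.completed = []   # steps done so far, in order
        self.log = []         # LogEntry objects; never rewritten, only appended

    def _append(self, actor, step, outcome):
        prev_hash = self.log[-1].entry_hash if self.log else GENESIS_HASH
        seq, ts = len(self.log) + 1, datetime.now(timezone.utc).isoformat()
        entry = LogEntry(seq, ts, actor, step, outcome, prev_hash,
                         _digest(prev_hash, seq, ts, actor, step, outcome))
        self.log.append(entry)
        return entry

    def next_step(self):
        """Step the sequence requires next, or None once the case is complete."""
        return self.steps[len(self.completed)] if len(self.completed) < len(self.steps) else None

    def complete(self, actor, step, outcome="done"):
        """Record a step; an out-of-order attempt is logged as rejected and stops the flow."""
        expected = self.next_step()
        if step != expected:
            self._append(actor, step, f"REJECTED: expected '{expected}'")
            raise WorkflowError(f"{self.case_id}: '{step}' attempted before '{expected}'")
        entry = self._append(actor, step, outcome)
        self.completed.append(step)
        return entry

    def is_complete(self):
        return self.next_step() is None

    def verify_log(self):
        """Recompute the hash chain; False if any entry was altered, removed or reordered."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self.log, start=1):
            if e.seq != i or e.prev_hash != prev_hash:
                return False
            if _digest(prev_hash, e.seq, e.timestamp, e.actor, e.step, e.outcome) != e.entry_hash:
                return False
            prev_hash = e.entry_hash
        return True

    def export(self):
        """The reproducible record a supervisor would ask for, as JSON lines."""
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self.log)

def run_demo():
    """Constructed scenario: an analyst tries to jump straight to approval, then follows the sequence."""
    wf = CaseWorkflow("CASE-0001")   # hypothetical case identifier
    try:
        wf.complete("analyst.a", "approve_relationship")
        skip_rejected = False
    except WorkflowError:
        skip_rejected = True
    for step in wf.steps:
        wf.complete("analyst.a", step)
    intact_before = wf.verify_log()
    wf.log[2].outcome = "edited after the fact"   # simulate someone rewriting the record
    return {"skip_rejected": skip_rejected, "first_entry_outcome": wf.log[0].outcome,
            "completed": wf.is_complete(), "entries": len(wf.log),
            "intact_before_tamper": intact_before, "intact_after_tamper": wf.verify_log(),
            "export_lines": len(wf.export().splitlines())}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design choices carry the rule's point: the rejected attempt is written to the log before the exception is raised, so the record shows exactly where the chain broke, and the hash chain means a log handed to the supervisor can be shown not to have been edited after the event.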

22. Manage conflicts of interest

There are several mandatory requirements for compliance, such as independence, adequate funding, competence, access to management, and others. Still, in AML/CFT, we would especially highlight the need to manage conflicts of interest effectively. As in society as a whole, it is vital for financial institutions to maintain agents that have complementary roles but at the same time are opposed to each other: one deals with the (business) opportunities and the other with risk management. Segregation of these duties is essential to manage money laundering and terrorist financing risks effectively, and blurring these roles is therefore one of the major contributing factors to the materialisation of risks. Conflicts of interest do not only arise between in-house functions. In the AML/CFT world, a conflict of interest may also occur in an employee's relationship with a customer or with the financial institution's other business partners, and these conflicts can have an even more significant impact. To identify and manage conflicts of interest, the following is recommended:

• Establishing procedures for the identification, management and prevention of conflicts of interest

• Avoiding situations where the personal interests of owners, employees, senior management and customers conflict with the financial institution's interests and prevent compliance with AML/CFT requirements

• Collecting data on economic interests from employees responsible for AML/CFT obligations and from senior management, and evaluating the data presented from the perspective of conflicts of interest

• Identifying and analysing whether people who refer customers to the financial institution (e.g. so-called agents, resellers) have conflicting interests and also work on behalf of potential customers (e.g. provide them with legal or accounting services)

• Ensuring the independence, appropriate balance and praise of those dedicated to risk management, including both individual employees and committees

• Establishing remuneration principles for employees and senior management

• Having automated IT systems and investigation practices to detect indications of a conflict of interest, such as employees managing a relationship and at the same time acting on behalf of customers (e.g. log-ins to customer accounts from the financial institution's location or network), providing input to customers on how the AML/CFT systems and controls work, and so on
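To make the last bullet concrete, here is an added Python example (written for this edition, not taken from the book or from any institution's monitoring system) that runs a simple detection rule over a constructed customer-portal authentication log: any log-in to a customer account that originates from the institution's own address space is flagged, and the alert is escalated when that customer has an assigned relationship manager. The network ranges, customer identifiers, employee names and log format are all constructed assumptions; a real implementation would take the ranges from the institution's network inventory and the assignments from its customer system.

```python
import ipaddress
import re
from collections import Counter

# Constructed assumption: address space controlled by the institution
# (an office LAN and the public range its branches egress from).
INSTITUTION_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                        ipaddress.ip_network("203.0.113.0/24")]

# Constructed assumption: relationship-manager assignments (customer -> employee).
RELATIONSHIP_MANAGERS = {"C1001": "emp.kask", "C1002": "emp.tamm", "C1003": "emp.kask"}

# Constructed sample log of customer-portal authentication events, key=value style.
SAMPLE_AUTH_LOG = """\
2024-03-04T09:12:03Z customer=C1001 src=10.20.14.7 result=success
2024-03-04T09:15:41Z customer=C1002 src=198.51.100.23 result=success
2024-03-04T11:02:10Z customer=C1003 src=203.0.113.45 result=success
2024-03-04T11:03:55Z customer=C1004 src=10.20.14.7 result=failure
2024-03-04T12:30:00Z customer=C1004 src=10.20.8.3 result=success
2024-03-04T13:00:00Z customer=C1005 src=not-an-ip result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) customer=(?P<customer>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

def parse_line(line):
    """Parse one event; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_source(src, networks=INSTITUTION_NETWORKS):
    """'internal' if src lies in an institution network, 'external' if valid but outside, else 'invalid'."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"
    return "internal" if any(ip in net for net in networks) else "external"

def severity_for(event, relationship_manager):
    """A successful log-in to a customer who has an assigned manager is the worst case."""
    if event["result"] != "success":
        return "low"        # a failed attempt from inside is still worth a look
    return "high" if relationship_manager else "medium"

def detect(log_text, networks=INSTITUTION_NETWORKS, managers=RELATIONSHIP_MANAGERS):
    """Return (alerts, unclassifiable) for customer log-ins originating from institution networks."""
    alerts, unclassifiable = [], 0
    for line in log_text.splitlines():
        event = parse_line(line)
        origin = classify_source(event["src"], networks) if event else "invalid"
        if origin == "invalid":
            unclassifiable += 1   # a line we cannot read or place must not silently pass as external
            continue
        if origin != "internal":
            continue
        rm = managers.get(event["customer"])
        alerts.append({"ts": event["ts"], "customer": event["customer"], "src": event["src"],
                       "result": event["result"], "relationship_manager": rm,
                       "severity": severity_for(event, rm),
                       "reason": "customer account log-in from institution network"})
    return alerts, unclassifiable

def by_manager(alerts):
    """Count high-severity alerts per relationship manager for the investigations queue."""
    return Counter(a["relationship_manager"] for a in alerts
                   if a["severity"] == "high" and a["relationship_manager"])

if __name__ == "__main__":
    found, skipped = detect(SAMPLE_AUTH_LOG)
    for a in found:
        print(f"[{a['severity']:<6}] {a['ts']} customer={a['customer']} src={a['src']} "
              f"rm={a['relationship_manager']} ({a['reason']})")
    print("unclassifiable lines:", skipped, "| high alerts per manager:", dict(by_manager(found)))
```

The rule deliberately counts lines it cannot parse or whose source address it cannot place, because a monitoring control that silently drops malformed input is exactly the kind of hole the supervisor will later ask about; in practice the counter would feed a data-quality alert rather than just a print statement.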

23. Give everyone a whistle and let them blow

Whistleblowing, when done in good faith and following the rules of law, is an integral part of the work of a financial institution and of the rights of an employee. Financial institutions must provide appropriate safeguards so that no employee is afraid to blow the whistle on his or her superior. The lack of a whistleblowing option and of real support in identifying problems can be a major source of risk in implementing an appropriate compliance culture. The idea could be to provide a platform for informing the employer of shortcomings in systems and controls. But more importantly, whistleblowing means that an employee reports intentional illegal conduct.

24. Provide your input to professional associations

It is hopeless to expect that a financial institution will become strong alone, without contributing to the work of the entire country and its partners in the same sector. Moreover, a financial institution is only as strong as the entire network of stakeholders, including how resilient the other financial institutions of the same sector are to threats. This contribution should be made, amongst other ways, through active participation in various professional associations, always expressing one's opinion and raising the sectoral standards. If, as a representative of a financial institution, you do not disclose to other financial institutions the cases, schemes and typologies that you have identified, and the solutions you have applied to mitigate money laundering and terrorist financing threats, do not expect others to share such things with you either. This prevents you from learning from the mistakes of others and thus improving your systems. It is a circle of life where you help others and others help you. All players must therefore continuously work together and mutually contribute to their collective strength.

25. Root-cause analysis helps to avoid the next failures

Financial supervisors base their opinion on information that is also available to the financial institution itself. If supervisors make a (material) finding or learn about one, they conduct an in-depth analysis to learn why the finding occurred and whether it could reoccur. Financial institutions must, where appropriate, similarly conduct their own root-cause analysis in response to such (material or reoccurring) findings. These findings can, for example, come from internal and external audits and compliance reports, which are also a perfect place for any financial supervisor to start. Financial institutions must therefore take internal and external audits seriously. They should not only mechanically close an audit finding and tick the box, but also analyse why the lack of compliance occurred, especially if it is a recurring issue. The same goes for more material cases where a suspicion of money laundering or terrorist financing has led to a suspicious transaction or activity report to the financial intelligence unit. Root-cause analysis can help to predict and resolve issues before they are found by the supervisor.

26. Compliance looks to the future

When the compliance unit has determined its role and applied its functions, it should never get too caught up in the present but keep one eye on the future. Compliance staff can easily fall into a daily routine that is satisfied with existing solutions. Compliance has to assess whether the whole organisational framework is appropriate and will remain so in the foreseeable future. In the area of AML/CFT, where everything is evolving rapidly, we have to remain prudent in our actions. In addition to external risks, there may be significant changes in the other parts of the financial institution's own systems, or in the products and services offered, all of which also affect AML/CFT compliance. By the time a new car model is launched, work on the next model has already begun. Why should banking be different from other areas that constantly show progress to meet external expectations? In banking, too, compliance, like any other business unit or product development, should be future-oriented.

III. AML/CFT compliance framework

27. Achieving compliance may be different for every organisation

Just as every corporate entity is unique, there is no formula for building a one-size-fits-all compliance strategy. There are several theoretical and sometimes even overly mechanical approaches to compliance framework set-ups, including the three-lines-of-defence principle and the question whether compliance should shift its attention more towards the supervisor or be more advisory for the financial institution's business lines. Still, each organisation has its own characteristics, as do its business activities. Compliance standards and regulations are abstract, and their authors cannot predict the thousands of business models and the resulting organisational specifics. Although we can take universal cross-country skis and use them both for classic and freestyle skiing, they are far from ideal for either, so a lot depends on what “style” of business a financial institution is pursuing. Similarly, it is possible to achieve compliance in many ways. Nevertheless, a financial institution must be able to justify its choices to itself and to the supervisors. Argumentation and assessment must be considered in advance and not sought afterwards. It is also vital that, on the risk mitigation and management level, at least the following umbrella principles are taken into account: compliance leadership exists; subordination lines and responsibilities are clear; quality of decision-making is achieved; the organisation works in a coordinated manner; sufficient staffing and expertise (diversity) is provided; the compliance function is properly financed; conflicts of interest are managed (including remuneration, independent committees, whistleblowing); and external engagement is maintained (stakeholder relations).

28. Financial supervision is the supervision of the organisation

The way AML/CFT functions in the organisation is crucial also from the supervisor's point of view. The financial supervisor, working in the interests of the public, focuses primarily on the supervision of the organisation of a financial institution. It focuses less on individual cases of money laundering because that is the work of financial intelligence units or law enforcement authorities. The supervision of prudential requirements, for example, looks at how a bank covers external risks with capital. The supervision of business conduct deals with the provision of services and protecting the interests of customers. The monitoring of AML/CFT obligations ensures that financial institutions have appropriate systems and controls in place to detect suspicions of money laundering and terrorist financing, including through the application of know-your-customer and ongoing due diligence principles. Specific cases of money laundering, terrorist financing and the circumvention of financial sanctions are dealt with by financial intelligence units and law enforcement authorities. When managing a financial institution, it must be taken into account that the organisation as a whole should meet the regulatory requirements and the expectations of the supervisor. The withdrawal of the right to operate in the financial market or the imposition of fines in money laundering and terrorist financing cases is based primarily on non-compliance with organisational requirements. When money has been laundered through a financial institution, the financial supervisor will always focus on organisational flaws to find the weaknesses that led to the incident. This knowledge is a good starting point for any financial institution (re)setting its compliance strategy.

29. It all starts from the “helicopter view”

The AML/CFT compliance system presupposes that a financial institution has a function or unit that has a complete picture of the organisational solutions and responsibilities for preventing money laundering and terrorist financing. This complete picture is a helicopter view of the entire AML/CFT situation across the organisation, from top to bottom. It provides a clear vision and understanding of the organisation's operations, responsibilities, problem areas or where additional resources are needed. Developing an organisation without a “helicopter view” is risky. Implementing such a view will help guarantee efficiency and that the principle of proportionality and a risk-based approach is ultimately applied. Each organisation is a complete ecosystem, and there is no need to build an army where there is no war.

By strengthening or weakening one structural unit or part of an organisation, other parts of the system are also affected. Take, for example, a situation where an ongoing monitoring solution is adjusted so that it produces a lot of false positives, and this was a deliberate decision by that institution. This, in turn, means a greater need for human resources to review these false positives. Or, if this monitoring solution is improved, so that the financial institution obtains more accurate information about suspicious transactions, it means that most probably additional resources must be given to the money laundering reporting officer (MLRO)[3] function. The latter processes these suspicions and makes suspicious transaction reports to the financial intelligence unit.

Here are some examples of how compliance should work and the value of the “helicopter view” when different parts of the AML/CFT organisation are changed:

• If a financial institution wants to change its organisational structure, it should consider: (i) whether all tasks are covered and everyone knows their roles and responsibilities; (ii) whether functions are separated and lines of subordination are in place; (iii) whether conflicts of interest are managed; (iv) whether the organisation is being changed out of necessity or for the sake of change;

• If a financial institution wishes to implement new systems and controls or enhance existing ones, it should consider: (i) the reasons the existing system did not work (e.g. inadequacy of the current system, staffing and expertise issues); (ii) whether certain preconditions need to be met to implement additional systems (e.g. re-organising data, re-organising know-your-customer information, asking for additional information or asking for it differently); (iii) whether, instead of enhancing the current system, the system should be abandoned altogether and a new one built from scratch taking into account all the latest technological developments;

• If a financial institution wishes to implement additional monitoring algorithms, it should consider: (i) whether the existing system (e.g. where data is located) allows it at all and whether the service provider providing this system meets the needs of the financial institution; (ii) whether the previous algorithms worked and what to learn from these previous rules; (iii) whether additional algorithms require additional staff; (iv) how to test algorithms before implementation as well as when they are already applied in practice; (v) whether additional algorithms are based on a justified need and a fully argued decision;

• If a financial institution wants to hire additional people, it should consider: (i) which unit needs it the most; (ii) whether it may cause additional resource needs in other structural units; (iii) whether there are clear rules for requesting additional resources and assessing the validity of that request.

These are just a few examples of how compliance expertise should be included in individual changes. The compliance unit must be familiar with the system as a whole and with the consequences of one or another change in the organisation. A financial institution is like a living organism where training just the leg muscles is not enough: the heart must also be trained, and the blood vessels must pass it all on.

30. Three lines of defence is just a theory based on headlines

It has been recognised around the world that an organisation should be separated according to the so-called three-lines-of-defence principle. We increasingly see that this separation has become a more theoretical approach. There are more and more lines of defence that, depending on their role, are referred to as 1.5 lines of defence or 2.5 lines of defence. Therefore, the most important thing is not whether a function sits in the first or second line of defence or somewhere between them, but whether the functions themselves are separated through lines of subordination, so that conflicts of interest are managed. Irrespective of the abovementioned tendencies, the theoretical side of this approach helps to build an organisation. An organisation founded on this principle is the standard today, although there may be justified differences. In today's environment, we see AML/CFT functions through the three-lines-of-defence principle as follows:

• An employee in the first line of defence:

- Is a vehicle through which risks arise – they serve customers who pose a risk to a financial institution. This means that they are the managers (owners) of the risks and responsible for them;

- Assesses and identifies risks on an ongoing basis, including the details, scope and extent. This means that they must know the customer well, be aware of his or her activities and business in detail, and the risks involved;

- Manages the risks arising through these activities. In other words they:

:: Apply due diligence measures both when establishing a business relationship and through ongoing monitoring of these relationships. Therefore, IT solutions used for ongoing monitoring with less refined monitoring algorithms are in their toolkit (these algorithms are designed to determine whether transactions conducted are consistent with the institution's knowledge of the customer);

:: Identify through risk mitigation activities suspicious and unusual transactions and unusual patterns of transactions, which have no apparent economic or lawful purpose;

:: Make internal reports to the second line of defence – the MLRO – after they have identified such unusual transactions. This reporting could also include a direct report to the senior management.

• An employee in the second line of defence:

- Helps the first line of defence to define where the risks are occurring. This means that they also perform the MLRO function, which is to:

:: Organise the collection and analysis of unusual transaction or activity reports (internal) that might refer to money laundering, terrorist financing or the circumvention of financial sanctions;

:: File reports to the financial intelligence unit in the case of proven suspicion.

- Therefore, unlike the first line of defence, they only conduct ongoing due diligence to the extent that their ongoing monitoring algorithms are complex and flag transactions and circumstances that are similar to the information that in normal circumstances would be passed to the MLRO function by an employee of the first line of defence after it has applied regular ongoing due diligence, including after learning about that activity or transaction through less refined monitoring algorithms. For more sophisticated algorithms, it is the automated system that makes the internal suspicious transaction report instead of an employee (see also rule number 96);

- Helps the first line of defence to manage risks but is not the one taking them. This means that they are part of the risk management and compliance function. They ensure that all risks are identified, assessed, understood, measured, monitored, managed and, where appropriate, reported across all levels of a financial institution (not at an individual risk or customer level). Therefore, they conduct business risk assessments, and assess the application of the risk appetite;

- Acts as a controlling function. This means that they are a senior management tool that oversees the risk management framework and ensures that existing rules are implemented. In cooperation with the risk management and MLRO function they conduct reviews for the senior management;

- Helps to guarantee compliance with AML/CFT requirements. This means that they maintain and develop the compliance policy and perform all the tasks that are, in addition to the abovementioned controlling function, part of the core compliance function. This includes, among others, the provision of training, and maintaining and developing policies, procedures, systems and controls designed to guarantee compliance with regulatory standards.

• An employee of the third line of defence:

- Evaluates the risk management solutions. This usually means that they are a tool of the board of directors (or supervisory board) that assesses both the relevance and adequacy of the AML/CFT systems and controls;

- Is part of an independent and effective internal audit function.

31. The compliance function is well integrated into the business

Like any other requirement of the financial sector, AML/CFT requirements are inevitable. They cannot be changed by financial institutions. On the one hand, regulation is a burden, but the real art is to see it as an opportunity and to put it simultaneously to work for commercial purposes. While the compliance unit often struggles to make the AML/CFT system work as a whole, it is at least as daunting to integrate it into the day-to-day business. This task is easier when implementing regulations that are designed to protect customers directly (e.g. responsible lending principles and suitability tests for investment services). However, it is far more challenging to implement AML/CFT rules, where the consumer protection goal is less direct. In such cases, the AML/CFT measures protect client deposits indirectly, by keeping the bank away from any significant damage (e.g. a bank run, withdrawal of authorisation).

Recent money laundering scandals have required financial institutions to strengthen their AML/CFT systems and controls dramatically and quickly. This has created an environment where financial institutions have built quite robust know-your-customer procedures in a hurry, which are sometimes lacking a risk-based approach or have even resulted in the collection of disproportionate data with disproportionate regularity. Furthermore, the ever-changing business environment poses a challenge to compliance, as it calls for smarter solutions. Customer feedback is, therefore, essential input for compliance, and it should be taken into account more boldly; neglecting it may explain why disproportionate and ill-considered solutions exist.

There are compliance theories that, in our opinion, place excessive emphasis on the independence of the compliance function and call on the compliance unit to distance itself from the business. Either way, a professional compliance function should be able to integrate compliance requirements into day-to-day business so that they ensure a seamless and pleasant customer service. Therefore, the independence of compliance and its integration into the business are not mutually exclusive concepts.

32. Invest in compliance wisely

Rapidly changing circumstances have forced financial institutions to move quickly. If the senior management sees an urgent need to improve the compliance of the organisation or has been requested to do so by a supervisory authority, they should not forget that it still needs to be done prudently. Wherever possible, it is desirable that before making these systemically important changes, a financial institution has transparent discussions internally and, where needed, with the supervisor. In light of recent money laundering and terrorist financing cases, banks have recruited thousands of new compliance staff, sometimes quite recklessly. Only after employing them will they start to analyse where exactly to place them within the organisation. Then it may turn out that the expertise that was needed is entirely different.

Another hazardous practice is the overexploitation of consulting firms to remedy the identified breaches. Financial institutions tend to forget that once the end product is handed over, the competence to resolve similar issues will be gone too. The supervisor will also get restless because it will wonder whether the financial institution even has the expertise to prevent the next case from happening. Therefore, it would be good practice even during a crisis to use internal resources as much as possible and educate those so they are able to avoid the next crisis or bear the strain if a new storm rises.

All this is again due to the lack of a comprehensive view of the financial institution's compliance system. This view is the starting point for building systems and controls, and in this case, a prerequisite before recruiting new people or making any other investments or changes to AML/CFT measures. Such behaviour after money laundering scandals is not much different from what happens after a financial crisis, where first comes the crisis, then over-regulation with its failures, then re-regulation. A similar parallel can be drawn with compliance developments, where there is a reactive approach to money laundering cases or crises: first comes the request for additional resources and the creation of new units, and only then a relocation of existing roles and responsibilities.

33. Do not spread AML/CFT expertise too thinly

When a glass breaks into hundreds of tiny pieces, the entire glass still exists somewhere, but it is rather challenging to manage this “mosaic” effectively. A financial institution must be legitimate and effective and must not be unduly or inappropriately complex and opaque. The journey involved in implementing a single standard in a financial institution can be lengthy – from lawyers, compliance and management to the frontline customer service providers. In AML/CFT, the risk of allowing an organisation to become over-complex is one of the most fundamental issues. Unlike many other tasks, AML/CFT, or the fight against crime, is today often scattered across many different units. Financial institutions should be cautious here about moving between extremes. Good compliance practice presupposes that the roles of the various units are precisely defined, and that the in-house flow and reporting of relevant information reaches the right decision-maker. The opposite is where risks and suspicions are identified but left “hanging in the air”. In such a case, a financial institution is unable to address the risks accurately or to substantiate its actions later to the supervisor.

We have faced many solutions where expertise that should be grouped is unsystematically disseminated across the organisation. For example, one unit analyses the information received from media monitoring and carries out a broader analysis of the customer portfolio, while another responds to inquiries from the financial intelligence unit and the supervisory authority. In this example, not all the information that could be important for money laundering and terrorist financing risk management was delivered to a single point, making it more complicated to understand and then manage the risk. Not to mention the fact that, in this case, the financial institution did not understand the importance of the inquiries received from its financial intelligence unit and the supervisory authority as an ideal way to understand money laundering risks and the strategies of the competent authorities. They would have provided excellent indications of both systemic weaknesses and the risks in servicing particular customers. Ultimately, this made that financial institution more vulnerable.

The AML/CFT compliance function tends to be viewed narrowly, often without the need for a specific entity. It may be a separate AML/CFT unit or part of an overall compliance function. Still, it is preferably integrated into a broader role involved in preventing financial crime. It is crucial to ensure that nothing is lost between departments when implementing a legal provision or dealing with other external risks.

34. Compliance must ensure that the organisation works in a coordinated manner

Once the organisational framework is agreed upon and established, it becomes relevant to coordinate. It is vital to have functional synergy between different units. If this does not exist, it does not matter whether different units separately have high standards or whether there is one extremely sophisticated unit. One of the most significant risks in the organisational framework is working in “silos” instead of working as a united force. It is as if the scientists had all worked alone in the 1960s to get to the moon. AML/CFT also has an “ultimate goal” that cannot be achieved when working in “silos”; everyone should cover each other's backs. Practice shows that working in “silos” often creates a situation where risks are identified but not managed. This may significantly affect financial institutions and their senior management, as being non-responsive to risks that have been identified might be even worse than not identifying the risks at all. Another example is the reverse, where a unit dealing with high-risk cases is well staffed and prepared, but cases from other units simply do not reach its desk. Sometimes it even happens that a team works better when the strongest link is taken out of the equation because it just interferes with the synergies. At other times you have to deal with the weakest link, which may be weak because of a unit, department or one individual nearby. So even if there is a “helicopter view” and all the roles are well distributed, and the team seems to be perfect, it can all still be only apparent compliance. The idea on paper must also work in practice – it must be monitored continuously after implementation.

35. In group structures, there is a risk of blurring


We discussed above the need to have a group-wide dimension and someone to take the lead responsibility. However, the group-wide dimension does not mean that a subsidiary or branch cannot build its systems and controls differently. Each country or jurisdiction has its own risks, and the requirements of the supervisory authority also differ. The parent and its subsidiary bank may also operate in very different customer segments and markets. Therefore, in some cases, a subsidiary has to do more than the parent bank and vice versa. This could lead to one having a more efficient organisational structure, more IT or human resources, or better ongoing monitoring solutions.

36. Compliance has to make its way to the senior management
Previously, we discussed the responsibilities of the senior management in decision-making and communication. However, this cannot be one-way traffic. One of the main tasks of the AML/CFT compliance function is to make itself visible and audible to the senior management. In some cases this is more difficult and in others easier; it all depends on how committed the management is and on the overall compliance culture. As the reporting obligation is an active duty, the compliance officer’s ability to reach the management level demonstrates his or her strength as well as the strength of the entire compliance framework. When a money laundering case materialises, the supervisor always asks whether compliance and all the other employees made a noise and pointed out the deficiencies in the system. The compliance function, together with the risk management and MLRO functions, should therefore provide the senior management with at least the following overviews:

• Significant changes in the AML/CFT legal framework

• Modern methods, trends and specific typologies of money laundering, terrorist financing and circumvention of financial sanctions, and their impact on the financial institution, including the need to mitigate these risks through an amendment of the current solutions

• The results of risk assessments within the supervised entity as well as those by supervisory authorities, law enforcement agencies, financial intelligence units, the home country, or the union of states, and their impact on the financial institution, including the need to mitigate these risks through an amendment of the current solutions

• Volumes of services provided in sectors and customer segments vulnerable to money laundering and terrorist financing threats, and possible changes and trends in these

• Adherence to the risk appetite

• Operational risk incidents related to the prevention of money laundering and terrorist financing, and the organisational solutions designed to combat them

• Reports to the financial intelligence unit, including statistics on the amount of suspicious or unusual transactions, and their impact on the financial institution, including the need to mitigate these risks through an amendment of the current solutions

• Adequacy of the financial institution's compensation mechanisms (including IT systems and human resources)

• Proposals to change or supplement the risk appetite, risk assessments or the measures taken to prevent money laundering and terrorist financing

• Proposals to terminate or suspend the provision of specific products or services until the compliance framework or other capabilities have been adjusted to the risks being taken

IV. Requirements for the AML/CFT employees
37. You are the compliance expert
Performing AML/CFT obligations is undoubtedly not an easy task. Supervisors often hear compliance personnel asking to be given the exact sequence of actions to follow and the number of documents to collect in order to dispel a suspicion. They also complain that supervisors do not give direct guidance in that regard. This attitude is something compliance should get rid of very quickly. Can you imagine the chief engineer of a Formula 1 team sitting next to the team leader and asking out loud: “What should I do to make this car faster?” Or a musician asking someone what they think is the right order of notes to make a new radio hit? Given the nature of money laundering and terrorist financing, no ultimate guidance will ever be possible. Anyone who thinks that collecting a certain number of documents per customer gets the job done is naive. Even in well-known money laundering schemes, the underlying customers have often provided banks with all the necessary documentation as part of the ongoing due diligence. Contracts, transportation and customs papers, you name it, all bright and shiny. The task is challenging indeed. Supervisors also understand this, but the focus must be on finding solutions. There must be a proper level of due diligence to protect the financial institution, not only because it is required by law. Compliance personnel should understand that it is not just a matter of supervisory guidance, because the bank may face problems in front of the public regardless. It is the compliance officer who is the leading expert in a financial institution. He or she has been hired for this and must support the senior management in finding adequate solutions, and instil confidence in the supervisor through their professional skills.
38. Choosing an employee is about education,
skills, character, and much more
We discussed earlier how AML/CFT compliance and related units
have seen a substantial increase in employees and only later has the
organisation found them a place. This highlights the importance of the
employee selection process. Often, an employee is selected because
he or she has had a previous encounter with the AML/CFT world.
Often it is secondary for an employer to analyse what expertise it
needs or what knowledge a given vacancy requires. There is a saying
that success generates success, but a good name, or having held a
prominent or publicly visible position does not mean that this person
is made for the job or can perform a specific duty. Every institution
should think very carefully about why a particular employee is
needed. It should also question how this person will fit in with the
other team members and whether this candidate can perform the
work required for the system to operate perfectly and smoothly as a
whole.

The expertise needed to perform AML/CFT obligations is diverse. It is not the case that the best AML/CFT team should consist mainly of experienced police officers or former investigators because the most crucial thing is supposedly to have an investigative capacity. This is undoubtedly a critical aspect of the work, but several others are at least as important.

Working in AML/CFT, including as a compliance officer, requires the ability to build an organisation, manage workflows, ensure data quality, set up ongoing monitoring solutions and reporting lines, and so on. Therefore, it requires management experience, legal knowledge, data expertise, knowledge of how organisational solutions should work in a financial institution, mathematical knowledge when designing ongoing monitoring algorithms, analytical knowledge in determining the level of risk for customers, and more. Hence, a complete team will have all those characteristics and the education to cover all those fields. Consequently, a financial institution needs to carefully consider the background of each candidate before choosing them to work in AML/CFT, as they might need to have very different skills and abilities. Finding the right candidates also presupposes a willingness to provide reasonable remuneration. Financial institutions get the skills and qualities they pay for.

39. Some expertise is needed in all fields of life


The prevention of money laundering and terrorist financing, as well as detecting the circumvention of financial sanctions, involves identifying suspicious behaviour. In most cases, the financial institution does not even know whether money is being laundered behind the suspicious circumstances or not. This poses another fundamental challenge in today's approach, since financial institutions are sometimes expected to do more and more to meet their obligations. This phenomenon often produces tens of thousands of suspicious transaction reports, a controversy we will discuss later in this book.

A financial institution serves customers whose activities cover entirely different business areas, each with its own specific business needs and well-established practices. Whatever education an employee has, it is often presumed that he or she is an “expert” in every business area and can manage risks correctly and understand customer behaviour, or at least knows when and where to find the “expert” who provides input and helps to complete the picture. The personal qualities and skills required for a job in AML/CFT should not be underestimated. We have had to sit for hours, sometimes even days, to familiarise ourselves with a business area, to profile a customer of a financial institution and then to identify or rule out a suspicious circumstance. We have had to do that to resolve money laundering cases and to understand that, for example, what is written in the know-your-customer files or transportation or customs documentation is something that cannot be true or at least provides a basis for further investigation.

For example, if a customer is actively buying and selling clinker, what exactly is that? As someone apparently bought approximately 280,000 tonnes of this material, this specific example required a call to an expert working in construction. We have also examined various metal alloys and their degree of purity to confirm the credibility of the business activities of a specific company. We have also investigated transportation requirements. What are incoterms, and what does a particular incoterm mean? Moreover, what are the requirements for transporting particular goods, and is there anything suspicious in the submitted documentation? For example, how is it possible to transport hundreds of tonnes of chicken wings to a hungry province thousands of kilometres away without refrigeration equipment? There are also new demands and challenges for financial institutions in the world of financial sanctions and counter-proliferation financing. There are sometimes very technical nuances in this area. For example, do the goods sold or purchased fall within the definition of dual-use goods?[4] There are examples where a metal of a given level of purity is a dual-use item, but if the purity is 0.001% to the other side, it is no longer a dual-use item. This means an employee needs to read the product specifications and know what is precluded by the financial sanction.

These are just a few random examples of the practice of identifying suspicion, but this is what is expected of an AML/CFT expert today. And let us not forget, an employee operating in a high-risk customer segment must also have profound investigative skills. Such a gene must be present in his or her DNA. If not, the investigating journalists will do the work for them.

40. Be clear you understand what money laundering is
Let us imagine an exhibition game in football where neither team intends to win. There may be a lot of beautiful elements in a game like this, but the result is probably quite unpredictable in such a format. In a real game, the ultimate goal should be to score. If the objective is clear, the systems will start working towards only that goal. Financial supervisors commence their on-site inspections with two questions. Their order may change, but in terms of content, they complement each other. The first question is: "How can your institution be used for money laundering? Or terrorist financing?" This is a question about customers, products and services, delivery channels and geographical risks. The next question has sub-questions, but in a nutshell, it is: “What is money laundering? Terrorist financing? What does a financial institution look for in its customers' activities?” Consequently, in addition to the ability to profile customers and understand their activities, an employee of a financial institution must also be able to grasp what to look for in the customer's activities; in other words, what money laundering is. These questions seem elementary or even a bit naive. However, countless times we have seen employees familiar with every single detail in the procedural rules describing due diligence measures, but unable to place their activities in the broader context of why they apply all these obligations and what they are looking for. In the absence of such a view, it may be difficult to verify suspicions in terms of AML/CFT. A widespread consequence is that the specific employee is lost when it matters most.

41. Show yourself to the supervisor


The compliance personnel and the financial supervisor operate in the same "business area", which is why the compliance function is the main focus of the supervisor. The primary goal for a supervisor is to prevent financial institutions from failures that are a consequence of non-compliance or inadequate compliance with regulations. From the supervisor's point of view, the compliance officer must have the relevant know-how and the ability to speak the same language as the supervisor. Only then will the supervisor truly trust and be confident that the financial institution's compliance system is capable of managing risks and working correctly. If the expertise of the compliance officer does not instil trust and confidence, the supervisor will be sceptical about every sentence produced and every action taken. Therefore, in the end, it will be more costly for the financial institution if it fails to invest in the right expertise from the beginning. It is compliance that has to prove itself to the supervisor, not the other way around.

42. Manage risk; do not avoid it


It is an often-noted tendency that the compliance function focuses too eagerly on risk prevention rather than risk identification and management. This is especially apparent in the work of different committees and decision-making processes where compliance has a role, but where it only focuses on the negative and prefers to say “no” to everything or veto every action that entails risk. It does so because it is easier. Avoiding risks is the simplest solution, but not always the smartest one. We remember one conference where, in front of hundreds of people, we were asked by one of the largest credit institutions in a particular financial market what the supervisor thinks of the result that the media and public perception have created. Previously they took risks and tried to manage them; now they are forced to take every possible action to avoid risks. He was right. Of course, such behaviour on a scale that only includes black or white is not correct; the art of compliance is also to manage things that have halftones.

The trouble with solutions that are too strict is that they start to
reduce the level and skills of risk management. As it is never possible
to reduce risks to zero in business operations, the compliance
function, as a risk management agent, is itself forced to take certain
risks that are inherent in business operations. When the compliance
department refuses everything and becomes known as the “No-Man”
or ironically as the “business prevention department” then it is
devaluing its role. It makes them intolerable colleagues and in the
worst-case scenario the organisation even begins to ignore or avoid
them. The latter may ultimately mean a significantly higher residual
risk for the financial institution.

On the other hand, a financial institution must take into account that poor risk management will someday be outperformed by a competitor with better risk management skills. At some point, this can be seen from the income statement, but by then it will be too late. Financial institutions should not be required to serve customers in segments where their risk controls are not equivalent to the risks, but a “no" should be said where justified and where the alternative risk management options have been exhausted. The "No-Men" do not sail to the end because they are left behind. A balance must be found within the permitted framework, and this will ultimately lead to a significantly better result. Such risk management goes further and is more profound in terms of risk assessment, thereby generating higher skills.

43. Constantly educate yourself


Extensive reading is the first condition for the compliance officer’s professionalism. An AML/CFT employee operates in a rapidly changing world. This profession requires a great deal of reading and constant work on yourself. This work does not end when you close the door behind you on your way home. You need to listen to others to understand if the approach you have taken is right or wrong. There are hundreds of publications in the world on money laundering and terrorist financing, and today there are even dozens of podcasts. Different fora, such as membership of trade bodies and associations, are dedicated to AML/CFT and hold in-depth discussions on the fight against money laundering and terrorist financing. They all give you something; you just have to find out what that something is for you. We recommend reading specialist literature and listening to the ideas of others. If you have not started, we trust you at least have the plan.

There are a number of test questions you can always ask yourself. Do you know all the latest terminology, the latest typologies and modern developments in AML/CFT technological solutions and companies offering such services? Would you be able to train other employees, help the management understand the topic, and earn the respect of others as a valued expert? Would you be able to build a new or improve the existing AML/CFT organisation? Do you know what other financial institutions are doing to be better equipped in this fight? These are forward-looking questions when doing your job with all your heart, when taking on a new task and when a manager is looking for a new candidate to fill a critical vacancy.

With the existing knowledge, you can only drive for a month or two
in the AML/CFT field, a year at the most. After that, you will start
having problems in front of the senior management and the
supervisor. Colleagues, too, will have progressed past you. There is
always something to take away from each document and every
training session. You need to be caught up in the ever-evolving
AML/CFT world all the time. This is also how you prove yourself to
the regulator, as discussed above. And don’t forget to share your
knowledge with colleagues, as the goal is to arm your employer with
the best know-how.

Here are some sources that an AML/CFT compliance officer should at least be aware of:

• Mutual evaluation reports of the FATF, MONEYVAL and other FATF self-regulatory bodies

• IMF and OECD evaluation reports

• European Banking Authority peer review reports and summaries of those assessments

• European Commission country reports

• FATF and MONEYVAL guidelines, typologies and other documents

• European Banking Authority guidelines

• European Commission thematic reports and risk assessments, including the Supranational Risk Assessment

• Domestic typology and threat reports and national risk assessments

• Egmont Group guidelines and typologies

• Basel Committee on Banking Supervision and Wolfsberg Group guidelines

• Financial supervisor guidelines

• Sanction decisions of the supervisory authorities

• Internal reports published by financial institutions

• Various newsletters and studies by organisations committed to combating money laundering and terrorist financing, such as the Association of Certified Anti-Money Laundering Specialists (ACAMS), KYC Global Technologies (KYC360) and the Royal United Services Institute (RUSI), as well as posts by different experts on LinkedIn and Twitter

• Various media publications that reveal money laundering schemes, such as the Organized Crime and Corruption Reporting Project (OCCRP) and the International Consortium of Investigative Journalists (ICIJ)

44. Follow the messages of the supervisor


War is what happens when language fails (M. Atwood). Listen carefully to every word your supervisor utters, as they always put messages and tips in their presentations, interviews, texts and dialogues. If your financial institution belongs to a cross-border financial group, be aware that these messages may differ from supervisor to supervisor. They warn between the lines and guide financial institutions to change their behaviour. They give you an idea of what the supervisory priorities are and what changes or qualities they want to see in AML/CFT systems. It is only a matter of time before they come to evaluate the principles they have just communicated. For example, if a supervisor in a public forum or conference covers a new trend or expectation, there is a good chance that it is talking about the financial institution you are working for. Moments later, you will be due for an on-site inspection. If the supervisory authority hints that financial institutions should invest in smarter ongoing monitoring solutions, know that on-site inspections are to be expected soon in this area. Always ask yourself: if the supervisor's statements were specifically about your financial institution, how would you respond? Are you able to answer this without blinking? If not, then act now so that you at least have the answer tomorrow. Also note that financial supervisors are generally one step ahead of financial institutions, as they operate within an intelligence information ecosystem that is vastly different from that which any single financial institution has access to.

45. Everyone is responsible


When money laundering risks materialise, but also in the course of routine controls, financial supervisors usually try to identify the responsible parties in case of system failures. Senior management is asked if the tone, culture and commitment have been passed on to the employees. The internal audit unit is asked what control activities have been performed, whether they are frequent enough, why certain things have not been identified, and so on. The compliance unit is asked why the system does not work as a whole and why compliance has not been achieved. The supervisor then asks employees with direct contact with customers what due diligence measures have been implemented or why suspicious activities have not been identified. Anyone who has failed to fulfil their obligation in this chain is liable. However, this liability can be reduced, but only if the failures were not attributable to, or under the control of, the specific employee. This therefore depends on whether that employee had the opportunity to influence the situation. If the reason for a failure is, for example, a lack of resources, then the question is whether the employees communicated this to their immediate superior. The same applies to deficiencies in business tools, the capabilities of (automated) systems, and so on. If these shortcomings have not been pointed out, but were known to the employee, then that employee has contributed to the failure. Consequently, every employee must be aware of their role in a financial institution and be active in pointing out shortcomings. Otherwise, in the event of a failure, the employee could be in the same difficult position as the CEO.
V. Business risk assessment
46. Risk assessment is the most critical thinking exercise in the AML/CFT fight
Business risk assessment is a prerequisite for building a proper AML/CFT organisation. It is a crucial brainstorming exercise for a financial institution in shaping its policies so that it can develop countermeasures that are commensurate with the risks it takes. These countermeasures are the AML/CFT systems and controls implemented on a daily basis. A lack of risk analysis is a major risk for a financial institution, but also a major source of inefficiency in building risk control in the organisation. Moreover, supervisory authorities also want financial institutions to be able to answer, and always be in a position to describe, how they can be used for money laundering and terrorist financing purposes or to circumvent financial sanctions. The correct answer is not that “this is not possible”, because such a risk is always present in the activities of any financial institution. The actual question is how big or small the risk is. The latter, in turn, depends on the circumstances, in particular the nature of its business.
This exercise can be described through six concepts and related
activities:

• Risk is a function of threat, vulnerability and consequence

• Risk assessment (also referred to as business-wide risk assessment in the AML/CFT literature) is the combined assessment of money laundering and terrorist financing modus operandi (threats) and of how the financial institution could potentially be used for these purposes (vulnerability). The result of this combined assessment provides an understanding of the risk that remains after the application of risk mitigation measures (residual risk) and of the potential harm caused (consequences)

• Threats arise from the environments in which, and the ways in which, money can be laundered, terrorists financed and financial sanctions circumvented

• Vulnerabilities arise from the customers serviced, products and services offered, delivery channels used and geographical risks faced (inherent risk), on the one hand, and from the AML/CFT systems and controls implemented on a daily basis to balance out the inherent risk or to assess and manage these risks (countermeasures or risk-mitigating controls), on the other

• The consequences include the impact and harm that threats could unleash. Usually, this part of the assessment is not executed in the risk assessment document because it is challenging by nature; however, for financial institutions, it is the same exercise the risk management function does to understand the financial and non-financial consequences of potential risks

• Risk appetite is a policy adopted by the senior management that defines which money laundering and terrorist financing risks it is willing to accept and at what levels

Let us illustrate this process with the following real-life example. Getting a cold could result in bronchitis (threat). If it is minus 30°C outside (inherent risk) and a child does not have the right clothing (countermeasures) for such cold weather, then it is quite likely that even after a short spell outdoors the child may develop bronchitis, and some of that likelihood remains even if he or she is properly clothed (residual risk). However, if we are ready to send the child to play outdoors in such weather (risk appetite), we will need to dress him or her warmly enough (additional countermeasures) to prevent illness.

It is no different for a financial institution. The organisation must understand the various ways criminals launder money and finance terrorism (threat), and then understand its own vulnerability to this by identifying products and services, customer segments, delivery channels and geographical risks that criminals could exploit (inherent risk) and the systems and controls that are in place at the given moment to mitigate the risk (countermeasures). Once a financial institution has determined the extent to which it is prepared to accept certain risks (risk appetite), it is then up to the financial institution to design and build the necessary additional countermeasures to manage the risk.

As we can see from this, there are two types of countermeasures. The first are the systems and controls available at the time of the risk assessment (countermeasures or risk-mitigating controls), and the second are measures yet to be taken in order to reach the level needed to balance out the risk.

Such a risk assessment is also imperative for a financial institution when assigning risk levels to customers, which in turn determine whether a customer should be subject to simplified or enhanced due diligence measures. This whole exercise allows a financial institution to use and direct its resources most efficiently. A financial institution needs to invest where it is needed most.

47. Risk assessment takes a business-wide view


Even the utmost diligence cannot totally prevent a financial institution from being used for money laundering and terrorist financing purposes. No risk can be reduced to zero. However, a properly executed risk assessment significantly reduces the likelihood of such risks materialising. As the risk assessment requires a business-wide view of the threats a financial institution is facing, and of its vulnerability to these threats, the owner of this assessment should presumably be the second line of defence. The second argument in favour of the second line of defence is the nature of AML/CFT, where financial institutions must always be alert so that business units do not downplay risk in order to have more lax controls that could favour criminals. Depending on group solutions and management models, a group-wide view across this risk assessment should probably be taken. The same group-wide view should also be taken concerning risk appetite and decisions about the additional countermeasures to manage and mitigate the residual risk. A poorly conducted or non-existent risk assessment will result in unjustified choices and gaps in AML/CFT systems and controls. It will guarantee conflicts between resources and competencies and compromise decision-making at the management level.

48. The first page of a risk assessment says it all


A risk assessment should provide an understanding of the most likely ways a particular financial institution could be used for money laundering, terrorist financing and the circumvention of financial sanctions. It boils down to questions about which products and services are most likely to be used, by or through which customers and delivery channels, involving which geographical factors. The first page of a risk assessment must provide a clear answer to these questions, and every employee and every member of the senior management should know this in the blink of an eye. It is where the actions of every employee and the building of the organisation should start.

49. A risk assessment is easier to read if a clear structure is followed
In public guidelines, the concept of the risk assessment is
practically always theoretical. There are always questions about what
should come first – the business risk assessment and then the risk
appetite or vice versa, or should these be presented simultaneously.
No one specifies how to write this document or what exactly to follow
when writing it. This is mostly a matter of taste, but since we have
read hundreds of risk assessments during our supervisory
experience, including those compiled by financial institutions and
entire nations, we dare to offer one example of how to logically
structure a risk assessment. In very simplified terms, a risk
assessment should mirror the following steps:

Customer type 1[5]

Step 1: Possible typologies broken down separately for money laundering, terrorist financing and the circumvention of financial sanctions (threat)

Step 2: Statistics about customer type 1, including number of,
share of the total, etc. (inherent risk)

Step 3: Existing countermeasures to mitigate the inherent risk
and their adequacy analysis (the other side of the vulnerability)

Step 4: Determine the residual risk

Step 5: Define the risk appetite for customer type 1
(decrease/increase/leave it at its current level)

Step 6: Decide on additional countermeasures, in particular, if
the risk appetite is to be increased and/or the residual risk is
positive

These steps, again in very simplified terms, could, through a
hypothetical example, appear as follows. In Step 1 a financial
institution learns from a publicly accessible typology that corrupt
politicians are laundering bribes (i.e. the proceeds of crime). A
financial institution in Step 2 starts to analyse its vulnerability (i.e.
inherent risk), looking at politically exposed persons (PEP), and
learns that it has 1,000 politically exposed persons as customers,
which is 50% of its customer base. It then combines the information
from Step 1 and Step 2 and sees that it has a lot of customers that
could be vulnerable to the threat and that they make up a relatively
large share of the portfolio. In Step 3, it analyses the existing
countermeasures, including how it applies customer due diligence
during customer on-boarding, what ongoing monitoring algorithms it
has and how many people are employed to go through all this. It
concludes that the countermeasures are sufficient and that it is not
vulnerable. In Step 4, it concludes that the residual risk is negative. In
Step 5, it decides at the managerial level that this business is
profitable and that it wants to have 1,000 more politically exposed
persons. In Step 6, it analyses whether the existing countermeasures
are sufficient to cover the additional 1,000 customers or whether it
needs to apply additional countermeasures. It concludes that it is
more than enough, and it could manage the new risk appetite, and
there is no need for additional countermeasures. It then proceeds to
customer type 2.

Analysing different categories together, for example certain
customer types with certain products, is also often advisable. In this
example involving politically exposed persons, Step 1 should also
have involved analysing, for example, the services offered (e.g. cash)
to understand the entire size of the inherent risk.
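
As an added illustration that is not part of the book, the six steps above coded as a small Python model using the book's PEP case; the 2,000-customer base, the threat severity scale, the control capacities and the combined PEP-plus-cash case are assumed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """Step 1: a typology from a public source, tagged by the category
    rule 50 asks for ("ML", "TF" or "sanctions"). Severity scale is assumed."""
    name: str
    category: str
    severity: int  # 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Countermeasure:
    """Step 3: an existing control, the threats it addresses and the number
    of customers it can adequately cover (analyst/system capacity; assumed)."""
    name: str
    covers: frozenset
    capacity: int


@dataclass(frozen=True)
class CustomerType:
    """Step 2: statistics about one customer type, plus the threats mapped
    onto it in Step 1 and the controls assessed in Step 3."""
    name: str
    count: int
    total_customers: int
    threats: tuple
    controls: tuple

    def share(self):
        return self.count / self.total_customers


def inherent_risk(ct):
    """Step 2 result: worst applicable threat severity weighted by the share
    of the portfolio this customer type represents (assumed scoring, 0..5)."""
    return max(t.severity for t in ct.threats) * ct.share()


def control_gaps(ct, extra_customers=0):
    """Step 3 adequacy analysis: a threat is a gap if no control addresses
    it, or if any control addressing it cannot cover the (planned) count."""
    needed = ct.count + extra_customers
    gaps = []
    for t in ct.threats:
        relevant = [c for c in ct.controls if t.name in c.covers]
        if not relevant or any(c.capacity < needed for c in relevant):
            gaps.append(t.name)
    return gaps


def residual_risk(ct, extra_customers=0):
    """Step 4, in the book's wording: 'negative' when the countermeasures
    are adequate for the inherent risk, 'positive' otherwise."""
    return "negative" if not control_gaps(ct, extra_customers) else "positive"


def assess(ct, planned_increase):
    """Steps 5 and 6: management proposes to add `planned_increase` customers
    of this type; report whether existing controls absorb the new appetite."""
    return {
        "customer_type": ct.name,
        "share_of_portfolio": round(ct.share(), 2),
        "inherent_risk": round(inherent_risk(ct), 2),
        "residual_risk_now": residual_risk(ct),
        "planned_increase": planned_increase,
        "residual_risk_after": residual_risk(ct, planned_increase),
        "additional_countermeasures_for": control_gaps(ct, planned_increase),
    }


# The book's hypothetical case with constructed capacities: 1,000 PEPs are
# 50% of a 2,000-customer base; on-boarding CDD and ongoing monitoring both
# address the bribe-laundering typology.
BRIBE_LAUNDERING = Threat("bribe laundering by corrupt politicians", "ML", 5)
PEP_CASE = CustomerType(
    name="politically exposed persons",
    count=1_000,
    total_customers=2_000,
    threats=(BRIBE_LAUNDERING,),
    controls=(
        Countermeasure("enhanced CDD at on-boarding", frozenset({BRIBE_LAUNDERING.name}), 2_500),
        Countermeasure("ongoing monitoring (3 analysts)", frozenset({BRIBE_LAUNDERING.name}), 2_000),
    ),
)

# Rule 49's closing point: combining categories (PEPs who also use cash
# services) surfaces a threat that none of the existing controls addresses.
CASH_PLACEMENT = Threat("placement of cash bribes", "ML", 4)
PEP_CASH_CASE = CustomerType("PEPs using cash services", 300, 2_000,
                             (BRIBE_LAUNDERING, CASH_PLACEMENT), PEP_CASE.controls)

if __name__ == "__main__":
    # +1,000 PEPs stays within capacity; +2,000 exceeds both controls.
    for increase in (1_000, 2_000):
        print(assess(PEP_CASE, increase))
    print(assess(PEP_CASH_CASE, 0))
```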

50. Differentiate threats of money laundering, terrorist financing and
the circumvention of financial sanctions

When analysing vulnerability to threats, a financial institution must
distinguish between the threats of money laundering, terrorist
financing and the circumvention of financial sanctions. Financial
institutions that are large and complex should at the very least
analyse the modus operandi that the financial institution, based on its
knowledge, considers the most threatening.
The threats associated with money laundering should be divided
into three stages: placement, layering and integration. These three
stages are all known as the usual stages of money laundering
activity, where the proceeds of crime are being placed into the
system, then laundered through layering and then integrated as if
they were from a legitimate source. Terrorist financing must also be
divided into three: raising, movement and use.

However, these are not all sub-categories that a financial
institution must take into account. In today's globalising world, the
public expects a financial institution to also understand crimes that
are predicate offences to money laundering and that generate a
significant amount of criminal proceeds and affect human justice.
These include tax evasion, fraud, corruption and bribery, human
trafficking, illegal wild-life trade, and so on. To identify, assess and
understand all threats, a financial institution must be constantly aware
of different typologies, and risk and threat assessments of both the
state (and union) and the competent authorities that cover these
predicate crimes. It must also learn from past experience whether
there are additional threats that are not covered by the
abovementioned typologies and assessments.

When analysing threats, it should be noted that different
typologies and risk and threat assessments are also read by
criminals. A financial institution must always think one step further
about how, by slightly altering or developing the same typology, a
new threat or course of action by criminals could emerge. For
example, the money laundering scheme known from the Russian
Laundromat, which used courts to launder proceeds and create a
reason for the transmission of funds, is unlikely to be used by
criminals to such an extent in the future. However, there may be
alterations to this, which is why a single feature or solution known
from a previous case might be used. On the other hand, there are
cases where a financial institution must thoroughly familiarise itself
with the modus operandi that is used again and again. For example,
concerning sanctions against the Democratic People's Republic of
Korea, it is clear that no one is openly and publicly transporting to the
Democratic People's Republic of Korea the components needed to
build weapons of mass destruction, sending money to its banks or
picking up coal from their ports. In these cases, the typologies include
how the Democratic People's Republic of Korea finances itself or
imports or exports goods that are forbidden, including what countries,
services and products or delivery channels are used for this purpose.
Even the people targeted by financial sanctions know their listings
and so do not come to open accounts; therefore, it is relevant again
to understand the methods used for circumvention. The same is true
for terrorist financing, where a financial institution must learn and
know how terrorist groups or even individual terrorists are raising
money, moving and then using it.

51. Inherent risk must be analysed across four different categories

The coverage and depth of a risk assessment depends on the
size of the specific financial institution and the nature, scale and level
of complexity of its activities and the services provided. An inherent
risk assessment should cover at least four main categories: (i) types
of customers, (ii) products and services, (iii) delivery channels, and
(iv) geographical risks. For the sake of the readability of a risk
assessment, financial institutions do not have to perform an in-depth
analysis of all customer groups, all products and services, all delivery
channels and assess the risks related to all countries of the world. A
risk-based approach means that more resources are needed where
the risk is potentially greater, which in turn requires an understanding
of the different trends, methods and typologies. To illustrate, we also
provide some examples of what could be analysed under each of the
four categories.

Under customers, you could analyse the inherent risk related to:
resident customers, non-resident customers; resident customers
whose beneficial owner is a non-resident; customers who are
financial institutions that serve customers (respondent institution);
customers providing a particular service (e.g. adult services,
gambling, currency exchange, purchase and sale of precious metals
and stones, services with a specific high risk (e.g. related to financial
sanctions)); customers operating in certain business lines (e.g. trade,
construction, catering); customers that have a particular characteristic
(e.g. a politically exposed person, a beneficial owner of a company is
younger than ‘n’ years, is a trust, an association or a non-profit
organisation (NPO)); or customers that have a particular ownership
structure (e.g. ultimate beneficial owner is identifiable from layer No
‘n’).

Under products and services you could analyse: payment services
to a particular country and/or of a specified amount; payment services
that are in ‘n’% cases used together with currency exchange;
payment services that allow cash usage; a term deposit with an
unreasonably long maturity (i.e. a maturity of more than ‘n’ years);
loans; trade finance; investment funds; portfolio management;
investment advice; personal asset management; life insurance; unit
linked life insurance; trades on the stock exchange; trades over-the-
counter (OTC); or virtual assets.

Concerning delivery channels it could be useful to analyse: how
customers are obtained (e.g. customers come through a
recommendation, a trust or a company service provider, an agent
with a business relationship with the financial institution); methods of
customer identification (e.g. via video, digitally, face-to-face); or
channels of communication with the customer (e.g. internet or
telephone bank, app, or other channels used to issue orders).

Inherent risk coming from geographical aspects is where
customers, products and services, or delivery channels have a
meaningful connection to the following: high-risk jurisdictions subject
to a call for action (FATF blacklist); jurisdictions under increased
monitoring (FATF grey list); jurisdictions with high corruption risk;
jurisdictions with high terrorist financing risk; jurisdictions involved in
or connected to the proliferation of weapons of mass destruction;
financial centres; or low-tax territories. A meaningful connection could
include residence (for a legal person), trading (large turnover in a
higher-risk country), and so on.

52. During a risk assessment, analyse existing countermeasures

In addition to analysing the inherent risks, a risk assessment must
also assess the other side of the vulnerability. In determining the full
vulnerability, a financial institution should also assess all the risk-
mitigating controls it uses at the time of the risk assessment to
mitigate inherent risks, and understand what additional measures it
needs to take. These are systems and controls to combat money
laundering and terrorist financing; in other words, threats and inherent
risks that the financial institution had previously identified. A
vulnerability assessment requires an analysis of the entire
organisation, including IT solutions, human resources, the existence
and location of different structural units, and so on. It is an
assessment of design and operational effectiveness.
Countermeasures should be assessed per identified inherent risk;
however, a financial institution may combine the assessment process
to cover different risks.

53. Risk appetite must be in line with AML/CFT systems and controls

After all threats and vulnerabilities have been identified, assessed
and understood, the crucial decision is that which determines the risk
appetite. This involves a quantitative and qualitative decision about
the money laundering and terrorist financing risk that the financial
institution is prepared to take within the regulatory landscape to
achieve its business goals and objectives. Risk appetite should take
into account at least the higher inherent risk indicators and metrics
identified during the risk assessment. If a financial institution offers a
wide range of products and services to a wide range of customers,
this means defining the risk appetite for all relevant business lines,
business units and/or groups of products and services. These global
risk appetite principles are those that the senior management must
bring to the attention of each AML/CFT employee.
While the result of a risk assessment merely identifies the
likelihood, size and materiality of risks, a risk appetite is a means of
deciding which transactions and customers the financial institution is
generally ready to proceed with and to what extent. Therefore, risk
appetite has a direct correlation to the institution's business plan,
where one influences the other.

Risk appetite is not something that can be changed arbitrarily. A
change in the risk appetite must be preceded by a thorough analysis
and a considered decision. This means avoiding a situation whereby,
in response to rising risk levels, a financial institution simply increases
the risk appetite without analysing the consequences, in particular the
resilience of the countermeasures.

54. After the risk assessment and risk appetite decision, additional
countermeasures are considered

Risk assessment and risk appetite are the foundation for the
following risk management activities. These involve decisions on
which AML/CFT systems and controls the financial institution still
needs to invest in. In the previous real-life example, the decision was
about how much clothing a child should wear if you are letting him or
her go out in very cold weather.

It is quite normal for financial institutions to analyse the increases
and decreases of inherent risk indicators continually. Regrettably, the
same constant analysis is not conducted for the countermeasures.
Financial institutions often neglect human resources movements,
including situations where human resources significantly decrease or
more experienced employees are replaced with less experienced ones.
Threat and vulnerability analysis and risk appetite, on the one hand,
and countermeasures, on the other, should work hand in hand. Every
financial institution should have a set of rules about deciding to limit
risk-taking until countermeasures are restored and the necessary
replacement employees found. A financial institution must determine
the employees that continuously monitor the sufficiency of
countermeasures and any changes in them. If you do not have a
jacket right then and there, or it got ripped the last time it was worn,
you can guess what will happen if you let your child go outside
without it in very cold weather.

55. Update your risk assessment regularly


The risk assessment, including the threat and vulnerability
analysis, needs to be continuously updated. We recommend doing
this at least every 18 months, but in some cases, it needs to be
updated more often. It must be updated, firstly, when new typologies
emerge and after new risk and threat assessments by the national
(and union) authorities. A financial institution must update its risk
assessment and analyse the risks additionally when it identifies new
trends, methods and unusual activities in its client base that appear to
be a new type of threat or a way to launder money, finance terrorism
or circumvent international financial sanctions. The risk assessment
must also be updated if the financial institution decides to offer new
products and services or to use new or non-traditional delivery
channels, and also when it chooses to provide products or services
through new technologies or to new markets or geographical
locations, or to change its risk appetite to take more risks.

56. Create a dashboard to manage risk


Imagine driving a car on a road that has speed limits without a
speedometer on the dashboard to show the speed of the vehicle. To
avoid any violations, the driver should probably drive much slower,
just in case. Money laundering and terrorist financing risk
management is no different in principle from the management of
other risks. One of the central principles of risk management is
constant monitoring of the size and materiality of the risk, but also
visualising this risk.
It is highly recommended for a financial institution to create a
central easy-to-read dashboard solution, which regularly shows
increases and decreases in the major pre-defined inherent risks.
These monitored risks are preferably those identified as the most
relevant during the risk assessment. The same dashboard should
continuously show the magnitude of the risk in relation to the decided
risk appetite and whether these quantitative limits are being adhered
to.

Dashboards often also include notifications when specific
parameters are exceeded as well as provide key performance
indicators. The dashboard must be available to all money laundering
and terrorist financing risk owners and those helping to mitigate those
risks, including senior management and the relevant employees and
departments exposed to money laundering and terrorist financing risk
in their day-to-day operations. It is also essential to show the
supervisor that the financial institution is aware of the magnitude of
risks at all times, as otherwise, it is highly questionable how the risks
can be managed appropriately without constant and up-to-date
information. An absence of a dashboard can only be explained if the
financial institution operates in a very low-risk environment; in other
words, "drives at a very low speed".
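
As an added example that is not from the book, the dashboard idea of rule 56 combined with the countermeasure monitoring of rule 54: pre-defined inherent risk indicators and one countermeasure indicator are computed from period figures, compared with quantitative risk appetite limits, and turned into notifications. All figures, indicator names and limits are constructed for a fictitious institution.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    """A quantitative risk appetite limit for one monitored indicator.
    Indicator names and threshold values are assumptions for this example."""
    indicator: str
    max_value: float
    kind: str  # "inherent_risk" or "countermeasure"


# Constructed figures for two reporting periods of a fictitious institution.
PREVIOUS_PERIOD = {
    "pep_customers": 950,
    "total_customers": 2_000,
    "high_risk_jurisdiction_payments_eur": 8_000_000,
    "total_payments_eur": 100_000_000,
    "cash_deposits_eur": 3_500_000,
    "aml_analysts_fte": 9,
    "open_alerts": 600,
}
CURRENT_PERIOD = {
    "pep_customers": 1_100,
    "total_customers": 2_000,
    "high_risk_jurisdiction_payments_eur": 9_500_000,
    "total_payments_eur": 100_000_000,
    "cash_deposits_eur": 3_200_000,
    "aml_analysts_fte": 7,  # two analysts left and were not replaced
    "open_alerts": 640,
}

# The limits decided as risk appetite; the last one watches a countermeasure.
RISK_APPETITE = (
    Limit("pep_share", 0.50, "inherent_risk"),
    Limit("high_risk_jurisdiction_share", 0.10, "inherent_risk"),
    Limit("cash_deposits_eur", 5_000_000, "inherent_risk"),
    Limit("open_alerts_per_analyst", 80, "countermeasure"),
)


def indicators(period):
    """Derive the dashboard indicators from raw period figures."""
    return {
        "pep_share": period["pep_customers"] / period["total_customers"],
        "high_risk_jurisdiction_share": (
            period["high_risk_jurisdiction_payments_eur"] / period["total_payments_eur"]
        ),
        "cash_deposits_eur": period["cash_deposits_eur"],
        "open_alerts_per_analyst": period["open_alerts"] / max(period["aml_analysts_fte"], 1),
    }


def dashboard(current, previous, limits):
    """One row per limit: value, trend versus the previous period,
    utilisation of the appetite limit and whether the limit is breached."""
    now, before = indicators(current), indicators(previous)
    rows = []
    for lim in limits:
        value = now[lim.indicator]
        delta = value - before[lim.indicator]
        rows.append({
            "indicator": lim.indicator,
            "kind": lim.kind,
            "value": round(value, 3),
            "limit": lim.max_value,
            "trend": "up" if delta > 0 else "down" if delta < 0 else "flat",
            "utilisation": round(value / lim.max_value, 2),
            "breach": value > lim.max_value,
        })
    return rows


def notifications(rows, warn_at=0.9):
    """Notifications for breached limits and for limits close to being hit.
    A breached countermeasure indicator triggers the rule-54 response of
    limiting risk-taking until the countermeasure is restored."""
    messages = []
    for r in rows:
        if r["breach"]:
            action = ("limit risk-taking until countermeasures are restored"
                      if r["kind"] == "countermeasure"
                      else "escalate to senior management: risk appetite limit exceeded")
            messages.append(f"BREACH {r['indicator']}={r['value']} > {r['limit']}: {action}")
        elif r["utilisation"] >= warn_at:
            messages.append(f"WARNING {r['indicator']} at {round(r['utilisation'] * 100)}% of limit")
    return messages


if __name__ == "__main__":
    rows = dashboard(CURRENT_PERIOD, PREVIOUS_PERIOD, RISK_APPETITE)
    for row in rows:
        print(row)
    for message in notifications(rows):
        print(message)
```
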

VI. Compiling the rules of procedures

57. Rules of procedures help to consider the content of AML/CFT
systems and controls

The more regulated a business area or the more complex an
organisation is, the more the rules of procedures come into play. The
rules of procedures not only work to provide comfort for a supervisor.
They form a risk management tool for the day-to-day implementation
of AML/CFT systems and controls. They help implement the
objectives set out in the legislation and the policy chosen by the
financial institution and keep everything in line with the decided risk
appetite. As a secondary objective, the process of writing rules of
procedures helps to systematically analyse the systems and controls
that are in use to ensure they are adequate, but also to record in
writing the historical expertise and how everything should be working.
Supervisors take the procedures as a basis when they grant
authorisations or during an ongoing supervision to learn how the
AML/CFT organisation is established, and systems and controls
work. Rules of procedures are written evidence that the senior
management has considered the content of the AML/CFT systems
and controls and has established clear rules of conduct.

58. Rules of procedures are a description of work processes

A standard error that financial institutions often make when writing
rules of procedures is that they first write a rule of conduct and then
set up systems and controls. Very often, these systems and controls
are entirely different from the rules because the rules were simply not
applicable. The rules of procedures should be a description of
activities already considered and agreed within an organisation. This
means that the compliance unit should first establish which AML/CFT
systems and controls are or ought to be in place, taking into account
the particular money laundering and terrorist financing risks, and only
then can these processes be described in the rules of procedures. If
all this is done in reverse, with the rules of procedures first and then
the practice, the rules of procedures will become something that no
one actually uses and that exist because of legal requirements and
supervisory expectations. Subsequent inspections often reveal that in
these cases the rules of procedures have very little connection with
the everyday life of the organisation.

59. The language of the rules of procedures should be as simple as
possible

Indeed, the scope of rules of procedures sometimes dictates the
sophistication of the language used in the text. However, readability is
nevertheless one of the most important objectives that should be
achieved when writing them. The rules of procedures should be
presented in as simple a language as possible. Excessive use of
complex language and unnecessary wording will kill the reader as it
will with any written text that uses this style. Rules of procedures are
no exception. If you lose the reader at the outset, you are already
likely to have failed. Even a simple document such as a furniture
assembly guide can be written and presented in an overly
complicated and unreadable way. Therefore, it is clear how much
effort and professional skill is needed when writing rules applicable
for a financial institution. It is very similar to when the general
conditions in a financial services contract are written. The customer
will understand the terms and conditions better if the language is
straightforward instead of complicated legal text. Undoubtedly, there
is always a dilemma between simplicity and accuracy, but they are
not mutually exclusive. The first goal must be to get the employee to
read it and to understand its obligations.

60. The rules of procedures are a living document


The purpose of rules of procedures is not only to achieve
coverage of all tasks, but also to bring them to life. This means that
employees adopt these rules, and they become guidelines for their
daily routine. Rule drafters very often underestimate the importance
of everyday usability. Therefore, merely writing down the relevant
rules is not enough; several other vital preconditions are needed for
success. In a vast number of cases, financial institutions fail to write
documents so they are usable and have a soul. As a result, they
become out-of-date and out-of-context. This often happens when the
process of writing rules of procedures is seen as a tedious
supervisory requirement or when it is outsourced to an external
adviser. Usually, such rules are presented during the authorisation
process, where the market entrant has taken these rules off the shelf
of a law firm. Typically, it is the supervisor who later finds these rules
during an inspection where they are close to the shadow of death. In
such cases, an unpleasant consequence for the financial institution
will have already started to emerge. Financial institutions try to
excuse themselves in such failures through the burden of
bureaucracy. Still, it is mainly due to a lack of professionalism on the
part of those drafting the rules of procedures. Therefore, the rules of
procedures must always have an in-house owner who keeps the
rules alive and keeps them relevant and up to date for the big picture.

61. Rules of procedures answer the questions why, what and how

The operation of AML/CFT systems and controls can be
described through three words: (i) why, (ii) what and (iii) how. "Why"
asks why something is done: why we are combating money
laundering and terrorist financing. There is a simple answer to this
question in the AML/CFT field. This is due to the various established
regulatory requirements, international practices and customs, as well
as the complexity of large banks' organisations. Without rules of
procedures, it is highly unlikely that risks can be managed properly. The
"why" therefore symbolises the general policy, general approach and
structure of a financial institution as it complies with international
practice, the law, and the guidelines of the competent authorities.
"What" asks about the specific actions that need to be taken as a
minimum to manage risks. “How” leads us to the right method for and
approach to realising the actions identified in answer to the “what”
question.

The terms "why" and "what" traditionally cover the responsibilities
of the second line of defence, since they deal with compliance with
the legislation by providing guidance. For example, in a situation
where the law requires that the source of wealth be established, the
role of the second line of defence is to stipulate for the first line of
defence the general policy (why) and required steps (what) that must
be taken to identify it. During “why” and “what”, the second line of
defence takes actions to achieve the compliance of a financial
institution with the applicable requirements and any changes to them,
and assesses their possible impact on the financial institution’s
activities and the compliance framework. "How" specifies the
technical implementation of "why" and "what" – the method of
complying with general policies and requirements. This is usually for
the first line of defence to establish, and is its obligation to follow, for
example, in determining the source of wealth described above. "How"
means the steps that the first line of defence takes daily to apply
certain obligations at the employee level. These three questions
provide the foundation and content for the rules of procedures. They
also help distinguish who ought to draft these rules.

62. Rules of procedures have a clear hierarchy


A lack of hierarchy, which may also take the form of significant
repetition and the scattering and fragmenting of different parts of
procedures across many documents, is one of the weaknesses we
have witnessed in financial institutions. Such a solution does not
provide much hope that an employee will get a fair understanding of
how the organisation works and what obligations it has on a day-to-
day basis. The hierarchy of the rules of procedures must also be
clear and unambiguous. It is quite common in large banks for the
rules of procedures to be continuously added to and existing rules to
be supplemented. However, writing rules of procedures is not a
competition won by the one who writes the most extended rules or
whose rules consist of the most different documents. At some point,
the sequence disappears and the rules of procedures become sets of
documents, each of which is 100 or more pages. The idea of why
they were originally written – to give a clear and unambiguous code
of conduct to the employee – is lost.

As new rules of procedures are continually being written and
current documents re-written, it may be the case that it is ultimately
not possible to know what the umbrella rules are, and subsequently,
what the general or specific rules are, what rules apply, for example,
to all first and second line of defence employees, and then also to
particular departments and staff. Rules that become fragmented and
scattered, especially with a significant amount of repetition, will
sooner rather than later start to confuse people. Supervisory practice also
shows that in such a fragmented model, the financial institution is not
able to find and present all the relevant procedures even to the
supervisor. Therefore, take a step back, forget that someone has
written a procedure, instead delete it and start writing the rules from
scratch. If the principles of "why", "what" and "how" are followed, a
hierarchy of rules of procedures is likely achievable.

63. The rules of procedures show the meaningfulness of tasks

Having a meaningful role in an organisation is the biggest
motivator for an employee and a precondition for retaining them.
They understand why the things they are doing are necessary or
what is the greater good, and where their effort should eventually
lead. With the example of the furniture assembly guide mentioned
above, you will have a cabinet or a set of shelves if the assembly
guide is followed. Likewise, this determines the requirements for the
rules of procedures. They should be written in the same kind of plain
language and provide a clear picture of the entire AML/CFT system,
the tasks of different units and a clear code of conduct for each
employee. Through rules of procedures, each employee should
understand his or her importance in the organisation. Employees will
also understand that whether and how the financial institution
prevents money laundering and terrorist financing risks from
materialising depends directly on their efforts to comply with the rules.
Consequently, employees understand that their omissions could
result in a bomb exploding near their favourite restaurant, or the road
they drive to work could be pot-holed because the state did not
receive enough tax revenue due to tax evasion.

64. Rules of procedures have a broad scope


There is a significant amount of guidance about the overall
requirements for rules of procedures, but less about what they should
cover in substance. We present our vision of this and believe that
there should be at least procedures for:

• Preparing a risk assessment of the financial institution

• Identifying and managing risks associated with new and
developing technologies and new services, products and delivery
channels

• Identifying and managing risks associated with a customer and
its activities, and for determining the customer's risk profile

• Applying due diligence measures both during the establishment
of the business relationship and during it, including vis-à-vis
respondent institutions

• Monitoring and screening transactions, including against
financial sanctions and other lists

• Record-keeping, including collecting and storing data, as well
as making them readily available

• Data quality assurance and management

• Refusal to establish a business relationship, refusal to enter
into a transaction and the extraordinary termination of a business
relationship

• How and when the first line of defence should send an internal
notification to the MLRO about suspicious or unusual transactions

• Methodology for the MLRO to use to analyse suspicious and
unusual transactions or circumstances

• Actions to be taken, including methodology and guidance, if a
financial institution suspects money laundering and terrorist
financing or an unusual transaction or circumstance

• How and when reports should be sent to a financial intelligence
unit

• Restrictions on tipping-off parties potentially associated with a
suspicious event

• The hierarchy, functions and rights of those involved in the
AML/CFT compliance function

• Submitting reports and analyses to management

• Outsourcing and reliance on a third person

• Training managers and staff involved in the AML/CFT
framework

• Avoiding conflicts of interest, including screening of employees

• Updating the rules of procedures

If a financial institution belongs to a financial group, the
group-wide dimension and scope must always be taken into account by
subsidiaries or branches.

65. “Digitising” the rules of procedures


It has become increasingly difficult for financial institutions to
present their entire rules of procedures to supervisors in writing. And
this is understandable in part. For example, in the case of AML/CFT
systems and controls that use machine learning, artificial intelligence
or similar new tech solutions, it is no longer always possible to write
the rules of procedures in the classical format. Also, the assessment
of these procedures nowadays requires a different kind of expertise.
Supervisors should encourage financial institutions to adopt better
technologies and invest in digitised workflows and ongoing monitoring
solutions for AML/CFT. In this way, specific procedures are integrated
into the financial institution's systems themselves. Let these systems
then do some of the talking themselves. As such, particular aspects
of procedural rules are integrated into the system specifications,
digitised work processes, and algorithms used in modern
technologies.

VII. AML/CFT data quality

66. It all starts with the quality of the basic data

Quality of data is the foundation. This must come before risk
management. You can mix ground meat, water and salt together and
put it all into the best oven in the world, but the sausage you get out
of it is neither better nor worse than the quality of its ingredients. All
subsequent AML/CFT operations depend on the quality of the basic
data; that means, ongoing monitoring solutions and algorithms, the
identification of suspicious activities, and customer-specific risks.
Data is the basis for answering supervisory inquiries. It also allows
financial institutions to conduct a business-wide risk assessment and
perform strategic analysis on aspects such as trends in payment
volumes and deposits. Data is needed to assess changes in the
consumption of financial services, trends in geographical risk, but
also to compare all this against new typologies and any internally and
externally known risk trends.
The database created for AML/CFT systems and controls is
subject to the same data quality rules and policy principles as in any
other area where the quality of the data determines effectiveness.
AML/CFT needs high-quality data in the same way that medicine and
information technology do, but also other areas of banking itself, such
as credit or liquidity risk measurement. A financial industry that does
not address data quality and its potential weaknesses has little
prospect of a better result tomorrow than today. Just as diseases are
diagnosed through external signs, suspicious activity in banking is
diagnosed in the "payment channels". Unfortunately, even banks that
earn billions suffer from poor data and poor systematisation. Scientific
approaches to AML/CFT data are today virtually non-existent.
Significant progress needs to be made in the definition and quality of
AML/CFT data.

67. Manage your data quality
To have good quality data, a financial institution needs to have in
place an AML/CFT data management framework and data policy.
AML/CFT is no different from any other data-driven field, where
appropriate measures must also be taken to ensure the quality of
data. During this operation, a financial institution assigns an in-house
owner to the database as well as responsible employees, and
determines the scope of the database, data quality controlling
mechanisms and processes in this area. All this requires competent
staff capable of rising to the task. This framework and policy
ultimately ensure the quality of the data used for AML/CFT purposes.
It is not something that should be invented from scratch. All in all,
prepare to answer the supervisor's first question: who are the bank's
managers and employees responsible for the various parts of the
financial institution's AML/CFT data quality? Play through the
supervisor's theoretical visit; this will also help you quickly find
vulnerabilities in your systems.

68. Databases need to be integrated into a single system
One of the elements of data quality is also related to how the
databases themselves are set up. AML/CFT data should not be
scattered between different undefined databases. Managing the
database is certainly a challenge for financial institutions, since, for
example, know-your-customer data can be collected as part of
different tasks and providing various services. Data processing
should strive for efficiency. This means at least that data is not
collected repeatedly, and its location clearly defined for different
tasks. The customer should also experience as little of this burden as
possible. Subsequently, the financial institution needs to set the
location of the data, the data fields that are necessary and the rules
for entering everything into the database. In some way, databases
can also struggle with the "silo" problem, similar to compliance
workflows. Understandably, this should be avoided.

69. Follow basic data quality rules
Data quality rules have always been there. The real art is to apply
these universal principles to the AML/CFT data ecosystem. The rules
for data quality include at the very least the following seven
conditions: relevance, accuracy, consistency, completeness, validity,
reliability and availability. From the AML/CFT point of view, they all
have their specific value. AML/CFT data is not always as “digital” as it
is in medicine or information technology. This, in some respects,
certainly makes rules more difficult to follow, but that does not mean
that it should not be pursued. Following the rules is definitely easier to
achieve for a stand-alone financial institution that has no branches or
subsidiaries. Supervisory cases have shown that data quality can be
a major challenge in banking groups operating on a cross-border
basis. In those cases, specific weaknesses may exist either in
centrally implemented systems or in a decentralised system. The
former does not take into account local specificities, while the latter
loses the group view. Differences in data quality or loss of quality are
a major risk in the event of bank mergers or customer portfolio
takeovers, but especially when transitioning to new AML/CFT
systems.

70. Data must be relevant
The relevance of AML/CFT data is undoubtedly one aspect for
which we see the need for a more centralised approach. The
minimum requirements for the collection of information by financial
institutions, which then in turn are used for ongoing monitoring
solutions for AML/CFT, should be defined internationally in a uniform
and standardised way. Financial institutions are too alone in this
regard. This would allow risks to be measured more uniformly in the
present. It would also create significantly better preconditions for
RegTech developments and international cooperation in dismantling
money laundering schemes. We can see, for example, how a
financial institution today defines a high or low-risk customer based
on data, and how the resulting share of such customers creates
extreme confusion between supervisors, relevant stakeholders and
the general public. At times it can no longer be made sense of. With
precisely the same characteristics, one financial institution may
designate a customer as high risk, while another may see the same
customer as low or medium risk. The only difference is that the bank
that is considered riskier at the “headline level” in this example is so
because it supposedly has numerically more high-risk customers.
In reality, the difference is that it deliberately applies more
robust AML/CFT measures and sees the need to apply enhanced
due diligence to more customers. This is just one example where
inconsistency in AML/CFT data produces incomparable results.

The principle of data relevance is the most critical principle for
data quality in the AML/CFT field. Therefore, all information and the
precise composition of what is to be collected for AML/CFT systems
and controls needs to be defined as a preliminary step. The
relevance of data is of such great importance in AML/CFT systems
and controls in banking because even with the best of intentions, it is
not possible to read the patterns in millions of payment transactions
and manually identify suspicious activities. This, in turn, requires the
availability of relevant basic data. The requirements of legislation and
supervisory guidelines should also be taken into account when
defining the data to be collected for AML/CFT purposes. To ensure
the relevance of data, it is also essential to monitor new typologies
continually, as no current public guideline is ever complete. The new
typologies help us understand trends in money laundering schemes
and provide reason to include new "relevant" data fields.

Financial supervisors are not so much interested in the volume of
data collected according to the know-your-customer principle or
during other data collection processes. They are interested in the
assessment of why the data is sought and how it is used to apply
AML/CFT obligations. Financial institutions often impose intensive
know-your-customer questionnaires, but later it is not possible to
explain why it was necessary to ask for such information and which
AML/CFT control required it. This indicates the redundancy of some
data requests. Excessive data collecting creates problems in the
smooth provision of financial services, as customers become restless
and would like justifiably to understand the rationale behind the
questionnaires. In those cases, the data protection principles,
including purposefulness, also come into play. The relevance of the
data is directly linked to the AML/CFT risk-based approach principle,
including the implementation of simplified and enhanced due
diligence measures. The result should be that a low-risk customer
should enjoy a lower level of controls compared to a high-risk
customer.

71. Data must be accurate and consistent
The accuracy of the data answers the question of the extent to
which the data correctly reflects the situation. The consistency of the
data requires the use of a uniform methodology for data collection
and storage. Even the slightest inaccuracies and lack of regularity in
data quality can mislead AML/CFT systems and controls and lead to
erroneous results. It is time for banks to invest in more sophisticated
technologies and ongoing monitoring solutions. These should be
smarter in identifying suspicious transactions even if the basic data is
not accurate or consistent, thus determining irregularities and
compensating for the shortcomings in the quality of data collected
during customer due diligence.

During our supervisory activities, we have often witnessed cases
of a lack of data accuracy and consistency. One example concerns
cases where names are recorded in databases in different ways. The
simplest of those are where the names of natural persons are
sometimes spelt in the form "first name SPACE surname" and then
"surname COMMA first name" or "surname SPACE first name". In the
case of legal persons, for example, there are usually situations where
the legal form of a legal person is written in different ways, such as
"Ltd", "Ltd." or “Limited”. Furthermore, financial institutions often have
customers whose names include vowels that are not represented in
the official alphabet used in the country the financial institution is
located in. In this example, a financial institution needs to establish
clear transcription rules to avoid situations where similar or the same
names are marked differently in different parts of the same database.

Even mistakes as simple as those mentioned above could prevent
the organisation from identifying suspicious patterns of transactions
or connected customers. Accuracy and consistency can also be an
issue when wrong information is inserted in a specific field in a form.
Different terms mean different things and so dedicated data fields
should be filled using a similar approach. Take, for example,
customer residence, which has many different sub-meanings (as we
elaborate in rule number 86), and therefore could create a distorted
picture of the geographical risk of a customer compared to other
customers. All such inaccuracies and presentational errors could
cause a situation where the data is unusable or prevents connections
being identified or discoveries made that are necessary for managing
money laundering and terrorist financing risks effectively.

72. Data must be complete
The completeness of data presupposes that the data identified for
AML/CFT systems and controls have been collected. By violating the
principle of completeness of data, the successive control
mechanisms of a financial institution also become incorrect. It is
reasonable to use appropriate technological storage solutions to
achieve completeness of data. These do not allow specific fields to
be left empty and raise flags if the data is incomplete. Such a solution
ensures the completeness of data. It also makes it possible to
measure the efficiency of the system, relevance of the data,
reasonableness of the scope, frequency of collection, and so on. In
other words, if this data collection process is continuously hampered
by incomplete data, a financial institution knows that it has to attend
to the rigour of its data storage and, if necessary, return to the
question of data relevance. Consequently, this contributes to a better
risk-based approach.
73. Data must be valid
Data requires constant updating throughout the business
relationship. The validity of data is crucial for a financial institution to
be able to perform real-time AML/CFT checks. The risk profile of
customers can change rapidly, which also necessitates a higher
intensity of data collection. Recent money laundering cases have
shown that the information gathered from the companies used in
those schemes when the business relationship was first established
quickly became invalid or was invalid from the outset. Ensuring the
validity of data is also one of the biggest challenges for a financial
institution. Constant requests for data disturb customers, and so a
smarter more fluid compliance solution in cooperation with the
business would be more efficient.

Validity can be confirmed using automated systems that extract
information from reliable and independent external sources and
compare it with the information held in databases. Moreover, if
ongoing monitoring solutions use data gathered during customer on-
boarding, then today, there is also room to use the information vice
versa. Specifically, today's collection of know-your-customer data is
often based on information collected from the customer. However,
there is significant room for developing solutions where the know-
your-customer data is drawn from ongoing monitoring solutions
without having to bother the customer. For example, a financial
institution could skip approaching low-risk customers if the analysis of
the account shows that its profile and behaviour has not changed. If
the account still shows that the customer receives a salary from the
same entity and he or she always goes to the same grocery store,
then why is it necessary to send the customer endless forms to
update the know-your-customer data?

74. Data must be reliable
Data reliability means verifying that the sources on which the data
is based are reliable. The reliability of data is not only necessary for
the financial institution’s own AML/CFT systems and controls but is
equally important for its relationships with supervisors and, in
particular, financial intelligence units and law enforcement authorities.
Financial supervisors' assessments are primarily based on regular
reports from financial institutions as well as ad hoc inquiries.
Submitting incorrect data to supervisory authorities could lead to an
inaccurate risk assessment of a particular institution, and that could
be interpreted as misleading the supervisor and ultimately lead to
severe consequences. Furthermore, the reliability of data is also of
decisive importance in relations with the financial intelligence units to
which financial institutions submit suspicious activity and transaction
reports. Where false or erroneous data is provided and then used to
analyse whether money laundering or terrorist financing has
occurred, the consequences can even be more material. Law
enforcement authorities may no longer be able to establish relevant
links or identify missing links, which may ultimately become
detrimental to resolving a complex case.

75. Data must be available
The availability of data is one of the biggest problems in the
legacy systems extensively used by financial institutions today. A
major obstacle in implementing AML/CFT obligations is when the
data is technically somewhere, but it is not machine-readable, or no
one knows precisely where it is stored. Moreover, it is quite common
that the necessary data is stored on paper and thus not actually even
available. To understand the historical risks and to avoid repeating
them in the present, financial institutions must take a risk-based
approach to digitising paper-based materials.

Therefore, supervisors are often faced with a situation where
financial institutions are not able to respond with sufficient speed to
fairly basic statistical inquiries. This indicates a financial institution’s
actual weakness in assessing money laundering and terrorist
financing risks and responding with sufficient speed, for example, in a
crisis. A tool that gives access to basic AML/CFT data should be a
daily reality for an employee working in the AML/CFT field. IT
solutions should provide AML/CFT employees with independent and
rapid access to databases. Such queries should not always be a
stand-alone IT exercise, nor should the AML/CFT unit or the
supervisor have to wait in line at the door of a financial institution's IT
department.

76. The termination of business relationships enriches the database
When financial institutions terminate a business relationship or
refuse to enter into one with individuals where they suspect money
laundering or simply because of their internal risk appetite, then they
often forget to take appropriate accompanying steps that allow them
to manage risks correctly in the future. Financial institutions usually
do not mark in the database the reasons for the termination or refusal
of the business relationship. Should the same person want to re-
establish a business relationship, the financial institution will not be
able to ensure that this person will not become a customer through
the back door at a later stage.

A subcategory of this situation is cases where financial
institutions retain only the name of such a customer. In recent money
laundering cases, the customer's “lifespan” is usually a maximum of
1.5 years, so it is rare that a customer with a similar name could want
to re-establish a business relationship. Therefore, all the data that
defines the customer must be kept with the customer name. These
include names of beneficial owners, representatives, nominee
directors and shareholders, place of registration and operation, IP
addresses used and, if possible, the customer’s most important
business partners. This means that the entire customer profile must
be marked accordingly so that the same "customer" cannot re-
establish the customer relationship without the knowledge of the
financial institution. It is not prohibited to re-establish such a business
relationship, but a financial institution must at least be able to make
an informed decision.

77. Data should be cleansed at regular intervals
Financial institutions must use modern cleansing technology to
increase the quality of data. This process locates irregularities, errors
and inadequacies in the data, thereby increasing the quality of the
data, standardising it, eliminating duplications and reducing false hits,
etc. "Fuzzy logic" or a similar method that uses a "degree of truth"
test instead of a "true or false" test, can easily be used to verify data
and find data that is misspelt or duplicated in different parts of the
database.
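An added example (not from the book) of the normalisation described in rule 71 and the "degree of truth" matching described in rule 77: it collapses the spelling variants of natural and legal person names into one comparison key, then scores every pair of records in a small constructed customer list with a similarity ratio to report exact, likely and review-band duplicates. The customer records, the transliteration table, the legal-form list and the two thresholds are assumptions standing in for the transcription rules an institution would set for itself.

```python
"""Added example: name normalisation and fuzzy duplicate detection for
AML/CFT customer data (rules 71 and 77). Not from the book; the
customer records, transliteration table, legal-form list and thresholds
are constructed assumptions."""
import re
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

# Letters that NFKD decomposition does not reduce to plain Latin. The
# mapping is an assumed transcription rule: rule 71 says an institution
# must fix one explicitly rather than let each branch improvise.
TRANSLITERATION = {"ß": "ss", "ø": "o", "Ø": "O", "æ": "ae", "Æ": "AE",
                   "ł": "l", "Ł": "L", "đ": "d", "Đ": "D"}

# Spelling variants of a legal form collapsed to one canonical token
# (constructed, partial list).
LEGAL_FORMS = {"ltd": "ltd", "limited": "ltd", "llc": "llc",
               "gmbh": "gmbh", "ou": "ou", "osauhing": "ou"}

LIKELY_DUPLICATE = 0.90   # degree of truth above which names are treated as the same
REVIEW_THRESHOLD = 0.80   # band handed to an analyst rather than merged automatically

# Constructed customer records: id, type, name exactly as staff entered it.
CUSTOMERS = [
    ("C001", "natural", "John Smith"),
    ("C002", "natural", "Smith, John"),        # surname COMMA first name
    ("C003", "natural", "Jon Smith"),          # probable typo of C001
    ("C004", "legal", "Acme Pipes Ltd."),
    ("C005", "legal", "ACME PIPES LIMITED"),   # same entity, other legal-form spelling
    ("C006", "legal", "Acme Pipes LLC"),       # same trade name, different legal form
    ("C007", "natural", "Jüri Müller"),
    ("C008", "natural", "Juri Mueller"),       # transcribed without diacritics
]


def transliterate(text: str) -> str:
    """Apply the fixed transcription table, then strip remaining diacritics."""
    text = "".join(TRANSLITERATION.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def normalise_natural(name: str) -> str:
    """Key for a natural person: lower-case, transliterated, punctuation
    removed, tokens sorted so that 'first surname', 'surname, first' and
    'surname first' all yield the same key."""
    words = re.sub(r"[^\w\s]", " ", transliterate(name).lower()).split()
    return " ".join(sorted(words))


def normalise_legal(name: str) -> str:
    """Key for a legal person: keep word order (it is part of the name),
    strip punctuation such as 'Ltd.' and map legal-form variants."""
    tokens = []
    for raw in transliterate(name).lower().split():
        token = re.sub(r"[^\w]", "", raw)
        if token:
            tokens.append(LEGAL_FORMS.get(token, token))
    return " ".join(tokens)


def match_key(record) -> str:
    _, kind, name = record
    return normalise_natural(name) if kind == "natural" else normalise_legal(name)


def similarity(key_a: str, key_b: str) -> float:
    """Ratio in [0, 1]: difflib's 2*M/T over matching characters, where
    1.0 is identical and 0.0 shares nothing."""
    return SequenceMatcher(None, key_a, key_b).ratio()


def find_duplicates(records):
    """Compare every pair of records of the same type and return
    (id_a, id_b, verdict, score) for exact, likely and review-band hits."""
    keyed = [(rec[0], rec[1], match_key(rec)) for rec in records]
    hits = []
    for (id_a, kind_a, key_a), (id_b, kind_b, key_b) in combinations(keyed, 2):
        if kind_a != kind_b:
            continue   # a person and a company are never the same record
        score = similarity(key_a, key_b)
        if key_a == key_b:
            verdict = "exact"
        elif score >= LIKELY_DUPLICATE:
            verdict = "likely"
        elif score >= REVIEW_THRESHOLD:
            verdict = "review"
        else:
            continue
        hits.append((id_a, id_b, verdict, score))
    return hits


if __name__ == "__main__":
    for id_a, id_b, verdict, score in find_duplicates(CUSTOMERS):
        print(f"{id_a} ~ {id_b}: {verdict:6s} ({score:.3f})")
```

Run as a script it lists C001/C002 and C004/C005 as exact matches, the typo and transcription variants as likely duplicates, and the Ltd/LLC pair in the review band, which is the case an analyst should look at rather than a system merge.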
VIII. Customer due diligence measures
78. When it looks suspicious, it is suspicious
The money laundering and terrorist financing world is, at times,
quite two-faced when it comes to the financial sector and the
expectations placed on it. The entire concept is primarily based on
credibility and suspicion. There are no “digital” solutions, no forensic
ballistics, DNA patterns, nor any hard science like this. As a result,
financial institutions, but in fact also financial supervisors, are in a
rather tricky position. If a financial institution classifies something as
suspicious and decides to terminate the business relationship, some
stakeholders are quick to criticise the financial institution for
overreacting. Even the de-risking concept is brought into play.
However, if the business relationship is not terminated in similar
circumstances, and the customer is later found to be connected to
something even remotely suspicious, then the verdict is ruthless.
Condemnation often arises from materials that were not and could
not have been available to the financial institution at the time a
decision was made. The cases of large fashion manufacturers can be
compared here. If the public considers a balaclava sweater or
advertisement as racist, then so it is. In public, no fashion company
can later convince anyone otherwise.
In money laundering cases hindsight is unfortunately used too
lightly. It is often argued that something should have been
suspicious, irrespective of whether the circumstances for that were
there or not. A financial institution always loses and does “wrong” from
one point of view or another. The challenge is to manage these
difficulties even when the circumstances and the suspicion are not
measurable with 100% accuracy. There is a principle to follow in the
money laundering and terrorist financing world that will always help
out. What seems suspicious generally is suspicious in most cases.
This approach helps in virtually every case. If there is a bad feeling
or a hunch, our practice shows that in most cases it turns out to be a
justified hunch. A lesson to be learned from recent money laundering
cases is that financial institutions have no choice but to raise their bar
and build more effective systems and controls to detect and qualify
activities as suspicious. Only then can they emerge from this fight as
“winners” and not “losers”.

79. Find the business rationale
Certain fundamental principles in economic and business relations
are always there. They are resistant to any innovation. It does not
matter which tradition or culture the business comes from. This is why
all information gathered for AML/CFT purposes should be reduced to
the standard business logic and rationale and rules of economic
relations. Although attempts are sometimes made to over-mystify the
economic activities of companies, the reality is that abnormal
situations are quite rare. Or, if such situations do occur, they should
lead to additional questions and checks to dispel any doubt.
Transparent and honest businesses should not have any difficulties
answering further questions and providing credible explanations. The
world is usually much simpler and more rational than some try to
indicate. To verify a situation as suspicious or exclude it, we always
try to reduce it to sound business logic and rationale and the rules of
economic relations. Often the results we obtained using this approach
were too eagerly challenged by the financial institutions. Years later, it
has become clear that these have been filthy cases. As it looked
suspicious, in reality, it turned out to be suspicious.

We can provide one more extreme example. This is about a
company that sold pipes. A suspicion arose from the numbers in the
customer's files, including the share volume and price. In cases like
that, the typical business logic and rationale for us is that we try to
reduce them to the “longest possible train” or “pile of goods” that
everyone can picture in front of their eyes.

The “longest possible train” in Europe at that time was 750m long
and consisted of 50 wagons with a total capacity of 2,250 tonnes. We
could not find a bigger one and if there were one, it certainly would
not have been much bigger. Pure mathematics showed that at least
hundreds of fully loaded 750m long trains had to run one-by-one to
the final destination to carry all these pipes. Or tens of thousands of
sea containers, as each container holds about 30 tonnes. In any
case, the financial institution should have asked many questions on
the basis of this, which it failed to do. We did not even get to the
question of who needs hundreds of thousands of tonnes of pipes,
who could produce them, and so on. This whole "train ride" was
simply too unrealistic.
This was an extreme example, but we apply the same business
logic in other cases, and so should financial institutions. The issue of
credibility is central to identifying money laundering and terrorist
financing. In most of the cases, only standard behaviours are
believable and justifiable.

80. Tune your conscience
In many jurisdictions, a court will evaluate all evidence in
aggregate according to the judge’s conscience. If the judge has the
right to convict a person, is it not also up to the banker to decide
based on his or her conscience whether something is suspicious or
not? What questions should at least be asked, and what steps should
be required to enable a financial institution to say that it has fulfilled
its obligation and has applied adequate due diligence measures? As
supervisors, we have received many such questions, as well as
suggestions that the public authorities should provide more precise
guidelines, more exact figures. This is one of the most naive
approaches to AML/CFT controls, if not the most naive. There is no
one-size-fits-all criterion
in determining what is proper due diligence. The AML/CFT field has a
plethora of different typologies. Financial institutions themselves also
establish a set of identifiers for AML/CFT systems and controls, which
should help verify whether suspicious activity is a cause for concern.
It is undoubtedly challenging to create solutions that can handle all
cases and situations. Customers whose activities conform to a given
typology or even the identifier described in a typology may or may not
be involved in a suspicious transaction. It could very well be a very
justified business rationale. Typologies that have emerged from many
internationally known cases can also be a completely ordinary
business practice in a different real-life situation. For example, the
fact that terrorist organisations use charities to raise funds doesn’t
mean that all charities are illegal and cannot be used in ordinary
everyday business. Financial institutions have to set their boundaries
somewhere, but this is one of the most challenging tasks in the know-
your-customer principle.

AML/CFT systems and controls are inevitably connected to a
carefully tuned conscience. No matter how strong the AML/CFT
controls of a financial institution are, human cognition will always be a
part of identifying suspicions of money laundering and terrorist
financing. This can be used both to assess the activities of a specific
customer and verify suspicious activity. The analysis could then lead
to a decision whether sufficient customer due diligence has been
applied or whether additional information should be gathered. The
point is that such a conscience is based on a comprehensive,
complete and objective review of the facts. Consequently, the
development of a person’s conscience is, in turn, related to the
principle of reasonableness. Reasonableness is to be judged by what
people acting in good faith would ordinarily consider to be reasonable
in the same situation. Therefore, a conscience during the application
of customer due diligence measures is a state (of mind) where,
whoever the person is that applies customer due diligence,
understands and is convinced that sufficient data has been collected
on the customer and the customer's activities. This is also the
approach that we take in our supervisory proceedings.

We have to ask ourselves: if an average member of the public
were to stand in the same place as the employee of a financial
institution, would that person have identified (based on their
conscience) who the customer is and what its activities are, and
therefore that there is nothing suspicious about his or her activities? If
the answer to this question is negative, the financial institution has
failed to apply its due diligence obligation on that customer and its
operations. This is also the best answer to the question of how many
documents have to be gathered in the course of the know-your-
customer process. The answer is as many as you need to satisfy
your conscience, a state that any person would reach if he or she
were in the same position. This principle is certainly not the easiest to
follow, but we have yet to see anyone come up with a better and
more bulletproof one. Of course, reliance on your conscience does
not exempt you from creating AML/CFT algorithms or achieving
traceability.

81. Suspicion cannot be resolved only by requesting documentation
Often, during the application of customer due diligence to detect
money laundering and terrorist financing, or more importantly to
exclude such activities, financial institutions only ask for documents
from customers. This method is still valid and cannot be thrown aside;
however, this is not as black and white as it might sound. It must be
borne in mind that those involved in illegal activities are nowadays
able to produce everything required by a financial institution. If a
financial institution asks for customs documents, these are produced.
If they ask for contracts, here they are. The perpetrators have upped
their game, and it has become increasingly difficult for a financial
institution to identify documents that are clearly forgeries. In the past,
we saw contracts showing how cranes and combines were sold in
paper bags or how there were other signs of forgery, such as text
printed on top of signatures or stamps. Indeed, mistakes are also
made in the “factories” that produce these contracts; however, they
are no longer that common.

Moreover, regulators should not require of financial institutions,
and financial institutions themselves should not decide to collect, only
documents that are provided in a pre-determined exhaustive list. In
addition to the fact that criminals know then what to produce, such
requests will also be at some point disproportionate for fully
transparent businesses where they are not necessary. It will also
contradict the principle of the risk-based approach, since it will
become a rule-based approach. Such side effects should be avoided
to keep the due diligence process appropriate, smooth and
reasonable.

82. The know-your-customer principle is the foundation for identifying suspicious activities
In the course of applying the know-your-customer principle, a
financial institution identifies the customer and takes measures to
understand which services a customer wishes to consume and why.
In doing so, the financial institution verifies whether the customer's
wishes coincide with his or her actual activities, abilities and needs.
The extent to which the know-your-customer principle has to be
applied should be commensurate with the risk associated with the
customer and the business relationship. The higher the risk
associated with the client and the business relationship, the more the
financial institution must take measures to understand the customer
and its activities. This know-your-customer information is the basis for
assessing the future activities of that customer. Therefore, in
performing ongoing due diligence on the customer’s activities,
financial institutions compare the reality against the information they
collected when they applied the know-your-customer principle. During
this ongoing due diligence, the goal is to identify unusual transactions
and activities. Therefore, based on the risk profile of the customer,
the financial institution decides the regime and intensity of further
ongoing monitoring.

83. Separate a customer’s risk level from the risk profile of the business relationship
When applying AML/CFT measures, a distinction must be made
between the level of risk assigned to the customer – usually on the
scale of low, medium or high – and the risk profile of the business
relationship. These are often considered synonymous because the
level of risk assigned to a customer takes into account the risks in the
business relationship (i.e. services provided) and the customer’s
activities. This is an accepted approach, but a financial institution
should really differentiate these aspects. The customer risk level and
business relationship risk profile could entail an essential difference.
Both must be taken into account when applying customer due
diligence, in particular when defining the scope of measures to be
taken, including when and to what extent enhanced and simplified
due diligence should be applied. Determining a high level of risk
means that a financial institution considers that individual customers
or business relationships are more likely connected to activities that
are unforeseen or unusual, which is why more attention must be paid
to the customer and his or her activities. In the case of a low level
of risk, by contrast, a financial institution generally considers certain
unusual activities to be less likely, which also reduces the scope for
attention.
In this book, we do not focus on the specifics of determining the level
of risk for a single customer. There are several guidelines on this,
such as the comprehensive guidance from the European Banking
Authority.

In theory, the level of risk can be determined separately for both
the customer and a transaction that the customer is executing. For
example, it could be that a low-risk customer makes a transaction
that is high risk in nature. While in this case enhanced due diligence
is applied vis-à-vis this transaction, it does not necessarily change the
risk level of the customer; in other words, these two levels of risk can
be unrelated to each other. It could also be vice versa that a high-risk
customer makes a low-risk transaction, but this does not necessarily
lower the risk level of the customer. Usually, however, the level of the
customer’s risk is more known, and when the level of risk is
mentioned generally, this normally refers to the level of the
customer’s risk. Therefore, we also focus on a customer’s risk level.

Moreover, as mentioned above, the risk profile of a business
relationship is something different from the customer’s risk level. It might
be that the customer has a low or medium risk level but enhanced
due diligence measures must be applied irrespectively. The level of
customer risk, as in any money laundering and terrorist financing risk
assessment, must be based on the customer, products and services,
delivery channels and geographical risks. Let’s imagine a situation
where a customer is a resident of a small town and has a transparent
control structure (customer and geographic risk). The customer is a
restaurant operator (customer risk) who has established a business
relationship face-to-face in a bank office (delivery channel risk), and
wishes to open an account to pay salaries to its employees (product
and service risk). Let’s assume further that the risk factors listed
above alone would add up to a low or medium risk. At the same time,
through their own analysis, the financial institution has identified that
the most significant money laundering risk comes from a customer
who meets the same characteristics as described above – a small-
town restaurant owner. The financial institution, which is otherwise
operating in a low-risk sector, has repeatedly observed suspicious
activities in the case of restaurant operators, such as turnover
deviating from normal operations or even the consumption of
atypically complex financial services. This is called the risk profile of a
business relationship.

The business relationship risk profile is also associated with
situations where a financial institution, regardless of the level of risk
assigned to a customer, feels that it has too little experience in
providing some financial services or there is more risk than it is able to
detect. In such cases, the risk level of a particular customer may be
low or medium. Still, this business relationship involves a higher than
average risk, which cannot be taken into account when determining
the customer's risk level or cannot be taught in any way to an
automated risk determination system. This is the risk profile of the
business relationship, which takes into account the risk assessment
of the financial institution, which in turn is, of course, based on the
country's risk assessment, typologies, and so on. This is something
specific to the financial institution that it has identified as a risk to its
activities and which it wants to pay more attention to. Therefore, in
addition to the risk level of a customer, a financial institution must also
take into account the risk profile of the business relationship.

84. There are at least six due diligence measures to be applied during customer on-boarding
The due diligence measures applied during the establishment of a
business relationship or during an occasional transaction are
generally divided into three groups: (i) identifying the customer and
verifying that customer’s identity, (ii) identifying the beneficial owner,
and taking reasonable measures to verify the identity of the beneficial
owner, as well as understanding the ownership and control structure
of the customer, and (iii) understanding the purpose and intended
nature of the business relationship. These three are at least the ones
that the FATF also refers to as due diligence measures when
establishing a business relationship. There are additional due
diligence measures to be applied during customer on-boarding that
are not so obvious and must involve reading between the lines of
Recommendation 10 in the FATF Standards. Therefore, instead of
three customer due diligence measures, there are five or even six
due diligence measures to be applied during the establishment of a
business relationship. The fourth and fifth measures are, respectively,
the obligation in some cases to identify the source of wealth, and to
identify whether a customer is a politically exposed person. The sixth
measure is the identification and verification of a representative of
either a natural person or a legal person, who may, for example, be
acting through a power of attorney (POA). In this section, we do not
focus so much on how to apply individual due diligence measures
and what the international standard is in this regard. This can be
found both in the FATF recommendations and in the various FATF
guidelines. Instead, we focus on some practical aspects that are not
directly addressed in these guidelines, but which are often seen in
supervisory cases when financial institutions have failed in their
obligations.

85. Try to strike a balance between due diligence measures and the risk
Today, financial institutions, supervisors and international
standards setters focus on the questions of customer identification
and verification. This due diligence measure means that a financial
institution has to identify who the customer is – identify basically the
customer’s name, date of birth and place of birth, and verify this
information using a reliable source; in other words, verify whether the
customer is the person he or she claims to be. Questions on the table
today include, whether this could be done remotely and using a digital
identity card, should a photo of the customer be sought or is the utility
bill sufficient. These are just some of the issues that are being
emphasized and discussed today. In these aspects, we also see a
healthy dose of technological development. Some of these technologies
automatically retrieve information from reliable and independent
sources and compare it to what the customer has declared; others
use algorithms to detect fraudsters by comparing the customer or
their “selfie” with the photo on an identification document.
Unfortunately, this excellent development is disproportionately
quicker compared to systems where the need is more urgent (e.g.
ongoing monitoring solutions).
Identifying a customer’s identity and verifying this information is
undoubtedly an essential part of customer due diligence, but certainly
not the most effective in preventing money laundering and terrorist
financing. There are not many who know a recent case where,
through this customer due diligence measure alone, a financial
institution identified a situation where someone opened or wanted to
open an account, and he or she turned out not to be the person they
claimed to be. Certainly, there are cases like that in some
jurisdictions. Still, at least in recent internationally known money
laundering cases, such cases are not very common, or have not even
happened at all. Usually, people are who they claim to be. Therefore,
the focus of this issue has not really been the customer’s identity, but
whether the intended nature and purpose of the business relationship
correlates with their capabilities. By focusing too much on customer
identification and verification, we may be disproportionately wasting
valuable administrative resources. Working in a resource-constrained
environment, sometimes some actions are more important than
others. This ultimately provides financial institutions with fewer
opportunities to detect money laundering and terrorist financing than
perhaps some other due diligence measures.

86. When identifying a customer, it is far more important to understand customer residency
When establishing a customer’s identity, it is far more critical to
determine the customer's residency. It will provide essential input for
identifying geographical risks associated with the customer. The
creation of tax standards has forced financial institutions to collect
better information on residence, which complements customer due
diligence measures applied for AML/CFT purposes. However,
financial institutions should distinguish between different sub-
categories of residency and, if necessary, create corresponding fields
in their databases. Unfortunately, for many financial institutions, this
differentiation is seen as an indicator of a more sophisticated system.
Instead, it ought to be a norm. Residence for natural persons can be
divided into at least country of origin, citizenship, tax residence and
habitual residence. And then there are Golden Visas and Golden
Passports that may have additional meaning to the customer’s
citizenship (i.e. residence). For legal entities, residence can be
divided into country of registration, operation, administration,
residence of beneficial owner or representative, and so on. Each of
these may also have a different weight in terms of geographical risk.
This requires a financial institution's knowledge of the political and
religious situation, tax environment, areas of terrorism and much
more.

Let us take two examples. The countries chosen are arbitrary,
without wishing to stigmatise anyone on religious, racial or other
grounds. In one case, the person was born in Syria but moved to
Sweden with her family on the fifth day of life. There she also
acquired citizenship. Now she has bought a house in Norway, which
is her place of residence, but her habitual residence is in Singapore,
as she is there every year for more than half the year. In another
example, a person was born in Finland. He moved to Sweden with
his family on the fifth day of life. There he also acquired citizenship;
however, he has now bought a house in Monaco where he is a tax
resident. He lives more than half of every year in the Republic of
Congo. The corruption index, the threat of terrorism, the tax
environment, and so on in these countries are very different. The risk
profile for these customers may be completely different, although they
have the same citizenship. Even having lived in your country of birth
for only a few days can have a significant impact on the aspect of
geographical risk. Therefore, there are many combinations of
residencies related to a person, and verification of citizenship alone is
often not sufficient to determine a customer's risk profile.
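
To show how the residency sub-categories described above can be kept as separate database fields and combined into a geographic risk, here is an added example in Python (not from the book). The country scores, field weights and thresholds are constructed placeholders, the two customers are the ones from the text, and the first customer's tax residence is left unknown because the book does not state it.

```python
"""Residency sub-categories for a natural person and the geographic risk they
carry. Added example, not from the book; the country risk scores, field
weights and thresholds are constructed placeholders for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed 1 (low) .. 5 (high) scores. Not real ratings: an institution
# derives its own from national risk assessments, FATF lists, indices, etc.
COUNTRY_RISK: Dict[str, int] = {
    "SE": 1, "FI": 1, "NO": 1, "SG": 2, "MC": 3, "CG": 4, "SY": 5,
}

# Constructed weights: each residency sub-category is a separate field and
# contributes separately; habitual residence weighs most because that is
# where the customer's day-to-day activity actually happens.
FIELD_WEIGHTS: Dict[str, float] = {
    "country_of_origin": 0.10,
    "citizenship": 0.15,
    "residence_address": 0.20,
    "tax_residence": 0.20,
    "habitual_residence": 0.35,
}


@dataclass
class NaturalPersonResidency:
    name: str
    country_of_origin: str
    citizenship: str
    residence_address: Optional[str]    # where the customer says they live
    tax_residence: Optional[str]        # None = not yet collected
    habitual_residence: Optional[str]   # where they spend most of the year
    citizenship_by_investment: bool = False  # golden visa / golden passport


def level_from_score(score: float) -> str:
    """Constructed thresholds: low < 2.0 <= medium < 3.5 <= high."""
    if score >= 3.5:
        return "high"
    return "medium" if score >= 2.0 else "low"


def citizenship_only_level(r: NaturalPersonResidency) -> str:
    """The naive approach the book warns against: citizenship alone."""
    return level_from_score(COUNTRY_RISK.get(r.citizenship, 5))


def geographic_risk(r: NaturalPersonResidency) -> Dict[str, object]:
    """Weighted score over all residency fields plus explanatory flags."""
    weights = dict(FIELD_WEIGHTS)
    flags: List[str] = []
    if r.citizenship_by_investment:
        # A bought passport says little about the person; do not let a
        # low-risk citizenship pull the score down.
        weights["citizenship"] = 0.0
        flags.append("citizenship obtained by investment")
    total = used = 0.0
    any_highest = False
    for fld, w in weights.items():
        code = getattr(r, fld)
        if code is None:
            flags.append(f"{fld} missing")   # data gap: follow up with customer
            continue
        score = COUNTRY_RISK.get(code)
        if score is None:
            flags.append(f"{fld}={code} not in country risk table")
            score = 5                        # unknown country: treat as high
        if score >= 4:
            flags.append(f"{fld}={code} high-risk country")
        any_highest = any_highest or score == 5
        total += w * score
        used += w
    weighted = total / used if used else 5.0
    # Any tie to a highest-risk country forces "high" regardless of the
    # average: even a few days in the country of birth can matter.
    level = "high" if any_highest else level_from_score(weighted)
    return {"score": round(weighted, 2), "level": level, "flags": flags}


# The book's two customers: same citizenship, very different lives.
CUSTOMER_A = NaturalPersonResidency("A", "SY", "SE", "NO", None, "SG")
CUSTOMER_B = NaturalPersonResidency("B", "FI", "SE", "MC", "MC", "CG")

if __name__ == "__main__":
    for c in (CUSTOMER_A, CUSTOMER_B):
        print(c.name, "citizenship only:", citizenship_only_level(c),
              "| all fields:", geographic_risk(c))
```

Both customers come out "low" on citizenship alone, while the full set of residency fields separates them and also records the missing tax residence as a data gap to follow up.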

87. Make the purpose and intended nature of the business relationship the most critical due diligence measure
Knowing the purpose and intended nature of the business
relationship means getting a comprehensive understanding and
overview of the customer, its risk profile and real beneficial owners,
as well as the reason why a specific service is needed. In doing so, a
financial institution can satisfy itself that the services sought and then
later provided meet the customer's actual needs, are in line with the
nature and objectives of the specific service contract and are
commensurate with the level of risk assigned to the customer. Based
on this information, the financial institution can assess the activities
the customer is expected to engage in, and later can compare its
knowledge of the customer with the actual transactions and volumes
made within the business relationship.

In many of the cases we have dealt with in the past, financial
institutions would have been able to prevent the escalation of
suspicious activity quite quickly if they had put enough emphasis on
understanding the purpose and intended nature of the business
relationship and followed the corresponding principles. At this stage,
AML/CFT systems and controls should have raised a red flag when
the customers declared unusually large or improbable business
capabilities (field of business) and improbable transaction volumes
(payment practices). It should also have identified unusually young
people for some business fields (experience), or customers that did
not have sufficient business ties to perform the declared activity (main
business partners).

To illustrate the importance of understanding the purpose and
intended nature of a business relationship, we compare it to some of
the other measures. How often do we see a person on a financial
sanctions list opening an account with a credit institution? How
probable is it that the head of a corrupt state will try to open an
account for himself or herself to launder the proceeds of corruption and theft? This
and similar examples and cases are very rare. Second, how reliably
can we build AML/CFT systems and controls to identify beneficial
owners using documents and ownership structures that can be seen
from the beneficial owner registries?

Today's beneficial ownership registries are unfortunately full of
individuals who are actually only beneficial owners on paper. Even
with the best supervision, it is challenging and almost impossible to
get these registers to provide accurate information. One of the very
few options is to implement a system where companies are formed
and beneficial owner information is kept up to date by trust and
company service providers. They will also have the obligation to
populate the beneficial ownership registries with accurate information.
But even then, the quality of the system depends on the quality of
trust and company service providers’ application of customer due
diligence measures and how these service providers are supervised.
Mutual evaluation reports of those countries that use such systems
have often shown that in reality the diligence of those trust and
company service providers is unfortunately not yet up to the
standard.

A person who wants to hide will have done everything in his or her
power to have someone else, a nominee, control his or her account
and companies. That ‘someone else’ does not disclose that he or she
is not the real beneficial owner, on the contrary, he or she has
arranged all the paperwork so that he or she is seen as the beneficial
owner. In many countries there may not even be formal contracts for
these nominees; the set-up is built on trust that the nominee will
never break.

The real or ultimate beneficial owner is often just a fiction, and its
veracity cannot be verified merely by assessing the control structures
or looking at the registry entry. The cases of money laundering, which
are well-known in the international media, also tend to show that
no one knows whose funds are behind those companies and who
exercises ultimate control. In light of these cases, it should actually be
acknowledged that beneficial owner registers do not enable anyone
to find out the truth. Therefore, we are challenging the effectiveness
of the current approach. We believe that too many resources are
being deployed in identifying and verifying ultimate beneficial owners
and monitoring the registers that hold this information. Instead, we
should emphasise measures for understanding a customer's risk
profile – understanding the purpose and intended nature of the
business relationship, after which it is already possible to build
effective ongoing monitoring solutions.

In our opinion, the purpose and intended nature of the business
relationship is the most important, and today, clearly the most
underestimated due diligence measure. If the right questions are
asked, a financial institution can understand that a person is trying
something unusual; for example, is trying to legalise someone else’s
funds or move them on their behalf. Based on this information,
financial institutions can more effectively assess whether a person is
really who he or she claims to be. In other words, they can know if a
transaction is made on behalf of someone else (and that the real
beneficial owner is in fact hidden), and that the funds may actually
belong to a politically exposed person or person on a financial
sanctions list. It also makes it possible to detect shell companies and
front companies, where the former is incorporated with no
independent operations, significant assets, ongoing business
activities, or employees, and the latter is a fully functioning company
with the characteristics of a legitimate business, serving to disguise
and obscure illicit financial activity.
It is more effective to ask questions about who the person is, their
field of activity, his or her payment practices, key business partners,
and where his or her experience comes from. Financial institutions
should work harder to develop such questions and tests. Sometimes
these questions are thought to be part of asking about the source of
funds and source of wealth, but we tend to believe that the questions
are more about obtaining an understanding of the purpose and
intended nature of the business relationship. Greater efficiency and
wisdom should be sought in the implementation of this due diligence
measure, and it is on this information that fictitious beneficial owners
can be identified and subsequent business relationship monitoring
controls should be built.

88. Field of activity says a lot about the customer
Identifying a customer’s field of activity means that a financial
institution knows and understands which business the customer is in
and what it intends to do in the course of the business relationship.
Financial institutions must then examine whether the purpose of
establishing a business relationship and the customer's field of
activity are consistent and how the field of activity fits into why the
customer wants to establish a business relationship; in other words,
whether the customer's declarations are in line with reality and seem
credible. Identifying the field of activity does not mean that a financial
institution simply records the data submitted to business registers. It
must understand what the customer is doing and collect the
corresponding data.

The precision of the information about field of activity depends on
the risk profile of the customer and the business relationship. For
example, in a high-risk case, the field of activity cannot be
unreasonably broad from the economic point of view or unjustifiably
disparate. Undoubtedly, in some cases, both broad activities and
activities in quite different fields can also exist in a real business.
However, very broad or unjustifiably different fields of activities
usually indicate some kind of unreasonable practice and must be
investigated more closely. A wide range of activities can be recorded
in the commercial register, but certainly not in the financial institution's
know-your-customer information database.

Let's look at an example here. A bank's customer declares that its
field of activity is textiles and construction and it wishes to open a
bank account for settlements. Of course, it is possible, and we know
many well-known brands acting in utterly different business segments
(but usually through separate entities). Still, this should cause an
initial alarm bell to ring for the bank because in most cases it is highly
unlikely that a company can do business in textiles and construction
simultaneously. These are unjustifiably different fields of activity. We
have seen and witnessed a real case where on the same account a
customer sold building materials (income) and then used this money
to buy textiles. It turned out to be a very shady business.

But let’s assume that the customer only declares construction.
Depending on the customer's level of risk and the risk profile of the
business relationship, the bank should ask what the customer is
building because they could build skyscrapers or renovate
apartments. They might also only sell construction materials. Hence,
‘construction’ can mean anything.

The importance of narrowing down the field of activity lies in the
fact that otherwise the financial institution will not be able to assess
the risk profile of the customer. The risk profile consists of
understanding the payment practices and transaction volumes that
the customer thinks will take place on the account, what countries it
will do business with, and hence where the payment flows will
originate or end up. To build a skyscraper, the customer must also
have references, and the customer itself should probably be findable in
a third-party independent source (e.g. a website). Being capable
of building more prominent buildings, in turn, means higher
transaction volumes, which would not be justified if they were building
small apartment buildings. Therefore, defining the field of activity
helps assess whether the customer is capable of such activities – has
the knowledge, skills and experience, and whether it has found the
right business partners. It is not possible to wake up one morning and
start building skyscrapers in the afternoon. One must have the skills
and the necessary business partners.

89. Payment practices provide an idea of what is going to happen
Identifying payment practices means examining the volumes and
range of financial services to be offered. For example: (i) for a current
account, the approximate number, volume, purpose and frequency of
transactions, but also from which countries and to which countries the
payments would be made, the proportion and channels of cash use,
what channels are used for making payments (bank office, internet
banking, card payments), etc.; (ii) if there will be a loan or overdraft,
the frequency and amount of loans provided and repayments made,
loan provision and repayment period, persons receiving and repaying
the loans, etc.; (iii) for investment products, types and indicative
quantities of securities to be bought or sold, the amount of assets to
be invested, objectives, frequencies, maturity, information
accompanying their realisation, the expected duration of the business
relationship (one-off, ongoing), etc.

In some cases, for financial institutions, identifying payment
practices also means the general need to find out whether the
customer is capable of such transactions in the first place, what
makes them capable and under what circumstances. This includes
questions about how this correlates with the customer’s experience
and its risk profile in general. In many well-known money laundering
cases, we have seen that customers have declared unreasonably
high and unusual payment practices that did not coincide with the
customer’s capabilities; however, the financial institutions have not
acted upon this. We have also seen that if the information gathered
when establishing a business relationship had subsequently been
compared with the rapidly increasing levels of turnover, the financial
institution could have red-flagged the activity for closer scrutiny much
earlier.

90. Main business partners justify their customer’s wishes
When looking at the main business partners, a financial institution
determines who the customer will make its largest and most regular
transactions with. This means questions about who is committed to
helping the customer fulfil the purpose of the business relationship
and the payment practices declared. The main business partners can
be categorised separately for incoming and outgoing transactions if
the service to be provided is payment services. Moreover, in a
situation where a customer is buying or selling goods, asking about
main business partners may also include questions about companies
who are transporting goods for the customer. Since these really ought
to be main counterparties, a financial institution can later verify in the
course of the business relationship that transactions with these
parties are performed and if not, ask questions about this apparent
discrepancy. Some might ask, for example, how a company that has
just started its business can provide such information to a financial
institution. The identification of main business partners is still
essential then even if such information can only be provided in a very
abstract form. Recent money laundering cases have shown in
retrospect that the high-risk persons involved would have very likely
had trouble substantiating their main business partners if these
questions had been asked.
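The comparison described in rules 89 and 90, declared payment practices and main business partners checked against what actually happens on the account, as an added Python example that is not from the book. The profile, the thresholds (volume ratio, cash tolerance, partner share, month-on-month growth) and the transactions are all constructed for illustration; an institution would set its own thresholds per risk level and business relationship risk profile.

```python
"""Declared payment practices and main business partners checked against
actual activity. Added example; profile, thresholds and transactions are
constructed and illustrative, not taken from the book or any real case.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class DeclaredProfile:
    """What the customer declared at on-boarding (rules 89 and 90)."""
    customer_id: str
    expected_monthly_volume: float   # total in + out per month
    expected_countries: Set[str]     # where payments are expected to flow
    expected_cash_share: float       # declared proportion of cash use, 0..1
    main_partners_in: Set[str]       # declared main counterparties, incoming
    main_partners_out: Set[str]      # declared main counterparties, outgoing


@dataclass
class Transaction:
    customer_id: str
    month: str          # "YYYY-MM"
    direction: str      # "in" or "out"
    amount: float
    counterparty: str
    country: str        # ISO-style code; "XZ" is a constructed placeholder
    channel: str        # "transfer" or "cash"


def review_month(profile: DeclaredProfile, txns: List[Transaction], month: str,
                 volume_ratio: float = 2.0, cash_tolerance: float = 0.2,
                 min_partner_share: float = 0.5) -> List[str]:
    """Compare one month of activity with the declared profile; thresholds
    are assumptions for this example."""
    mt = [t for t in txns if t.customer_id == profile.customer_id and t.month == month]
    alerts: List[str] = []
    volume = sum(t.amount for t in mt)

    # 1. Declared transaction volume vs. actual turnover.
    if volume > volume_ratio * profile.expected_monthly_volume:
        alerts.append(f"volume {volume:,.0f} exceeds {volume_ratio:g}x declared "
                      f"{profile.expected_monthly_volume:,.0f}")

    # 2. Declared countries vs. countries actually seen.
    undeclared = sorted({t.country for t in mt} - profile.expected_countries)
    if undeclared:
        alerts.append("payments with undeclared countries: " + ", ".join(undeclared))

    # 3. Declared proportion of cash vs. actual.
    cash = sum(t.amount for t in mt if t.channel == "cash")
    if volume and cash / volume > profile.expected_cash_share + cash_tolerance:
        alerts.append(f"cash share {cash / volume:.0%} above declared "
                      f"{profile.expected_cash_share:.0%}")

    # 4. Declared main business partners vs. who the money actually moves with.
    for direction, declared in (("in", profile.main_partners_in),
                                ("out", profile.main_partners_out)):
        flows = [t for t in mt if t.direction == direction]
        total = sum(t.amount for t in flows)
        if not total:
            continue
        with_declared = sum(t.amount for t in flows if t.counterparty in declared)
        if with_declared / total < min_partner_share:
            alerts.append(f"only {with_declared / total:.0%} of '{direction}' value "
                          "is with declared main business partners")
    return alerts


def review_all(profile: DeclaredProfile, txns: List[Transaction],
               growth_factor: float = 3.0) -> Dict[str, List[str]]:
    """Run review_month for every month and add a turnover-growth check,
    the 'rapidly increasing levels of turnover' the book mentions."""
    months = sorted({t.month for t in txns if t.customer_id == profile.customer_id})
    result: Dict[str, List[str]] = {}
    prev_volume = None
    for m in months:
        alerts = review_month(profile, txns, m)
        volume = sum(t.amount for t in txns
                     if t.customer_id == profile.customer_id and t.month == m)
        if prev_volume and volume > growth_factor * prev_volume:
            alerts.append(f"turnover grew {volume / prev_volume:.1f}x month on month")
        result[m] = alerts
        prev_volume = volume
    return result


# Constructed sample: a small construction company declaring modest, local activity.
PROFILE = DeclaredProfile(
    customer_id="C-1", expected_monthly_volume=50_000, expected_countries={"EE", "FI"},
    expected_cash_share=0.1, main_partners_in={"Builder OU"}, main_partners_out={"Cement AS"},
)

T = Transaction  # short alias for the constructed sample below
SAMPLE_TXNS = [
    T("C-1", "2020-01", "in", 30_000, "Builder OU", "EE", "transfer"),
    T("C-1", "2020-01", "out", 10_000, "Cement AS", "FI", "transfer"),
    T("C-1", "2020-02", "in", 35_000, "Builder OU", "EE", "transfer"),
    T("C-1", "2020-02", "in", 5_000, "walk-in customer", "EE", "cash"),
    T("C-1", "2020-02", "out", 20_000, "Cement AS", "FI", "transfer"),
    # March: turnover jumps and flows with undeclared counterparties abroad.
    T("C-1", "2020-03", "in", 250_000, "XZ Holdings", "XZ", "transfer"),
    T("C-1", "2020-03", "in", 30_000, "Builder OU", "EE", "transfer"),
    T("C-1", "2020-03", "out", 240_000, "Textile Import LLC", "XZ", "transfer"),
    T("C-1", "2020-03", "out", 15_000, "Cement AS", "FI", "transfer"),
]

if __name__ == "__main__":
    for month, alerts in review_all(PROFILE, SAMPLE_TXNS).items():
        print(month, alerts or "no deviation from declared profile")
```

January and February match the declared profile, while March raises alerts on volume, undeclared countries, both sets of main business partners and month-on-month growth, which is the point at which the book says closer scrutiny should have started.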

91. A curriculum vitae is not the only thing that shows a customer’s experience
The field of activity, payment practices and main business
partners mentioned above must be consistent with the customer’s
experience. Identifying a customer’s experience means asking where
the customer's ability, capability, skills and knowledge come from to
operate in such a field of business, with such payment practices and
main business partners. Therefore, questions about experience are
not limited to asking for a curriculum vitae but require a substantive
understanding of how the customer's prior knowledge fits into their
desired business and the provision of financial services.
In the case of a legal person, the experience of the customer’s
representative(s), beneficial owner(s) or key employee(s) can be
assessed. Experience does not have to be proven for all of them, but
at least for someone in this chain. The difficulty of this task is
understandable, but here too, it is possible to take a risk-based
approach, and financial institutions can conduct a more in-depth
analysis in high-risk cases. Looking again at more significant money
laundering cases as examples, there have been customers that have
entered a new business area very quickly without previous
experience and have been able to generate considerable turnover
immediately. In some cases, the private individual in the position of
manager and/or owner has been as young as 18 years. It is possible,
of course, that such examples can also be bona fide businesses, but
it is still an important aspect to monitor when considering normal or
unusual behaviour.

92. Although dollar bills are not labelled, the origin of wealth provides an adequate picture of a customer
The source of wealth should not be confused with the source of
funds. The latter is sought to understand the funds involved in the
specific business relationship or occasional transactions. Usually, the
source of funds is sought during customer on-boarding to understand
where the funds to be used during the business relationship are
coming from. Often, however, the source of funds is also sought
during a business relationship to corroborate the information
previously known about the customer and understand the origin of
funds used in a particular transaction or transactions.

Identifying the source of wealth is usually sought in higher-risk
cases and it means that a financial institution obtains a broader, more
general view of the customer's overall net worth. The application of
this due diligence measure usually provides input on how much the
customer might have, and where the customer obtained the assets.

Financial institutions often ask regulators whether the source of
wealth means identifying the source of every dollar ever earned.
Take, for example, a person who has been punished for fraud, but
transactions on the account are connected to receiving a salary from
a transparent company (source of funds) and spending it daily to
cover ordinary living expenses. In this example, the source of wealth
does not help the financial institution. Or let’s imagine some famous
investment banker wants to open a bank account and use it as his
main account for transactions. Does the source of wealth mean that
the bank has to analyse all the investment transactions that he has
ever made and understand how the wealth was earned?
Understandably, that would be too much.

Identifying the source of wealth means that a financial institution
can verify more broadly the origin of those funds that might be used
during the business relationship with the financial institution. This
information helps to verify the source of funds described above.
Usually, the source of wealth is requested directly from the customer.
Depending on the customer’s risk level and the risk profile of the
business relationship, in addition to questions posed directly to the
customer, to corroborate the source of wealth, information should
also be collected from public databases and other public or non-
public data, such as real estate, land or similar (property) registers,
declarations of economic interest, company registers, and so on.
Collecting documents and information about the source of wealth
from such public registers and databases – in other words, from
reliable and independent sources – should be the norm when the risk
level of a customer is high.

93. A politically exposed person is nothing more than just a risk indicator
International standards and supervisory guidelines all
predominantly focus on politically exposed persons, including who
they are by profession and who their family members and close
associates are. They also focus on the due diligence measures to be
applied in such cases. There is less focus on the fact that politically
exposed persons know their status and are aware they should not try
to make money obtained from a bribe seem like legal funds on their
personal accounts. These guidelines also provide less focus on the
difficult task of identifying family members and close associates.
Take, for example, the FATF Guidance on politically exposed persons
that helps define family members. A family member can be any
person with whom the politically exposed person is known to be
having a (sexual) relationship (e.g. girlfriend, boyfriend, mistresses).[6]
If it is not in the gutter press, how should a financial institution identify
that connection?

When identifying a politically exposed person, their family
members and close associates, all financial institutions rely to a large
extent on the customer's statement or the lists provided by vendors. If
the client does not declare such relationships or their status as a
politically exposed person, or these facts, including known sexual
partners, cannot be found from any available lists, it is a common
assumption that the financial institution has missed a potential risk.

Failure to identify that a customer is a politically exposed person,
or a family member or close associate of one, is not necessarily a
tragedy, since other controls and systems could compensate. This
does not mean that a financial institution will not be able to detect
suspicious and unusual transactions with that customer, and thus
money laundering, terrorist financing or the circumvention of financial
sanctions. As noted above, the purpose of determining a customer’s
risk level is to predict whether a customer is more likely than another
customer to engage in certain activities (i.e. money laundering or
terrorist financing). A politically exposed person is just one more
indicator of high risk, but if this indicator is not identified, it does not
mean that suspicious activities will slip by unnoticed.

All the activities of financial institutions during the process of
establishing a business relationship serve to understand whether a
customer is likely to make unusual or suspicious transactions during
the business relationship. Or even more simply, it does everything it
can so that during the business relationship, it can easily recognise
whenever a customer makes a transaction that does not coincide with
their knowledge of the customer. If the financial institution's ongoing
monitoring solutions work correctly and are sufficiently powerful, the
financial institution will be able to identify an unusual transaction even
without factually identifying whether the customer is a politically
exposed person or not. It is the same in any other ML/TF case, where
the prime suspect is not labelled accordingly.

IX. Ongoing due diligence and customer relationship monitoring
94. Keep up with changes in the paradigm
Financial supervisors like to give fancy names to their
approaches. In the language of supervisors, the world has moved
over time from compliance-based supervision to risk-based
supervision. The AML/CFT world also knows it as effectiveness-
based supervision. This means that it is not only the existence of
systems and controls that are important, but also their ability or
effectiveness in managing money laundering and terrorist financing
risks. If we take these categories as a basis, then we should take the
next step. The fight should be turned to the present. In the ongoing
monitoring phase, there is too much looking into past cases and
trying to find unusual behaviours from business relationships that
have already been terminated and thus learn from historical
typologies. Criminals are operating right now; a reactive approach
from financial institutions and authorities suits them well. Instead of
looking backwards, we should be more proactive. Some call this new
approach the investigative mode. Actions that are based on
compliance, risk and effectiveness are there anyway.

The financial sector is struggling with legacy systems. Solutions
that were appropriate and sufficient 3 or 5 years ago should not be
the norm today. Developments in risk control systems have not gone
hand in hand with the globalisation of banking and payment services.
The capabilities arising from technological developments have not
reached AML/CFT systems and controls as they could and should
have. Without a modern ongoing monitoring solution, it will not be
possible to fight crime and meet the expectations set for financial
institutions. This approach presupposes that supervisors agree that
this is the most critical area to which energy and effort should be
directed, leaving aside the less significant or even substitute activities
that are still abundant in today's approaches. It must also reflect the
desire, at the national and international level, to fight crime uniformly
and as effectively as possible.

The capability of ongoing monitoring solutions in this investigative
mode is the most crucial aspect in managing the risk of money
laundering and terrorist financing in the most effective way. The
absence of such solutions is, on the other hand, the most
considerable risk in fulfilling all AML/CFT due diligence obligations.
Mistakes in other areas of AML/CFT systems and controls can be
compensated for, but nothing compensates for an ongoing monitoring
solution that fails to detect suspicious activity then and there. The
know-your-customer principle during customer on-boarding is
important, since it helps to establish the risk profile for the customer
and the business relationship and eliminate clearly suspicious cases.
However, at the on-boarding, it is highly unlikely that a financial
institution can be sure that money is or will be laundered or terrorists
financed or anticipate the true motives of future transactions.
Therefore, alongside the know-your-customer principle, we should
also support the know-your-information approach, which means
investing in ongoing monitoring solutions that analyse all the
information available to the financial institution (including the know-
your-customer data). Thousands of norms written by supervisors help
build systems, but in very rough terms, financial institutions can
probably do without them. But they cannot operate today without
ongoing monitoring solutions that rely on all the data they have about
a customer and his or her transactions.

95. Machines are coming, do not fall behind
In recent years financial institutions have invested large sums in
compliance human resources, often indiscriminately. During these
actions, one of the questions to be asked is whether to invest in
people or machines. Machines have their advantages; they are
objective, not biased. They do not make mistakes brought on by
fatigue, and they can work 24/7 without coffee breaks and investigate
thousands of transactions in seconds. Smarter ongoing monitoring
solutions are able within that single second to also compare know-
your-customer information with what happened on an account. We do
not see much prospect in the fight against money laundering and
terrorist financing unless financial institutions themselves decisively
encourage and support investment in new technologies. Today,
ongoing monitoring of business relationships with customers is
broadly divided into two types: post-transaction monitoring and real-
time transaction screening. There is also an obligation to update the
know-your-customer information and implement various solutions for
a more extensive analysis of the customer base. However, more
effort should be exerted in the ongoing monitoring itself, making it a
much more powerful tool than it is today.

Ongoing monitoring solutions usually run on algorithms. There are
two categories of algorithms, which can be implemented
independently or in combination. The first set of algorithms is widely
called scenarios, which are pre-defined by humans. In IT-language
these scenarios usually start with the question “if” – if a certain
transaction has specific characteristics, the automated system flags
them and creates an “alert”. In the second set of algorithms, the
solution initially profiles a customer and then analyses its entire
behaviour in one go, as well as linking individual transactions with
previous transactions and other information known about the
customer. In this second solution, the system can also be based on
scenarios, but the scenarios are not necessarily always pre-defined.
It is for the system to create “scenarios” and the “alerts” to flag
unusual patterns and behaviour.
Customer bases in financial institutions have become so large and
so complex that looking at single transaction(s) alone does not help
us identify patterns of suspicious transactions. One might create even
tens or hundreds of new pre-defined scenarios, but in the grand
scheme of things it will not be a huge leap closer to identifying
unusual activities. In the investigative mode that we have referred to
above, in our opinion, the most important thing is to invest in and use
more extensively the second set of algorithms; in other words, profile
a customer and analyse its entire behaviour in one go. We need to
put much more emphasis on developing machines that can do that
and detect not only suspicious transactions, but especially suspicious
activities in more general and unusual patterns of behaviour.

96. Ongoing monitoring has two layers in a
financial institution
The IT solutions for ongoing monitoring that are prevalent in
financial institutions today – described above as being dependent on
pre-defined scenarios by humans and answering the question “if” –
are often unrefined and not usually designed to identify anything that
happens outside single transactions. They are not necessarily built to
immediately and conclusively identify suspicious activity.
Understandably, it is not possible to assign a customer manager or a
responsible person to every customer; therefore, financial institutions
have created a mechanism to extract customers, and usually single
transactions that could lead to suspicion or that should be looked at
more closely (Step 1). These situations are then referred to a
designated employee for further analysis – to compare the
transaction with what is known about the customer and, if needed,
apply additional customer due diligence measures, and ultimately
validate whether anything suspicious is happening (Step 2). If there is
suspicious activity, the situation is then referred to the MLRO (Step 3)
to confirm and decide whether to file a report with the financial
intelligence unit (Step 4). The reason for this setup is that the
algorithms usually do not run on all the know-your-customer
information and all transactions made, which is why they are simply not
able to do more. They are primarily based on limited information and
very often the same data that is available from a SWIFT message.
There is a fundamental problem in today's solutions. They are not
built for investigative mode. They do not allow the IT system itself to
detect suspicion, as it is instead a system for extracting pre-defined
single transaction(s) for humans to look further into.

Remember, we focused above on the role of the first line of
defence, which was as the owner of the risk to apply customer due
diligence measures to know the customer and identify suspicious
transactions. The role of the second line of defence was to help
identify risks. Based on this segregation of obligations, IT solutions
for ongoing monitoring should also be divided into two. The simpler
systems – those that are primarily in use today to identify pre-defined
and scenario based single transactions for further investigation –
should be the tool for the first line of defence. These should help
select customers and transactions to look more closely into and
investigate whether there is any unusual activity. However, more
sophisticated algorithms that profile a customer and take into account
the entire behaviour of the customer, including all the know-your-
customer information and previous transactions, should go to the
second line of defence. These are people or units that ordinarily
analyse the internal suspicious reports sent by the first line of defence
as described above in Step 3. Such a sophisticated system is the
Step 2 analysis that today is being done by an employee but should
be done automatically by a more advanced system. A more refined
system would be able to think smarter and in the same way as a
human being. It would highlight suspicious transactions and activities
in the same way as employees do who monitor the customer's
business relationship daily and try to find suspicious circumstances
and patterns, including through applying the above-mentioned less
refined system dedicated to the first line of defence. Such
sophisticated IT solutions are extremely necessary today and will
become even more central in the future fight against money
laundering and terrorist financing.
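
The two categories of algorithm described under rule 95 and the two
layers described under rule 96 can be shown side by side in code. The
following is an added example written for this book edition, not a
system of any financial institution or vendor: a pre-defined “if” scenario
that extracts single transactions above a fixed limit (the first-line tool),
and a behavioural profile that judges new activity against the customer's
own history (the automated Step 2 analysis for the second line). The
customers, amounts and country codes are constructed for the example.

```python
"""Two layers of ongoing monitoring over constructed sample data:
a human pre-defined "if" scenario that extracts single transactions
(the first-line tool) and a behavioural profile that judges new
activity against everything known about the customer (the automated
second-line analysis). Customers, amounts and country codes are invented."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Tx:
    tx_id: str
    customer: str
    amount: float               # outgoing amount in the account currency
    counterparty_country: str   # constructed ISO-style code
    day: int                    # day number in the observation window


def scenario_alerts(txs, limit=10_000.0):
    """Layer 1: 'if amount >= limit then alert', looking at each
    transaction on its own."""
    return [t.tx_id for t in txs if t.amount >= limit]


def build_profile(history):
    """Layer 2, step one: a baseline of the customer's past behaviour."""
    amounts = [t.amount for t in history]
    per_day = Counter()
    for t in history:
        per_day[t.day] += t.amount
    return {
        "mean_amount": mean(amounts),
        "std_amount": pstdev(amounts) or 1.0,   # avoid division by zero
        "countries": {t.counterparty_country for t in history},
        "max_daily_volume": max(per_day.values()),
    }


def profile_alerts(new_txs, profile, z_limit=3.0, volume_factor=2.0):
    """Layer 2, step two: reasons for suspicion per transaction, judged
    against the baseline rather than against a fixed limit:
    - amount far outside the customer's usual range (z-score),
    - counterparty country never seen for this customer,
    - daily outgoing volume well above the highest day in the history."""
    reasons = {}
    daily = Counter()
    for t in new_txs:
        daily[t.day] += t.amount
    for t in new_txs:
        found = []
        z = (t.amount - profile["mean_amount"]) / profile["std_amount"]
        if z > z_limit:
            found.append(f"amount z-score {z:.1f}")
        if t.counterparty_country not in profile["countries"]:
            found.append(f"new country {t.counterparty_country}")
        if daily[t.day] > volume_factor * profile["max_daily_volume"]:
            found.append(f"daily volume {daily[t.day]:.0f} vs max "
                         f"{profile['max_daily_volume']:.0f}")
        if found:
            reasons[t.tx_id] = found
    return reasons


def sample_customers():
    """Constructed histories and new activity for two customers."""
    # A: a private customer paying domestic bills of 1,400-1,600.
    hist_a = [Tx(f"A-h{i}", "A", 1_400.0 if i % 2 else 1_600.0, "EE", 2 * i)
              for i in range(1, 13)]
    # Then five payments of 9,000 to a new country on a single day:
    # each is below the scenario limit, but far outside the baseline.
    new_a = [Tx(f"A-n{i}", "A", 9_000.0, "XX", 31) for i in range(1, 6)]
    # B: a trading company whose ordinary payments are 15,000-25,000.
    hist_b = [Tx("B-h1", "B", 15_000.0, "EE", 1), Tx("B-h2", "B", 25_000.0, "DE", 5),
              Tx("B-h3", "B", 20_000.0, "DE", 10), Tx("B-h4", "B", 18_000.0, "EE", 15),
              Tx("B-h5", "B", 22_000.0, "DE", 20)]
    # A 22,000 payment to a known country: the scenario fires, the profile does not.
    new_b = [Tx("B-n1", "B", 22_000.0, "DE", 31)]
    return hist_a, new_a, hist_b, new_b
```

Run on the constructed data, the scenario rule extracts nothing for
customer A and one transaction for customer B, while the profile does the
opposite: it gives three reasons for each of A's five payments and none for
B's. That is the point of the second layer: it reduces the false positive
the first layer produces and catches the pattern the first layer cannot see.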

97. It is time to head to real-time monitoring instead
of post-monitoring
According to today’s understanding, if someone talks about
ongoing monitoring, it usually means post-transaction monitoring as
we described above. This is another hurdle in today’s approach in
addition to its simplicity. Post-monitoring means that transactions are
extracted and displayed based on specific parameters for further
analysis. In post-monitoring, this extraction is done at the end of the
day, or a day, a week or a month or more after the transactions are
made. Screening is usually carried out in real time and flags those
transactions where there is an indication of a financial sanctions
case, a connection to a politically exposed person, negative
information about a customer or if a financial institution has placed
certain persons under a special watch list filter. Everything except the
watch list filter is traditionally based on databases provided by third-
party vendors, where there are lists of individuals who meet the
abovementioned criteria.

Monitoring is therefore usually an ex-post evaluation of a
transaction that meets pre-defined characteristics. Screening, on the
other hand, is real-time monitoring of business relationships based on
the names of individuals and the words used in the dedicated fields of
a transaction. There is one crucial hole in this system, which is the
inability to respond to money laundering activities that happen in real
time. By real time we mean that a transaction is stopped immediately
when the suspicion is formed by the machine; it all depends on how
quickly the machine can calculate and identify the suspicious event.
In today's global world, funds can make countless circles around the
globe in a matter of minutes. In many cases, we have seen that this is
by no means a theory but, on the contrary, a conventional scheme in
which funds are moved as quickly as possible to complete the money
laundering phase smoothly, thereby avoiding funds being frozen.

Reacting to transactions at the end of the day, the next day or a
week or a month later means the money is long gone, and it is
impossible to catch it or ultimately understand its origin. Reports
made to financial intelligence units are therefore in these cases
useless, as they are simply unable to do anything to save the victims'
money, to prevent terrorist financing, and so on. Depending on the
strength of the financial institution's systems and controls, criminals
may run such schemes for a long time and the next day already
through completely new companies.
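
The difference between post-transaction monitoring and real-time
monitoring is easiest to see on a timeline. The example below is added
for this edition and is not taken from any institution's system: the same
pass-through rule (most of a fresh credit sent on within 30 minutes) is run
once as an end-of-day batch and once before each outgoing payment settles.
The ledger, the 30-minute window, the 90% ratio and the counterparty labels
are all constructed assumptions.

```python
"""Post-transaction monitoring versus real-time (pre-settlement)
monitoring, run over a constructed one-day ledger for a single account.
Timestamps, amounts and counterparty labels are invented."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Entry:
    at: datetime
    direction: str      # "in" (credit) or "out" (debit)
    amount: float
    counterparty: str


PASS_THROUGH_WINDOW = timedelta(minutes=30)   # assumed window
PASS_THROUGH_RATIO = 0.9                      # assumed share sent on
END_OF_DAY = datetime(2020, 6, 1, 23, 59)


def is_rapid_pass_through(outgoing, earlier):
    """True when an outgoing payment sends on at least 90% of what was
    credited in the previous 30 minutes: the pattern of funds circling
    the globe in minutes that the text describes."""
    recent_in = sum(e.amount for e in earlier
                    if e.direction == "in"
                    and timedelta(0) <= outgoing.at - e.at <= PASS_THROUGH_WINDOW)
    return recent_in > 0 and outgoing.amount >= PASS_THROUGH_RATIO * recent_in


def balance_of(entries):
    return sum(e.amount if e.direction == "in" else -e.amount for e in entries)


def post_transaction_monitoring(ledger, run_at):
    """End-of-day batch: every entry up to run_at has already settled.
    Returns the alerts and the balance left to freeze when they are raised."""
    settled = [e for e in ledger if e.at <= run_at]
    alerts = [e for i, e in enumerate(settled)
              if e.direction == "out" and is_rapid_pass_through(e, settled[:i])]
    return alerts, balance_of(settled)


def real_time_monitoring(ledger):
    """Pre-settlement check: each outgoing payment is evaluated against
    what has settled so far, and a suspicious one is held for an analyst
    instead of being executed, so the funds stay on the account."""
    settled, held = [], []
    for e in ledger:
        if e.direction == "out" and is_rapid_pass_through(e, settled):
            held.append(e)
        else:
            settled.append(e)
    return held, balance_of(settled)


def sample_ledger():
    """Constructed day: a large credit at 10:00 is almost entirely
    sent on seven minutes later; small ordinary activity follows."""
    t0 = datetime(2020, 6, 1, 10, 0)
    return [
        Entry(t0, "in", 50_000.0, "CP-A"),
        Entry(t0 + timedelta(minutes=7), "out", 49_500.0, "CP-B"),
        Entry(t0 + timedelta(hours=3), "in", 120.0, "CP-C"),
        Entry(t0 + timedelta(hours=4), "out", 80.0, "CP-D"),
    ]
```

Both runs raise the same single alert on the 10:07 payment. The batch run
raises it at 23:59 with 540 left on the account; the real-time run holds the
payment at 10:07 with 50,040 still on the account. The detection logic is
identical; only the moment of evaluation differs, and that moment decides
whether a report to the financial intelligence unit can still achieve anything.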

98. Ongoing monitoring must rely on all available
data
We have often been asked whether it is even possible to monitor
business relationships in real time as described above. The doubters
argue it will no longer be possible for customers to make transactions
at all because each transaction is suspended for further analysis.
These questions confirm the main problem of the ongoing monitoring
solutions used today. The systems generate too many alerts that are
actually false positives because no one acknowledges that they are
not built to identify suspicion, but to extract specific transactions for
further analysis. As described above, the systems today usually run
on information similar to what is available from a SWIFT message.
Only sometimes do they also take into account the customer’s level of
risk, but not all the know-your-customer information.

Consequently, monitoring business relationships for many
financial institutions focuses on the following parameters: (i) time and
date; (ii) amount; (iii) currency; (iv) the name of the payee and
recipient payment service provider; (v) the country of location of these
payment service providers; (vi) the name and identification number of
the payee and recipient; (vii) the payment explanation.[7] In addition to
the fact that today’s monitoring solutions run on this information, they
are very often only able to assess single transaction(s). Since there
are so many transactions and not every transaction can be analysed,
basically the only possible restriction is to set another “if” into the
sequence, this time a limit on transaction values above which it will
be sent for an additional check. In addition to this system being far
from meeting today's needs, such systems are more vulnerable due
to their predictability if someone in a financial institution should be
aiding and abetting criminals.

Therefore, the abovementioned ongoing monitoring tool for the
second line of defence should at least take into account all the
information that a financial institution has collected about a customer.
It does not matter whether this is know-your-customer or IP-address
information, the countries or locations where cash has been
withdrawn from an ATM, etc. This means that all the information that
a financial institution knows about a customer, or could or should
know, is taken into account by ongoing monitoring IT solutions. It
should also take into account not only the current transaction but also
all previous transactions. A system that considers all such factors can
detect suspicious and unusual transactions and patterns of
transactions. Only then, with the help of computing power and IT
solutions, are we able to identify circumstances that do not coincide
with previously known information about the customer and identify
deviations in the customer's activities.

Moreover, the monitoring should also cover all services provided.
Commonly, banks focus only on payment services, notwithstanding
the provision of securities services, life insurance products and loans.
It could be argued that each of the above types of services often has
one end that involves the transfer of funds, so there supposedly is no
need to create special rules for these services. However, wire
transfers do not always show all the risks associated with the
customer's activities, and money laundering may also be committed
through other services without becoming (i.e. being “converted” into)
fiat currency. Furthermore, the further the proceeds travel from the
predicate crime, the cleaner they get, which is why one cannot argue
that monitoring is a task only for the financial institution that mediates
the assets in the form of fiat currency. The financial institution that has been
involved in the layering of the proceeds will always be considered as
having failed to prevent the crime.

To exemplify the situation, we take securities transactions and so-
called mirror trading, which has many sub-layers. It could be that a
customer buys securities in one currency and at the same time
another customer wants to sell the same amount of securities,
sometimes in another currency. Another situation is where
securities have already been acquired in one currency, and they are
transferred to a securities account opened with the service provider
and then immediately sold, with the proceeds converted into another
currency. If in these examples, a financial institution only monitors
payment transactions, the system may not detect the unusual activity.
Similar examples can be found in lending, where there may be a
situation where one person takes a loan which is repaid by another
person. In the case of life insurance contracts, for example, it can be
that different and unrelated people hold a different status, such as the
policyholder, the insured person and the beneficiary. If the banks only
monitor payment transactions, such unusual circumstances may not
be detected.

The approach of not using the entire data-set is rather common
today. This shows that moving from such stand-alone solutions to
holistic solutions is inevitable. Still, we can also imagine what
resources will be required or what solutions will be missed if each
financial institution does this by themselves. The answer here is for
financial institutions to provide the dummy information to RegTech
companies and to support investments and developments in machine
learning, artificial intelligence and other similar solutions. This will
facilitate the leap from analysing individual cases and individual
typologies and create more sophisticated ongoing monitoring
solutions. Such an approach would also help build smoother
customer service solutions that reduce interference in day-to-day
business where it is not necessary.

The term "this is not possible" should be forgotten. It is possible if
financial institutions invest in it. This is how smart and sophisticated
ongoing monitoring solutions work. In these circumstances, a
financial institution is also able to apply real-time monitoring. The
financial system has vast amounts of data at its disposal, which
makes it possible to really distinguish the unusual from the ordinary
and suspend them at the very moment they are attempted.

99. The broader risk outlook should remain
The transition to more sophisticated systems and real-time
monitoring solutions does not mean that financial institutions should
not build a comprehensive analytical solution to help gain a strategic
overview of the entire portfolio and potentially risky customers and
transactions. Previously, we addressed this concept through a risk
dashboard solution; however, this type of customer relationship
monitoring has some nuances. Through such monitoring, the system
could identify, among other things, the following:

• Natural and legal persons whose accounts have the highest
turnover, highest incoming or outgoing transactions, are the
biggest borrowers, investment service’s customer, fund
unitholder, and so on (these lists could be divided by currency,
maturity, etc.)

• Largest single transactions by currency and service

• Cash withdrawals and deposits exceeding a particular limit
made both in the bank office and at ATMs

• Movement of funds to and from respondent institution’s
accounts

• Transactions made by previously determined customer types,
such as politically exposed persons, high-net-worth individuals,
etc.
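
The portfolio-level views listed above can be produced from the same
transaction data the monitoring solutions already hold. The following is an
added example for this edition, not any bank's dashboard: a single pass over
a constructed set of transactions that produces each of the five lists. The
customers, services, channels, respondent identifier, cash limit and the
customer-type labels (“PEP”, “HNWI”) are assumptions made for the example.

```python
"""Portfolio-level risk dashboard over a constructed set of transactions:
highest turnover, largest single transaction per currency and service,
cash over a limit by channel, flows with respondent institutions and the
activity of pre-determined customer types. All data is invented."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    customer: str
    service: str        # "payment", "securities", "loan", "cash"
    channel: str        # "branch", "atm", "online"
    direction: str      # "in" or "out" from the customer's account
    amount: float
    currency: str
    counterparty: str   # institution or account on the other side


def risk_dashboard(txs, customer_types, respondents, cash_limit, top_n=3):
    """Return the aggregates a strategic overview screen would show."""
    turnover = defaultdict(float)           # customer -> total volume
    largest = {}                            # (currency, service) -> tx
    cash_over = []                          # (customer, channel, amount)
    respondent_flows = defaultdict(float)   # (respondent, direction) -> volume
    by_type = defaultdict(float)            # (type, customer) -> volume
    for t in txs:
        turnover[t.customer] += t.amount
        key = (t.currency, t.service)
        if key not in largest or t.amount > largest[key].amount:
            largest[key] = t
        if t.service == "cash" and t.amount >= cash_limit:
            cash_over.append((t.customer, t.channel, t.amount))
        if t.counterparty in respondents:
            respondent_flows[(t.counterparty, t.direction)] += t.amount
        ctype = customer_types.get(t.customer)
        if ctype in ("PEP", "HNWI"):
            by_type[(ctype, t.customer)] += t.amount
    return {
        "top_turnover": sorted(turnover.items(), key=lambda kv: -kv[1])[:top_n],
        "largest_by_currency_service": {k: (v.customer, v.amount)
                                        for k, v in largest.items()},
        "cash_over_limit": cash_over,
        "respondent_flows": dict(respondent_flows),
        "by_customer_type": dict(by_type),
    }


def sample_dashboard():
    """Constructed portfolio: four customers, one respondent institution."""
    txs = [
        Tx("C-1", "payment", "online", "out", 80_000.0, "EUR", "BANK-X"),
        Tx("C-1", "payment", "online", "in", 120_000.0, "EUR", "RESP-1"),
        Tx("C-2", "securities", "online", "out", 300_000.0, "USD", "BROKER-Y"),
        Tx("C-3", "cash", "atm", "out", 9_000.0, "EUR", "C-3"),
        Tx("C-3", "cash", "branch", "out", 15_000.0, "EUR", "C-3"),
        Tx("C-4", "loan", "branch", "in", 50_000.0, "EUR", "BANK-SELF"),
        Tx("C-4", "payment", "online", "out", 45_000.0, "EUR", "RESP-1"),
    ]
    types = {"C-2": "HNWI", "C-4": "PEP"}
    return risk_dashboard(txs, types, respondents={"RESP-1"}, cash_limit=10_000.0)
```

Each list is keyed so it can be split further, by currency or by service,
exactly as the text suggests; the cash list keeps the channel so branch and
ATM activity can be shown separately.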

100. Algorithms do not appear out of thin air
No algorithm or wisdom in the AML/CFT field falls from the sky.
Ongoing monitoring solutions are not available from the local store. It
involves know-your-customer and transaction information from one
side and an algorithm based on information technology capabilities
on the other. The algorithm is the entire logic behind extracting
unusual transactions and activities. It includes computing power,
machine learning and artificial intelligence solutions. Creating
algorithms requires a combination of particular skills, such as
advanced maths skills, data processing, knowledge of economic
logic, and so on. In money laundering and terrorist financing
schemes, it is no longer just a matter of identifying the unknowns, but
of identifying the unknown unknowns. There are tens and hundreds
of ongoing monitoring solution service providers. However, when
choosing between them, the most important thing is the algorithm
behind it.

Building algorithms, according to today’s expectations, requires
new expertise from financial institutions; it is no longer limited to a few
compliance employees and lawyers. Every financial institution should
ask who in the organisation manages and creates such algorithms or
codes the machine. Or who is that person in the vendor to whom this
obligation has been outsourced? It is time to think about this because
it will be most important in the next phase of the fight against crime:
building algorithms, updating them and testing them. This person does not
always have to be employed by the financial institution. If the financial
institution itself is unable to build up this expertise and develop
algorithms, it is necessary to identify the RegTech that can do this for
them. Financial institutions do not produce their own pens and paper or
ATMs either. Choosing the right employees or external partners should,
nevertheless, not be taken lightly, as a mistake in building an
appropriate system will later cost the financial institution much more.

101. Risk assessment is the basis for monitoring
algorithms
Each financial institution is unique, because its customers, the
services it provides, the delivery channels it uses and the
geographical risks it faces are unique. Therefore, the base algorithms
can be universal for every financial institution, but not all of them, at
least with the current capabilities of ongoing monitoring solutions.
There must be a critical assessment of whether a single external
service provider can provide a service for every market participant. It
is equally inappropriate for a parent bank to set up all the same
algorithms in its branches and subsidiaries located in other countries
and hope that risks are now effectively managed. Once again,
each financial institution faces its own risks and performs its own risk
assessment, and ongoing monitoring solutions should take that into
account.
Therefore, when creating monitoring algorithms, the results of the
risk assessment of the financial institution should be taken into
account. This includes the risks associated with its customers and,
where applicable, their counterparties (international sanction risks),
products and services provided, delivery channels used and
geographical risks encountered. When designing the entire algorithm,
a financial institution should be familiar with the typology reports
prepared by the competent authorities, including both domestic and
foreign ones. Risk assessments and threat reports at the state or
union level, as well as those prepared by supervisors, financial
intelligence units and law enforcement authorities should also be
taken into account. All the above should be covered in the financial
institution’s risk assessment as already described in this book.
Subsidiaries and branches (especially those of large banking groups,
whose subsidiaries offer insurance, leasing, etc.) also often outsource
their monitoring obligation to the parent company. This is why the
algorithms should also cover the risks that the subsidiary or branch
faces.

Systems built on the principles of machine learning and artificial
intelligence can potentially offer more universal solutions in the future.
Recent money laundering cases and institutional failures have
highlighted a clear need for such technological developments.

102. Alert management is as crucial as generating
the right alerts
While financial institutions should place great emphasis on the
development of monitoring algorithms, they should not forget the
solutions used to analyse the cases the machines flag. This case
management view should provide all the necessary information to
investigate a case and reach a conclusion about whether it is
suspicious or not. This view should include at least the following:

• Why is the case flagged? What is the narrative?

• If the algorithm is based on pre-defined scenarios, then through
which scenario was the situation flagged? If the situation is
flagged by a machine that has itself “created” a scenario, then
what scenario is it?

• Has there been any suspicion before? What was the content,
and when was it raised?

• Have any reports been made to the financial intelligence unit
that are connected to this suspicion, including a connection
through the customer, counterparty, and so on? What was the
content?

• Who is this customer, including place of registration or
residence? Who are its representatives and beneficial owners?
Do these connected people have accounts of their own? What
do these relationships look like when visualised?

• Is the customer part of a broader customer group? What unites
the customers (e.g. beneficial owners, representatives, same
addresses, same nominee directors or shareholders)? Do these
other customers have accounts with the financial institution?
What do these relationships look like when visualised?

• What other products does the customer consume?

• Graphically, what were the volumes of services consumed by
the client in the previous month, quarter, half-year or year? What
volumes are involved with the services being provided (e.g.
securities portfolio size, loan balance, cash withdrawal amounts,
value of payment services, etc.)? From which countries do the
funds mainly originate, and to which countries do they go? In
which currencies have transactions been made?

• What IP addresses does the customer use? What countries do
the IP addresses refer to? Does it match what is expected of the
customer? Do other customers use the same IP addresses?
What do these relationships look like when visualised?

Financial institutions should think more about how to visualise
customer information and pre-determine related workflows. All the
information mentioned above about each customer should be
available to any AML/CFT employee with a single mouse click. Such
a case management tool provides an opportunity to analyse
suspicion from start to finish in one window. The IT solution should
also fill in all the necessary fields when preparing a report for the
financial intelligence unit, or at least it should be easy to do this
without an employee having to move between different databases or
system tabs to manually transfer the information. Unfortunately, the
legacy systems used today are not capable of the above, since all the
information is fragmented between different databases. Building this
case management system provides a foundation for identifying more
complex cases and could provide a considerable leap forward in
identifying suspicion more quickly.
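
The single-window case view described under rule 102 amounts to joining
the data a financial institution already holds about a customer. The
following is an added example for this edition, not the case management
tool of any institution: from small constructed tables of customers, login
sessions, transactions and earlier reports, it assembles the narrative,
prior suspicion, volumes by country and currency, IP countries and the
links to other customers (shared beneficial owner, representative, address
or IP address) as edges a visualisation could draw. The customer records,
the IP addresses (from documentation ranges) and the reports are invented.

```python
"""Single-window case view: everything an analyst needs to confirm or
refute an alert, assembled from data the institution already holds.
All customers, IP addresses, amounts and prior reports are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Customer:
    cid: str
    name: str
    residence: str            # country of registration or residence
    beneficial_owners: set
    representatives: set
    address: str
    products: set


# Constructed data store: three customers, two of them connected to C-1.
CUSTOMERS = {
    "C-1": Customer("C-1", "Alpha OÜ", "EE", {"BO-1"}, {"REP-1"}, "Street 1", {"payments", "loan"}),
    "C-2": Customer("C-2", "Beta OÜ", "EE", {"BO-1", "BO-2"}, {"REP-2"}, "Street 9", {"payments"}),
    "C-3": Customer("C-3", "Gamma Ltd", "GB", {"BO-3"}, {"REP-3"}, "Street 1", {"securities"}),
}
SESSIONS = {  # customer -> [(ip, country the ip resolves to)]
    "C-1": [("198.51.100.7", "EE"), ("203.0.113.5", "XX")],
    "C-2": [("198.51.100.7", "EE")],
    "C-3": [("192.0.2.44", "GB")],
}
TRANSACTIONS = [  # (customer, direction, amount, currency, counterparty country)
    ("C-1", "in", 40_000.0, "EUR", "DE"),
    ("C-1", "out", 39_000.0, "USD", "XX"),
    ("C-1", "out", 500.0, "EUR", "EE"),
    ("C-2", "in", 1_000.0, "EUR", "EE"),
]
PRIOR_REPORTS = [  # (customer, date, content) sent to the FIU earlier
    ("C-2", "2019-11-04", "unexplained incoming funds"),
]


def linked_customers(cid):
    """Edges to other customers sharing a beneficial owner, representative,
    address or IP address; each edge carries the reason for the link."""
    me = CUSTOMERS[cid]
    my_ips = {ip for ip, _ in SESSIONS.get(cid, [])}
    edges = []
    for other in CUSTOMERS.values():
        if other.cid == cid:
            continue
        for bo in sorted(me.beneficial_owners & other.beneficial_owners):
            edges.append((cid, other.cid, f"beneficial owner {bo}"))
        for rep in sorted(me.representatives & other.representatives):
            edges.append((cid, other.cid, f"representative {rep}"))
        if me.address == other.address:
            edges.append((cid, other.cid, f"address {me.address}"))
        for ip in sorted(my_ips & {ip for ip, _ in SESSIONS.get(other.cid, [])}):
            edges.append((cid, other.cid, f"ip {ip}"))
    return edges


def build_case_view(cid, why_flagged, scenario):
    """One dictionary answering the questions listed in the text."""
    me = CUSTOMERS[cid]
    edges = linked_customers(cid)
    linked = sorted({e[1] for e in edges})
    by_country, by_currency = defaultdict(float), defaultdict(float)
    for c, direction, amount, currency, country in TRANSACTIONS:
        if c == cid:
            by_country[(direction, country)] += amount
            by_currency[currency] += amount
    ip_countries = {country for _, country in SESSIONS.get(cid, [])}
    return {
        "narrative": why_flagged,
        "scenario": scenario,
        # earlier reports on this customer or on anyone linked to it
        "prior_reports": [r for r in PRIOR_REPORTS if r[0] == cid or r[0] in linked],
        "customer": {"name": me.name, "residence": me.residence,
                     "beneficial_owners": sorted(me.beneficial_owners),
                     "representatives": sorted(me.representatives)},
        "linked_customers": linked,
        "graph_edges": edges,
        "products": sorted(me.products),
        "volume_by_country": dict(by_country),
        "volume_by_currency": dict(by_currency),
        "ip_countries": sorted(ip_countries),
        "ip_matches_residence": ip_countries <= {me.residence},
    }
```

The same dictionary is what a report form for the financial intelligence
unit would be pre-filled from, which is the point made above about not
moving between databases and tabs by hand.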

103. Suspicion is there to be investigated
When managing alerts about suspicious behaviour, it is also
important that financial institutions consider how to analyse a
suspicious situation and then confirm or refute it. All this must be
done before sending a suspicious activity or transaction report to the
financial intelligence unit. Otherwise, the report sent will not be of
good quality, and it could even be argued that the financial institution
has made a defensive report, because the suspicion has not been
thoroughly investigated. Financial institutions also need to think about
what information to seek from the customer during this process (while
avoiding tipping them off), how much information to ask for, and what
it should prove in the corresponding case. The FATF stipulates that if
customer due diligence measures cannot be applied, the financial
institution is prohibited from allowing transactions to be made, and
the business relationship must be terminated. However, this does not
mean that the financial institution can require the customer to answer
any questions that come to mind. It also does not mean that failure to
provide this information justifies terminating the business relationship
with the customer.

The absence of collecting meaningful data is today still a
significant problem for financial institutions. On the one hand, this
shows the weakness of the AML/CFT compliance system, but it also
jeopardises normal relationships with customers whose activities are
not suspicious. In the course of our supervisory activities, we have
seen financial institutions asking questions of their customers that are
completely out of proportion with a potentially suspicious situation.
For example, customers are asked regularly to provide 12-month
statements of accounts from all and any other banks. Sometimes all
contracts entered into within the past 12 months are requested, and
these should then provide legal grounds for the transactions made
during this period. In more extreme cases, such wide-ranging
questions should not be ruled out.

The financial institution should be able to justify to itself, but also
to the customer and supervisor, exactly how the information
requested by default fits into the process and logic. In the
hypothetical cases referred to above, the reason for asking such
wide-ranging questions is not necessarily to analyse a suspicious
event, but to compensate for the weaknesses of the IT solutions that
failed to flag transactions that were really suspicious when they were
made. Again, we come back to the issue of investigating past
transactions, where the proceeds of crime have already been
laundered, and financial intelligence units and law enforcement
authorities have limited possibilities to act on these now. In
the case of more effective solutions, IT systems do the work
themselves and highlight suspicious and unusual transactions or
transaction patterns, and do so much earlier.

104. Look for further efficiency
One of the goals for ongoing monitoring solutions should be to
achieve better efficiency. This, in turn, requires more investment in
machine learning and artificial intelligence and other similar
technologies. The resources that are invested in people analysing
‘false positive’ alerts are unacceptably high in today's financial
institutions. In a recent internal investigation report commissioned by
a Scandinavian bank it was noted that in today’s environment, the
rate of false positives often exceeds 90%. If this is even close to
being accurate, then the AML/CFT world is in an even deeper canyon
than one could imagine, especially if this is thought to be ordinary and
inevitable. False positives lead to system overload – resources are
not deployed where they are needed. If a financial institution fails to
ensure that the number of false positives is kept to a minimum,
employees may not be able to identify genuine suspicious behaviour
because of their resource constraints. Through that, actual true
positives might be misclassified as false. The financial intelligence
unit faces the same problem today, as their systems are also clogged
with vast amounts of unusable and irrelevant information. They are
being sent suspicious transaction and activity reports that are only
used in a small percentage of cases. The real issue, therefore, is in
the extreme inefficiency of the AML/CFT systems and controls and
especially in ongoing monitoring solutions. Inefficiency generates a
massive number of defensive and false reports.

105. System testing guarantees operations
In the AML/CFT field, the disruption of systems, and in particular
the disruption from the ongoing monitoring of business relationships,
means that financial institutions are unable to detect suspicious
activities in their customers. A single transaction that is not analysed
in time can also mean severe consequences, for example, in the form
of a terrorist attack. The most crucial part of business continuity from
an AML/CFT perspective is system testing. System testing should be
two-tiered to look at (i) whether the applied algorithms work, and (ii)
whether the algorithms are appropriate and effective. The remaining
business continuity principles are subject to the usual business
continuity rules, as with any other part of a financial institution's
system. The latter means that business continuity rules must be in
place; they should be continuously reviewed and, where necessary,
updated.

106. Test whether the applied algorithms work


All algorithms must be tested before implementing them as well as
during operation. To this end, financial institutions must have a test
environment or the ability to test algorithms in advance using fictitious
customers and fictitious transactions. The same process should be
repeated after certain intervals to make sure that there have been no
changes to the systems in the meantime that prevent the algorithm
from performing. We recommend testing the systems (i) at different
times; (ii) on weekdays and weekends, as well as (iii) by subcategory
of different products and services; (iv) using different amounts and (v)
different currencies. Although it may seem that the algorithm could be
neutral under certain conditions; in other words, it does not seem to
matter whether the transaction is, for example, made in one or
another currency, it is still worth testing the system in this respect as
well. While this sounds impossible, we have seen a situation where
the system seemed to work, but the algorithm did not analyse
transactions that were made at a specific time of the day and certain
types of payments on certain days of the week.
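The coverage test described in this rule, as an added example that is not code from the book or from any product the authors describe: a correct threshold rule is wrapped in a "deployed" monitor that carries a planted blind spot of the kind the text mentions (a batch window that never runs, and one payment type on one weekday that is routed past the rule), and a sweep of fictitious transactions across hours, weekdays and weekends, product subcategories, amounts and currencies reports which must-flag cases were silently missed. The rule, the per-currency thresholds, the product names, the planted defect and the dates are all constructed.

```python
"""Coverage testing of a monitoring algorithm with fictitious transactions.

Added example: not code from the book. The rule, the per-currency thresholds,
the product subcategories, the planted blind spot and the dates are all
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import product
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Transaction:
    amount: float
    currency: str
    product: str          # constructed subcategories: "wire", "card", "cash"
    booked_at: datetime


# Hypothetical per-currency thresholds; real values are set by the institution.
THRESHOLDS: Dict[str, float] = {"EUR": 10_000.0, "USD": 11_000.0, "GBP": 9_000.0}

# A Monday, so a seven-day sweep covers every weekday and the weekend.
DEFAULT_START = datetime(2020, 6, 1)


def high_value_rule(tx: Transaction) -> bool:
    """The algorithm under test: flag any amount at or above the threshold."""
    return tx.amount >= THRESHOLDS[tx.currency]


def scheduled_monitor(tx: Transaction) -> bool:
    """The deployed system around the rule, with a planted defect of the kind
    the text describes: the batch covering the 23:00 hour never runs, and wire
    payments booked on a Sunday are routed to a queue the rule never sees.
    Both gaps are constructed; the point is that the rule itself is correct."""
    if tx.booked_at.hour == 23:
        return False
    if tx.product == "wire" and tx.booked_at.weekday() == 6:   # 6 == Sunday
        return False
    return high_value_rule(tx)


def coverage_cases(start: datetime = DEFAULT_START) -> List[Transaction]:
    """Fictitious transactions that the rule MUST flag, spread across hours of
    the day, weekdays and the weekend, product subcategories, amounts and
    currencies, as the text recommends."""
    days = [start + timedelta(days=d) for d in range(7)]
    hours = [3, 12, 23]
    products = ["wire", "card", "cash"]
    cases = []
    for day, hour, prod, cur in product(days, hours, products, THRESHOLDS):
        for factor in (1.0, 1.5):           # exactly at threshold, and above it
            amount = THRESHOLDS[cur] * factor
            cases.append(Transaction(amount, cur, prod, day.replace(hour=hour)))
    return cases


def find_blind_spots(monitor: Callable[[Transaction], bool],
                     cases: List[Transaction]) -> List[Transaction]:
    """Every must-flag case that the monitor failed to flag."""
    return [tx for tx in cases if not monitor(tx)]


def summarise(missed: List[Transaction]) -> Dict[Tuple[str, int, str], int]:
    """Group misses by (weekday, hour, product) so the pattern is visible."""
    counts: Dict[Tuple[str, int, str], int] = {}
    for tx in missed:
        key = (tx.booked_at.strftime("%a"), tx.booked_at.hour, tx.product)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    cases = coverage_cases()
    # The bare rule passes every case ...
    assert not find_blind_spots(high_value_rule, cases)
    # ... but the deployed system around it does not.
    missed = find_blind_spots(scheduled_monitor, cases)
    print(f"{len(missed)} of {len(cases)} must-flag cases were never flagged")
    for key, n in sorted(summarise(missed).items()):
        print(key, n)
```

The sweep is deliberately exhaustive over the dimensions the rule names rather than sampled: a blind spot that only exists for one hour of one product on one weekday is exactly what random sampling tends to miss, and the grouped summary is what a reviewer needs to recognise it as a scheduling gap rather than a rule defect. Rerunning the same sweep at intervals, as the text suggests, catches later system changes that quietly reopen such a gap.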

107. Be sure that the algorithms are appropriate and effective

Testing the system also means testing at specified intervals to
assess whether the applied algorithms are appropriate and effective.
There are three types of notifications that the system can display.
These are:

• True Positive – the algorithm flags a transaction or activity that is suspicious

• False Positive – the algorithm flags a transaction or activity that is not suspicious and does not turn out to be

• False Negative – the algorithm does not flag a transaction or activity, although it is suspicious

There is also the concept of true negative, where the algorithm does not flag a transaction or activity, and there is no actual suspicion either.

Financial institutions must continually analyse transactions and activities that are flagged by the algorithms to achieve appropriate
balance and effectiveness. This should be done even if the system
seems to be efficient and it does not produce 90% false positives as
was described previously. The analysis includes an assessment of
the amount of different types of reports generated. If the system has
pre-defined scenarios, the review should be made scenario-by-
scenario. Through this exercise, the financial institution must capture
the algorithms that produce false positives and try to reduce them. It
must also learn its weak spots to eliminate false negatives. In the case of a false positive, the system at least allows suspicious transactions and activities to be found, while in the case of a false negative, the system has essentially failed, and the suspicious activity will most likely never be detected. Undoubtedly, there are always
compensatory systems in place in AML/CFT systems and controls,
such as customer due diligence updating and portfolio-wide analyses.
However, even these can miss a suspicious event and may not be
useful for the financial intelligence unit and law enforcement authority.
Financial institutions must, therefore, eliminate, as far as possible,
false negatives from occurring and false positives from piling up.

It is also necessary to continually assess whether, for example, a risk assessment or other measure (portfolio-wide analyses) points to
risks or situations that the algorithm has failed to identify, and to take
action to improve the system in this respect. Situations should also be
assessed where employees have provided the MLRO with
information about a suspicious transaction or activity, but which could
also be or should have been flagged by the algorithm. In this way, the
MLRO must have a constant overview of the algorithms and must
always consider whether the automated ongoing monitoring solution
should be capable of flagging a particular transaction or activity itself.
Testing the appropriateness and effectiveness of a system can also
be reverse-engineered to corroborate the content of the risk
assessment. True positives might show areas the financial institutions
have overlooked.

In conclusion, we recommend looking at the statistics of reports at shorter intervals, including how many events turned out to be
suspicious, how many did not and how many were reported to the
financial intelligence unit. After testing appropriateness and
effectiveness, financial institutions must be able to easily and quickly
add new algorithms or change existing algorithms. This should not be
an area of development that stands for ages in the queue for the IT
department. When purchasing such a service from third parties, it
must be possible to add or adjust like this in the system they offer. If a
financial institution changes its ongoing monitoring algorithms, it
should also consider whether the new algorithms could or should be
applied to past transactions and customers. We recommend following
this practice if the new algorithm focuses on identifying patterns of
transactions, and the new algorithm is smarter than the previous one.
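The scenario-by-scenario review described in this rule, and the false-positive problem raised in rule 104, as an added example that is not code from the book: analyst dispositions of one period's alerts are counted per pre-defined scenario, together with known false negatives (events that reached the MLRO through employees, portfolio-wide analysis or feedback and that a scenario should have caught), so that scenarios piling up false positives or missing real cases are listed for adjustment. The alert records, scenario names, disposition labels and the 90% tuning threshold are all constructed.

```python
"""Scenario-by-scenario effectiveness statistics for an ongoing-monitoring
system. Added example: not code from the book. The alert records, scenario
names, disposition labels and the review threshold are all constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    alert_id: str
    scenario: str        # the pre-defined scenario that raised the alert
    disposition: str     # "TP" or "FP" after the analyst's review
    reported: bool       # whether it was sent to the financial intelligence unit


@dataclass(frozen=True)
class KnownMiss:
    """A suspicious event found outside the system (employee escalation to the
    MLRO, portfolio-wide analysis, supervisor or FIU feedback) that the named
    scenario should have flagged: a false negative for that scenario."""
    case_id: str
    scenario: str


@dataclass
class ScenarioStats:
    alerts: int = 0
    true_positives: int = 0
    false_positives: int = 0
    reported: int = 0
    false_negatives: int = 0

    @property
    def false_positive_rate(self) -> float:
        return self.false_positives / self.alerts if self.alerts else 0.0


def scenario_statistics(alerts: List[Alert],
                        misses: List[KnownMiss]) -> Dict[str, ScenarioStats]:
    """Count TP, FP, FIU reports and known FN for every scenario in one period."""
    stats: Dict[str, ScenarioStats] = defaultdict(ScenarioStats)
    for a in alerts:
        s = stats[a.scenario]
        s.alerts += 1
        if a.disposition == "TP":
            s.true_positives += 1
        elif a.disposition == "FP":
            s.false_positives += 1
        else:
            raise ValueError(f"unknown disposition {a.disposition!r}")
        if a.reported:
            s.reported += 1
    for m in misses:
        stats[m.scenario].false_negatives += 1
    return dict(stats)


def scenarios_to_tune(stats: Dict[str, ScenarioStats],
                      max_fp_rate: float = 0.9) -> List[str]:
    """Scenarios whose false positives pile up beyond the (constructed)
    tolerable rate, or that have any known false negative at all: both need
    the algorithm to be adjusted, the second more urgently."""
    return sorted(name for name, s in stats.items()
                  if s.false_positive_rate > max_fp_rate or s.false_negatives)


def _make(scenario: str, n_tp: int, n_fp: int, n_reported: int) -> List[Alert]:
    """Build constructed alerts for one scenario."""
    tps = [Alert(f"{scenario}-tp{i}", scenario, "TP", i < n_reported)
           for i in range(n_tp)]
    fps = [Alert(f"{scenario}-fp{i}", scenario, "FP", False)
           for i in range(n_fp)]
    return tps + fps


# Constructed sample for one review period (hypothetical scenario names).
SAMPLE_ALERTS = (_make("structuring", 2, 8, 2)
                 + _make("dormant_reactivation", 1, 19, 1)
                 + _make("rapid_movement", 4, 1, 3))
SAMPLE_MISSES = [KnownMiss("mlro-escalation-017", "rapid_movement")]


if __name__ == "__main__":
    stats = scenario_statistics(SAMPLE_ALERTS, SAMPLE_MISSES)
    print(f"{'scenario':22} alerts  TP  FP  FP-rate  reported  known-FN")
    for name, s in sorted(stats.items()):
        print(f"{name:22} {s.alerts:6} {s.true_positives:3} {s.false_positives:3}"
              f" {s.false_positive_rate:8.2f} {s.reported:9} {s.false_negatives:9}")
    print("needs tuning:", scenarios_to_tune(stats))
```

Known false negatives cannot be counted from the alert queue, which is why they enter as a separate, manually maintained list; a scenario with a perfectly acceptable false-positive rate still appears in the tuning list if even one real case reached the MLRO by another route, matching the text's point that a false negative is the more serious failure. Running the same statistics per period makes the "shorter intervals" review a repeatable exercise rather than a one-off.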

X. Employee training

108. Define your yearly training plan

A good practice is to systematically prepare a training plan, while
taking into account the development needs of different functions,
units and employees. Poor training practices are born of emotion. They
are built to train single individuals and about topics that are more or
less random. A sound training plan helps to ensure that employees
are better prepared for their training. At the same time, it has room for
flexibility as new themes and typologies emerge. Do not be afraid to
gather all or part of your team at little notice to deal with issues that
have suddenly appeared.

109. The CEO is at the same time the giver and the taker

Let’s picture a large bank where people from different countries
and cultures work and where people have different ethical values, not
to mention motives. What is the likely outcome if this entity is allowed
to follow its path without clear company values being defined and
their application systematically supervised? A likely consequence, at
least in the AML/CFT area, is a very high vulnerability to money
laundering and terrorist financing risks. The lack of a common culture
in an organisation is the biggest source of risk, and it makes a
difference to have one. The creation of a common culture must take
precedence over any applicable system and control. We have already
addressed the inevitable role of the CEO as the carrier of a
compliance culture. This role also means that the CEO must take part
in training those ethical values and, more specifically, in implementing
the AML/CFT training programmes. The role and privilege of the CEO
at the same time is to be the trainee and trainer. When was the last
time you saw the CEO standing in front of their staff and training them
or at least introducing that day’s AML/CFT training topics? Training in
the field of ethics should be visible in the CEO’s calendar.

110. Business ethics frame AML/CFT controls

It is not just money laundering that threatens the bank's payment
channels, but also other dirty money that has been fraudulently taken
from crime victims – theft, robbery, investment fraud, etc. These are
ordinary crimes that until the money is transferred to the criminal's
bank account, do not necessarily have any connection to money
laundering or terrorist financing. In the public debate, we continually
hear bank customers questioning why AML/CFT systems and
controls did not capture a criminal act (e.g. investment fraud) and
allowed it to go through, and why the bank did not warn the victim. It
would be somewhat inappropriate for a financial institution to explain
then that these systems and controls are designed for other
purposes. This example clearly illustrates the expectation the public
has towards AML/CFT systems and controls and that the legal
concept of money laundering and terrorist financing does not
necessarily prevail in these situations. In this book, too, we have
repeatedly argued for the need for a financial institution to take a
much broader view on aspects that concern questions of public
ethics, and for the urgent need to put the appropriate systems and
controls at its disposal. The vast majority of financial institutions have
reported significant losses in internationally known money laundering
cases, which are often not money laundering cases in the legal sense
at all and which have not reached the courts and may never do so.
AML/CFT is bound to complex ethical values more than ever before
and more than any other aspects in the field of finance. This is why
employees should be trained in ethical values, and significant efforts
must be in place to prepare employees for this battle in the given
environment.

111. Train employees where they are


Employees deserve proper training. To do this, look for content
that is of high quality and adds value to your employees. Train them
where they are. When the employer regularly takes steps to educate
its staff, then it is motivating for employees and is highly ranked
alongside other motivators. No AML/CFT requirement or expertise
should be excluded from the need for training. However, not all of
them can be stacked in one course or session. It makes sense to
divide training into different categories. One of the goals of training is
that employees have a better understanding of their responsibility in
the organisation and their place in the bigger picture of the fight
against money laundering and terrorist financing. Make the employee
feel that his or her work is meaningful, which in turn is one of the
biggest motivators in the work environment. Otherwise, there is a
high risk that they will leave the office. Training should cover at least
the following areas:

• Ethical values

• Results of the risk assessment, especially inherent risks and the most likely ways it could be used for money laundering, terrorist financing or the circumvention of financial sanctions

• Risk appetite
• Due diligence measures that are to be applied when
establishing a business relationship

• Requirements for the application of ongoing due diligence and ongoing monitoring and screening

• How to recognise suspicious or unusual transactions and activities

• How and when to notify the MLRO or the financial intelligence unit

• Data quality requirements

• Record-keeping requirements
• Communication with customers, including fulfilment of the
obligation to provide proper explanations

112. Training should provide new skills


It is not the rules of procedures that guarantee the proper
behaviour of employees, but rather training that often explains the
expectations written in them. Often, training is solely based on a
retelling of the content of the rules of procedures or statutory laws
and guidance. As a supervisor, we always ask for the training
materials, and we often see situations where one slide chases the
next, quoting the rules of procedures, supervisory guidelines or
applicable laws. However, by doing so, the trainer will most likely lose
the audience and you know then that it was a poor training session.
The trainer should focus on the principles of conduct and activities
that have led to the rules of procedures. It should pass on the
professional skills that are needed to apply them. The consequence
of an employee's failure to comply, or negligence in enforcing the
AML/CFT obligations, including possible criminal and civil liability,
must be clearly explained. The employee should not be satisfied with
everything the employer offers, especially when it comes to poor
quality training. Each employee should ask for the training they are
entitled to, and that at the least covers their everyday tasks. The
employee should provide honest feedback if the training was
insufficient or poor quality. Ultimately, the employee is also liable if the
work is not done correctly, and as a result, a risk materialises with the
financial institution being used for criminal purposes. Training should
be conducted according to the principle that by the end of the training
day, the trainer is ready to trust any employee doing their work.

113. Employees are not trained to satisfy the supervisor’s expectations

Training is provided for the employee and in the interests of the
financial institution. The training requirements are indeed reflected in
financial sector regulations, and financial supervision also supervises
their implementation. Different e-learning solutions are often used to
provide all employees with training, as this allows them to provide
reasonable evidence of compliance at a later stage. E-learning
certainly has its advantages in terms of managing the training task,
but for AML/CFT, we are somewhat sceptical about e-learning. The
AML/CFT field deals with ethical values and the dilemmas that arise
from them. There is often no "yes" or "no" answer to deal with all
situations requiring action. Even similar cases are often managed
differently. The due diligence obligation that a financial institution
undertakes is often not unambiguously measurable. It requires a
great deal of consideration. It is challenging to achieve such skills and
experience with e-learning. Monotonous e-learning does not help
employees progress. All effort should be made to make the training
interactive so that employees can argue about the dilemma(s). Group
tasks should be considered to contribute to the integrity and common
foundation of the AML/CFT system.

114. Follow the training discipline


While a financial institution could have a systematic approach to
establishing a training plan, weaknesses often arise in its
implementation. The most severe consequence of this is weak
participatory discipline, which is often excused on the basis of day-to-
day running tasks; excuses are made due to things that need to be
done that are supposedly more important than training in that very
moment. Moreover, every training session always has someone who
thinks they are smarter than the trainer, and wants to display their
power. This is especially common in situations where the senior
management is being trained. It is wise to establish clear rules of
conduct before each training programme. During that, the trainer
could explain that first there will be a presentation and later time for
questions, as well as when and how mobile phones and tablets could
be used. It also means that the interferer is called to order if
necessary. Employees could also be disciplined to participate by a
“healthy” fear of a test. The senior management, however, holds the
most significant responsibility in ensuring that values and discipline
are prioritised. Their job is to make clear that without proper training
and professionalism, an employee will not be able to manage the
risks of money laundering and terrorist financing effectively.

XI. Cooperation with the financial supervisory authority

115. AML/CFT supervision is founded on trust

Financial institutions and financial supervisors both face a difficult
task in the fight against money laundering and terrorist financing.
They operate in a very sensitive area. Such a situation presupposes
trustworthy communication between the financial institution and the
supervisory authority. Even the slightest crack in this fragile world can
have severe consequences for the relationship of trust. For the
financial institution, the supervisor is inevitably in a position to stay, so
it makes sense to take a pragmatic approach. If a financial institution
is transparent, honest and dignified, the supervisor can be
understanding when there is a need for extra time. Good relations
ensure a more direct dialogue, which makes it possible to prevent
shortcomings and leads to better results.

116. Choose appropriate language


Think for a moment about a situation where the police stop you
because you were speeding. Although you are sure that you did not
exceed the speed limit, you will not get out of the car and knock the
police officer off his feet because he or she stopped you for no
reason. What do you think is the probability that a police officer will
then get up, wipe the dust off his clothes, apologise for the
inconvenience and sit back in his or her car? The probability is quite
low. However, the likelihood that the police officer can find additional
violations, if there are any, is, at the same time, extremely likely. The
behaviour itself gives this reason and shows that not everything can
be in the best order. It is not an abuse of power, but instead sensing
indications of improper behaviour, unwillingness and otherwise high
risk. Also, during or after inspections, it is bad practice for the
financial institution to play the wise-guy and show themselves to be
smarter than someone else in the same room. It does not help the
financial institution, but instead creates unnecessary new tensions
and does not show a relationship of trust and transparency.

We have also heard from other supervisors and seen ourselves rather passionate objections from financial institutions. It usually
becomes clear later that these fiery financial institutions are, as a
rule, the ones who have provided knowingly or unknowingly a conduit
for money laundering or terrorist financing. However, one might ask,
what is the expected outcome of such communication from the point of
view of the financial institution or its senior management? Instead of
that, where necessary, the management has to educate and support
its employees on how to maintain proper regulatory language and
dynamic dialogue, how to communicate with supervisors, but also
with other stakeholders. The success of a financial institution
depends on this.

117. Swords can be avoided


Too fiery dissenting opinions made and signed by a financial
institution could be sometimes interpreted by the supervisor as a
declaration of war. Instead, look first for common ground with the
supervisor, focus your energy on finding solutions that satisfy both
parties, and show in that way that the supervisor's comments are
being taken seriously. Financial institutions, but also supervisors,
generally do not have the luxury of enjoying a public collision that
lasts several years and is about the soundness of its AML/CFT
systems and controls, especially if it is in front of depositors, investors
and correspondent banks. A dissenting opinion is undoubtedly a legal
right and is part of good administrative practice but consider other
options carefully first. Common ground can always be found so that
swords can be avoided. This will ultimately lead to a better result. And
vice versa, supervisors should listen carefully to financial institutions
when they propose methodologies to achieve a better outcome.

118. Do not hide


Do not try to tactically find ways to withhold information. Any
deceitful behaviour is usually seen and always condemned. These
deplorable actions can, in practice, take place in many different
forms. The worst, of course, is direct concealment, but concealment
may also be in the form of downplaying the risk. These actions could
also include examples where actual system failures are being
formulated in official documents through an employee’s personal
opinion, so it would not look like a genuine finding. Another is where
results are left in draft form so it could be seen as a working
document rather than an actual discovery.

The worst thing a financial institution can do is to give the supervisor the impression that it has provided all the information,
even though in reality it knows, or will find out later, that what was
presented is incorrect or incomplete. In any case, any information
submitted to the supervisory authority, which is in fact incorrect or
which subsequently proves to be false, must always be corrected.
The supervisor should not be left guessing; instead, it should always
be able to rely on the information it is sent.

When communicating, do not underestimate the possibility that someone from your institution or outside has blown a whistle. It is a
fact that larger money laundering cases have often emerged based
on leaked facts or documents, including account statements, in-
house reports or something else showing a financial institution’s
vulnerability. Always assume that the supervisor may already be one
step ahead and often knows more about you and your customer base
than you know. Frequently, supervisors have much more information
than you might think they do and are already looking for ways to
qualify your actions and manage this unacceptable risk to the
financial market. Even if the supervisor does not yet know, it will get
there sooner or later because falsities and secrets always come out.
The above can also be summarised with the advice – do not commit
a crime.

119. If you doubt whether to notify, then do it


If you are asking yourself whether you should report something to
the supervisor or if the law covers that kind of report, you can be
100% certain that you need to notify the supervisor. This principle
especially applies to cases where the financial institution is weighing
up whether to send an internal audit or other internal and external
reports identifying critical weaknesses in the AML/CFT systems and
controls to the supervisor on its own initiative. Financial institutions
that fail to report or do not disclose facts that should be reported may
impede financial supervision and pose significant risks to the financial
system. Failure to report does not allow the supervisor to respond
appropriately to the identified risks, which may also make it possible
for criminals to exploit the financial system. Financial supervision and
the resulting assessments are primarily based on regular reporting
and responses to ad hoc inquiries. This is why the submission of
incorrect data or risk overviews can have serious consequences not
only to the financial institution, but also for financial stability in
general.

120. The supervised entity is the subject of supervision

The supervised entity should keep in mind that the outcome of
every supervisory proceeding is a verdict about the financial
institution and not about the supervisor. This is a fundamental
principle that is sometimes forgotten and missed by the supervised
entity. It is in the interests of the financial institution that the outcome
of the inspection fully reflects the positive activities and that the result
is as accurate as possible. Supervisory proceedings can vary widely.
There can be on-site inspections or off-site inspections, these in turn
can be divided into regular and ad hoc inspections. The supervisor
may also use a combination of these; one may lead to another, and
so on. It is the financial institution’s responsibility to ensure that the
supervisor has all the necessary information to make an accurate
assessment. If you have doubts about the answers or if the
presentation or scope of the supervisor's questions are widely
interpreted, then answer more comprehensively. In general, financial
institutions themselves must be active in any AML/CFT supervisory
action; for example, in providing overviews on aspects that the
supervisor has not asked for, but which, in their opinion shows the
efficient work of the AML/CFT systems and controls.

121. Questions are there to be answered


Once a cooperative attitude is in place, follow the questions asked
during inspections. One of the most unprofessional practices in
correspondence with the supervisor is trying to outsmart the
supervisor. Trying to outsmart with responses like "You did not ask
that," is a dreadful way for a financial institution to respond when it
can see that its responses could be misinterpreted or its systems
misjudged.

Moreover, it is one thing to give the best possible explanation to the general questions on the AML/CFT framework, but do not miss
the specific questions that are often more important in the grand
scheme of things. Try to understand in the best possible way the
scope of the supervisory proceedings and their methodology. If
necessary, ask the supervisor to specify the scope of the topic or
inspection. This will guarantee that facts and documents submitted
during inspections are in line with the purpose of the supervisory
inspection. The scope of the inspection may emerge from the
inspection order, or its basis may have been previously clarified by
the supervisory authority, or perhaps through its training. If necessary,
ask the supervisor for some additional clarification. In regard to the
supervisory methodologies, supervisors usually do not disclose
these, but they can often be sensed from the scope of the inspection
and the questions asked. Ensure that the supervisor's questions are
answered during the inspection. Do not underestimate the team-
building phase before the on-site inspection. All the necessary staff
and historical memory should be presented in the preparation of any
responses or when an overview of applicable rules and practices is
given. It makes sense to appoint a team leader for this project who
will organise everything and coordinate the response so that nothing
falls between the cracks.

122. Take every supervisory action seriously


Previously we debated how to technically address supervisory
questions during inspections. However, the management must also
stress the importance of these proceedings. As direct as it might
sound, financial institutions have a bigger role in avoiding any
disparity in understandings or any omissions during on-site
inspections. Remember, the initial findings are formulated already
during the on-site inspection as the findings are based on information
that is made available to the supervisor. Later, when the draft report is
written, it is challenging to reverse the supervisor's assessments, let
alone when such a discussion enters the final phases of the
inspection.

It is a fairly common practice for the management to enter the “game” only when things have already gotten out of hand and the
exchange of arguments has become intense. The management
should actually get involved from the outset, as this is an opportunity
to assess the company's compliance and show its presence as in any
other business line. The involvement of the senior management is
particularly important when day-to-day compliance decisions are
being made and brought to them. In this case, it is the management
that has the best understanding of the systems and controls of the
entire financial institution as well as first-hand knowledge of all the
decisions and choices made previously. All inspections should be
taken seriously at the senior management level. It does not matter
whether it is a full or thematic (targeted) inspection. The results of
these inspections will trigger additional investigations and are the
basis for any sanctioning decision. Identified weaknesses in a
financial institution’s AML/CFT systems and controls, even if they are
small in nature or are found during a thematic inspection, can
become crucial evidence in later civil, administrative and criminal
cases and will later be re-used by supervisors again and again.

123. Every supervisory action ends with remediation and alignment

Remember, financial supervision is continuous. Past inspection
and audit reports, as well as past findings and allegations, are often
dusted off and reassessed. The question will be whether the financial
institution has made the necessary improvements to its systems and
controls in the light of past observations. If such a review process is
being conducted under the spotlight of the media, then failures to
remediate previous breaches will draw even more negative coverage
by the media and is more likely to give rise to potential claims by
shareholders.

In internationally known sanctioning cases, we increasingly see shortcomings in financial institutions that go way into the past. They
have been identified in previous inspections, but also by internal and
external audits or compliance controls. When they re-appear, it is
very difficult for the financial institution to prove later that it is not a
recurring issue and that it has previously resolved it. In these cases, it
is also improbable that the supervisor’s decision during the
sanctioning process will be lenient on this point.

Therefore, ensure that all findings made by the supervisors, as well as during different internal and external audits, are addressed. It
does not matter whether the supervisor has adopted some form of
remediation based on these findings or not. If the supervisor does not
decide to sanction on the basis of its failings, this does not invalidate
the assessments made. They may be raised again in subsequent
cases. Usually, previous findings are corroborated during subsequent
inspections, and any failings in remediation may become decisive in
the supervisor’s assessment, including when deciding about the
senior management’s suitability. Ensure that any remediation can be
followed from the written decision and is clearly noticeable. Present
the changes to the supervisory authority, even if these are not
requested.

124. Ask for feedback


Providing feedback is not just the responsibility of the financial
intelligence unit. If possible, also ask for feedback on the quality of
the data and information provided during financial supervision. This is
especially relevant in situations where a supervisor conducts market-
wide off-site inspections or evaluates the financial institution’s
systems and controls through desk-based exercises. At the same
time, it is necessary to recognise where it is not appropriate to ask for
feedback. For example, it is not appropriate to ask for immediate
feedback on each supervisory activity, as this may appear to the
supervisor to be excessively "defensive" behaviour on the part of the
financial institution and may indicate there is something to hide.
Financial supervisors often avoid over-assisting and managing risks
for a financial institution. In those cases, they distance themselves in
order not to unduly lessen the financial institution's compliance
obligation and ultimately weaken it. In larger jurisdictions, given the
number of market participants, it is also not physically possible to
implement such day-to-day communication.

XII. Cooperation with the financial intelligence unit

125. File reports about suspicious transactions, including attempts at them

It is a common expectation that financial institutions file a report to
the financial intelligence unit and notify them in the following
circumstances:

• Unusual Transaction Report (UTR) or Unusual Activity Report (UAR) – Indicators show that a transaction or activity is unusual, but there is no clear suspicion, knowledge or indications that the proceeds of crime are being laundered, terrorists being financed or financial sanctions circumvented

• Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) – A financial institution suspects, knows or has indications that money laundering or related crimes have been committed. A sub-category here also includes situations where a financial institution does not commence with a business relationship or transaction or decides to terminate a business relationship because it has failed to comply with relevant customer due diligence obligations

• Terrorist Financing Report (TFR) – A financial institution suspects or knows or has indications of terrorist financing or related crimes

• International Sanctions Report (ISR) – A financial institution suspects or knows or has indications of a breach of an international financial sanction

• Cash Transaction Report (CTR) – It is pre-defined by local law that any cash transaction(s) that exceeds a certain threshold must be reported

• Any of the above transactions or activities are attempted

126. A suspicious transaction or activity report
does not always mean suspicion of money laundering
The world of financial institutions and financial intelligence units
operates primarily with the abbreviations UTR, UAR, STR, SAR,
TFR, ISR and CTR. However, what financial institutions understand
by those terms matters far more, and the international standards
may in fact not provide the best answer. According to
Recommendation 20 of the FATF Standards[8], "[i]f a financial
institution suspects or has reasonable grounds to suspect that funds
are the proceeds of a criminal activity, or are related to terrorist
financing, it should /…/ report promptly its suspicions to the financial
intelligence unit." The precondition is therefore that there is a
suspicion of a predicate crime or terrorist financing.

In the period from April 2018 to March 2019, for example,
reporting entities in the United Kingdom made approximately 478,000
suspicious activity reports.[9] It is unlikely that every one of those
reports contained a suspicious event or that the proceeds were from
criminal activity or linked to terrorist financing. And if they did not
describe such a suspicious event, were they then defensive reports?
In 99% of cases, financial institutions are not in a position to
confidently assert or even suspect that the proceeds originate from
criminal activity or are related to terrorist financing.

The current system is far from sustainable if the volume of
suspicious reports has reached millions and is still growing. Of those
reports, however, only a tiny part is usable in criminal investigations.
Let’s imagine hypothetically what the result would be if the public sent
a million reports of suspected fraud to the police. Would it bring more
or fewer fraudsters to justice? There is a real danger that it would
bring fewer, the expected consequence of such an overload, because
the authorities would be unlikely to reach the real cases under the
burden.

The whole notification system has certainly gone beyond its
original purpose. It seems as though the obligated entities are really
expected to send a report if they have any doubt. They are also
expected to report abnormal deviations from a customer’s behaviour.
The contents of the reports may not indicate any connection to
money laundering or terrorist financing. It may be related to another
crime, if anything at all. For these reasons, the current notification
system generates a great deal of inefficiency. As we described above,
the basis for inefficiency is the legacy ongoing monitoring solutions
that are not built to find suspicious activities. In the changed
circumstances, the current system as a whole should be re-
evaluated, and more effective solutions should be sought. The
objectives of this reporting system and the specifications of reporting
should be defined from scratch.

127. Before reporting, make a comprehensive analysis
It is likely that in the future, both supervisors and financial
intelligence units will pay more attention to the quality of reports.
Given that the focus in the future will be even more on profiling the
customer and identifying anomalies in its activities, the thoroughness
of the financial institution's analysis that precedes the notification will
also be of great importance. It can be argued that future notifications
that do not thoroughly describe the content of the suspicion and only
provide data collected during the due diligence measures or just the
entire account statement will never again be tolerable. It is highly
likely that reports that do not follow this approach will be regarded as
defensive reports and sanctioned accordingly. Therefore, it is
becoming increasingly important for financial institutions themselves
to analyse the situation and make an informed decision whether to
report it to the financial intelligence unit. Of course, all this cannot be
put on the shoulders of financial institutions. This will require a
transformation of today’s approaches and a much more significant
role for financial intelligence units to quickly react to defensive reports
as well as to those reports that are of bad quality. Higher quality
reports also mean significantly better input for the state to identify
criminal activity.

128. Define reporting rules
The reporting obligation cannot be applied randomly. Financial
institutions need to define situations where reporting is always
mandatory or where further analysis is necessary. In the absence of
such rules, it is challenging for a financial institution to justify at a later
stage why the choice was made to report or not to report, or why an
analysis of the situation was not commenced or was terminated. It is
therefore essential to digitalise all respective workflows to show how
information was exchanged and handled in-house and who made
which decisions. The consequence will be more difficult for a financial
institution that is not able to demonstrate its actions if a money
laundering case materialises compared to an institution that has done
a thorough analysis and can provide the background to its judgement.
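As an added illustration (not code from the book or its authors) of the report categories in rule 125 and the pre-defined, auditable decision rules of rule 128, the following Python helper applies fixed reporting rules to an event and records who decided what, with the rationale; the indicator names, the cash threshold and the sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class ReportType(Enum):
    """Report categories from rule 125 (UAR/SAR are the activity variants)."""
    UTR = "Unusual Transaction/Activity Report"
    STR = "Suspicious Transaction/Activity Report"
    TFR = "Terrorist Financing Report"
    ISR = "International Sanctions Report"
    CTR = "Cash Transaction Report"


# Constructed assumption: the cash threshold is set by local law and differs
# between countries; 10,000 is a placeholder, not a value from the book.
CTR_THRESHOLD = 10_000


@dataclass
class Event:
    event_id: str
    amount: float
    currency: str = "EUR"
    is_cash: bool = False
    attempted: bool = False        # transaction/relationship not carried out
    sanctions_hit: bool = False    # confirmed match against a sanctions list
    tf_indicators: bool = False    # indications of terrorist financing
    suspicion_grounds: str = ""    # documented reasonable grounds (STR/SAR)
    cdd_failed: bool = False       # relationship refused/ended, CDD incomplete
    unusual_indicators: list = field(default_factory=list)


@dataclass
class Decision:
    event_id: str
    reports: list          # list of ReportType, empty when nothing is filed
    attempted: bool
    rationale: str
    decided_by: str
    decided_at: str


def classify(ev: Event) -> tuple:
    """Apply the pre-defined reporting rules and return (reports, rationale).

    The rationale lists the rules that fired, so the institution can later
    justify why it reported, or did not report, this event (rule 128).
    """
    reports, reasons = [], []
    if ev.sanctions_hit:
        reports.append(ReportType.ISR)
        reasons.append("confirmed match against a financial sanctions list")
    if ev.tf_indicators:
        reports.append(ReportType.TFR)
        reasons.append("indications of terrorist financing")
    if ev.suspicion_grounds or ev.cdd_failed:
        # Suspicion (or a CDD failure) outranks mere unusualness: STR, not UTR.
        reports.append(ReportType.STR)
        reasons.append(ev.suspicion_grounds or
                       "business relationship refused/terminated: CDD not completed")
    elif ev.unusual_indicators:
        reports.append(ReportType.UTR)
        reasons.append("unusual, no suspicion: " + ", ".join(ev.unusual_indicators))
    if ev.is_cash and ev.amount >= CTR_THRESHOLD:
        reports.append(ReportType.CTR)
        reasons.append(f"cash at or above the {CTR_THRESHOLD} {ev.currency} threshold")
    if ev.attempted and reports:
        reasons.append("transaction was only attempted; attempts are reportable too")
    if not reports:
        reasons.append("no reporting rule fired; no analysis was opened")
    return reports, "; ".join(reasons)


class DecisionLog:
    """Append-only trail of who decided what and when (rule 128)."""

    def __init__(self):
        self.entries = []

    def record(self, ev: Event, analyst: str) -> Decision:
        reports, rationale = classify(ev)
        d = Decision(ev.event_id, reports, ev.attempted, rationale, analyst,
                     datetime.now(timezone.utc).isoformat(timespec="seconds"))
        self.entries.append(d)
        return d

    def filed(self, report_type: ReportType) -> list:
        """Event ids for which a given report type was filed."""
        return [d.event_id for d in self.entries if report_type in d.reports]


# Constructed sample events for a stand-alone run.
SAMPLE_EVENTS = [
    Event("E1", 12_500, is_cash=True),
    Event("E2", 3_000, unusual_indicators=["round-amount transfers",
                                           "new counterparty jurisdiction"]),
    Event("E3", 45_000, attempted=True,
          suspicion_grounds="funds traced to a known fraud scheme"),
    Event("E4", 800, sanctions_hit=True),
    Event("E5", 500),
]

if __name__ == "__main__":
    log = DecisionLog()
    for ev in SAMPLE_EVENTS:
        d = log.record(ev, analyst="analyst-01")
        names = [r.name for r in d.reports] or ["none"]
        print(f"{d.event_id}: {names} ({d.rationale}) by {d.decided_by}")
```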

129. Ask for feedback on the quality of the reporting
It is the responsibility of financial intelligence units to provide
feedback to financial institutions on the quality of the reports made.
This will help financial institutions to improve the quality of the
information they provide. On the other hand, it also provides meaning
to the work of the employees involved if they know that their activities
provide more concrete and precise results. Feedback can also be
used to protect the institution. It is a common practice to conduct a
root-cause analysis later when a money laundering case materialises
and to assess whether a financial institution has diligently complied
with its reporting obligation. If a financial institution has had clear
instructions from the financial intelligence unit or the notifications
have always been made in good faith, it is also more likely that the
financial institution will not have to be liable, at least not in this
respect.
XIII. The role of the internal audit
130. The role of auditors is increasing
Today, where there are bigger failures in AML/CFT systems and
controls, the supervisory authorities mostly deal with the suitability of
senior management. Financial supervisors are also reviewing existing
solutions, looking for new methods that could provide better results.
The demand for more in-depth systems and controls in the future also
affects internal and external auditors. They are also part of the
safeguards in the system identifying weaknesses in a financial
institution's AML/CFT systems and controls so that the risk-mitigating
controls would not allow money laundering to occur. Sooner or later,
they will more often be held accountable for failures if they have not
applied proper diligence during their audits.

131. Every audit starts with an assessment of the risk environment
Auditors' activities must be more risk-based compared to what is
applied today. Auditors should take into account the size of the
financial institution and the nature, scale and level of complexity of its
activities and services, including the risk appetite and risks arising
from its activities. We have seen many situations where a financial
institution is exposed to a higher than average risk of money
laundering and terrorist financing. Still, the auditor carried out audits
only every few years. These audits were simplistic and not
commensurate with the risk. For example, the auditor simply inspected
whether data from paper materials had been entered into the systems
correctly. Instead, the audit should have covered the content of the due
diligence measures and included sample tests. The risk-based
approach covers both the frequency of audits, given the magnitude of
money laundering and terrorist financing risks, and in particular the
topics covered by the audits. Auditors often put greater emphasis on
whether the existing systems and controls work as per the
established rules. Unfortunately, they less often pose questions, as
they ought to, about the appropriateness of these systems and
controls, and therefore about the functioning and real effectiveness of
the AML/CFT organisation as a whole – aspects that have been
covered extensively in previous sections of this book.
XIV. It is not only about financial
institutions
132. Financial institutions have the right to strike
back
What is the reason why large amounts of dirty money still flow
through bank payment systems? Is this a sign of the failure of the
current AML/CFT system, or is the system fine and the banks and
supervisors should just show better results? AML/CFT is probably the
area of financial supervision with the greatest international dimension.
In many landmark money laundering cases, it is not only a single
country or bank that has been involved. The schemes have covered
numerous jurisdictions, not to mention countless legal persons and
arrangements that have been registered in multiple jurisdictions. In
larger cases, many supervisors or law enforcement authorities could
have had a chance to close these schemes down.

There is much debate about the weaknesses of financial
institutions and financial supervisors. The money laundering life-cycle
has many stages, from predicate offences to integration. In recent
cases, financial intelligence units and law enforcement authorities
have escaped very easily from being on the front pages and from
discussions in general. The public is keen on naming and shaming
financial institutions and their supervisors quickly. However, in those
scandalous money laundering schemes where supposedly billions
have been laundered there are too few questions about why the
perpetrators committing the predicate crimes, the (professional)
money launderers, those enabling the laundering and the managers
of the financial institutions are not indicted and convicted. But, it is
also fair for financial institutions to ask whether the financial
supervisors, acting in the public interest, have themselves taken
advantage of all the opportunities to find greater efficiency and
cooperation in international supervisory arrangements. There, too,
existing solutions have been partially exhausted, and new
approaches should be sought.

In the AML/CFT fight it is, therefore, the task of the public
authorities to encourage the search for and use of new solutions that
keep up with the criminals. If, on the one hand, financial institutions
are put under enormous pressure to deal with money laundering and
terrorist financing, the importance of cooperation in this fight cannot
be lost. Financial institutions have the moral right and justification to
challenge this current system, including the work of the competent
authorities.

133. Much more has to be uncovered from the “black box”
The vast amount of data at the disposal of banking today is like a
"black box". With today's technological capabilities this data should
provide marvellous and untapped opportunities for drawing out
patterns of normal and unusual behaviour. Today it is like a giant
warehouse with the most valuable goods which are never used. From
this massive amount of data, if we were to assume that most of it
indicates the normal behaviour of businesses and people, there is a
good chance we could also use it to identify and, more importantly,
learn about criminal behaviour and threats; that is, anomalies and
typologies that indicate unusual behaviour. It could even help us find
more effective AML/CFT solutions in general. Why not open the vast
banking data warehouses under certain conditions to RegTech
companies to provide the ideal innovation driver for AML/CFT
compliance methods. Looking into this “black box” could, for example,
for the above reasons provide the cure for the illness in the current
ongoing monitoring solutions. Much has not been discovered yet, and
the public stakeholders must once again play a more significant role
here in unravelling the “black boxes” of data.

134. AML/CFT needs a uniform and global understanding of risks
Internal reports and supervisor inspection reports for some banks
have revealed to the world the high risk of non-resident business
volumes. While transparency is a driver for change, the energy of the
public has only followed those historic numbers. The recent FinCEN
Files, which are just a tiny part of the suspicious activity reports sent
to a financial intelligence unit, show the potential magnitude of high-risk
banking. The competent authorities cannot afford the luxury of dwelling
only on history or working irregularly with only partial information. It
would be quite naive to think that these figures represent today or
represented yesterday a significant part of the world's high-risk
banking. This thinking comes from the fact that the AML/CFT system
does not hold such a risk outlook and works partly on gut feeling.

Sure, the European Commission's supranational risk assessment
is a valuable analysis of threats. However, internationally, and within
the European Union too, we need a proper analysis of the numerical
values to understand how relevant the threats actually are. The
central measurement of risks and central risk dashboards are not
unfamiliar to Europe. In the capital markets, for example, the
securities’ market supervisor has been working on this for years in
the field of capital market transparency. Banking supervision itself is
also aware of such an approach, but not in the AML/CFT field. Risks
in banking are instead seen in the areas such as asset quality,
solvency, credit and liquidity risk, among others.

If we require supervisors to carry out risk-based supervision, then
we should note that, globally, there is no appropriate wider money
laundering and terrorist financing risk outlook or methodology for
measuring risks in the present; in other words, for assessing actual
vulnerability in the form of inherent risk. The central analysis of risk
indicators is at least as critical to identifying money laundering and
terrorist financing channels as it is for banks to detect anomalies in
specific customer transactions: which jurisdictions provide the largest
volumes of particular products, to specific customers, through certain
delivery channels, whilst having a meaningful connection to certain
countries?

The cross-border approach should be the same as the national
approaches to risk assessments and how financial institutions assess
business risk. This understanding helps to set risk management
measures globally, but also within individual countries themselves. It
is impossible to model tomorrow’s weather, globally or locally, and
prepare for what is coming by just looking at today’s “temperature”
and “clouds” above a specific country. Instead a global picture of the
movement of different weather systems is the only way to predict
when and where disasters may occur. Today this approach is non-
existent in AML/CFT and global risk is modelled through risk
assessments of individual countries during the mutual evaluation
process. Such a shortcoming in the international AML/CFT system is
rather unexpected in 2020, as this area addresses values such as
crime prevention and advocacy for democracy.

Another layer of the vulnerability analysis is the assessment of
countermeasures in all jurisdictions in combination. The AML/CFT
world, similar to financial institutions, is running in all kinds of
directions and constantly creating new standards and expectations. It
seems as though we are trying to cover yet another bleed with a
bandage, without looking for the reason these bleeds keep occurring
and finding a cure for that. We should instead ask where in this fight is
the compliance function that has a helicopter view at the global level
and a root-cause analysis to understand why we are still failing to
effectively counter money laundering and terrorist financing. We, who
expect financial institutions and jurisdictions to have this capability,
are not applying it ourselves at the global level. We should therefore
take a step back and conduct a fully-fledged analysis of the reasons
we are failing. Are criminals one step ahead because the financial
institutions do not play their part, supervisors are unable to enforce
compliance, financial intelligence units or law enforcement authorities
are collapsing under the burden of cases, or some other factor? If we
only close the conduits of criminal money and sanction the private
sector for their failures in preventing money laundering and terrorist
financing, we will never reach our goal because criminals will
continuously find new routes. We should re-focus on our common
enemy – the perpetrators. The only way to get back into the game is
to have a uniform and global understanding of the risks and
vulnerabilities.
135. AML/CFT data needs to be centrally defined
The prerequisites for a central risk analysis include AML/CFT
information that is uniformly defined and the creation of reporting
systems that run on this information. In today's system, financial
institutions each define and collect the basic information for their
AML/CFT systems and controls following their own logic and
structure. There are no central AML/CFT data specifications that
would allow better measurements to be made in the system as a
whole. All of this could work as a single united system, instead of
today's separate systems where risks cannot be assessed because
the basic data is simply incomparable. If data is similarly defined
everywhere, this will also facilitate the exchange of information
between financial institutions. Otherwise, one speaks of apples and
the other of oranges.

136. The FATF Recommendation is the basis for initiating discussions
Knowing every sentence of the FATF Recommendations[10] and
the FATF Methodology[11] does not only mean that a financial
institution knows its responsibilities as they are assessed by local
supervisors or the FATF (or its regional bodies) during peer reviews. It
is also the best study material for a financial institution on how and in
what way the state should assist financial institutions in the fight
against money laundering and terrorist financing. We discussed
above asking for feedback from the financial intelligence unit,
but the state also has many other responsibilities.
For example, the state must:

• Ensure that a national risk assessment is carried out and that
its results are communicated to financial institutions (Immediate
Outcome 1 of the FATF Methodology). The financial institutions
do not only have the right to obtain an overview of the results of
a risk assessment, but also to have a high-quality risk
assessment document to provide the financial institution a
direction to help it carry out its own risk assessment. Therefore, a
financial institution has the right and should require of the state
such a high-quality risk assessment.

• Take actions to increase the compliance of financial institutions
(Immediate Outcome 3 of the FATF Methodology). Financial
institutions have the right to ask for written guidelines and
training, if these are missing or superficial. They may also ask the
supervisors to impose dissuasive sanctions and to publish the
sanction decisions so that others can learn from them.
Moreover, they may ask for on-site inspections to be carried out to
assess the systems and controls of the financial institution,
raising the question when there has been no inspection for a
more extended period. The latter also applies to situations where
supervision is not effective in specific sectors or is not conducted
in individual riskier institutions, despite there being significant
signs of weaknesses that could jeopardise the entire financial
system’s reputation. For example, it is known that many money
laundering cases in the world today used or are using trust and
company service providers located in financial centres to
establish companies or legal arrangements for criminal
purposes. Trust and company service providers especially in
financial centres should, therefore, provide a significant number
of reports to financial intelligence units. As an example, there is
one financial centre where within a single year trust and
company service providers made only around 25 reports. This
represented less than 0.1% of all notifications in that country. At
the same time there are several typologies and case examples
where legal entities and arrangements from this jurisdiction were
used in well-known schemes. Financial institutions can question
whether the supervision of these service providers is appropriate,
and whether this is an instance where financial institutions should
demand action from the state.

• Ensure the accuracy of beneficial ownership data, which should
be done through active monitoring, testing and verification
(Immediate Outcome 5 of the FATF Methodology). It is the right
of financial institutions to demand the fulfilment of this obligation
as they rest on the accuracy of the beneficial ownership data
during the application of customer due diligence measures.
Moreover, since state authorities, just like financial institutions,
must also be effective in their actions, financial institutions can
also call on the authorities to drop legacy systems and implement
sophisticated solutions to guarantee the correctness of the
beneficial ownership information they provide. If financial
institutions should implement state-of-the-art ongoing monitoring
solutions, then why shouldn’t the authorities themselves use
similar sophisticated monitoring solutions to detect deviations
and unusual patterns in beneficial ownership information or
unusually complex organisational solutions, which can then be
further investigated?

• Provide feedback on the quality of suspicious transaction and
activity reports (Immediate Outcome 6 of the FATF
Methodology). It is the right of financial institutions, as described
above, to request and receive feedback.

• Investigate money laundering and terrorist financing cases
(Immediate Outcomes 7 and 9 of the FATF Methodology) and
confiscate the proceeds of crime from criminals and terrorist
financiers (Immediate Outcomes 8 and 9 of the FATF
Methodology). The rights of financial institutions here are to
demand more extensive actions from the law enforcement
authorities. Combating money laundering and terrorist financing
is not only the task of financial institutions, or rather it could be
said that it is more the task of law enforcement agencies,
because they convict criminals and confiscate their assets. This
is where the fight against money laundering and terrorist
financing actually originates. The described obligation of the
state is especially the part where financial institutions should
react, as seemingly they have lately been left alone in this fight.

• Ensure that United Nations’ Security Council Resolutions on
terrorist financing and the proliferation of weapons of mass
destruction are immediately transposed, and that clear written
guidelines are provided to financial institutions, but also that
supervisors are active with their proceedings in this area
(Immediate Outcomes 10 and 11 of the FATF Methodology). The
rights of financial institutions here are to demand primarily the
same things that are covered under Immediate Outcome 3 but
are connected to United Nations’ Security Council Resolutions.
XV. AML/CFT crisis management
137. Prepare yourself for the risks to materialise
AML/CFT cases have had severe consequences for financial
institutions. After the scandal is revealed, shareholders of listed
companies have lost billions of euros in minutes, the wrong answers
by senior management have lost them their jobs, etc. An AML/CFT
case usually strikes a financial institution without warning, especially
in cases when potentially suspicious transactions are brought to light
by the media. At this point, it is very late to start drawing up a crisis
management plan. Think about crisis management during peacetime,
so that it can be implemented whenever a crisis hits, and so that the
crisis team can start working immediately in an organised way. This is
called the pre-crisis phase, in which the organisation can prepare itself
for a crisis and test its preparations against potential scenarios,
without the crisis itself having to occur.

Before the crisis, there is plenty of room to play through different
scenarios. Start with a crisis management plan. A crisis management
plan is a procedure that a financial institution can prepare in order to
think risks through, assess their impact and define responsible
parties. It also includes operational issues, such as the designated
crisis management team, communication (including pre-draft
messages), identifying stakeholders, training, etc. Based on our
supervisory experience, we highlight here one specific element of
AML/CFT. The crisis management training exercise especially helps
to test a financial institution's systems and controls beforehand, and
specifically how smoothly, quickly and accessibly the financial
institution’s own AML/CFT data can be retrieved in order to assess the
suspicions raised. This information is usually immediately requested by the
supervisor anyway. The crisis preparation exercise has significant
added value not only for crisis management, but especially for day-to-
day risk management.
138. Appoint a dedicated crisis management team
It is wise to think ahead about the crisis management team. It is
essential to create a team that can later be exclusively dedicated to
the crisis. This should include at least members from the senior
management, public relations, human resources, legal and
compliance staff, head of operations, AML/CFT experts and the call
centre. External experts can be involved if necessary. There is little
point in setting up a crisis management team if it is never tested or
trained during peacetime. During the crisis, the team should only
work on the case. Not surprisingly, improper crisis management could
do more damage than the seriousness of the situation itself. A small
mistake in risk management and attempts to cut costs can later lead
to significant losses. The responsibility vis-à-vis the shareholders and
depositors is enormous. The future of financial institution managers
and employees may even depend on their crisis management skills.
Recent money laundering scandals have shown how costly it can be
to deal with the consequences of what has happened and how long
the process can last, especially when the case is managed sloppily. It
can take years to restore the brand value.

139. Identify your stakeholders
The main goal of crisis management is to prevent further damage
to the business. All the stakeholders who may have an impact come
into play. List all the parties who have any connection and might
suffer because of the crisis. Customers, correspondent banks,
employees, supervisory authorities, and depending on the case, the
financial intelligence units and law enforcement authorities will also
be included. In the crisis management plan, think about how and
when each of them will become involved. It is too late to start
building solid relations during a crisis. The most severe and
immediate consequence that banks encounter in the event of a crisis
is the potential risk of a bank-run. The depositors are the ones that
must be properly informed and given the confidence that everything is
under control. This brings us to the importance of communication.
140. Communication is the most critical aspect
Transparent communication is crucial. Assign a spokesperson to
communicate with the public, and deliver messages in a controlled
manner. Keep messages clear and consistent. Train spokespersons,
keep them in the same information field during the crisis. One small
mistake, one unclear presentation, can lead to chaos. Be aware,
funds can be moved to another bank in seconds. Literally, in the case
of ABLV Bank AS, a Latvian credit institution, it only took minutes for
it to be no longer an operational credit institution when damaging
news came to light. Think about communicating with your stakeholders.
Think about the channels that a financial institution can use, or create
your own separate channels if necessary. Include a call centre, set
and train their messages, as they are on the front line, interacting with
depositors. Keep an eye on the messages in the public sphere or on
social media, and react if necessary, because they can also trigger
a new crisis for a financial institution.

141. Be honest, do not lie; be quick but accurate
There is no place for dishonesty during crisis management. All
that matters is that everything is and seems transparent. A quick
response is considered important in crisis management, but at the
same time, communication must be accurate in the context of the
available information. This shows that the financial institution is
generally in control and competent. If previous communication has
been wrong, it must be corrected immediately. If you think it will blow
over, it will not. Any incorrect statement, not to mention a lie that is
later revealed as such will have catastrophic consequences and is
many times worse than the damage the case itself would have
caused.

In AML/CFT cases, it is very likely that the actual circumstances
may not (yet) be known to the financial institution, even if due
diligence measures have been implemented appropriately. The press
may have much more information even when they publish an article.
Moreover, it is to be expected that the debate in public does not often
follow legal concepts, and any suspicious event may be presented as
money laundering. If you do not have a definite answer, think about
how to communicate this professionally. Honesty is fundamental for
senior management, including in the fiduciary relationship with
shareholders. Shareholders are those who are forced to replace a
dishonest manager to protect their assets, even if harmful behaviour
has taken place with the knowledge of the main owners.

142. Do not let your employees down
Do not leave your employees behind during a crisis. The senior
management does not own them, nor does the financial institution.
Employees deserve honest and transparent communication. The
success of a financial institution depends on all of them. They need to
feel secure in the knowledge that the environment in which they work
is safe. They have a right to expect that they will not be adversely
affected by any damage to their employer’s reputation. Rising social
awareness is one of the biggest drivers today. It also affects the
AML/CFT field directly. Employees care very much about this, and
they do not want to work for a financial institution that mediates dirty
money. This can be a decisive criterion when choosing a job. Internal
communication is as important as external. Unfortunately, many well-
known scandals show how managers turn a crisis into a personal
rescue effort, raising their interests above the interests of thousands
of employees. This highlights how the situation became a crisis in the
first place. The senior management has cared for their own business
instead of creating tone from the top and a culture of compliance.

143. Do not underestimate even a minor case

In an environment of incomplete information, there is a risk of
underestimating a risk. Denying a problem can by itself cause the case
to escalate. Indeed, not every media inquiry
immediately marks the beginning of a new crisis. Still, it is wise to
monitor the development of the issue professionally and, if there is
any doubt, it is better to bring the crisis team together than do
nothing. In doing so, the team will be able to assess whether the case
may become hazardous to the financial institution and the extent of
the risk. Senior management cannot be expected to be aware of
every media inquiry, but a financial institution should have a policy
with clear criteria for when the managers must be informed.

144. Follow other cases

AML/CFT cases are often covered in great detail in the media, as
various "Laundromats" and "Papers" are uncovered. Numerous minor
cases are also mentioned on a daily basis. These cases often include
comprehensive lists of different individuals and the connections
between them. Always check the published information for possible
links to your current and historical customer database before others
do it for you. Even if an outsider does not know the details of
the case, knowing who is involved, the related countries and the way the
scheme operates may provide useful reference points. A particular
typology may emerge from it, which may give you reason to look into
your own "books". In today's global banking, it is quite possible that
the case eventually leads to one of your customers and that your
institution turns out to have been part of the suspicious payment
chain.
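
The cross-check described in this rule, screening a published list of names against current and terminated relationships and their beneficial owners, is illustrated below as an added example written for this edition. It is not the authors' code, and the customer records, names, identifiers and countries in it are constructed. It normalises names (case, diacritics, punctuation, corporate suffixes and word order) before comparing them, so that the spelling used by journalists does not hide a match, and it reports closed relationships as well, since the suspicious payment chain may lie in the historical books.

```python
"""Added example: screen names published in a media-reported AML case against a
customer database, including closed relationships and beneficial owners.
All names, identifiers and countries below are constructed for illustration."""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Corporate suffixes carry little identifying information; dropping them lets
# "Example Trading Ltd." and "EXAMPLE TRADING LIMITED" compare as equal.
CORPORATE_SUFFIXES = {"ltd", "limited", "llp", "llc", "inc", "sa", "ou", "gmbh", "plc", "corp"}


def normalise(name: str) -> str:
    """Lower-case, strip diacritics and punctuation, drop corporate suffixes,
    and sort the remaining tokens so that word order does not matter."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_name = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return " ".join(sorted(t for t in tokens if t not in CORPORATE_SUFFIXES))


def similarity(a: str, b: str) -> float:
    """Similarity of two names after normalisation, in [0.0, 1.0]."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


@dataclass
class Customer:
    customer_id: str
    name: str
    country: str
    active: bool                      # False: relationship already terminated
    beneficial_owners: list = field(default_factory=list)


@dataclass
class Hit:
    published_name: str
    customer_id: str
    matched_name: str
    role: str                         # "customer" or "beneficial owner"
    score: float
    active: bool


def screen(published: list, customers: list, threshold: float = 0.85) -> list:
    """Compare every published name with every customer and beneficial owner,
    historical relationships included, and return hits above the threshold.
    The 0.85 threshold is an assumption for this constructed data."""
    hits = []
    for pub in published:
        for cust in customers:
            candidates = [(cust.name, "customer")]
            candidates += [(bo, "beneficial owner") for bo in cust.beneficial_owners]
            for cand, role in candidates:
                score = similarity(pub, cand)
                if score >= threshold:
                    hits.append(Hit(pub, cust.customer_id, cand, role, round(score, 2), cust.active))
    return sorted(hits, key=lambda h: h.score, reverse=True)


def sample_customers() -> list:
    """Constructed customer file: one closed and one active relationship."""
    return [
        Customer("C-001", "NORDVIK TRADING LTD", "LV", active=False,
                 beneficial_owners=["Janis Berzins"]),
        Customer("C-002", "Baltic Coffee OÜ", "EE", active=True,
                 beneficial_owners=["Mari Tamm"]),
    ]


def sample_published() -> list:
    """Constructed list of names as they might appear in a published case."""
    return ["Nordvik Trading Limited", "Jānis Bērziņš", "Baltic Coffee Roasters"]


if __name__ == "__main__":
    for hit in screen(sample_published(), sample_customers()):
        status = "ACTIVE" if hit.active else "CLOSED"
        print(f"{hit.published_name!r} -> {hit.customer_id} ({hit.role}: "
              f"{hit.matched_name!r}, score {hit.score}, {status})")
```

Run the module directly to list the hits. In the constructed data the closed company and its beneficial owner are both found under differently spelled names, while the unrelated active customer with a shared first word stays below the threshold. The threshold should be tuned against the institution's own false-positive rate, and every hit still needs human review before any decision is taken or any report is filed.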

145. Do not lose your “last friend”

In a crisis, it is crucial to maintain a trustworthy relationship with
the supervisory authority, the financial intelligence unit and law
enforcement authorities. The supervisor grants the licence; it decides
when sanctions need to be imposed, whether the managers are
suitable, and so on. But the supervisor is also the custodian of the
credibility of the market as a whole. It might sound a bit contradictory,
but the supervisor is the financial institution's last friend during a
crisis. The supervisory authority is not there to cover your back or
conceal information for you, but to protect the financial system. The
financial supervisor and the industry itself are also under public
pressure in an incident, so the provision of incorrect or incomplete
information by a financial institution in these stressful circumstances
can have grave consequences for the entire financial system. If you
look at recent examples of crises, it is sometimes surprising how
foolishly some managers have underestimated the crisis and its
escalation. The result is a loss of confidence, and the manager writes
himself or herself out of the market in an instant. This can sometimes
be explained by the fact that the golden handcuffs often outweigh
those that are made of another metal.

146. If you choose transparency, be prepared to apply it everywhere

In AML/CFT cases, financial institutions quite often issue
promises in a crisis, setting a deadline for publishing the results of
internal investigations. This is often justified by the fact that a financial
institution does not want to hide from the public and so offers extra
transparency. A financial institution should be cautious about this if
its sole purpose is to buy time and it cannot guarantee that the
investigation will reach a clear conclusion. In such
cases, questions will arise the very next day as to what the actual
scope of the investigation will be, whether such a scope will later
satisfy the public, or whether it will lead to further ambiguity and
misunderstanding. It is not just a matter for the financial institution;
thousands of investments depend on a professional response, which, in
more difficult cases, must be able to preserve depositors' assets.

147. Any assessment by an independent expert must also look independent

It has recently become trendy to involve external experts to x-ray
customers and their transactions, including digging into the historical
activities of customers and the financial institution itself. This in no
way removes the financial institution's managers from their position of
responsibility, but may indicate a desire to obtain the most objective
assessment possible. When involving external experts, it is vital to
ensure their professionalism and expertise, as misunderstanding
AML/CFT rules and data and making superficial assessments can
have a significant impact. Such assessments must also appear
independent, meaning that they cannot, for example, point to severe
criticism of a financial institution's performance in setting up AML/CFT
systems and controls, but at the same time assess the
appropriateness of the performance of its managers as “best in
class.” Such discrepancies may call into question the analysis and its
motive as a whole. If the results of these independent assessments
indicate some suspicious event or behaviour, the supervisory
authority should be informed immediately, and notifications must be
sent to the financial intelligence unit. It does not matter whether they
are internal reports in the form of a draft or final report. These
assessments do not operate in any way independently from the
financial institution's reporting obligation. Acting otherwise may
amount to, or contribute to, concealment.

148. Do not miss the post-crisis phase

Take what happened as a gift because there is a lot to take away
from any difficult experience. Not everyone has the privilege of
learning from real cases. The worst-case scenarios provide an
opportunity to make ex-post assessments of what went wrong before
and during the crisis. Do all this to be more professional next time,
which will undoubtedly come. Amend how the crisis management is
organised and take notes on the case that the institution just
survived. Take the existing crisis management guidelines and make
the appropriate corrections. If there was no crisis management plan,
formulate one based on the experience of the case. At the end of the
crisis, people are often tired, and the extra effort of following up is
challenging. However, this is the time when the experience is still
recent, and this allows you to write the respective codes of conduct
more effectively. When the next crisis hits, you will only regret that no
effort was made.

149. Avoid middle-ground messages

In crisis management, avoid "middle-ground" messages. These
are messages that try to suit and satisfy different parties at the same
time. For example, in communication with the supervisory authority,
messages drafted in the interests of the financial institution very
often try to disagree with the supervisor while at the same time
attempting to please it and show a willingness to make any changes it
requires. This often happens when
external legal advisers are brought into the case. "No comments" or
other “middle-ground” messages can cause extreme chaos in crisis
communication. We have never seen success in this kind of
approach. This is not favoured by communication theory, and more
importantly, since banks are always under such high scrutiny by the
public, using such complex and overly legal messages is
inappropriate. This instantly creates a crisis of trust. The answers,
assessments and action plan that financial institutions give must be
clear and unambiguous. This clarity must be achieved not only during
the crisis, but during day-to-day risk management in the entire
AML/CFT area. Whether or not a financial institution likes it, there is
no place for a middle-ground approach. The middle-ground approach
does not solve problems, as there can be no mediocre AML/CFT
systems and controls. A mediocre system only leads to new breaches
on the part of the financial institution and takes them so much closer
to the next crisis.

150. Where to now?

See rule number one and follow from there.

Appendix 1 – ‘Papers’ and ‘Laundromats’

1. ‘The Panama Papers’ was a leak of 2.6 terabytes of
information consisting of 11.5 million confidential documents
belonging to a Panamanian law firm and corporate service provider
Mossack Fonseca. It showed, among others, how wealthy individuals and
criminals can use and have used legal persons and arrangements
to conceal and disguise the true origin of funds. Further information
about the ‘Panama Papers’ can be found in English, for example, on
the webpage of the International Consortium of Investigative
Journalists (ICIJ).

2. ‘The Paradise Papers’ was a leak of 1.4 terabytes of
information consisting of 13.4 million confidential documents
belonging to law firms and corporate service providers, and especially
a company named Appleby. It showed, among others, how legal
entities and arrangements can be used for tax avoidance and
borderline tax planning. Further information about the ‘Paradise
Papers’ can be found in English, for example, on the webpage of the
International Consortium of Investigative Journalists (ICIJ).

3. ‘The Russian Laundromat’ was an immense financial fraud
scheme operating between 2010 and 2014 enabling $20.8 billion
(allegedly even up to $80 billion) to be moved out of the Russian
Federation. The money was concealed and disguised and moved into
Europe and beyond through bribery and the exploitation of the
Moldovan legal system. Further information about the ‘Russian
Laundromat’ can be found in English, for example, on the webpage of
the Organized Crime and Corruption Reporting Project (OCCRP).

4. ‘The Azerbaijani Laundromat’ was a complex money laundering
operation and slush fund that operated between 2012 and 2014 and
handled $2.9 billion of unknown origin, which was allegedly
connected to Azerbaijani President Ilham Aliyev. Further information
about the ‘Azerbaijani Laundromat’ can be found in English, for
example, on the webpage of the Organized Crime and Corruption
Reporting Project (OCCRP).

5. ‘The Troika Laundromat’ was a scheme operating between
2006 and 2012 that allowed $4.8 billion to dissipate out of the Russian
Federation using a collection of 70 offshore shell companies and
using an independent arm of the Russian investment bank Troika
Dialog. Further information about the ‘Troika Laundromat’ can be
found in English, for example, on the webpage of the Organized
Crime and Corruption Reporting Project (OCCRP).

6. ‘Moldovan bank fraud’ was a large-scale fraudulent activity at
three Moldovan banks (Banca de Economii SA, Banca Sociala SA and
Unibank SA) between 2012 and 2014. It involved fraudulent issuing
of loans to a series of Moldovan companies acting in concert in the
amount of up to $900 million. It was then laundered and dissipated to
a variety of end destinations. Further information about the
‘Moldovan bank fraud’ can be found in English, for example, on the
webpages of the Organized Crime and Corruption Reporting Project
(OCCRP) and National Bank of Moldova.

[1] For further information about some of these “Papers” and “Laundromats”, please see
Appendix 1 of this book.
[2] Based on the information available in English on the webpage of the United Nations
Office on Drugs and Crime.
[3] Also known as AML compliance officer, nominated officer or BSA (Bank Secrecy Act)
officer.
[4] Dual-use goods are goods that can be used for civilian as well as military purposes,
or goods that can be used to manufacture or spread weapons of mass destruction.
[5] This is an example of a customer type, but according to the same algorithm, an
assessment should be performed for all other customer types as well as for all products and
services, delivery channels and geographical risks.
[6] FATF Guidance: Politically Exposed Persons (Recommendations 12 and 22).
Available in English on the FATF webpage.
[7] Based on the SWIFT MT202 COV message fields. Available in English on the SWIFT
webpage.
[8] The FATF Recommendations (2012). Available in English on the FATF webpage.
[9] The United Kingdom Financial Intelligence Unit – Suspicious Activity Reports Annual
Report 2019. Available in English on the National Crime Agency webpage.
[10] The FATF Recommendations (2012). Available in English on the webpage of the
FATF.
[11] The FATF Methodology (2013). Available in English on the webpage of the FATF.
About the authors

Matis Mäeker has worked for the Estonian Financial Supervision
Authority since 2012, where he is currently Head of the Anti-Money
Laundering Unit. Having developed new supervisory methodologies
and guidelines for the agency, he has led inspection teams that
significantly reduced money laundering risk in the financial sector.
Matis Mäeker has been an evaluator and reviewer in the global
AML/CFT Mutual Evaluation process and has spoken at many
conferences. Since 2020, he has been a Member of the MONEYVAL
Bureau that prepares the work of the MONEYVAL committee, the
regional body of the FATF.

Andre Nõmm has been a member of the Management Board of
the Estonian Financial Supervisory Authority since 2014, and since
then he has also been responsible for anti-money laundering supervision.
With 25 years in the financial sector, he has managed numerous
different supervisory cases in the public and private sector, including
those outside anti-money laundering. Since 2020, Andre Nõmm has
been a member of the Standing Committee of the European Banking
Authority (EBA) on anti-money laundering and countering terrorist
financing (AMLSC).
