Senior management and boards are increasingly acknowledging the threat of financial crime as a critical risk to their business that must be addressed. This has been exacerbated in the last 12 months through the impact of the pandemic as well as rising domestic and international tensions. Our financial crime compliance specialists, located in the UK, US, Canada, Australia and Asia, are looking ahead to 2021 to identify the incoming legislative changes, growing role of technology and the need for an effective regulatory response. This forms part of a seven part series which will assess amongst other things the expansion of virtual currencies, the growth of the role of the money laundering reporting officer, the changing world of sanctions regimes, and how the Biden Presidency could shape financial crime compliance into the future.
Across the globe in all key financial centres, financial services companies have faced punitive action from regulators over the last decade for money laundering and terrorism financing failures. This trend shows no sign of stopping, with supervisors intensifying their investigative remits and criminals continually becoming more sophisticated.
Against the backdrop of increased regulatory scrutiny, there has been considerable global regulatory change with respect to anti-money laundering (AML) over the last 12 – 18 months. For example, the European Union has implemented its 5th and 6th Anti-Money Laundering Directives and the US’s National Defense Authorization Act for Fiscal Year 2021 indicates steep stepwise changes in national AML legislation. See our Part 1 of this series (Recent and incoming legislative change) for further details.
Developments in the FinTech and RegTech spaces have sought to optimise compliance activities whilst mitigating risk. However, with this rapid pace of change also comes the need for robust governance mechanisms as well as proactive leadership through individuals with both risk and technological competencies.
Culture and conduct has remained at the forefront of regulator’s attention over recent years, manifesting in greater expectations on how and when firms report financial crime risks and the manner in which senior leadership are required to rationalise and evidence the operation of their risk-based approach.
Finally, the Covid-19 pandemic has not only changed how the population accesses financial services, but also forced criminals to become yet more sophisticated in the methods they adopt to seek to launder illicit funds.
Given this raft of continuing turbulence in the AML landscape, the need for a qualified and suitably experienced and skilled Money Laundering Reporting Officer (MLRO) (also known as Anti-Money Laundering and Counter Terrorism Financing Compliance Officers in some jurisdictions) is crucial to support firms in safeguarding their business from money laundering and terrorism financing risks. Increasingly, the MLRO needs to not only excel in the compliance arena and possess a strong working knowledge of their local AML framework and legislative trends, but also is required to demonstrate leadership, technological, negotiation and horizon scanning skillsets. In the current climate, this means that finding and retaining a suitable candidate is no mean feat for institutions.
Reporting suspicious activity
At its core, the MLRO role is responsible for oversight of a business’ compliance with local anti-money laundering (AML) and counter terrorist financing (CTF) obligations. Further, in many jurisdictions including the United Kingdom, Australia and the United States, the MLRO function serves as the primary role for the reporting of suspicious matter or activity reports to their jurisdiction’s financial intelligence unit. This requires not only a certain level of authority and independence, but also deep financial crime subject matter expertise combined with a working knowledge of regulatory expectations, investigative rigour and internal stakeholder management.
The disclosure of high quality, accurate and timely suspicious activity reports (SARs) is imperative to provide actionable intelligence for use by both local and international law enforcement and other authoritative bodies in order to fight financial crime on a global scale. It is therefore vital that the MLRO possesses a multi-faceted skillset given the importance of their function. Even with the right experience, unless the MLRO is autonomous and is supported by adequate technology, resources and, most importantly, by the tone at the top of the organisation – it may not be enough to keep the organisation compliant and support the global fight against financial crime.
Resourcing, expertise and technology
MLROs serve a central function to a business combatting against money laundering and terrorism financing risk. To achieve this, the MLRO must have the necessary and appropriate resources required to discharge their duties and responsibilities. In their risk based guidance into the banking sector published in 2014, the Financial Action Task Force (FATF) noted that this encompasses the necessary independence, authority, seniority, resources and expertise to carry out their functions effectively, including the ability to access all relevant internal information and stakeholders.
Independence of the MLRO function, for example, is necessary by separating the commercial imperatives of the business influencing the MLRO’s role in reporting potential non-compliance. Training is also essential to keep the MLRO abreast of emerging risks and to ensure they are meeting reporting regulatory obligations.
In addition, as technology enhancements plays an increasingly key role in financial crime compliance, MLROs are also expected to be able to articulate to regulators how any FinTech/RegTech solution deployed within their organisation help facilitate financial crime risk identification, mitigation and prevention. This therefore requires a certain level of data/technological competence from the MLRO, as well as a strong risk management skillset.
The nature, size and sector of a regulated entity is also a key indicator in assessing the type of individual suitable to perform this function. However, with the absence of express legislative requirements for education and formal training and qualifications, it remains difficult to fully determine who is most appropriate to perform the role or roles with the function for the entity.
Personal liability and enforcement action
Regulators around the world remain focused on holding senior executives and responsible persons liable. According to Fenergo’s Fines 2020 Report there were approximately 212 individuals that were fined $99.3 million USD for financial crime and AML related breaches.
In the U.S, directors, officers or employees that wilfully violate the Bank Secrecy Act (BSA) can face civil penalties, and in 2020 this crystallised in the issuance of a consent order by FinCEN to a former senior staff member for their role in failing to prevent BSA violations.
The UK legislative framework also places high importance on personal accountability with respect to senior management acting in compliance roles. There is historical evidence of both firms and their MLRO receiving separate disciplinary penalties as a result of the organisation failing to meet their AML obligations. UK MLROs are also required to prepare an MLRO report on an annual basis which articulates the specific risk exposures faced by their business and comprehensiveness of the control environment in place to seek to mitigate these risks. In addition, the introduction and changes to accountability regimes such the Senior Managers and Certification Regime in the UK and the recent extensions to a similar regime in Australia are ways in which regulators are responding to compliance failures that are attributable to the MLRO.
Similarly in Hong Kong, the Securities and Futures Commission (SFC) has actively been assigning personal liability to supervisors, responsible officers and senior managers for compliance failings. The effect of a prosecution or enforcement action not only impacts the status of the organisation, but goes to whether that person is a fit and proper person to operate in that industry. This may also impact the ability for that organisation to apply and hold licenses in a regulated sector.
Access to C-Suite and the Board
With the recent willingness by regulators to initiate targeted enforcement action, boards and senior management have become increasingly reliant on MLROs. In this new regulatory environment, MLROs are growing in visibility with the board and senior management becoming more dependent on the timely escalation of instances of non-compliance, such that breach reporting and governance processes can be followed.
Many regulators are looking more closely at specific board decisions when undertaking enforcement action. As such, suitable governance arrangements are a pre-requisite and embedding the MLRO into key decision making processes is likely to prove more effective. Given the increasing complexity of the MLRO role, augmented with elevated personal liabilities and obligations, a strong MLRO presence within firms’ leadership teams is crucial to creating and embedding a strong compliance culture to aid in the global fight against financial crime.
As the regulatory remit further evolves, compliance technology embeds into business-as-usual and the conduct agenda continues to gain further prevalence, firms are under increasing pressure to ensure the MLRO position and AML/CTF function as a whole are fulfilled by the right individuals.
It is abundantly clear that the MLRO role has become increasingly multi-faceted and complex, requiring the role-holder to be not only a skilled compliance practitioner, but also a tech-savvy and proactive individual who has the authority and temperament to protect the strategic direction of the firm.
The MLRO cannot and must not take a back seat in terms of a firm’s risk management strategy, but would be involved in key business decisions in relation to how the firm acts and interacts in the market and with customers from a financial crime perspective. However, the MLRO role holders must be willing and able to take risk-based, considered decisions whilst remaining cognisant of how these could impact their personal liability as well as the reputation and regulatory risks of their employer.