Anti-money laundering update

In recent years the FCA has levied significant fines on banks for having weak anti-money laundering controls. Such fines have ranged from from £525,000 to £8.75m. In addition, in some cases the bank’s money laundering reporting officer has also been fined. In light of these fines it has never been more important for banks to have strong anti-money laundering systems and controls and keep track of developments in this area.

In this banking updater we briefly cover at a high level the regulatory framework for anti-money laundering and set out some of the key developments that have occurred so far this year.

The international standards on combatting money laundering and the financing of terrorism are set by the 36 member jurisdictions of the Financial Action Task Force (FATF). These standards form the basis of EU legislation (currently the Third Money Laundering Directive although this is due to be replaced) which, from a UK perspective, is incorporated into various pieces of law, predominantly the Money Laundering Regulations 2007 (MLR 2007) and the Proceeds of Crime Act 2002 (POCA). The MLR 2007 place requirements on financial institutions to know their customers, and POCA criminalises money laundering and addresses the making of reports to law enforcement concerning money laundering activity. Guidance on the MLR 2007 can be found in the materials produced by the Joint Money Laundering Steering Group.

Financial institutions that are authorised under the Financial Services and Markets Act 2000 must adhere to specific anti-money laundering rules and guidance. Such rules and guidance can be in the FCA Handbook (see 3.2.6 of the Senior Management Arrangements, Systems and Controls sourcebook).

Importantly, a risk based approach is the cornerstone of the anti-money laundering (AML) and counter financing of terrorism (CFT) regime. What this means is that financial institutions must identify and assess their money laundering and terrorist financing risks and put in place systems and controls to manage and mitigate them.

The FCA’s risk based approach to AML supervision enables it to focus its resources on firms that are particularly exposed to money laundering risk. It uses a variety of tools to do this including the Systematic Anti-Money Laundering Programme (SAMLP) focused on major banks, thematic reviews looking at risks across a sector and ‘event driven’ work where AML issues have arisen within individual firms. In 2014 the FCA developed a strategy to enable it to use its financial crime resources more effectively, classifying all regulated firms subject to the MLR 2007 in terms of money laundering risk. The 14 major banks covered by the SAMLP continue to be subject to the most intensive AML/CFT supervision, with detailed assessments taking around six months to complete, firms in the second highest risk category are subject to a regular inspection programme, consisting of two or three day on-site visits. The FCA reassesses the categorisation of firms periodically.

In July 2013 the FCA published its first ever annual report on anti-money laundering covering the period 2012/13. A second annual report was published in May 2014 covering 2013/14. So far, the FCA has not published an annual report for 2014/15 but it is worth keeping an eye out for it.

The emerging risks and trends that were noted in the May 2014 annual report were:

• many of the money laundering risks that firms face are well known, for example corrupt politicians attempting to move their money offshore, or the use of corporate vehicles and shell companies to move the proceeds of crime;
• the use of mobile banking to pay overseas remittances from the UK was at relatively low levels when compared with the popularity of these services in other parts of the world. As mobile banking products and services are developing rapidly, it is important for firms to keep money laundering risks under review;
• virtual or digital currencies are not regulated for AML purposes in the UK or elsewhere in the EU. The FATF published a paper on 27 June 2014 covering the key definitions and potential AML/CFT risks of virtual currencies. The FCA is monitoring the development of virtual currencies and working with other regulators to understand the risks virtual currencies may pose, as well as their potential competitive advantages for consumers; and
• on derisking the FCA mentioned that it had seen examples where firms were able to manage the financial crime risk presented by higher risk customers effectively without exiting the relationship. It added that any decisions taken by a firm to derisk their business should not unduly impede legitimate access to financial services or financial inclusion.

Since the FCA’s last annual report on anti-money laundering there has been further activity on derisking.

Earlier this year (27 April 2015) the FCA updated its webpage on money laundering to include a statement on derisking and its expectations on banks’ management of money laundering risk. The FCA stated that it was aware that, due to legal and regulatory obligations in the UK and abroad, some banks were no longer offering financing services to entire categories of customers that they associated with higher money laundering risk, such as money transmitters and FinTech companies, as well as withdrawing from providing correspondent banking services.

The FCA stated that where a bank does not believe that it can manage the money laundering risk associated with a business relationship effectively, it should not enter into, or maintain, that business relationship. However, the regulator added that the risk based approach did not require banks to deal generically with whole categories of customers or potential customers. Instead, the FCA would expect banks to recognise that the risks associated with different individual business relationships within a single broad category varies, and to mange that risk appropriately.

The FCA statement was followed in June by a statement from FATF. FATF felt that derisking was a “complex issue” that goes far beyond AML and CFT. The FATF approach to derisking is based on its 40 Recommendations which require financial institutions to identify, assess and understand their money laundering and terrorist financing risks, and implement AML/CFT measures that are commensurate with the risks identified.

When establishing correspondent banking relationships, FATF stated that banks are required to perform normal customer due diligence on the respondent bank. Additionally, banks are required to gather sufficient information about the respondent bank to understand the respondent bank’s business, reputation and the quality of its supervision, including whether it has been subject to a money laundering or terrorist financing investigation or regulatory action, and to assess the respondent bank’s AML/CFT controls. Whilst FATF recognised that there will be exceptions in high risk scenarios, its Recommendations do not require banks to perform, as a matter of course, normal customer due diligence on the customers of their respondent banks when establishing and maintaining correspondent banking relationships.

FATF stated that it would be undertaking work to further clarify the interplay between its standards on correspondent banking (Recommendation 13) and other intermediated relationships, and the FATF standards on customer due diligence (Recommendation 10) and wire transfers (Recommendation 16). However, there have been no further FATF publications on this topic so far.

In February 2013, the European Commission published a proposal for a Fourth Anti-Money Laundering Directive (4MLD). Once adopted the new Directive will be transposed into UK legislation through new Money Laundering Regulations. These will replace the MLR 2007.

On 5 June 2015, the 4MLD was published in the Official Journal of the European Union. Like other Member States the UK must transpose the requirements of the Directive into its national law by 26 June 2017. So far, HM Treasury has not published a consultation paper setting out the proposed changes for the MLR 2007.

Why is the 4MLD important? The Directive provides a common European legal basis for the implementation of the revised Recommendations of the FATF, which sets global anti-money laundering standards on combating money laundering and terrorist financing (the FATF 40 Recommendations). The 4MLD also strengthens the risk-based approach to AML and CFT and is intended to achieve the consistent application of provisions across Member States.

Significantly, the 4MLD proposes to delegate responsibility for shaping important parts of Europe’s AML/CFT regime to the European Supervisory Authorities (ESAs). The ESAs are tasked, among other things, to draft guidelines on key aspects of the customer due diligence process and on the risk-based approach to supervision. They are also tasked to:

• draft binding regulatory technical standards on central contact points (a single point of contact for overseeing the AML/CFT compliance of agents of payments institutions and e-money institutions based in another country) and measures firms should take where a third country’s legislation does not permit the application of equivalent AML/CFT measures;
• provide an opinion on the money laundering and terrorist financing risks facing the internal market; and
• collect, analyse and share information in relation to non-EU countries that have AML standards equivalent to those in the EU and those that do not.

When looking at the regulatory framework that AML and CFT it is easy to overlook the papers produced by the Wolfsberg Group (WG). This group is an association of thirteen global banks that aims to develop frameworks and guidance for the management of financial crime risks, particularly with respect to know-your-customer, AML and CFT policies.

On 8 September 2015, the WG published frequently asked questions on risk assessments for money laundering, sanctions and bribery & corruption. Numerous questions often arise as a result of a financial crime risk assessment and this document sets out some of the more frequent ones, as well as providing guidance on how to address them. Banks and other financial institutions would be well advised to look at this document.

As the document notes the key purpose of a money laundering risk assessment is to drive improvements in financial crime risk management through identifying the general and specific money laundering risks a bank is facing, determining how these risks are mitigated by a firm’s AML programme controls and establishing the residual risk that remains for the bank.

In the summer the European Securities and Markets Authority (ESMA) published questions and answers (Q&As) in order to promote the consistent application of EU rules on AML and CFT to investment-based crowd funding platforms. The Q&As are aimed at Member State regulators to support them in ensuring that their supervisory approach to investment-based crowd funding is effective. However, market participants should also find them helpful by providing clarity on the issues involved.

The Q&As cover the following issues:

• What are the risks in relation to terrorist financing and money-laundering related to investment-based crowd funding and how could they be mitigated?
• Is the risk profile of the platform affected by whether it is regulated under MiFID or not?
• How should investment-based crowd funding be treated under the Third Anti-Money Laundering Directive?