By Brian Monroe
December 15, 2016
In a lookback at compliance trends in 2016, several common themes weave through the panoply of historic events, enforcement actions and governmental guidance: a razor-sharp focus on transparency, accountability and regulatory responsiveness.
The importance of those three trends – and related investigations, penalties and prison sentences that occurred over the year in their absence – has threaded its way through nearly every area of financial crime compliance, including anti-money laundering (AML), corruption, fraud, tax and cybersecurity.
The year included both broad regulatory trends that have emerged over the year out of necessity to combat criminal or hacking groups – such as U.S. regulators urging convergence, communication and coordination between AML and cyber departments – and an echoing of prior messages but with more urgency and less leeway, such as not blowing off examiner exhortations for program improvements, and no reticence when it comes to remediation.
But improving compliance programs – whether identifying money launderers, fraudsters, cyber attackers and corruption from without and within an institution – is no easy task.
Which is why 2016 saw more banks tinker with technology to see how artificial intelligence (AI), machine learning and financial technology or fintech could help institutions be more accurate, agile and innovative – and most importantly do more with less.
Not surprisingly, regulators in the U.S., Australia and other nations have followed suit. The U.S. Treasury’s Office of the Comptroller of the Currency (OCC) created an Office of Innovation earlier this year, and this month announced the creation of special purpose charters to give fintech firms the same privileges as brick-and-mortar national banks – but also encumber them with the same compliance responsibilities.
Australia’s national financial intelligence unit is also working with machine learning to better harness unwieldy data so that humans can have more time to review fewer alerts and those alerts of suspected suspicious activity will be of higher quality. The goal is to lay stronger foundations for law enforcement cases, and hopefully shrink investigative time and resources.
But the year will no doubt be remembered most for the first prong mentioned – transparency.
This year saw the largest leak in history with the Panama Papers scandal.
The voluminous data dump of more than 11 million records shined a harsh, uncompromising light into the shadowy world of offshore secrecy havens, and emphasized how murky ownership structures can help organized criminal groups, corrupt politicians and even terror groups move funds anonymously and legitimize their assets.
A lack of corporate transparency led the Paris-based Financial Action Task Force (FATF), the global arbiter of financial crime compliance standards, to sharply criticize a number of countries in their mutual evaluations, most prominently the United States.
The U.S., which holds itself out as a champion of AML standards and has levied the largest financial crime penalties in the world, was taken to task by FATF in its evaluation released earlier this month. The country received the FATF’s lowest scores in certain categories because the U.S. doesn’t currently capture beneficial ownership information at the time of legal entity formation, and therefore doesn’t have it available to law enforcement, financial institutions or the general public.
The second prong – accountability – is a word that causes even the most senior and seasoned financial crime compliance officer to wince.
A key focal point in 2015 was authorities pushing for “heads on a platter” through individual liability. That trend has only increased in 2016, with enforcement actions in the United States and United Kingdom, in banking and securities, including penalties against AML officers in the tens of thousands of dollars.
These actions against individuals, though clearly a fraction of the dollar figures associated with some of the largest AML and sanctions-related penalties to hit the sector in recent years, have sent shockwaves through the compliance space.
Reputation is important in most fields, but reputation is everything in financial crime compliance circles. Just being named in an enforcement action could make even the most accomplished professional radioactive – so a penalty on top of that could easily equate to a career death knell.
Compliance, business tensions increased in 2016
But a deeper look at many of the enforcement actions against individuals reveals a more nuanced story than just the apparent failings of one named and shamed compliance officer and resultant implosion of the systems and individuals below them.
The actions reveal a growing tension and clash between compliance and business line managers, where compliance officer recommendations were reviewed and then overruled by higher executives and where desperate pleas for more resources in the face of growing revenues, customers and related automated monitoring alerts were rebuffed.
Yet in some instances, being told “no” by others still seemed to be the fault of the compliance officer, bringing up the question of fairness and an examination of the issue of what truly is in the power and responsibility of financial crime compliance officers. It is a debate still raging within the various stakeholder communities of compliance staffers, regulators and law enforcement.
That brings us to the prong of regulatory responsiveness.
In short, it means that when regulators find gaps in an AML program, they don’t want to be given short shrift. They don’t want to come back the next year and see little, or nothing, was done to fix what examiners have already identified.
The term “repeated” is a key one in enforcement actions throughout the year. As in regulators told the bank “repeatedly” to improve areas x, y and z, and the bank didn’t over several exam cycles, resulting in an informal action becoming formal and a formal action becoming a monetary penalty.
Individual liability ruling a kidney shot to compliance community
The year had an inauspicious start for compliance officers.
In January a U.S. district court judge in Minnesota stated compliance officers can be held legally liable for anti-money laundering program failures at their institutions under Bank Secrecy Act regulations, an overall “frightening” prospect for professionals in already challenging roles, said individuals in the field at the time.
The decision by U.S. District Court Judge David Doty was a significant blow to former MoneyGram Chief Compliance Officer Thomas Haider, who is fighting a $1 million penalty for alleged missteps handed down in 2014 by the US Treasury’s Financial Crimes Enforcement Network (FinCEN).
“The ruling is definitely a big deal,” said a compliance officer at a large bank headquartered in the United States. “It’s pretty darn frightening. It sets up a bad precedent for compliance people who really are trying to do the right thing. Most compliance officers or chief compliance officers have their hearts in the right spot.”
The action against Haider occurred at a particularly fraught time in the history of financial crime compliance and enforcement.
In recent years, judges and the general public have voiced a desire for more individual accountability in systemic AML, sanctions and fraud-related compliance failures that have resulted in penalties in the billions of dollars on organizations, but few jail terms.
Judge Doty made the ruling in response to a motion by Haider’s defense attorneys to dismiss FinCEN’s case against him on several grounds, including that AML regulations don’t grant the authority to go after individuals for corporate missteps, and that he was also denied due process, among other legal jousting.
Doty, however, disagreed on the individual liability front, writing in the 13-page order that the aspect of AML rules requiring institutions to establish money laundering detection and prevention programs is governed by the act’s broader civil penalty provision, which allows monetary actions against a “partner, director, officer, or employee.”
April showers turn into Panama Papers deluge
Criminals, of course, don’t want any liability.
They want to hide that they are a part of anything. And usually, they do a pretty good job of it with the easy availability around the world of shell companies with opaque and impenetrable ownership structures and a veritable army of gatekeepers and banks ready and willing to help move whatever illicit funds they want.
That all changed in April with the Panama Papers.
The massive leak of documents exposed the offshore holdings of 12 current and former world leaders and revealed how associates of Russian President Vladimir Putin secretly shuffled as much as $2 billion through banks and shadow companies, according to the International Consortium of Investigative Journalists (ICIJ).
The cache of 11.5 million records from law firm Mossack Fonseca revealed how a global industry of law firms and big banks sells financial secrecy to politicians, fraudsters and drug traffickers as well as billionaires, celebrities and sports stars, according to the group.
The documents also included records on at least 33 people and companies blacklisted by the U.S. government because of evidence that they’d been involved in wrongdoing, such as doing business with Mexican drug lords, terrorist organizations like Hezbollah or rogue nations like North Korea and Iran.
Some other details included:
- Files on the offshore holdings of 140 politicians and public officials from around the world
- Current and former world leaders in the data include the prime minister of Iceland, the president of Ukraine, and the king of Saudi Arabia
- More than 214,000 offshore entities appear in the leak, connected to people in more than 200 countries and territories
- Major banks have driven the creation of hard-to-trace companies in offshore havens
In the aftermath of the leak, many governments, regulators and investigators started to make changes to cut down on criminals’ abuse of such loopholes. Some of the actions include:
- The European Union Parliament called a 65-member committee to conduct a 12-month inquiry into possible violations of EU law related to money laundering, tax evasion and fraud revealed by Panama Papers
- Regulators in Hong Kong and Singapore reportedly requested institutions to disclose dealings with individuals and firms named in Panama Papers, following reports of an April sweep by the New York Department of Financial Services (DFS)
- British Virgin Islands’ top regulator, Financial Services Commission, hit the offices of Mossack Fonseca with its largest-ever $440,000 administrative penalty for AML and CTF failings in dealings with clients
- Europol has reportedly connected almost 3,500 suspects to entities, individuals named in Panama Papers, per UK media reports
- A KPMG survey found that many large financial institutions set up Panama Papers “response teams,” with up to ten employees dedicated full time to review and remediation.
Without adequate resources, compliance functions foundered
On the issue of compliance responses, several actions in 2016 made it clear that when compliance officers don’t get support from senior management, or are actively overridden, the entire department suffers – and this can lead to increased regulatory scrutiny and monetary penalties. This is another example of the accountability prong twanging.
Some notable enforcement actions that embodied this trend included:
- Finra fined the institution $17 million in May, and implemented a $25,000 individual penalty on the chief AML officer
- Regulators stated that the compliance program had apparently not grown along with the rapid expansion of the securities firm, and the end result was an understaffed, under-resourced compliance department that led to a variety of AML failings
Agricultural Bank of China
- NY DFS penalized the New York branch of this Chinese institution $215 million for willful violations of AML and sanctions regulations in November.
- The enforcement order found that the bank had “silenced and severely curtailed” the chief compliance officer at its New York branch after she repeatedly raised concerns over operational failings and tried to investigate
- The bank reportedly altered SWIFT messages to disguise transactions to sanctioned entities, among other issues
- In the UK, the Financial Conduct Authority hit a Bangladeshi bank with a $4 million penalty for AML and financial crime compliance faults
- The order noted “serious and systemic weaknesses” attributed in large part to disregard of senior management for an adequate compliance program
- The FCA also penalized the institution’s AML officer $18,000 and effectively barred him from holding future compliance roles
In 2016, most vociferous push for compliance convergence
In October 2016, a FinCEN “Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime” represented the strongest push for collaboration to date between AML, fraud, and cyber functions.
The advisory called for greater teamwork between BSA/Anti-Money Laundering (AML) units and in-house cybersecurity units to identify suspicious activity. It also pushed for more sharing of information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime.
Moreover, it called for BSA/AML and cyber information and skill-sharing to better identify suspicious activity patterns and suspects.
“BSA/AML units can use cyber-related information, such as patterns and timing of cyberevents and transaction instructions coded into malware among other things, to (1) help identify suspicious activity and criminal actors and (2) develop a more comprehensive understanding of their BSA/AML risk exposure,” according to FinCEN.
While convergence won’t solve all of a bank’s compliance challenges or patch up every existing vulnerability, it can help make compliance teams more nimble, proactive and intelligent, bringing to bear a wider breadth of understanding than a person pigeonholed in one silo looking through a very narrow slit of activity.
Looking forward to 2017, only time will tell if the lessons learned from this year will make operations more transparent, accountable and responsive to regulatory suggestions and requirements, a crucial necessity to deal with heightened compliance scrutiny at nearly every level and greater risks and liability for individuals when failures occur.