By Sven Stumbauer, Director in the Financial Crimes Compliance Practice at AlixPartners, LLP
Over the last decade, the business environment for financial institutions globally has undergone significant changes. However, anti-money laundering (AML) compliance has been well represented both in headlines as well as on agendas of board of directors over that time. In fact, it can be said that AML compliance has never been higher on the agenda of boards and senior management, with fines for non-compliance reaching hundreds or even billions of dollars.
However, a new trend seems to be emerging today that is likely to bring a new wave of AML-enforcement actions – global regulatory bodies are increasing the stakes for financial institutions to comply with compliance programs to the degree of in some cases making AML compliance a license-threatening issue and adding threats of criminal prosecutions not only against institutions but against senior managements of institutions as well.
As a result, across the globe financial Institutions continue making significant changes in response to increasingly higher demands by regulatory bodies, often investing millions of dollars in compliance processes and resources. Given the investments made by financial institutions over the last decade, many are asking themselves if it is even possible to operate globally, to establish a compliant AML program and to satisfy what appears to be the next tidal wave of AML regulatory-enforcement actions, during which previous “record” fines will likely be trumped again.
Meeting regulatory expectations
Given the current environment, minimum compliance, or compliance with just the “letter of the law,” may not be sufficient for a financial institution to meet regulatory expectations. However, in some cases what might be called a “knee-jerk” reaction has emerged – the so-called “de-risking” of operations. While de-risking – eliminating or significantly limiting – business activities and/or relationships that pose an increased risk to AML-compliance efforts seems prudent at any time, it also poses significant growth challenges for most financial institutions, especially in today’s economy. Given that, the question is: How far should you de-risk without limiting your business?
A prudent approach for financial institutions would be to take a new look at both the inherent and perceived risks given business activities and/or relationships pose from an AML perspective and contrast those risks against the realities of the current environment. All too often many financial institutions seem to follow a herding approach of either not emphasizing AML risk enough, or as a reaction to enforcement actions, taking a too conservative approach.
Back to the basics
By taking a fresh look at inherent as well as perceived risks, financial institutions can become more “risk intelligent,” even before conducting a formal AML risk assessment of operations, products, customers and distribution channels. Some of the basic questions that should be considered by senior management and the board are:
- Do we only have a compliance program or an actual culture of compliance – where throughout the organization, everybody does the “right thing” on a daily basis?
- Are our employees properly incentivized to consider AML risks as well as business benefits in their decision-making?
- Do we as senior management and the board “walk the walk” and show appropriate “presence” and involvement when it comes to mitigating AML risks?
- Are our policies and procedures aligned with our business operating model, taking into account all lines of our business?
- Do we have an overall perspective of our customers across geographies, and can we truly say that we “know” our customer from a holistic perspective to ensure AML compliance?
- Do we have integrated systems across geographies?
- Is our ongoing compliance monitoring and testing robust enough to identify potential weaknesses in advance of likely additional regulatory enforcement?
AML-risk assessments and risk management are generally seen in terms of keeping a financial institution “out of trouble.” The other side of the coin, often neglected, is that they may also serve as an opportunity to generate business value by adding another perspective that others might perceive as too, well, risky, by creating a control environment allowing senior management to pursue additional opportunities.
For example, entering into a new correspondent-banking relationship with a financial institution located in a jurisdiction with a high risk for money laundering, corruption and financial crime in general. Over the past decade, numerous financial institutions exposed themselves to fines, and currently in our experience it seems that many of the largest banks worldwide are re-visiting or exiting their current foreign correspondent banking relationship to avoid additional regulatory actions. While such moves might present a significant revenue opportunity, the AML and regulatory risks could be equally great or greater. As such, if the senior management of such a financial institution lacks confidence in its existing AML controls, it might not consider this opportunity in fear of regulatory repercussion. However, senior management at a financial institution with robust AML controls and confidence in its AML compliance team might seize the opportunity, while still keeping its overall AML risk at a tolerable level, through the implementation of additional controls to counter both perceived and inherent AML risks.
A risk view that considers both AML and other regulatory-enforcement risks along with the business opportunity at hand will provide added confidence to senior management that risk-management practices are in alignment with the overall business objectives of the financial institution and sufficiently robust to likely mitigate the newly added risk.
The role of the board
Many recent AML-related headlines have called for individual accountability for boards as well as members of senior management. Without sufficient board involvement, financial institutions will likely struggle to implement a robust, enterprise-wide AML-compliance programs. In addition, several regulatory-enforcement actions over the past years have not only called for the establishment of AML-compliance committees comprised of outside directors, but also held board members personally accountable for financial institutions’ lack of compliance and expose themselves to shareholder litigation risk like in the case of Stone vs. Ritter (Court of Chancery of the State of Delaware in and for New Castle County C.A. No. 1570-N).
Under U.S. regulatory requirements (The Bank Secrecy Act and the Patriot Act), the board of directors of a financial institution is required to approve an enterprise-wide AML-compliance program, which at a minimum must include:
- policies, procedures and controls to mitigate the money-laundering risks posed by the institution;
- designate an AML compliance officer with sufficient authority by the board across the institution to implement the policies, procedures and controls;
- ongoing and adequate training for all employees of the financial institution; and
- independent testing/auditing on an ongoing basis.
However, in order to comply with more than just the technical regulatory requirements, boards should also adopt a mindset that they may be ultimately responsible for a financial institution’s AML-compliance efforts and the establishment of a culture of compliance to possibly avoid significant regulatory action citing a lack of board oversight and minimize shareholder litigation risk.
Tone at the top
While the “tone at the top” has become an often-used phrase, it remains one of the key ingredients that will often make or break an AML-compliance program. It is ultimately the board of directors and senior management that establish the strategic vision for a financial institution, in line with this vision; a clear AML compliance tolerance should also be established. And that includes establishing the proper incentives, including compensation measures, to meet needed goals.
While current enforcement trends may indeed turn into a tidal wave, establishing a robust AML-compliance program can provide safety from storm, as well as provide a foundation for business growth.
Photo by ChameleonsEye
A very well articulated article.Can i pick up some points from the article to include in my article on Derisking