By Sven Stumbauer, Senior Advisor, Norton Rose Fulbright LLP
The financial-services industry has been disrupted and roiled by a perfect storm of forces. Complex regulatory-compliance requirements, aging legacy systems, dated operating models, digital innovation and fintech (financial technology) have rapidly changed the environment for many financial institutions worldwide.
Increasing regulatory enforcement, geopolitical changes and record-setting monetary fines have made adequate anti-money laundering (AML) risk management a significant challenge for financial institutions globally.
Stakes are high for any financial institution—regulatory actions across the world have produced a wave of investigations and fines, jeopardized licenses and forced C-level executives and regulators to resign while increasingly holding key individuals personally accountable and liable for failures.
The uptick in fines against financial institutions and penalties for money-laundering continued in 2020, reaching more than $14 billion.1 To further amplify the challenges for financial institutions globally, various regulatory bodies across the globe have enacted major legislative changes, increasing the pressure on boards and C-level executives significantly. Unlike in previous years, this new regulatory focus on AML can be seen globally as various regulatory regimes converge closer to a global standard as promulgated by the Financial Action Task Force (FATF).
Given the amount of focus the world is placing on AML, enforcement actions and fines can be expected to increase as financial institutions continue to be sanctioned for repeat and/or new failures. Changes in regulations paired with increased regulatory scrutiny will force difficult conversations at C-level and board meetings as AML-risk management becomes center stage (again).
The US overhaul of AML legislation: turbocharging enforcement
The passage of the US Anti-Money Laundering Act of 2020 (AMLA) (part of the National Defense Authorization Act for Fiscal Year 2021) will ring in a new era of anti-money laundering (AML) enforcement and regulatory exposure for financial institutions in the United States and by extension to their counterparties and affiliates across the globe.
The 2020 AMLA may well have the most significant impact on the AML landscape since the enactment of the USA PATRIOT Act2 in 2001 and presents a considerable overhaul to the Bank Secrecy Act (BSA).
While the AMLA contains numerous changes to the existing AML rules and regulations, the following three changes deserve particular attention and should drive the agendas of boards and C-levels over the coming months:
- Increasing penalties for AML violations,
- Enhancing the current AML whistleblower program,
- Increasing US regulators’ authority to seek documents from foreign financial institutions.
Increasing penalties for AML violations
The AMLA codifies additional civil penalties for repeat AML violations. For each additional violation, effective immediately, repeat offenders now are subject to further penalties of three times the profit gained or loss avoided as a result of the violation, or two times the maximum penalty for the violation, whichever is greater.
The new law also requires certain officers or employees of financial institutions convicted of AML violations to repay any bonuses paid to those individuals during the calendar year during which or after the violation occurred.
The significance of these provisions cannot be overstated since some financial institutions, based on their histories of regulatory-enforcement actions, appear to run afoul in the same or related areas of non-compliance.
Enhancing the “current” AML whistleblower program
While the BSA has had a rarely used whistleblower program in place, it has not provided significant incentives, with awards capped at $150,000. As a result, there has been very little, if any, activity under the program. The AMLA expressly increases the potential awards and thus the incentive to report violations. The new program incentivizes whistleblowers to report suspected AML violations by offering up to 30 percent of all monetary penalties and fines in AML-enforcement actions if the total penalties exceed $1,000,000.
This new whistleblower provision creates a significant incentive, similar to the SEC’s (U.S. Securities and Exchange Commission’s) whistleblower program created by the Dodd-Frank Act in 2010, which, since its inception, resulted in more than $2 billion3 in financial remedies.
Financial institutions should brace themselves for the heightened activity of whistleblowers, whether warranted or not, and subsequent internal investigations that will have to be carried out at significant cost.
The long reach of US regulators: expanded authority against foreign financial institutions
The AMLA significantly expands the statutory authority to seek documents from foreign financial institutions. The Department of the Treasury (USDT) and the Department of Justice (DOJ) are authorized to subpoena a foreign financial institution that maintains a correspondent account in the United States. This subpoena power is not limited to foreign financial institutions’ correspondent accounts but includes any account at the bank, as long as the records are relevant to the particular investigation.
While such subpoenas might certainly be challenged in courts, under the AMLA, if a foreign financial institution fails to cooperate, the DOJ can impose sanctions against the foreign financial institution and require the US correspondent bank to end its relationship with the foreign financial institution.
As some foreign financial institutions have experienced in recent history: Being shut out of the US banking market can have a detrimental impact on their business.
The EU patchwork
During the past couple of years, the European Union (EU) has been plagued by a significant uptick in money-laundering scandals and enforcement actions, to a great extent initiated by US regulatory bodies. In the face of the slow implementation of past directives and following various banking scandals that have rocked Europe, the EU is attempting to harmonize and supervise the region’s response more tightly.
In 2021, the EU will see significant changes with the introduction of the 6th Anti-Money Laundering Directive (6AMLD). For the first time, financial institutions and their boards could be subject to criminal prosecutions for failing to have effective AML controls and systems in place. However, lacking an overall regulatory body that would oversee AML matters across the EU, financial institutions are still facing a patchwork of national laws and individual member-state regulators with various levels of sophistication. While the EU is struggling to establish uniform AML supervision across the union, some member states are still being fined for failing to implement the 4th AMLD, while others are being referred to the European Court of Justice (ECJ) for failure to implement the 5thAMLD.
This lack of common and level supervision, which sits at the heart of an effective AML framework, will continue to frustrate financial institutions as they try to meet the different expectations of various member-state regulators. The practical burden will fall on financial institutions to assess and build out their AML controls in such a way to not only meet the requirements of specific jurisdictions but a standard that is being set largely through enforcement actions driven by US regulators.
China: playing catch-up
The Asia Pacific (APAC) region has seen a significant uptick in regulatory focus on AML and correspondent enforcement actions. This is most likely a result of the mutual evaluations conducted by the FATF starting at the end of 2018.
A notable jurisdiction in the region would be China that, on December 30, 2020, issued draft Administrative Measures on the Anti-Money Laundering and Counter-Terrorism Financing by Financial Institutions (Administrative Measures). These Administrative Measures are supposed to augment the Measures for the Anti-Money Laundering Supervision and Administration of Financial Institutions, issued by the People’s Bank of China (PBOC) in 2014.
Weaknesses within China’s financial-supervisory system and China-headquartered financial institutions, their subsidiaries and affiliates have been highlighted in recent years through several money-laundering investigations and enforcement actions across the world involving Chinese banks.
China has responded to increased criticism by making ongoing improvements to its AML-regulatory framework, but the PBOC appeared to be more concerned with controlling the outflow of money from the Chinese financial system. Meanwhile, the broader issue of money laundering through Chinese financial institutions remains an international concern.
Looking at the Administrative Measures, they appear to intend to address shortcomings and comments raised by the FATF during its 2019 mutual evaluation and will be very familiar to financial institutions around the globe. Amongst other things, the Administrative Measures now require financial institutions to establish internal controls and risk-management mechanisms that cover the following:
- Conducting a self-risk assessment,
- Establishing internal controls according to the risks identified in the risk assessment,
- Creating or designating a member of senior management with responsibility for AML matters,
- Establishing an independent audit function for AML matters,
- Creating a system of internal controls on the group level to ensure affiliates implement the same level of controls.
While the Administrative Measures closely resemble those rules and regulations that have been in place worldwide for more than a decade, the true litmus test for the PBOC will be the actual level of oversight and enforcement that represents the cornerstone of an effective AML framework.
The board’s AML risk agenda
Given the sweeping changes in legislation and the increasing level of AML enforcement globally, the risks facing financial institutions are likely to intensify. Boards of directors should help their institutions get ready to manage the changing AML-risk environment; as they prepare their risk agendas for 2021 and beyond, AML-risk management should be front and center.
Specifically, it will be necessary to ensure that boards of directors are involved holistically across all jurisdictions to prevent further regulatory-enforcement actions and bring meaningful change to AML-risk-management efforts. While legal and cultural differences exist between the various regulatory systems worldwide, a globally operating financial institution needs to adapt to global standards and local legal and regulatory requirements.
Some boards might also have to rethink AML-risk management slightly differently, shifting from compliance, which implies sole conformity to current rules and regulations in a particular jurisdiction, to actual risk management, implying a more fluid and flexible approach to AML risks. Rather than plainly seeking to meet today’s regulatory standards, boards should realize the importance of more agile AML-risk-management approaches that truly address the institution’s AML risks.
Finally, boards should hold management accountable for shifting the culture and mindset of compliance versus risk management; this will require them to have a sufficiently thorough knowledge of potential AML risks and various consequences of management decisions. Boards lacking this sufficiently deep knowledge will have to obtain it soon to be appropriately equipped for the future.
1 Finbold: Bank Fines 2020
2 US Congress: Public Law 107–56—Oct. 26, 2001: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 2001
3 U.S. Securities and Exchange Commission: Whistleblower Awards over $700 Million for Tips Resulting in Enforcement Actions