By Sven Stumbauer, Senior Advisor, Norton Rose Fulbright LLP
The stakes are high for financial institutions—regulatory authorities across the world are conducting a wave of investigations into suspected non-compliance with anti-money laundering (AML) regulations and imposing sanctions requirements that, in many cases, have resulted in substantial fines, jeopardized licenses and significantly damaged reputations. In addition, given the growth of individual-accountability regimes across the globe, C-level executives and board members may find themselves in the regulators’ crosshairs for AML and sanctions failures.
To assess global industry trends, Norton Rose Fulbright conducted its 2021 Global Anti-Money Laundering and Sanctions Compliance Survey of 375 financial institutions (including banks, asset managers, insurance companies, cryptocurrency operators, payment providers and broker-dealers) from 77 jurisdictions to gauge how institutions are addressing the challenge.
Increasing scrutiny
Across the board, our survey respondents indicated that they experienced a significant uptick in regulatory reviews in 2020, with 71 percent of financial institutions across the globe citing increased regulatory scrutiny.
As various countries intensify their focus on AML and sanctions enforcement and regulatory authorities continue proactively to investigate potential breaches and pursue enforcement action, this was a trend that the vast majority of our survey respondents (81 percent) expected would continue in 2021 and beyond. The highest level of perceived regulatory scrutiny was reported in APAC (Asia-Pacific), followed by North America and EMEA (Europe, the Middle East and Africa).
When survey respondents were asked what they believe is driving the increased levels of regulatory scrutiny, a variety of reasons were given, including:
- FATF (Financial Action Task Force [on Money Laundering]) mutual evaluations—particularly in Asia,
- Financial institutions that provide services for cryptocurrency operators,
- Continuous pressure by regulators on financial institutions in the United States, with a particular focus on non-US-headquartered financial institutions, both for AML and sanctions compliance,
- Legislative changes in AML laws across the globe and intensified use of the US sanctions regime for geopolitical purposes.
Cost of compliance
Overall, the cost of AML and sanctions compliance has increased and will continue to increase in the future. Around two-thirds (67 percent) of survey respondents reported spending increases over the past 12 months.
This does not appear to be a short-term trend. There was consensus that the overall cost of AML and sanctions spending will continue to increase, with 74 percent of survey respondents expecting an increased spend over the next 12 to 24 months.
While spending on AML and sanctions compliance is trending upwards, not all budgets at financial institutions have apparently kept pace. Across the board, 41 percent of survey respondents considered their budgets inadequate or severely inadequate.
The areas identified as the largest drivers for spending were:
- Risk-assessment finetuning,
- Reviewing and updating customer files and associated remedial actions,
- Updating policies and procedures with a particular focus on changes in customer-onboarding procedures,
- Recruiting compliance personnel.
Raising the bar on risk assessments
During our survey, more than half of all the financial institutions identified completing adequate AML (56 percent) and sanctions (58 percent) risk assessments as one of their top three challenges in 2021 and beyond.
Our survey results suggest that financial institutions around the globe largely realize that risk assessments, as conducted in the past, are not as useful as they once were if conducted with a “checklist” approach or by completing a simple matrix. Rather, a more agile and dynamic risk-assessment model is needed to allow boards and senior management to deploy often limited resources across areas of highest risk in their particular financial institutions.
The key question “Do we know our true risk?” emerged, showing that boards and senior management increasingly see less value in a risk assessment that is conducted to “just provide updated statistics over the past 12 months, with no change in risk, while our business changed significantly”.
Rather than creating static matrixes of AML and sanctions risks, financial institutions need a systematic way to resolve the question of what risks to take and which ones to avoid. Currently, many financial institutions think about their risk appetites in purely static terms rather than adopting a more agile risk-management approach. If a risk assessment becomes a pure check-the-box exercise summarizing statistics accumulated over the past 12 months, a financial institution will make decisions based on past information rather than forward-looking information.
Next steps
So how do financial institutions steer clear of the AML and sanctions hurdles ahead of them in 2021 and beyond? The following are key considerations for not only the financial institution’s compliance and risk-management professionals but also its business leadership team:
- Fostering an internal culture of “one business”, meaning that AML and sanctions risk management and compliance should not be seen as a “deal-breaking department” but rather an active part of the overall business culture with incentives aligned across business units.
- Shifting the mindset from a check-the-box exercise, which in certain institutions and regions still appears to be prevalent, to a true risk-management function. Without this shift occurring rather rapidly, we will continue to see regulatory actions and corresponding monetary fines in 2021 and beyond.
- Dynamic risk assessments should be implemented to identify changing business circumstances and shifting risk to properly address those shifts, rather than reacting to them retroactively.
- As lockdowns and restrictions start to ease around the world, financial institutions should take a hard look at potential risk and regulatory exposures during the global COVID-19 crisis. While some financial institutions were better prepared than others, none of our survey participants had tailored response plans in place as the global COVID-19 crisis started to unfold. Now is the right time for financial institutions to take a hard look at shifts in transactional and customer behaviors that occurred over the past 12 months and determine their potential regulatory exposures.
- In light of the above, financial institutions should consider an independent benchmarking exercise to not only assess strict compliance with AML and sanctions rules but also the efficiency and effectiveness of current internal processes. This will help them understand their strengths and weaknesses and refocus resources on problems that need immediate attention before they come to the regulator’s attention.
- As our survey respondents highlighted, traditional financial institutions are still plagued by legacy, often inflexible data repositories. In order to increase their ability to more dynamically assess their AML and sanctions risks and be able to immediately access data and deploy tools such as machine learning, data must also be re-platformed from legacy systems so it becomes widely accessible. This availability of data, of which traditional financial institutions have tremendous amounts, will make data enormously valuable and digitally accessible. To stay ahead of the curve in AML and sanctions compliance, it will become absolutely necessary to modernize.
- As consumer acceptance of fintech (financial technology) companies increases, evidenced by their tremendous growth over the past few years, certain activities are moving away from heavily regulated traditional financial institutions. This not only poses challenges for the fintech companies themselves but also shifting risks for traditional financial institutions that provide banking services to fintech companies.