Money Laundering Deterrence in Europe: Time to Get Serious


Introduction

It is 2019, and 30 years since the Sommet de l’Arche in Paris established the Financial Action Task Force (FATF) to combat money laundering. So where have we come to in Europe, and what remains to be done?

Money laundering has been criminalised not just in Europe but the world over. Predicate offences have widened from drug trafficking to the proceeds of all crimes. Europol has established itself internationally in AML terms. The Egmont Group has grown into a large international organisation of 159 financial intelligence units, representing the operational arm of AML/CFT deterrence to complement the strategic arm of the FATF. Fifteen EU Member States (plus the European Commission) are direct FATF members and the remaining thirteen are members of Moneyval, the European regional version of FATF. Moneyval includes non-EU/EEA states such as Russia and Ukraine. European governments evaluate each other’s AML performance every so often. The term “money laundering”, unheard of in 1989, is now in common parlance. However, the amount of proceeds of crime recovered as a result of successful money laundering prosecutions, as compared to the amount thought to be available to be laundered, is around 0.1% at best. It is small wonder that commission of the underlying predicate offences remains rife, and increasing, particularly in relation to emerging criminality such as cybercrime. So why is the European AML system so ineffective in reducing the impact of the underlying crimes upon European citizens?

Key Issues

The major AML issues in Europe can be divided into three distinct areas: governance, risk management and capability. Some feel it is a simple question of reforming the European AML supervisory architecture, but the answer is much more complex and nuanced than that. True, AML deterrence in Europe does need better governance, but improved structure of European authorities alone will not keep organised crime lords and other members of the dark economy awake unless it is allied to action, commitment and improvements in capability.

1 Governance

There are many fault lines across Europe in relation to AML governance:

  • There is no clear stated focus on what the objective of AML should be across Europe. Yet without clarity of vision, mission and modus operandi, it is difficult to see how progress can be achieved. It should be greater than merely securing the financial and operational integrity of the EU, though that would be a good start. The focus of most governments seems to have switched to fining the gatekeepers rather than convicting the perpetrators of the predicate offences. This is ineffective in terms of reducing the scourge of drug trafficking across Europe, for example;
  • Only 15 EU Member States are members of FATF. The remaining 13 Member States are members of Moneyval, a 28-state European FATF equivalent which includes members such as the Caucasus states, Russia and Ukraine. 19 of the 28 EU Member States are members of the Eurozone. These fault lines all cause dislocation across the EU in terms of deterrence not just of money laundering, but of financial crime in general;
  • There is no EU co-ordination body for AML policy except for the European Commission, certain monitoring and supervisory functions carried out by the European Central Bank and European Banking Authority, and certain loose information sharing arrangements between national Member State authorities;
  • Laws relating to crime are reserved to individual Member States. True, there is some co-ordination of investigation through Europol, and instruments such as the European Arrest Warrant have been created, but usage of such instruments varies wildly across the EU;
  • Governance is not just about architecture, however, but also about “battle rhythm”:
      ◦ The gestation periods of European legal and policy measures are far too long. In relation to MLD 4, for example, the “flash to bang” time (from carrying out policy development within FATF to implementation of the associated directive) was well over a decade. This is far too long in relation to deterrence of money laundering, a problem which will be exacerbated by the need to respond to the explosive growth of cybercrime;
      ◦ The mutual inspection cycle is also around a decade long. With virtually all EU businesses subject to so much annual control and monitoring, why should this concept not apply to AML deterrence at governmental level? There is currently no annual assessment of EU Member State performance against the FATF 40 Recommendations.

2 Risk Management

No Key Performance Indicators (KPIs) have been set by the FATF or Moneyval, and Member States are not even collecting figures on the underlying offences in a co-ordinated manner, yet this is vital for effective policy development and for combating money laundering and its predicate offences. How can policies possibly be effective if you don’t know the numbers? True, FATF has developed some indicators (known as “Immediate Outcomes”), but these are not the same as KPIs related to the predicate offences. An assessment of what really needs to be measured is urgently required, in order to develop the correct tools, fund the most effective action, and reduce the ever growing scourge of the underlying crimes. Even the most advanced EU Member States are assessed as having a number of areas where major improvements are required, so greater government commitment is necessary.

In order to reduce compliance burdens and increase effectiveness, the concept of risk based deterrence has been introduced. Although highly attractive conceptually, the risk based system has been stymied because it is the regulator who now decides what the risk is, rather than firms carrying out their own risk function, with regulators checking that the risk process works and the firm developing its risk assessment skills. This initiative needs to become less dirigiste to succeed.

In assessing how deterrence should work, many regulators have latched on to a principle of three lines of defence. This follows the old military principle of castle building: the outer wall represents the first line of defence, the inner wall the second line, and the keep the final line. Fine for castle building in mediaeval Europe, but the only organisation building castles these days is Walt Disney. This concept of defence, as applied to financial institutions, has the customer facing staff as the front line, compliance as the second line and audit in the castle keep. It is outmoded, ineffective and encourages the wrong mentality in crime fighting. Better a system of integrated active defence, where all anti money laundering assets are designed to work together, as currently used by the world’s militaries to great effect in defences such as Integrated Air Defence Systems and Integrated Carrier Battle Groups.

3 Capability

Training of law enforcement in how financial markets work is generally below what it could be. Virtually all law enforcement officers are given some financial investigation training, but this is not the same as instruction in the operation of financial markets such that law enforcement has a chance of recognising egregious behaviour, apprehending the perpetrators and obtaining necessary evidence. Some kind of specialist financial police are needed, properly trained and supported, in all countries. Commitment currently ranges from Financial Investigation Units consisting of just one law enforcement officer, to specialist financial police like the Guardia di Finanza with a force of around 70,000 persons.

Fines levied on banks are in the billions, yet at the same time governments appear unwilling to fund even small law enforcement projects. One Member State agency, for example, which needed just over €5 million for its creaking IT system to cope with suspicious activity reports, has finally been promised the funding, but not until 2023.

AML compliance has become an end in itself, highly bureaucratic, with the real objectives having become lost in a mass of organisational data kleptomania. Digitisation of business has given rise to a search for an automated AML nirvana, reducing human input to a bare minimum. Yet money laundering deterrence is a human issue and programming errors can increase costs dramatically, as battles to reduce false positives have shown.

Compliance is also often seen as all cost with little or no benefit. CEOs appear to prefer running the risk of massive fines than investing sufficiently in ensuring that their business models and compliance functions are properly aligned, effective and efficient. Far from scandals having changed such attitudes, they have been perpetuated, as the recent response by Scandinavian banks demonstrates.

The Way Forward

So where does the solution lie? The following steps and options are recommended for consideration:

Governance

  • Develop clarity of vision and mission. Processes need to have an impact on the underlying threats, or there is no point introducing them;
  • Assess whether a new AML body is needed within Europe at policy co-ordination level. This could be separate, or be the policy arm of Europol, for example;
  • Ensure co-ordination works between EU Member States, EEA Member States, and non-EU/EEA states, at all levels, and with similar bodies in related areas, such as ENISA;
  • Improve cross border co-operation, at all levels, including data collection, intelligence generation, policy making, investigation, information exchange, prosecution, etc.

Risk Management

  • Adopt key performance indicators (KPIs) which relate to the underlying criminal threats which AML laws are intended to impact. These need to be thought through, rather than being measures which are adopted purely as they are a measure and/or are easy to measure (such as the number of suspicious activity reports filed with law enforcement). The right metrics are needed to combat the threat. Data collection techniques in this area are also in need of improvement;
  • Allow firms to develop and use risk based systems to improve effectiveness;
  • Carry out effective Benefit Cost Analysis (rather than Cost Benefit Analysis) of proposed new measures;
  • Adopt active, co-ordinated defences, rather than the static three lines of defence model with all its attendant difficulties referred to above.

Capability

  • Encourage training and spending on specialised financial police;
  • Increase funding and support of law enforcement, particularly of undercover operations and IT systems, enabling law enforcement to follow the money trail from commission of crimes;
  • Improve training standards to a new EU level, including the courts process, policy makers, investigators and intelligence analysts.

Options

So what are the options for Europe? In essence they are to carry on as now (“EU AML 1.0”), with little success. Alternatively Europe can counter money laundering with renewed vigour, centralising that which needs to be centralised, integrating all AML defence systems, and ensuring that this “EU AML 2.0” works in each of the various Member States, particularly given the differences in threat, vulnerability and risk of those Member States.

Looking at the figures on drug deaths, terrorism, fraud, cybercrime, organised crime, etc., in each of the Member States, and the negative impact this has on the whole of the EU, things could be different. Money laundering, like climate change and the threats to the natural world, is a truly European issue and needs a truly European response. We must not be found wanting.

Richard Parlour
Financial Markets Law International

CEPS intends to create a Task Force on how to progress the combat of money laundering at EU level. Interested parties are invited to contact the author, or CEPS direct.

Corporate Governance: The Latest

In the UK, the debate about corporate governance has been running since the Cadbury Code of 1992. Since those early days, a number of corporate scandals have provoked various revisions of the code. The latest iteration has just been issued in July 2018 by the Financial Reporting Council (FRC). There is no requirement to follow the Code, but the Code operates a principle of “comply or explain”. This is clearly rather more dirigiste than just leaving companies to decide whether to follow it or not, though there is only one mention of compliance throughout.

There are five elements of the revised Corporate Governance Code, each with related principles. All are ones which should form part of the overall system of governance of a company, but there are others; some elements of the Code do not sit well with each other, and other areas are omitted entirely. Let’s take a look:

1. Board Leadership and Company Purpose

A. A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society.
B. The board should establish the company’s purpose, values and strategy, and satisfy itself that these and its culture are aligned. All directors must act with integrity, lead by example and promote the desired culture.
C. The board should ensure that the necessary resources are in place for the company to meet its objectives and measure performance against them. The board should also establish a framework of prudent and effective controls, which enable risk to be assessed and managed.
D. In order for the company to meet its responsibilities to shareholders and stakeholders, the board should ensure effective engagement with, and encourage participation from, these parties.
E. The board should ensure that workforce policies and practices are consistent with the company’s values and support its long-term sustainable success. The workforce should be able to raise any matters of concern.

The place to start is with the vision for the organisation and its rationale. It is extremely difficult to work out what to do effectively if the corporate destination is unknown. Start with “Why?” Once current and future locations are known, the company’s mission is far easier to set. The final part of setting a governance structure is culture. This is also vital from an intellectual property perspective. Whilst products and services can be copied, and values mimicked, culture is almost impossible to steal. Clarity on the above is the foundation upon which the other elements referred to can be built and operated.

2. Division of Responsibilities

F. The chair leads the board and is responsible for its overall effectiveness in directing the company. They should demonstrate objective judgement throughout their tenure and promote a culture of openness and debate. In addition, the chair facilitates constructive board relations and the effective contribution of all non-executive directors, and ensures that directors receive accurate, timely and clear information.
G. The board should include an appropriate combination of executive and non-executive (and, in particular, independent non-executive) directors, such that no one individual or small group of individuals dominates the board’s decision-making. There should be a clear division of responsibilities between the leadership of the board and the executive leadership of the company’s business.
H. Non-executive directors should have sufficient time to meet their board responsibilities. They should provide constructive challenge, strategic guidance, offer specialist advice and hold management to account.
I. The board, supported by the company secretary, should ensure that it has the policies, processes, information, time and resources it needs in order to function effectively and efficiently.

The best starting point for the above is to map an organigram of the organisation, both in its current state and future desired end state. Go through it to ensure all business functions are included. Next, check against all potential conflicts of interest, and assess ideal reporting lines, finally checking the balance between all elements and ensuring against a 50/50 lockout.

3. Composition, Succession and Evaluation

J. Appointments to the board should be subject to a formal, rigorous and transparent procedure, and an effective succession plan should be maintained for board and senior management. Both appointments and succession plans should be based on merit and objective criteria and, within this context, should promote diversity of gender, social and ethnic backgrounds, cognitive and personal strengths.
K. The board and its committees should have a combination of skills, experience and knowledge. Consideration should be given to the length of service of the board as a whole and membership regularly refreshed.
L. Annual evaluation of the board should consider its composition, diversity and how effectively members work together to achieve objectives. Individual evaluation should demonstrate whether each director continues to contribute effectively.

Diversity is an interesting topic. The assumption appears to be that diverse boards and organisations produce better decisions than those which are not so diverse. A word of warning, however, to avoid diversity for diversity’s sake. Ensuring that the necessary skills, knowledge and experience exist and work well together is one thing. Ending up with a Tower of Babel where the decision making process is mired in correctness and there is no effective organisational culture is quite another. Getting people who align with the culture will be more of a key to success. A warning on evaluation settings too, as these can take over a decision making process and heavily distort success. Make sure they are useful, and aligned with organisational culture.

4. Audit, Risk and Internal Control

M. The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.
N. The board should present a fair, balanced and understandable assessment of the company’s position and prospects.
O. The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

Avoidance of bias and conflict is crucial, as indicated above. Yet this needs to be applied to other functions of the organisation than audit. Remember that risk is not necessarily a bad thing. No risk, no action. No action, no success. Carry out a benefit cost analysis, not a cost benefit analysis.

5. Remuneration

P. Remuneration policies and practices should be designed to support strategy and promote long-term sustainable success. Executive remuneration should be aligned to company purpose and values, and be clearly linked to the successful delivery of the company’s long-term strategy.
Q. A formal and transparent procedure for developing policy on executive remuneration and determining director and senior management remuneration should be established. No director should be involved in deciding their own remuneration outcome.
R. Directors should exercise independent judgement and discretion when authorising remuneration outcomes, taking account of company and individual performance, and wider circumstances.

This element has become highly politicised, essentially because remuneration multiples between the highest and lowest paid in organisations have increased in recent years. What might be more useful is to avoid taking on the corporate “surfers”. These are easy to spot: they are the directors who move on every two years, are really only in it for themselves, and are almost guaranteed to be a drag on your organisation’s success, usually massaging results by cutting vital elements of the organisation’s services to improve profitability with no thought to the future (as they will be gone within two years anyway).

The latest version of the Code thus has some useful elements, but do not view them as comprehensive, and do not ignore the practicalities behind organisational success. It would be interesting to gain your views on the new Code and what has been set out above. Do not hesitate to get in touch!

EU Cybersecurity Policy in the Financial Sector

With the inexorable rise of e-commerce comes the inexorable rise of the e-criminal. Cybercrime is now the world’s fastest growing crime. It has leapt to number two of the top ten business risks worldwide, from not even appearing in that list five years ago. For certain countries, cyberattack is now the risk of greatest concern. Gone are the days of concern about a low level hack of a website by a script kiddie. Today’s attackers are multi-faceted and increasing in sophistication, ranging from advanced persistent threats, corporate espionage, organised crime and “hacktivists” to cyberterrorists, ever more competent and ever better funded. Cybersecurity has moved from being a technical issue to a political and boardroom issue. Financial markets are particularly important as they oil the wheels of all member state economies.

So what should the priorities of cybersecurity be? There are three core themes to address:

  • Governance (at all of organisational, international and national levels)
  • Risk Management (both contextually and intelligence driven)
  • Capability (cybersecurity by design and by default, using a standard framework applied to context)

Amid several large cyberattacks in 2017, the European Commission adopted its multi-sector cybersecurity package. Nonetheless, a multitude of issues remain that the financial sector needs to address in order to bolster its resilience against current and future threats.

An EU Task Force on Cybersecurity Policy for the Financial Sector was established, chaired by Richard Parlour of FMLI. The key policy recommendations are set out below.

The policy recommendations

1. Convergence in the taxonomies of cyber-incidents is needed.

2. The framework for incident reporting needs to be significantly improved to contribute fully to financial institution cyber-resilience.

3. Authorities should assess how and to what extent data held by the centralised hub should be shared and with whom.

4. Ambitious policies are needed to develop consistent, reliable and exploitable statistics on cyber-trends.

5. Best practices for cyber-hygiene should be continuously enhanced.

6. The European Cybersecurity Certification Scheme needs to be strengthened to contribute better to cybersecurity, cyber-risk management and capability.

7. The reinforcement of cross-border cooperation and legal convergence remains a priority, both within the EU and more widely.

8. Best practices in remedies in case of cyberattacks need to be further encouraged.

9. Policy-makers should further assess the pros, cons and feasibility of creating an emergency fund in case of large cyberattacks.

A common taxonomy for cyber-incidents

A common taxonomy across regulations, jurisdictions and sectors should ease the understanding of multi-country and multi-sector cyberattacks, and eventually strengthen the quality of responses. Given the ever-changing nature of cyberspace, the reference taxonomy should be flexible enough to be revised regularly. This common taxonomy should include specific variants applicable to different sectors.

Wherever possible, convergence in templates for incident reporting is needed across legislation. However, given the diversity of purpose of legislation, full harmonisation in those templates remains challenging.

Incident reporting framework

The emergence of different reporting requirements (notably in GDPR, PSD2, NISD, ECB/SSM, the eIDAS regulation and Target 2) raises questions as to the best cyber-incident framework to boost financial institution cyber-resilience.

First, national templates for the NISD and GDPR should be harmonised across the EU. Secondly, large firms active in different countries need to develop adequate consolidation processes of the “overall cyber-risk” at group level. Thirdly, authorities should be able to exploit the content of incident reporting to inform and advise CSIRTs in return. For that purpose, policy-makers and firms should assess together the risks and opportunities of developing a standard messaging system.

Fourthly, the creation of a European sectoral hub in charge of centralising all incident reports, dispatching the right information to stakeholders and advising both authorities and CSIRTs could greatly reinforce the incident reporting framework. Finally, in order to create a resilient cybersecurity framework that could efficiently handle multi-sectoral cyberattacks and prevent contagion from one sector to another, the hub should also be able to cover all economic sectors.

Data sharing by a centralised hub

Authorities should encourage the set-up of platforms to facilitate voluntary exchange of cyber-information between financial institutions. In parallel, incident reporting requirements should fully contribute to financial institution cyber-resilience. Incident reporting data should be quickly shared with relevant stakeholders.

First, a centralised hub in charge of incident reporting should quickly provide relevant supervisors with the right information on cyberattacks. Secondly, the hub needs to share relevant information with financial institutions, provided there is balance between building up an efficient collective response to cyberattacks and safeguarding firms’ interests. To provide technical assistance to those firms, the hub would need a clear mandate.

Sharing information with firms’ potential clients through development of cyber-ratings that mirror the cyber-risk to which each supplier, and therefore their potential clients, is exposed should be based on market rather than regulatory initiatives. Tight security of the data managed by the centralised hub should be the main priority.

Macro statistics benchmark

The absence of a macro statistics benchmark on cyber-trends and the poor consistency across sources raise the risk that the cyber-strategies of firms and cyber-policies are not well-founded. If a centralised framework is developed for incident reporting, robust and relevant macro statistics could be developed at national and European level.

Specifically, robust statistics on the financial impact of cyberattacks will enable better understanding of the overall impact of attacks and inform cyber-policies and strategies. However, the complexity of measurement at firm level has so far made consistent methodologies impossible. A principle-based list should operate at EU level, with the aim of enhancing best practices to measure both “tangible” and “intangible” factors. Convergence should be achievable provided that collaboration is improved between cyber-authorities, CSIRTs, CFOs, CIOs, other authorities, etc.

Promoting cyber-hygiene

Authorities should continue to enhance best cyber-hygiene practices. Principle-based lists should be updated on a regular basis. At present they should for example include conducting adequate education and awareness activities, updating programs regularly and patching systems, creating complex passwords and changing them frequently, using micro-segmentation, multifactor authentication and encryption of sensitive data, implementing the least privilege principle, developing an adequate strategy to handle shadow IT and establishing an incident response and reporting plan.

European Cybersecurity Certification Scheme

Given the rising importance of digital technologies and their vulnerability to cyberattacks, authorities need to address information asymmetries and the fragmentation of standards in national certification. A European Cybersecurity Certification Scheme could be a powerful tool for reinforcing harmonisation, raising awareness and ensuring mutual recognition.

Yet the Commission’s current proposal lacks practical operability and adds unnecessary complexity. As the scheme’s success depends on voluntary participation, value added must exceed costs. With too many issues left unclear, the current European Cybersecurity Certification Scheme needs to be strengthened to have a positive impact on cybersecurity.

Reinforcing cross-border cooperation and legal convergence

The cross-border framework to facilitate exchange of information and electronic evidence for prevention, investigation and attribution of cross-border cybercrimes needs further development. When cyber-criminals are identified, convergence in national legal frameworks is needed to facilitate extradition.

Enhancing best practices in remedies after cyberattacks

Best practices in cyberattack remedies need encouragement by EU and national supervisors through core principles. These include robust methodologies to assess how firms and/or clients share cyber-liability. Principles should also cover the best remedies where data theft has no immediate financial loss.

Emergency fund in case of large cyberattacks

Authorities should assess the feasibility of developing an emergency cyber-fund to alleviate the risk of financial instability in case of major cyberattack. Criteria for a cyber-incident to qualify will have to be well defined in advance.

The benefits and costs of the different options to create such a fund require careful analysis. Could existing EU natural disasters funds be extended to cyberattacks or would it make more sense to create a fund that covers all operators of essential services?

Please contact us if you would like a copy of the full report, or to discuss any cyber issues you may have.

AML Latest Developments: Three Lines of Defence – Time for Something That Works!

Topolcany Castle - Slovakia - Aerial

Topolcany Castle in the Slovak Republic is often acknowledged to be one of the best examples of mediaeval castle architecture anywhere in the world.

It was built on the classic three lines of defence model. There is an outer wall, an inner wall, and a keep.

Three barriers for an enemy to surmount.

The only builder of castles in latter day history, however, is Walt Disney.

So why has the three lines of defence model been so trumpeted as the best model of AML defence for financial markets?

Consider Rorke’s Drift in 19th-century South Africa. At least the military had stopped trying to build castles and defence was a bit more fluid. Three lines of defence again, however: a front line, a middle line and a rear line.

Although the battle resulted in a victory for those using the three lines of defence, it was without doubt a pyrrhic one, and no military uses it today.

Again, why has the three lines of defence model been so trumpeted as the best model of AML defence for financial markets? Was the issue with Topolcany Castle one of bricks and mortar? Was the issue with Rorke’s Drift a lack of machine guns?

The key issue is a psychological one. If you are in the keep, you don’t really pay much attention to those at the outer wall, or even at the inner one.

If you are in the third line, it doesn’t feel as exposed as being in the front line. The key issue, however, is multifaceted:

  • Three Lines of Defence is a static model, yet enemies probe and probe again until they get past the barriers or overcome them;
  • The Three Lines of Defence model focuses on defence of a particular area of ground or asset. The focus of defenders is very much an inward facing one;
  • The Three Lines of Defence model does not encourage best teamwork or use of assets.

The UK has recently seen the launch of the Queen Elizabeth II aircraft carrier.

Many seem to think that this ship has a lot of capability.

It does, but to set sail without a task force of ships, submarines and air cover would be suicidal. An aircraft carrier group is required, fully integrated and constantly communicating between the various elements.

It is not just at sea that such a concept of active integrated defence is used, but also on land, whether that is of an Army Group, or an Integrated Air Defence System.

The AML landscape has changed markedly since the Sommet de l’Arche in 1989.

The original objectives of preventing crime by taking away the benefit of the proceeds of crime, and of tracing the monies through criminal groups and seizing them, have transmogrified into an environment where drug deaths, terrorism, organised crime, cybercrime, etc., are all on the up and it is the financial institutions which are proceeded against.

Compliance has become little more than a process to follow regulation, with little thought, and even less impact on the underlying crimes for which the whole AML edifice was established.

Moving from an ineffective three lines of defence policy to an integrated anti financial crime system will assist achievement of the original aims, both at market and financial institution level.
