AML is not without its accomplishments. The UK has been instrumental in establishing the Financial Action Task Force. Money laundering has been criminalised and covers the proceeds of all crimes. Europol has established itself in the fight against money laundering. The Egmont Group of financial intelligence units has been set up. The UK and 14 EU member states (plus the European Commission) are full FATF members and the remaining 13 are members of Moneyval. Governments evaluate each others' AML performance every so often. The term "money laundering" is now in common parlance.
However, the amount of proceeds of crime recovered as a result of successful money laundering prosecutions, as against the amount thought to be available to be laundered, is around 0.1-1.1 percent at best. Commission of the underlying predicate offences remains rife, and increasing, particularly in relation to emerging and disturbing criminality, such as the exponential growth of green crime and cybercrime.
Brexit has thrown in more challenges:
• Title X of the Brexit Withdrawal Agreement advocates supporting international AML/CFT efforts, the need to cooperate and to share information, but this is much looser than previous arrangements. That part of the agreement relating to AML is a mere 2 ½ pages, of which 2 pages are focused on Ultimate Beneficial Ownership
• The UK no longer has access to the Schengen Information System and related crime fighting databases. There is liaison through British embassies locally, but it is very much a "dialled down" relationship
• Although the UK has implemented EU MLD 5, "implementation" of MLD 6 and copycat steps of future EU regulation remain to be seen. In many areas new UK regulation is being prepared which will diverge from the EU, making decisions of equivalence, and thus cross border trade and action against international organised crime, far more difficult
• At a practical level, UK firms will have to follow local rules when dealing with EU based clients, and vice versa. This impacts cost, speed, effectiveness and profit
• Criminal organisations will exploit areas of confusion uncertainty and bureaucracy around Brexit, and new scams are expected
Increasing AML Effectiveness: Three focal points
At the same time, the EU Task Force on Improving AML Effectiveness around Europe has just released its report (https://www.fmli.co.uk/aml-in-europe-time-to-get-serious/). In it, the major AML issues in Europe are divided into three pillars: governance, risk management and capability. Some feel improving effectiveness is a simple question of reforming the European AML supervisory architecture with a new EU AML supervisor, but the answer is much more complex and nuanced than that. Such a step needs to be matched with action, commitment and improvements in capability to fight money laundering.
Pillar One: Governance
There are many fault lines across Europe in relation to AML governance. Brexit only adds to them:
• Both Europe and the UK lack a clear objective for what the AML regime is meant to accomplish. Without clarity of vision, mission and modus operandi, it is difficult to see how progress can be achieved. Most governments seem to focus on fining gatekeepers rather than convicting the perpetrators of predicate offences. AML compliance has become an end in itself. This is ineffective in reducing the scourge of drug, people, wildlife and firearms trafficking across Europe, etc.
• Only 15 EU nations are FATF members of FATF. 19 of the 28 EU member-states are members of the Eurozone. These fault lines cause dislocations across Europe.
• There is no EU coordinating body for AML policy except for the European Commission, with certain monitoring and supervisory functions carried out by the European Central Bank and European Banking Authority, and some loose information-sharing arrangements between national authorities. The report recommends creation of a new EU AML body, but with caveats
• The enforcement of criminal laws is reserved for individual member-states. True, there is some coordination of investigations through Europol, and instruments such as the European Arrest Warrant have been created, but usage of such tools varies wildly across the bloc.
• There is a real bottleneck in the FIUs. However, care must be taken that removing this does not just shift the problem to law enforcement and judiciary
Governance is not just about architecture, however. It's also about "battle rhythm":
• The gestation periods of legal and policy measures are far too long. For MLD 4, "flash to bang" time (from FATF policy development to implementation of law) was well over a decade. This is far too long. Such lag times undercut efforts to respond to the explosive growth of green crime, cybercrime and other issues.
• The mutual evaluation cycle is also around a decade long. Businesses are subject to annual reports, examinations and monitoring. Why should this concept not also apply to AML deterrence at governmental level? There is currently no annual assessment of country performance against FATF recommendations.
Pillar Two: Risk Management
No key performance indicators (KPIs) have been set by FATF, and countries are not even collecting data on underlying offences in a scientific manner, yet this is vital for effective policy development. How can policies be effective if you don't know the numbers? FATF has developed some indicators ("Immediate Outcomes"), but these are not the same as KPIs directly tied to predicate offences. An assessment of what really needs to be measured is urgently required to develop the correct tools, fund the most effective action and reduce the ever-growing scourge of underlying crimes. Greater government commitment is necessary. The report recommends better use of OKRs and KPIs at national and institution level.
Risk-based deterrence has been introduced to reduce compliance burdens and increase effectiveness. Although highly attractive conceptually, it has stumbled in practice, largely because the regulator decides what the risk is, rather than allowing firms to carry out their own risk function, with regulators verifying that the risk process works and firms honing their risk-assessment skills.
In assessing how deterrence should work, many have latched on to the three-lines-of-defence principle. This follows the old concept of castle building—the outer wall is the first line of defence, the inner wall the second, and the keep the final line. While fine for mediaeval strongholds, the only organisation building castles these days is Walt Disney.
For financial institutions this concept has customer-facing staff as front line, compliance as second line and audit in the castle keep. As a fortification against money laundering, the principle is outmoded and ineffective. It encourages the wrong mentality. Better a system of integrated active defence, where all AML assets are designed to work together in a manner similar to Integrated Air Defence Systems or Carrier Battle Groups.
Pillar Three: Capability
Training of law enforcement in how financial markets work is generally below what it could be. Virtually all law enforcement officers are given financial investigation training, but this is not the same as instruction in the operation of financial markets. Specialist financial police are needed, properly trained and supported. Commitment currently ranges from FIUs of just one officer, to specialist police like the Guardia di Finanza with around 70,000 persons.
Huge fines are levied on banks, yet governments appear unwilling to fund even small law enforcement projects to upgrade creaking IT systems. They even talk of special levies. Transparency over fines money is needed.
AML compliance has become an end in itself, with the real objectives lost in organisational data kleptomania. Digitisation of business has given rise to a search for an automated AML nirvana, reducing human input to a bare minimum. Yet AML is a human issue and programming errors can increase costs dramatically, as battles to reduce false positives have shown. Certain banks employ more staff on false positives than their national police force has in fighting money laundering. This needs rethinking.
Compliance is often seen as all cost with little or no benefit. Do some CEOs prefer to run the risk of fines to ensuring their business models and compliance functions are properly aligned, effective and efficient?
The Way Forward
So where does the solution lie? The following steps and options are recommended:
Governance:
• Develop clarity of vision and mission. Processes need to impact the underlying crimes, or there is no point introducing them.
• Develop a new AML body within Europe but be careful on governance. Sort out FIU.net.
• Ensure coordination between EU member states, and third countries, at all levels.
• Improve cross border cooperation at all levels, including data collection, intelligence generation, policymaking, investigation, information exchange, prosecution, etc.
Risk Management:
• Adopt OKRs and KPIs that relate to AML objective and underlying crimes. Measure what matters. Use the right metrics. Improve databases.
• Allow firms to develop and use risk-based systems properly.
• Carry out effective benefit-cost analysis of new laws and procedures.
• Adopt aggressive, coordinated defences.
Capability:
• Encourage training and spending on specialised financial police.
• Increase funding and support of law enforcement, enabling following the money trail.
• Improve training standards, including the courts process, policy makers, investigators and intelligence analysts.
The Future
We cannot go on as we are. Money laundering, like climate change and the threats to the natural world, is a truly international issue and needs a truly international response. We need a new agenda aligned to climate change and biodiversity steps the world needs to take urgently for its own survival. We must not be found wanting.
This is a guest blog post by Richard Parlour. Richard is a co-rapporteur for the EU Task Force on Increasing AML Effectiveness Across Europe. His focus is on all aspects of AML from policy to due diligence, investigations and training.