It has been a familiar story for over a decade.

Since 2008, regulators have been imposing substantial financial penalties for money laundering and sanctions failures. Moreover, during the 10 or more years that have followed, banks invested heavily in their Anti-money laundering (AML) functions to try to up their game.

Despite all the effort, we currently have over a dozen banks embroiled in the ongoing Europe-wide Russian money-laundering scandal, and some have collapsed under the weight of their financial crime failures. Given the focus of both regulators and financial institutions on financial crime risks, why are banks continuing to fail in this area? And what should they be doing differently?

Why are banks still struggling to mitigate financial crime risks effectively?

In our view, there are several reasons for this:

• The regulatory standards are increasingly stringent, while becoming more globally applicable

The 4th and 5th AML Directives in Europe have been cranking up the pressure on the regulated sector to identify and manage their money laundering risks more effectively. In addition, supranational organisations (e.g. European level bodies) and international governments (particularly in the U.S.) are pressing regulators to be more rigorous in their supervisory and enforcement activity. In our view, this pattern will continue as the various money laundering scandals have dealt a severe blow to the global reputation of European banks and regulators.

• The European Central Bank (ECB) is enhancing its oversight of firms and supervisors

The ECB, in cooperation with the European Banking Authority (EBA) and domestic supervisors, is increasing its monitoring of the implementation of AML/CFT standards. The aim is to drive greater consistency of supervisory and enforcement practices across Europe. In our view, the focus will particularly be on those countries which have both a history of corrupt funds being funnelled through their institutions and a comparatively low rate of regulatory actions against financial institutions for AML/CFT breaches.

• Lack of risk ownership by the first line of defence

Firms have not been successful in driving ownership of financial crime risk into the first line of defence. Many banks are still relying too heavily on their compliance and risk functions, with resulting gaps in effective ongoing monitoring of customer activity. This has been a central root cause of many recent enforcement cases.

• Lack of effective risk oversight by senior management

In many recent cases, a lack of senior management oversight has been apparent. Management have either taken ineffective action to correct deficiencies, or in some cases taking no action at all, despite there being multiple indications of an unacceptably high risk of money laundering.

• Underinvestment in technology

The regulated sector has been slow to upgrade technology platforms and have been slow adopters of new technologies. This is partly down to underinvestment, and risk adversity on the part of regulated firms to move away from existing systems. However, providers of new technology are also in the early stages of demonstrating how their tools can drive effective enhancements to financial crime processes. Banks that have grown through acquisition are particularly susceptible to technology issues, as their use of legacy systems and the ‘patchwork’ approach to technology infrastructure can lead to control gaps and difficulties in the ability to evidence compliance to regulators.

• Firms have not fully implemented a risk-based approach to financial crime

Although many banks across Europe have well-embedded risk assessment processes, for others this is a new concept that has only been introduced in the last 12-24 months, and these banks are often behind the curve. Risk assessments have not accurately identified or assessed risks, and control frameworks have not been tailored to specific geographies, customer types and transaction flows that bring with them the greatest level of financial crime risk.

What should banks be doing to meet these challenges?

The challenges – and the solutions that are required – are wide-ranging.

1. Seeking of ‘outliers’ in the business

Banks should try to identify ‘outliers’ in their business, that may be signs of money laundering or financial crime. For instance, banks should identify:

• Products, branches, and customer types which provide a substantially higher volume of Suspicious Activity Reports (SARs) than expected
• Business units that are generating disproportionately higher income or profit
• Any area of business that is experiencing an inflow of higher risk customer types (e.g. non-resident customers) or customers that are processing a more significant number of higher risk transaction types (e.g. payments to/from high-risk countries)

Some of this information – particularly concerning income and profit – has not traditionally been thought of as data relevant for financial crime risk, recent cases have shown that a more holistic review of the business is required to effectively understand risk exposure.

2. Embedding risk ownership in the first line of defence

This requires a cultural shift in many banks, which have historically seen compliance as the money laundering risk owner. Those that own client relationships and have the best view on the risk of clients and their transactions should also be responsible for identifying and managing the resulting risk. In the U.K., this will be further highlighted by the Senior Manager and Certification Regime (SM&CR), which will require clear statements of senior responsibilities and responsibility maps for financial crime risks and controls. Processes such as senior management attestations and the documentation of end-to-end processes with accompanying risk and control ownership documentation will also drive ownership into the first line.

3. Enhanced suspicious activity processes

Many of the findings from recent money laundering investigations could have been identified sooner with more effective suspicious activity monitoring. For instance, investigations have identified that some banks have been doing business with multiple shell companies that had:

• The same registered address
• The same mobile number and/or email address
• Submitted accounts to Companies House that showed low (<£30,000) annual turnover, even though millions of pounds were being funnelled through their bank accounts
• The same authorised signatory for the company accounts

Automated systems should be able to identify the signifiers of shell companies (as well as other high-risk customer types) and these identifiers should be subject to thorough investigation and analysis.

How A&M can help

For more information about A&M's Financial Crimes & Investigations services, please click here.