Yesterday I had the good fortune to moderate a compliance forum on financial crime, hosted by RANE Network and Exiger. As you can imagine, anti-money laundering compliance is a huge concern for financial firms these days, so let me distill a few themes from the conversation here.
Conflicting messages from regulators came up quite a bit—because compliance officers often mention “the regulators” as short-hand, as if all regulators speak with one voice and have a unified message about what they want financial firms to do. That’s not how reality works at all. One participant gave the example of one regulator telling him, “yes, you can woo clients by taking them to sporting events” immediately followed by another regulator saying, “no, you cannot woo clients by taking them to sporting events.” And these regulators were in the same country, telling the world they work together routinely.
We might dismiss contradictory regulators as a fact of life in compliance, but beware the larger point: if compliance officers get mixed messages about what regulators expect, you cannot develop a sound strategy to implement global AML programs. You can’t easily place big bets on new technology, or adopt global policies and procedures. Instead, you’re trapped reacting to one regulator’s request after another. And without an effective strategy, you can’t implement cost-effective techniques to manage compliance—you just throw bodies and money at the problem of the day.
Building a strong corporate culture also came up for discussion, as it always does in the compliance world these days. One person said good culture “can be seen right away.” So I stopped that person and asked for details, which led to a few other people describing effective corporate culture. It really boils down to three traits:
A strong CEO, who can send a clear message to the whole enterprise, “This problem is important and we will not tolerate it, or we will investigate fully if the problem has already happened.”
An independent compliance officer who can speak about misconduct risks to the board, CEO, and business unit leaders without fearing for his or her job.
A middle management that will take compliance concerns seriously. They may not argue for compliance on their own initiative, but at least they won’t pooh-pooh compliance when the CCO comes calling.
Your internal audit and compliance testing functions are critical here to keep culture on track. And while nobody brought up this point in the forum itself, I also believe that for anything you do with corporate culture, you must keep one eye on the HR department at all times.
Consider how your customer data and your AML screens interact. Fundamentally, a Know Your Customer program works by taking one list of customer names and screening them against other lists: of suspected money launderers, of suspected terrorists, of politically exposed persons, of people named in the Panama Papers; the list of lists, so to speak, is endless.
First, we can stipulate right here that simply creating a global repository of customer data for your KYC program is difficult. You will face privacy regimes around the world that might make the task impossible. You will risk false positives, duplicate names, and so forth. Assuming you somehow do build it, maintaining it will require vigorous attention from the IT department and business operating units.
Once you have that database, however, the best practice will be to run customer names through multiple filters at once. For example, it’s not enough that one of your customers’ names turns up in the Panama Papers; you should see whether his name turns up in the Panama Papers and something else—say, a list of PEPs in the Petrobras scandal. A double-whammy like that is a red flag.
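The multi-filter screening described above, as an added example that is not part of the forum discussion or the original post. It normalizes customer and watchlist names (so spelling variants such as "García, José" and "jose garcia" collapse onto one key, which is what keeps duplicate names and some false positives out of the repository), screens every customer against all lists in one pass, and raises a red flag when a name hits two or more lists. All list names, entries and customer records are constructed sample data; the `mandatory` parameter, which flags a single hit on a list where one hit is enough to act, is this example's own assumption rather than anything the post states.

```python
"""Cross-list KYC screening: flag customers whose normalized name hits
more than one watchlist. Added example; all names below are constructed."""
import re
import unicodedata
from collections import defaultdict


def normalize_name(name: str) -> str:
    """Canonical matching key: strip diacritics, punctuation, case and
    token order, so 'García, José' and 'jose garcia' produce the same key.
    Token sorting is a deliberate loosening: it catches surname/given-name
    swaps at the cost of some extra false positives to review."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", ascii_only.lower())
    return " ".join(sorted(tokens))


def dedupe_customers(raw_names):
    """Group raw customer records that share a normalized key, so the
    repository carries one entry per person, not one per spelling."""
    groups = defaultdict(list)
    for raw in raw_names:
        groups[normalize_name(raw)].append(raw)
    return dict(groups)


# Constructed watchlists (hypothetical names; none refers to a real person).
WATCHLISTS = {
    "panama_papers": ["José García", "Anna Kowalski", "Liu Wei"],
    "pep_petrobras": ["Garcia, Jose", "Marco Rossi"],
    "sanctions": ["Liu Wei", "Ivan Petrov"],
}


def build_index(watchlists):
    """Map normalized name -> set of list names it appears on, built once
    so every customer is screened against every list in a single lookup."""
    index = defaultdict(set)
    for list_name, entries in watchlists.items():
        for entry in entries:
            index[normalize_name(entry)].add(list_name)
    return index


def screen(customers, watchlists, red_flag_threshold=2, mandatory=frozenset()):
    """Return {customer: (sorted hit lists, is_red_flag)}.

    One hit is a review item. Hits on >= red_flag_threshold independent
    lists is the 'double whammy' red flag. A hit on any list in `mandatory`
    (assumption: e.g. a sanctions list) is a red flag on its own, because
    corroboration is not what decides whether you may keep that customer."""
    index = build_index(watchlists)
    results = {}
    for customer in customers:
        hits = sorted(index.get(normalize_name(customer), ()))
        flagged = len(hits) >= red_flag_threshold or any(h in mandatory for h in hits)
        results[customer] = (hits, flagged)
    return results


if __name__ == "__main__":
    raw = ["jose garcia", "José García", "Anna Kowalski", "Liu Wei", "Chen Wei"]
    customers = list(dedupe_customers(raw))  # one normalized key per person
    for key, (hits, flag) in screen(customers, WATCHLISTS, mandatory={"sanctions"}).items():
        print(f"{key:15} hits={hits} red_flag={flag}")
```

The structural point is the cross-list join: the index is keyed by the same normalized form on both sides, so a customer's hits come back as a set of list names that can be counted and weighted, rather than as separate yes/no answers from separate screens. A production screener replaces `normalize_name` with a scored fuzzy matcher (transliteration, phonetic keys, date of birth), but the counting logic stays the same.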
Keep up with Suspicious Activity Reports. We had considerable talk about how SARs fit into the self-disclosure regime. As someone who has spent much of the last 15 years associating self-disclosure with anti-bribery issues under the Foreign Corrupt Practices Act, I found the differences striking.
In FCPA world, the decision to self-disclose is a serious matter, and you still find people who say it isn’t always a smart move. In AML world, the consensus is almost that filing an SAR is routine. Several people noted that when regulators do inspect your compliance program, they always focus on what you missed, rather than what you’re doing well—so in that context, the wise move is to file an SAR at even the remotest chance it might be necessary.
Participants did say they wonder what happens to all those SARs. You might get a call months after filing one, from an FBI or Treasury Department agent you’ve never heard of, asking more questions. You might never hear anything more about it at all.
On the other hand, I know other compliance gurus who have worked in federal law enforcement for years; that is, they are the persons on the other side of that black hole, receiving all those SARs. Do the reports sometimes get filed away and sit in a drawer? Yes, those ex-law enforcement guys (they all tend to be guys) tell me. But they always say law enforcement still wants as many SARs as the banking world will file, since nobody knows when any two random SARs will connect in an unexpected way.
All in all, an excellent event, and we owe thanks to RANE and Exiger for having it.