Speech by Rob Gruppetta, Head of the Financial Crime Department, FCA, delivered at the Accuity AML Risk Reduction and Compliance Europe Conference on 8 December 2015. This is the text of the speech as drafted, which may differ from the delivered version.
“Thank you for the opportunity to be here this morning to talk about the future of the anti-money laundering regulations.
Fourth money laundering directive
It is a good time to discuss this important topic. The new European money laundering directive is now out, and, as a result of this, we in the UK will need to upgrade our own domestic legislation, and the associated guidance and regulatory rules, over the next couple of years. The government will soon publish a consultation paper looking at how the UK will put the new European requirements into effect.
The Directive raises some potentially controversial questions. For example, it expects firms to "screen employees": what does this mean in practice? We do not yet know. Another issue: the accounts of foreign public officials – "Politically Exposed Persons", or "PEPs" as we call them - who are in a position to abuse public office for private gain – have long received greater scrutiny from UK-based bankers or other British providers of financial services, such as financial advisors. This is a requirement of the UK’s Money Laundering Regulations. But, the new directive requires British law to explicitly demand financial firms apply such checks to British public officials as well for the first time – quite a big and controversial step.
How will these requirements be put into effect? Well, the detail is not yet decided, so I would encourage you to engage with this consultation: it is you in the industry who must take practical steps that put anti-money laundering measures into effect, and if the law starts to ask for things that are unduly burdensome, the Treasury’s officials will want to be told this. While the directive is now "set in stone", the UK does have some degree of flexibility in how it implements the European requirements – how the gaps on which the directive is silent are filled, so don’t think engagement with the consultation is futile.
It is not only the UK government consulting as a consequence of the new Directive. The European-level financial regulators – like the European Banking Authority and European Securities and Markets Authority – are also inviting comment on their own jointly-prepared guidance notes about anti-money laundering, including guidance on the "risk-factors" that financial firms should consider as part of their AML measures. EU law means national regulators like the FCA, and financial institutions, must make every effort to comply with these guidelines. Regulators must incorporate them into their supervisory practices, by, for example, amending their own guidance. Regulators must either comply, or publicly explain why we have not done so. So it is important Europe gets this text right; consultation closes on 22 January 2016 (EBA press release, ESMA press release, EIOPA press release).
Financial crime return
Another consultation I would encourage you to feed into is about our proposed new data return. We have just published a consultation paper proposing that, for the first time, we will systematically gather statistics from firms about their financial crime risks. This new data return stems from a cross-FCA review of how we gather information from firms.
The data on this proposed new form will allow us to detect emerging financial crime risks, and also to target our supervisory work more accurately – it will increase our level of confidence that we are focusing our limited resources on the firms that face higher inherent financial crime risk. This data will be useful both to our mainstream line supervisors, and to our financial crime specialists.
The dedicated financial crime supervisors in my department do a range of work: we provide expert support to mainstream generalist supervisory teams on particular cases or issues. We also perform a programme of rolling in-depth reviews of the anti-money laundering controls of the biggest institutions – the “Systematic AML Programme” as we call it. A third important strand is thematic reviews into topics of particular concern or interest, such as the reviews of small banks’ AML controls published last year and how banks control financial crime risks in trade finance, the year before that. And finally we conduct inspections of firms that, while not among the very largest institutions that are subject to the Systematic AML Programme, nonetheless pose potentially higher risk.
It is this last programme of work where the proposed financial crime return would help us most; we use risk-metrics we have developed to determine which firms to look at, and the data from the return will allow us to focus our resources more accurately – and in proportion with the risks - than has previously been possible.
It would also allow us to collect aggregate statistics that we might publish and which could inform your own risk assessments. For example, we propose asking firms which countries you operate in that you assess to be high-risk. We also propose asking your perceptions of whether types of fraud you encounter are falling or rising in incidence. An industry-wide – and importantly, wholly anonymised - aggregation of such information sounds like something I’d want to see if I were a Money Laundering Reporting Officer or worked in a counter-fraud team in a regulated firm. If you agree, let us know!
But, financial crime is not always a topic that lends itself easily to statistical analysis, and it can be tricky phrasing the questions on the forms; we don’t want staff in firms whose job it is to compile these returns to be left struggling, asking themselves "what does the FCA mean by that?". So comments and suggestions now about how the form can be tailored, clarified or otherwise improved are very welcome.
The Senior Managers Regime and financial crime
An important area of recent change in UK’s regulatory system is the introduction of the Senior Managers Regime. The Parliamentary Commission on Banking Standards convened in the wake of the financial crisis recommended an overhaul of the regulators’ existing approved person regime. The reforms they proposed are close to going live, and are intended to transform corporate governance of the financial sector. One of the new requirements is for firms affected to give a senior manager at the top of the organisation explicit responsibility for overseeing the firm’s efforts to tackle financial crime. An obvious question is how does this sit alongside the role of the Money Laundering Reporting Officer (or "MLRO")?
During our recent contact with stakeholders - in the industry and elsewhere - we have come across some possible confusion about this. Let me try to dispel it.
Our purpose in designating the MLRO as a Senior Management Function was to continue to recognise the importance of an approved individual being accountable for ensuring that anti-money laundering controls are properly designed and implemented. In effect, this role is the same as the MLRO under the existing Approved Persons Regime.
At the same time we are keen to ensure the overall responsibility for the firm’s policies and procedures – the systems and controls for countering the risk that the firm might be used to further financial crime - should be discharged at the right level in firms, that is to say by someone with sufficient seniority to ensure that the firm as a whole is meeting its financial crime obligations. We expect firms to allocate the prescribed responsibility to the most senior individual responsible for reporting to the firm’s governing body on financial crime matters. This may or may not be the MLRO. Where it is not the MLRO, the prescribed responsibility includes the supervision of the MLRO. This is because we recognise that the MLRO may not always be at a senior executive level.
It is worth further clarifying that, while the person assigned the prescribed responsibility is responsible for the firm’s financial crime policies and procedures, all senior managers of operational units in a firm should be taking reasonable steps to mitigate financial crime risk.
Derisking
Everyone can agree that tackling financial crime is desirable. The Government's recent National Risk Assessment found that banks, which make possible the great bulk of all transactions that take place in the economy, are the part of the system most vulnerable to money laundering. It also found they pose the highest overall risk even once all the mitigating actions taken by banks and regulators are taken into account.
But the steps that the financial services industry takes to tackle money laundering and comply with financial sanctions are not costless. They are, in fact, expensive, occupying the time of many thousands of staff across the financial services industry.
So have we – both regulators and firms – got the balance wrong? Do the costs of today’s efforts to tackle money laundering outweigh the benefits to society of doing so?
A range of people are asking this question. A consultation by the Better Regulation Executive into cutting the "red tape" that stems from anti-money laundering rules recently took place and they will report their findings soon. Meanwhile, another review, by the Competition and Markets Authority, explored what barriers might constrain competition among banks offering services to small businesses. The need for customer due diligence checks is one area they have been exploring. Is the need to provide documentary evidence of the identity a small business’s owners one of the reasons they do not switch provider? And could more uniform customer due diligence requirements for small businesses encourage more switching without significantly increasing money laundering risk?
Taking a risk-based approach does not require banks to deal generically with whole categories of customers or potential customers.
The measures taken by industry to detect and prevent money laundering pose burdens on the public, particularly on some types of firm, like small businesses. Some people – a minority, but not an insignificant group - may also be left without banking facilities as a result of decisions banks make about financial crime risks. Again, some types of business or customer may be particularly affected. Money transmitters, charities and financial technology companies say they are affected and some banks are also withdrawing from providing correspondent banking services. This is a matter of widespread concern in some sectors, social groups, among regulators and at senior political level. It has even been given its own name: "derisking".
Banks are commercial organisations managing the risks they face. But we are clear that effective money-laundering risk management need not result in wholesale derisking. Taking a risk-based approach does not require banks to deal generically with whole categories of customers or potential customers: instead, we expect banks to recognise that the risk associated with different individual business relationships within a single broad category varies, and to manage that risk appropriately. While the decision to accept or maintain a business relationship is ultimately a commercial one for the bank, we think that there should be relatively few cases where it is necessary to decline business relationships solely because of anti-money laundering requirements.
There is a lot of ‘noise’ around derisking, but much of what we hear is anecdotal or an isolated case study, with little good quality data to size the problem. And our own supervisory work has found that there may be other factors at play here: decisions to close accounts are sometimes rooted in ethics and reputation, as well as profit, with anti-money laundering rules sometimes appearing to be a convenient excuse to exit accounts.
In summary, we need a much clearer picture of what is going on here. We have therefore commissioned research to try to shed some light on the "derisking" phenomenon. We want to gather evidence about the nature, scale and drivers of the issue so we can ensure our response to the issue is measured and proportionate. We are grateful to those who have given their time to speak to our researchers and provide information. But resolving this issue will not be easy; it is a difficult balance we are asking financial firms to achieve.
Innovation and new technology
Many of the criticisms of the AML regime, and the burdens it imposes, relate to the due diligence checks – commonly referred to as Know Your Customer checks, or "KYC" – that take place at the start of a customer’s relationship with a firm. As I have mentioned, there is a perception that anti-money laundering checks like this are a barrier to business, innovation and, ultimately, competition. This worries me.
Today’s AML regime was mainly conceived of in the 1990s, and it can sometimes feel that way: talk of photocopies of passports and utility bills can sound quite analogue, while the world has gone increasingly digital.
We are more than happy to see innovative methods being deployed by financial services firms. If we are doing anything that creates barriers to this, we want to know, so that we can stop.
Now, we, as the regulator, are technologically neutral. The same can also be said of the Money Laundering Regulations. We are not wedded to any one technology or approach as being the sole way of working. We certainly do not endorse any one provider or product. We are just interested in what works. We are more than happy to see innovative methods being deployed by financial services firms. If we are doing anything that creates barriers to this, we want to know, so that we can stop.
And there are many ideas out there for how new technology can help financial firms fight financial crime. Indeed, could applying new approaches to, say, streamline AML checks actually be a way of a firm differentiating themselves and getting new business? Could the wealth of information on social media, or the use of biometrics, transform how customer due diligence is done, or how anti-fraud measures work, or how banks filter the wheat from the chaff when deciding whether to make a suspicious activity report. If a payment was initiated by a fingerprint – unique to one human being – does this mean that other controls – controls that place burdens on customers - can fall away?
Regulators are not always clever enough to imagine this future. But technologists in financial firms and elsewhere will be brimming with ideas. We are happy for these questions to be asked and to look at what we can do to smooth progress. A small example: now customers’ due diligence records and details are no longer in cardboard files, but on computer systems, my inspection teams need to work with firms on how to review this information without the need for paper copies to be printed, and for many trees to die. But there are challenges here – for example, some firms’ data security policies won’t allow our staff to be granted access to their systems so they insist on printing everything anyway! More broadly, what scope is there for laws, regulations, rules and guidance to be tweaked to allow the regime to move forward? We are certainly interested in exploring this and plan to do more work on how new technologies can make things more efficient, effective and frankly easy for both firms and consumers.
Last month we launched a "call for evidence" about so-called "reg-tech". This asks for your views on what role we should play in fostering new technologies, including technologies that would aid the detection and prevention of money laundering, including by removing any regulatory barriers that exist. Another consultation for you to respond to!
We will not, of course, let techno-utopian visions blind us to the risks new approaches may introduce. The way in which firms identify and manage potential downsides related to such changes is something we are interested in. It is, for example, important not to lose sight of people who might be left behind. Innovative financial technology firms are newcomers who have the luxury of cherry-picking customers, but we should not let more vulnerable consumers slip from our view.
Many customers still lack common forms of ID, and it is important they are not disenfranchised as a consequence. Can, say, a mother in a women’s refuge, or a widower in a care home, still open a bank account, despite not having the documentary evidence of identity firms typically ask for? The Joint Money Laundering Steering Group’s guidance notes – which set out the bulk of the detail about how firms can meet their AML obligations - provide plenty of pointers about how firms might handle more vulnerable customers like this, and the types of alternative evidence that would be appropriate.
International Monetary Fund and Financial Action Task Force
I have talked about how we inspect financial firms’ anti-money laundering defences. Firms we regulate may take some comfort from the fact that the FCA is not immune from being made to answer difficult questions itself. International standard setting bodies like the International Monetary Fund (IMF) and the Financial Action Task Force (FATF) periodically evaluate the effectiveness of our work - and that of other bodies like the Prudential Regulation Authority, HM Revenue and Customs, and the Treasury - with teams of inspectors from the IMF and FATF arriving on these shores to assess the UK’s approach. This is a big exercise; we complete pre-visit questionnaires the size of phone books and attend lengthy and probing interviews with the assessors. An assessment by the IMF is underway, and a Financial Action Task Force evaluation is fast approaching. This is a valuable exercise that helps us learn from good practice elsewhere in the world, and gives us an opportunity to consider how we can improve our own approach. However, as those of you who have received a visit from us will probably know all too well - it does not always feel like that at the time!
Enforcement
In looking at the effectiveness of a country’s anti-money laundering defences, the IMF and FATF assessments put a lot of weight on clear evidence of action, such as prosecutions and enforcement. It is a yardstick by which many judge a regulator. But I want to assure you that no firm is referred to enforcement lightly. A lot of consideration is given to these decisions. Our Enforcement proceedings on financial crime issues are - and always will be - based on material failings in high risk areas. I have no interest in initiating enforcement action against firms for quibbling technical transgressions. An enforcement referral is in many ways a sad and bad outcome, not a signal of regulatory virility; it arguably shows failure by the regulator as well as failure by the firm.
But you will understand we must act when firms fall well short of the standards we expect. And we will continue to act where we need to: you will have seen the £72m fine we imposed on Barclays Bank late last month. In 2011 and 2012, the bank ignored its own process designed to safeguard against the risk of financial crime when arranging and executing a £1.88bn transaction for a number of ultra-high net worth clients who were also politically exposed persons. This is wholly unacceptable.
But it is important that Enforcement work is not the whole solution and that it complements our role in spreading and promoting good practice in a constructive manner, something we try to do through our thematic reviews and the non-binding guidance in our publication Financial crime: a guide for firms.
I hope that firms engage with us in that spirit - I want to take that forward so we and firms can ensure we are more effective in reducing the risk of money laundering through UK financial services firms. Otherwise, what’s the point of all this effort?
Thank you.