Speech by Rob Gruppetta, Head of the Financial Crime Department at the FCA, at our Financial Crime Conference.
Speaker: Rob Gruppetta, Head of the Financial Crime Department
Event: FCA Financial Crime Conference, London
Delivered: 10 November 2016
Note: this is the speech as drafted and may differ from delivered version
- It is crucial that we work together across industry, regulators and government to fight financial crime.
- We know that there are unintended consequences of the anti-financial crime regime and we want these to be minimised wherever possible.
- We take a risk-based approach to regulation and focus our efforts where we think the risk is greatest.
In 1968, in Canning Town, a gas explosion in a tower block called Ronan Point led the building to partly collapse. Four people were killed. A report into the disaster by the eminent structural engineer, Sir Alfred Pugsley, led to swift and dramatic changes to Britain’s building codes. But Professor Pugsley also worried about regulation. He wrote that rules about the strength of structures will inevitably stifle development and innovation. At worst, he felt, building regulations not only stultify, but can be the actual cause of accidents.
In a world where it is possible for buildings to collapse and for banks to fail, and, my own area of interest, where it is possible for criminals to abuse the finance sector, we need regulation to protect the public from these dangers. But we need to be alive to the unintended consequences of regulation.
As you all know, the Money Laundering Regulations require certain businesses – like banks, solicitors, accountants and casinos – to take active measures to detect and prevent money laundering. I guess most businesses would do this anyway, even without the law. You would check a new customer’s identity to protect yourself from conmen and bad debtors. Civic duty would lead you to call the police if you suspected a crime.
But some businesses may be tempted to turn a blind eye – a firm under financial pressure, for example, could be tempted to profit from catering to criminals. And so the requirements have been formalised into the law. If a business falls short of the Money Laundering Regulations this does not usually mean that they themselves are money launderers, but they cannot claim to have solid defences against accepting dirty money.
We have been given the job of policing what financial firms are doing to detect and prevent money laundering. Our supervisory staff focus their efforts where we think the risks are higher: cross-border business with riskier countries, wealthy politically-exposed clients, things of that sort. We are sometimes disappointed with what we find. But our supervisors mainly find that the steps the industry is taking to manage the risks of the vast majority of its standard-risk customers are, when subject to our scrutiny, broadly adequate and any necessary follow-up is usually informal.
We are also seeing better senior management engagement in both large and small firms. In short, the great big machine that seeks to know who your customer is, why they are banking with you and whether what they are doing is suspicious, works pretty well in the majority of institutions’ dealings with standard risk customers, who are of course the vast majority.
That is not to say things cannot work better. But I think we in the regulatory and law enforcement agencies should be honest with ourselves and say that we must ourselves actively contribute to any improvement.
A great example of this in practice is the new Joint Money Laundering Intelligence Taskforce (JMLIT): this partnership of banks, law enforcement and regulators has made very quick progress in aiding voluntary information sharing between industry and the authorities, and has quickly demonstrated the benefits of this kind of working.
Getting more intelligence about launderers has many benefits for industry. Sharing information can help banks form a picture of whether a transaction truly is suspicious, for example, or can allow suspicious patterns to be detected that would otherwise be missed. Feeding back cases of laundering into transaction monitoring systems will help spot the patterns associated with these crimes, and aid future detection.
There will be challenges. For example, how can this arrangement be scaled up, while still fostering the trust that voluntary information sharing relies upon? And we, as the regulator, also need to foster trust. I am making clear now that our supervisors will stand back from JMLIT: they will not seek to probe or second-guess how banks participate. We want to be seen as an equal partner contributing to JMLIT who understands the etiquette for participation as it evolves over time.
Overall I think JMLIT is a great step and I am very optimistic about what it can achieve in future.
Minimising unintended consequences
I said we need to be alive to the danger of unintended consequences. We need to be aware that regulation has costs. The emotive nature of crimes like terrorism and fraud and many of money laundering’s predicate offences – like drug trafficking – can lead some to conclude we should ‘stop it at any cost’.
Meanwhile, the difficulty of measuring the prevalence of terrorist plots or of how much money laundering is taking place makes it tough to know if the volumes are falling or rising, and whether our efforts are having the desired effect. Money laundering is, after all, a secret activity designed to conceal other secret activity.
The lack of clear data can lead to impressionistic and anecdotal evidence informing policymakers and commentators. For example, when law-abiding customers are inconvenienced or lose access to banking facilities, this can create an impression of an inflexible regime that is unduly burdensome.
On the other hand, perceptions that the London property market depends on foreign money of doubtful provenance lead many to conclude that today’s AML requirements are just a fig leaf. So all our decisions take place amidst much uncertainty about the benefits and the costs.
We should not lose sight of the fact that the ‘machine’ I mentioned a minute ago is not cheap to run and some are questioning whether it is a top-heavy burden on the industry.
Anti-money laundering measures across the UK economy cost billions of pounds a year. I know the BBA has estimated its members collectively spend £5bn each year on financial crime compliance. Of course, even without the money laundering regime, you would want to know who you are doing business with to protect yourselves. A good portion of this cost is just a consequence of doing business. But £5bn is nonetheless a huge figure. It is, for example, about half the size of the entire UK agricultural industry. It is the same size as the economy of Brighton and Hove.
This suggests that each SAR you submit is the product of thousands of pounds-worth of work. Is the average SAR yielding thousands of pounds-worth of intelligence to the authorities? Would the police spend thousands from their own budget to get the information in the typical SAR?
Likewise, we recognise the measures required by the anti-money laundering regime impose burdens and inconvenience on law-abiding companies and members of the public. The costs of it will ultimately be borne by customers.
And so we must reach a balance. We, in the FCA, want to support industry’s considered steps to reduce compliance costs. We cannot change the law, but if you think guidance we have produced is a hindrance or unrealistic, please tell us. If there are new methods or innovative technologies that can help streamline the experience for customers and lower your costs, I want to be clear that we are not standing in your way.
We have spoken to businesses with sophisticated new transaction monitoring technologies and with ideas for fostering new ways for firms to share information. And I am keen on supporting businesses that come to the FCA’s Project Innovate scheme with new ways of addressing financial crime risks.
Likewise, I am encouraged by initiatives like the Government’s ‘Verify’ digital identity project, which we will hear about today; I understand several financial firms are exploring how these government-sponsored digital IDs can complement or replace aspects of their own customer due diligence checks, and this sounds like a promising cost-saving idea.
I want to be clear that, if you are taking steps to tackle money laundering that, on reflection, are not effective, then stop or adjust them. If a big expensive transaction monitoring system ends up costing tens of thousands of pounds for each piece of reportable intelligence, then it is only right that you question that.
And what other measures could regulators, law enforcement and government take to help you cut costs? We think several reforms are worth exploring – and we are raising these points with the Government.
First, could some aspects of transaction monitoring be centralised – whether it is done by industry or the public sector, could centralisation help achieve economies of scale, lessen duplication and, most importantly, help firms and law enforcement see the bigger picture more clearly so they can make more refined judgements about what is – and is not – suspicious?
Second, is the criminal liability attached to the Money Laundering Reporting Officer role actually doing more harm than good – does it lead to overly conservative or defensive reporting which muddies the water for law enforcers?
Lastly, would some limited relaxation of the reliance provisions in the Money Laundering Regulations reduce firms’ reluctance to share customer due diligence information?
These are ideas for long-term reforms. The last one would require international standards to be renegotiated. But we certainly think they are worth exploring.
Our approach to supervision and feedback from SAMLP
I have talked about our perceptions of firms’ efforts to tackle financial crime, and the picture is looking better than it did a few years ago. How do we assure ourselves our views are valid?
Firstly, in addition to the work we carry out on firms we think have higher risk business models, we will soon begin inspecting a random sample of other firms we supervise under the Money Laundering Regulations. This will include businesses like financial advisors, stockbrokers, safe deposit box providers and life insurers. We will review about 100 of these firms each year.
Our general view is that smaller firms’ efforts to tackle financial crime are policed to some extent by bigger businesses – for example, the larger firms who manufacture the investment products or mortgages that brokers sell. When we reviewed 159 smaller firms as part of a thematic review six years ago we generally found a positive picture. I am looking forward to seeing whether our sampling finds that is still the case.
This exercise is not intended to catch small firms out: in fact, I’d be delighted if it found that firms large and small in most sectors are doing a good job. But it helps us in three ways: it should help raise standards by making clear that any firm we regulate – regardless of size, location or business model – could face a visit from our financial crime specialists; it will give us a better picture of the risks posed by different sectors; and it will give us assurance that our assessment of risk is correct.
Second, we have introduced a new financial crime data return that all but the smallest firms we regulate for AML purposes will need to complete from the end of this year. This data will help us identify which firms are exposed to higher financial crime risk and let us focus our supervision accordingly – in short, it will aid our application of the “risk-based approach” to AML supervision. This will be the first time we have asked for data about financial crime risks.
You might think it is a bit rich to first say ‘we are concerned about the costs’ and then impose a new reporting requirement. But, because we plan to publish aggregated data from the return in due course, we think it will provide you with benefits too. For example, we are asking which countries firms assess to be high-risk, and we could publish the aggregated results. This might be useful to you as a ‘crowd-sourced’ picture of risk assessment across the industry and, in time, it could assist firms with their country risk assessments.
We have introduced the return part way through the first reporting year, and so we are asking for this data on a best endeavours basis for the first year. This will also help us flush out any practical problems you face when completing the report, so we value your queries and experiences.
The randomly-sampled inspections I just mentioned will take place at the same time as other strands of our specialist financial crime supervision: our case-driven work, our thematic reviews, our proactive inspections of smaller higher risk firms, as well as our systematic rolling inspections of a dozen or so of the very biggest institutions.
At previous conferences we have been asked to provide more feedback on the results of our ‘Systematic Anti-Money Laundering Programme’. We are coming to the end of the first cycle, and have now seen most of the institutions involved. What conclusions have we drawn from this experience?
First, we have found the process invaluable: detailed inspections allowing us to spend several weeks on-site – including at overseas service centres and other operations abroad – were new to us. They have given us a broader and deeper understanding of how the biggest, most complex institutions manage risk, and how UK-headquartered firms ensure their international operations apply UK standards. This has helped us see that in a lot of these firms much day-to-day work designed to tackle financial crime works reasonably well, but these inspections also helped us root out problems that might have gone unchallenged.
But in some firms we found serious deficiencies and required substantial changes to be made. We often found a culture of wanting to do the right thing, but struggling to translate this into effective execution. Common root causes were weaknesses in governance and longstanding, significant under-investment in resourcing and relevant controls. This often led to an ineffective risk-based approach with poor due diligence and monitoring standards, particularly in the case of higher risk business.
Many firms now have extensive remedial programmes, a clearer tone from the top on the importance of managing financial crime risks, and better understanding at senior management level and across all three lines of defence on what is needed to achieve the effective outcomes.
And, while some firms had stronger arrangements in place from the start, much of the remedial work being carried out by firms where we found weaknesses is continuing and will take time – some of these firms really are the metaphorical super-tankers that need to be turned. But I am pleased that we are now seeing evidence of improvement overall.
These improvements are not limited to the major firms, however. We are also seeing good progress in smaller firms, where changes understandably can be made more quickly. But these improvements should not lead us to complacency; we still see firms with serious weaknesses and criminality continues to evolve: tackling financial crime will remain a key aspect of the FCA’s remit.
A heartening aspect of systematic inspections is that several of the firms involved now say they have come to value the close dialogue with FCA staff these visits made possible. This relationship gives them a better understanding of what we expect. They, perhaps against their better judgement, concluded that FCA staff can be reasonable people too.
My supervisory staff who specialise in financial crime are there to assess the effectiveness of what firms are doing. They will take judgements based on first principles. They should not be going in with preconceptions, but will want you to put your case. The risk-based approach means each firm’s controls are different and tailored to their circumstances, and my supervisors understand that. We have specific training and mentoring arrangements to ensure our specialist supervisors are able to perform the role effectively, as well as quality assurance measures to ensure our work is cross-checked for weaknesses and inconsistencies in judgement. We have a range of tools to ensure we are consistent when assessing a firm, based on the risks it faces.
I want to finish by talking about forthcoming changes to our guidance and how you can get involved. The government will be preparing new Money Laundering Regulations soon and next year we will need to update our publication ‘Financial Crime: a guide for firms’ in response. I know that many respondents to the Better Regulation Executive’s review of anti-money laundering supervision last year criticised how much guidance is out there, and we will bear this in mind when revising the text: there will not be reams of new material.
That said, Parliament has asked that new guidance is drafted about how to distinguish between higher-risk and lower-risk politically exposed persons, so there will be some new text for you to digest.
All our guidance will be subject to public consultation, and we will welcome your views: I encourage you to get involved when the time comes.
I opened with an engineering parallel. When an engineer gets her sums wrong, the consequences are soon clear: the overloaded bridge collapses; the top-heavy ship capsizes. Nothing so spectacular will happen to the AML regime but, with more and more voices asking whether it is demonstrably effective, we must continue to work together to improve it.