Regulators send insistent messages with a steady beat of anti-money laundering and financial crime enforcement actions.
A few recent examples are USAA Federal Savings Bank’s $140 million in civil money penalties for Bank Secrecy Act violations, announced by the Financial Crimes Enforcement Network (FinCEN); Wells Fargo Advisors’ $7 million settlement with the Securities and Exchange Commission for not filing Suspicious Activity Reports; and Anchorage Digital Bank’s signing an Office of the Comptroller of the Currency consent order to correct AML deficiencies. Charges against the former president of Paris’ Louvre museum show how the AML detection net now extends beyond banking to, in this case, alleged antiquities trafficking.
Yet AML enforcement is in a time of transition. U.S. regulators and regulated institutions alike are working through the Anti-Money Laundering Act of 2020, which took effect last year, while authorities around the world are coalescing around Russia sanctions and related anti-corruption initiatives. The international Financial Action Task Force promotes AML and CFT (counter financing of terrorism) standards and works to identify, and hold to account, “high-risk jurisdictions.”
In a June 1 report, the European Supervisory Authorities – the European Union banking, insurance and securities market regulators – advocated laws across the EU allowing revocation of licenses for serious AML/CFT breaches.
Himamauli Das, FinCEN
Acting FinCEN director Himamauli Das pointed out in April that the U.S. AML/CFT regime until recently was geared toward “the post-9/11 moment” and suspected use of the banking system by al-Qaida and other terrorist organizations.
“The AML Act has helped put FinCEN in the position to address today’s challenges, such as illicit use of digital assets, corruption, and kleptocrats hiding their ill-gotten gains in the U.S. financial system, including through American shell companies and real estate,” Das said in House Financial Services Committee testimony. “It also highlights FinCEN’s unique tools and expertise to combat both longstanding threats, as well as new ones, such as ransomware and other cyber-enabled threats and the use of the dark web to engage in illicit activity, such as the online exploitation of children.”
This transitional aspect may help explain why, despite outward appearances and expectations, financial industry AML and privacy non-compliance penalties declined by 49%, to $5.4 billion, in 2021, according to client lifecycle management and compliance vendor Fenergo. The company’s global director of financial crime, Rachel Woolley, said the decrease “is largely attributed to a reduction in the number of multibillion-dollar fines compared to previous years,” as well as a pandemic-related slowdown in initiated investigations. Behind the numbers, Woolley said, are indications that “institutions aren’t adequately equipped to manage the financial crime risks to which they are exposed. Without effective AML/KYC [Know Your Customer] systems and controls . . . the door will be left open for criminals.”
Eric Young, senior managing director of consulting firm Guidepost Solutions, believes the statistics are a lagging indicator and are reversing. In the U.S., the deregulatory leanings of the Trump administration gave way to the more activist Biden Administration and the Democrat-controlled Congress. And there are global geopolitical realities.
Eric Young, Guidepost Solutions
“The frequency and severity of AML and economic sanctions penalties will increase because of the AML Act of 2020 foundation, focusing on national security, especially with the Russia-Ukraine war and growing geopolitical threats in Asia and the Middle East,” Young says. “One variable is that it remains to be seen how much the Russian-Ukraine war may spread."
Young notes that the U.S. Department of Justice is very visible in bringing sentencing guidelines to bear for both punishment and deterrence. “Their prosecutorial approach is broader and deeper in scope, rightly in my view, and considers a holistic, recidivist record of corporate misconduct regardless of type of violation,” Young says. The approach is “very much synchronized with the more aggressive banking and capital markets regulators around financial crimes.”
Chris Ludwig, managing director in Protiviti’s Risk and Compliance practice, says aggregate global data does not tell the whole story: “North America and APAC financial penalties decreased by 73% and 86%, respectively, year-over-year, and EMEA and LATAM increased by 244% and 46%,” he points out. “To some extent, the year-over-year changes reflect the timeline of regulatory enforcement actions; for example, the enforcement actions and penalties imposed by U.S. regulators on large U.S. banks occurred largely in the past, while in other jurisdictions, such as EMEA, large financial institutions continue to face significant regulatory scrutiny and enforcement activity.”
Ludwig says it’s important to keep in mind that one or two large financial penalties can have an outsize impact on yearly totals. What’s more, the pandemic likely limited or delayed on-premises investigations the last two years, which may have affected 2021 numbers. Given the recent rounds of sanctions against Russia, financial institutions can expect heightened scrutiny of financial crimes compliance more broadly.
“Compliance functions in many financial institutions are likely to be stressed by the unprecedented challenges posed by the Russia sanctions, and we’re likely to see an uptick in enforcement actions aimed at those institutions that do not allocate the effort and resources necessary to comply,” Ludwig says.
There is wide agreement that the Russia-Ukraine conflict has upped the enforcement ante. Patrick Kelly, head of sales, Americas for AML/KYC service provider Shufti Pro, says those trying to evade sanctions “hide behind complex corporate structures, including shell companies, trusts and limited liability companies to shield the identities of the ultimate beneficial owners” – identification of which was addressed in the AML Act.
“While the Russian elite consistently look for weaknesses in financial operations, investment firms are pressed to ensure that they remain compliant with the latest sanctions,” Kelly says. “That means these firms must now be thinking of deploying the most advanced technology to strengthen their KYC and KYI [Know Your Investor] compliance regimes.”
Leslie C. Bender, Clark Hill PLC
Leslie C. Bender, senior counsel, Clark Hill, says the challenge is bigger than “the Russia-Ukraine conflict and the more creative means by which the Russian elite may be trafficking a wide range of public or luxury goods to fund the Russian military. FinCEN remains vigilant with updates related to kleptocracies in North Korea, the Balkans, Libya, Iran and several other countries.”
Tools and Methods
Protiviti’s Ludwig says that financial institutions are leveraging advanced technology and analytics for compliance and surveillance. “We would expect to see more progress as innovative tools and approaches are more broadly adopted,” he says. “We also need to review and continually update detection scenarios based on new trends and cleanse the set of data feeding into the models. A regular tuning exercise, or model validation, is also a necessary step to ensure that the monitoring tools work as expected.”
While surveillance systems might be more robust with artificial intelligence and improved compliance officer skill sets, Young of Guidepost Solutions says regulators will also look at the effectiveness of data governance. “Pristine integrity over the front-to-back processes” should yield “meaningful alerts and timely and thoughtful investigations, leading to substantive reporting of suspicious activity reports.
“Filtering and screening systems, particularly those which can identify, block, freeze and report meaningful hits against fluid sanctions lists, continue to be projects-in-progress rather than fit-for-purpose,” Young adds. “This is especially true in view of the increasing use of digital assets and other non-fiat instruments. In some instances, we have also seen first-line surveillance systems abusing, overriding or disregarding second-line authority to flag and escalate suspicious activities. That is a conflict of interest which could lead to misconduct and violations.”’
Confluence of Risks
“The nexus of cryptocurrencies, ransomware and sanctions evasion has significantly raised the sophistication level for financial-crimes risk managers,” says David Stewart, director of financial services in the Fraud and Security Intelligence global practice at SAS. “We’re seeing financial institutions spend more time analyzing ‘on chain’ activities. Data orchestration and alert/case management technologies will be useful for sharing information across AML, fraud and cybersecurity – functions that historically have worked in silos. Taking a more holistic approach to addressing complex risks will work in institutions’ favor.”
Amid complex and interconnected risks, attention must be paid to changes across the global regulatory environment and within jurisdictions.
“While we have focused on FinCEN, it is important also to note that from a consumer perspective, the Consumer Financial Protection Bureau has announced that it is reviving its dormant authority to regulate nonbank entities,” Leslie Bender says. “Although the bureau’s primary focus is on domestic issues, as a more modern regulator, it has robust technology and analytics capabilities that may prove helpful in other contexts. We will watch eagerly to see how the bureau uses this dormant authority under the Dodd-Frank Act.”