The new era of anti-financial crime compliance

By Marios M. Skandalis, Director Group Compliance Division, Bank of Cyprus


Following the Panama papers and to a lesser extent the Bahama papers scandals a number of persons, physical and legal, have been revealed as potentially exposed in corruption and/or other forms of money laundering activities. This scandal was a reminder of the need for an enhanced anti-financial crime framework encompassing enhanced due diligence, identification of beneficial ownership, assessment of third party risks and hyper-analytic tools and systems to enable effective risk monitoring in all financial institutions.

This paper presents the current measures imposed by the European Union regarding customer due diligence, beneficial ownership, reliance on third parties, continuous monitoring of accounts and transactions, proposed amendments under consideration aiming at further strengthening and enhancing the existing framework and the view of the author that a cultural transformation of Financial Institutions and the incorporation of anti-financial crime activity into their daily operations will successfully apply the lessons learned from the Panama papers. An effective anti-financial crime function is no longer a checklist of regulatory obligations or list of rigid rules and procedures but rather a corporate culture built on ethos. Its effectiveness is measured not in terms of the degree of conformity to the vast amount of regulatory frameworks in place but rather on the degree of integrity and clarity that corporations adopt in a practical sense.


On 9th May 2016 the International Consortium of Investigative Journalists released a searchable database that contained data on a significant number of entities (legal and physical) related to the Panamanian Law Firm, Mossack Fonseca. This information was based on a leaked set of internal records of said Law Firm and alleged that these records reveal how offshore companies were used by high net worth individuals including politicians, celebrities, etc. to hide wealth, evade taxes and commit fraud.

These records, at the time of their publication and as per the International Consortium of Investigative Journalists (1), include 11.5 million records dating back nearly 40 years, containing details on more than 214,000 offshore entities connected to people in more than 200 countries and territories, revealing offshore holdings of 140 politicians and public officials worldwide, including the names of at least 33 people and companies blacklisted by the US government and the subsidiaries and branches of 500 banks including HSBC, UBS and Société Générale that created more than 15,000 offshore companies for their customers through Mossack Fonseca.

Analysing the Panama papers scandal some time later prompts consideration of responsive changes, and of what is amiss with the current regulatory framework and its implementation such that these alleged financial crimes could not be prevented: the regulatory framework may require serious remediation, its implementation might need to be more effective, its monitoring and oversight might need to be improved, or the focus may need to shift to an underlying issue outside the rigid boundaries of regulation.


Financial Institutions’ anti-financial crime program should be built on a sound, effective and simultaneously efficient as well as flexible legislative and regulatory foundation.

Current regulatory framework

The current regulatory framework (2, 3) in the European Union requires financial institutions to collect and maintain sufficient information about customers to ensure services offered are not used for illegal purposes so as to enable them to recognise suspicious transactions and activities in a timely manner.

Financial institutions are required to apply such measures at all stages of a business relationship: at the stage of accepting a customer or any time when there are doubts about the veracity or adequacy of previously obtained customer identification documents or information, at specific appropriate times for all existing customers depending on the level of risk the financial institution estimates for each customer of being involved in financial crime activities and also whenever important events or incidents occur, such as an unusual or significant transaction compared to the normal pattern of transactions and economic profile, or when there is a material change in the legal status and operations of the customer.

Customer due diligence

The regulation requires customer identification procedures and due diligence measures to comprise:

  • The identification and verification of the identity of the customer on the basis of documents and information obtained from a reliable and independent source. The proof of identity is deemed sufficient if it is reasonably possible to establish that the customer is the person he or she claims to be and the person examining the evidence is satisfied the customer is actually the person who he or she claims to be.
  • The verification of the identity of the beneficial owner, taking risk-based and adequate measures to understand the ownership and control structure of the customer. This also comprises verifying his or her identity based on documents, records and information issued or obtained from an independent, reliable source so as to be convinced of who the beneficial owner is. In the case of legal entities the financial institution is required by the EU directive to identify the beneficial owners who ultimately own or control a legal entity through direct or indirect ownership or control with a threshold of 25 per cent plus one share (in Cyprus this is set to only 10 per cent). Moreover, as per the current Cypriot regulatory framework, beneficial ownership can also be established on the basis of significant control irrespective of any shareholding.
  • The collection of information on the purpose and intended nature of the business relationship, ensuring a complete and accurate customer profile is constructed including obtaining sufficient information about business activities, the source of funds and expected pattern and level of transactions (countries of operation and volume of transactions). The economic profile must be updated regularly or whenever new information emerges while documents, data and information held by the Financial Institutions must be kept up-to-date. Continuous monitoring of the business relationship, including focus on transactions carried out throughout the course of the business relationship, must be diligently conducted to ensure transactions are consistent with the economic profile of the customer, as this is reflected in the systems/records of the financial institution.

Enhanced due diligence

Financial Institutions are required to apply enhanced and additional customer due diligence measures in all instances which due to their nature entail a higher risk of money laundering or terrorist financing. The Customer Acceptance Policy of each Financial Institution should define the categories of high risk customers as these are defined in the Law and Directives, as well as customers that the Financial Institution on its own has classified as high risk on the basis of the policy it has established.

Reliance on third parties for customer identification and due diligence purposes

Financial Institutions are permitted to rely on third parties for the implementation of customer identification and due diligence procedures, provided they are governed by the European Union Directive, are situated in the European Economic Area or an equivalent third country and are subject to mandatory professional registration by law as well as subject to supervision with regards to their compliance with the requirements of the European Union AML Directive. The ultimate responsibility for customer due diligence, however, remains with the financial institution.

On-going monitoring of accounts and transactions

In addition to what is mentioned above, regarding the monitoring of business relationship and transaction scrutiny, financial institutions are required to have full understanding of normal and reasonable customers’ account activity and the means to identify and examine in detail transactions which by nature may be associated with money laundering or terrorist financing, complex transactions, transactions that fall outside the regular pattern of the activity of an account, unusual transactions or transactions without obvious economic purpose or clear legitimate reason.

Financial institutions are also required to have the means and ability to identify from their records all high-risk customers and produce detailed lists of each group of high risk customers so as to facilitate enhanced monitoring of accounts and transactions. In this respect they are obliged to apply automated systems for the monitoring and filtering of transactions, detecting and investigating unusual or suspicious transactions inconsistent with the business profile of the customer for the purposes of further investigation. This monitoring should take place both on a transaction centric as well as customer centric basis following assessment of the overall transactional behavioural pattern of each customer. When unusual or suspicious transactions are identified necessary measures and actions must be taken including internal reporting of suspicious transactions or activities to the Money Laundering Compliance Officer.

Staff awareness and training

Persons carrying out financial or other business activities are required to establish adequate and appropriate systems as well as procedures to make employees aware of laws, regulations, systems and procedures for the prevention of money laundering and terrorist financing. Regular training of staff to recognise and handle transactions and activities suspected to be related with money laundering or terrorist financing activities must be in place. The Money Laundering Compliance Officer is required to evaluate the adequacy of the seminars and training provided to the staff as well as maintain detailed data regarding these seminars.

The forthcoming 4th EU AML directive (4)

The 4th EU AML Directive (published in May 2015), expected to be transposed to Cyprus legislation in June 2017, introduces additional measures for combating money laundering and terrorist financing mainly relating to Politically Exposed Persons (PEPs), the beneficial ownership and management, the Risk Based Approach, the cash transactions and penalties.

The term PEP, one of the customer types where enhanced due diligence should always be conducted, is extended to include politically exposed persons entrusted with prominent public functions domestically as well as those working for international organisations: additional measures are also introduced to implement appropriate risk management systems to determine whether a customer or its beneficial owner, in case of legal entities, is a PEP. Senior management approval should be obtained not only for establishing but also continuing a business relationship with such persons. Financial institutions must consider the continuing risk posed by affiliation with such PEP for at least 12 months even when they are no longer entrusted with a prominent public function.

The information regarding the beneficial owners must be submitted to a central registry in each member state: tax crimes in the broadest definition permitted under individual Member states law will be a predicate AML Offence. Up to now third-country equivalent AML/CFT systems were ‘white-listed’: with the 4th EU AML Directive ‘white-listed’ jurisdictions will now be abolished. As per the 3rd EU AML Directive customers that are financial institutions located in the European Union/European Economic Area or in a third country that imposes equivalent AML requirements could be subject to simplified due diligence requirements. With the 4th EU AML Directive financial institutions must determine the level of AML risk posed by a customer prior to applying for simplified due diligence status to such customer and provide justification for such qualification. In addition, the risk based approach should also take into account nationwide AML risk assessments conducted by individual EU member states.

Cash payments of €10,000 (instead of €15,000) or higher, made either as one or multiple related transactions, must be reported. Penalties will also become stricter: for serious, repeated and/or systematic failures in the areas of customer due diligence, suspicious transaction reporting, record keeping and internal controls, minimum penalties may include public reprimand, cease and desist orders, suspension of authorisation, temporary ban from managerial functions and maximum pecuniary sanctions of at least €5m or ten per cent of the total annual turnover (and at least €5m for a physical person). For non-financial institutions penalties can rise to double the amount of the benefit derived from the breach, or at least €1m.

Proposed amendments of the 4th EU AML Directive (5, 6)

In July 2016 the European Commission issued a proposal for amending the 4th EU AML Directive (2015/849). The proposed amendment, the so called “5th EU AML Directive”, constitutes a priority for the European Commission and is expected to be published before the end of 2017. As stated in the explanatory memorandum the proposal sets out a series of measures to better counter the financing of terrorism and ensure increased clarity of financial transactions and corporate entities. In addition to the 4th EU AML Directive the proposal also amends Directive 2009/101/EC, the Union legal act that lays down the rules on disclosure of company documents.

The main amendments proposed, according to the most recent report issued by the European Parliament on 9th March 2017 (7), are the following:

  • Virtual currency exchange platforms and custodian wallet providers are now designated as obliged entities which fall within the scope of the 4th AMLD. With this proposal virtual currency transfers will be monitored by public authorities within the EU under the rules of the 4th AMLD. The inclusion of virtual exchange platforms and custodian wallet providers will not entirely address the issue of anonymity attached to virtual currency transactions, as a large part of the virtual currency environment will remain anonymous because users can also transact without exchange platforms or custodian wallet providers. To combat the risks related to the anonymity, national Financial Intelligence Units (FIUs) should be able to associate virtual currency addresses to the identity of the owner of virtual currencies.
  • Lower maximum transaction limits for certain pre-paid instruments are set. The proposal lowers the threshold in respect of non-reloadable prepaid payment instruments to which customer due diligence measures apply from €250 to €150 and suppresses customer due diligence exemption for online use of prepaid cards. This will limit the anonymity of prepaid instruments by widening customer verification requirements and make prepaid instruments less attractive for terrorist and criminal purposes.
  • In order to overcome the current cooperation difficulties which exist between national FIUs, a Union FIU should be set up in order to coordinate, assist and support Member States' FIUs in cross-border cases. It would also be particularly suited to an integrated Union financial market and effective in combatting money laundering and terrorist financing in the internal market. The Member States' FIUs would still be primarily responsible for receiving suspicious transaction reports, analysing them and disseminating them to the national competent authority. The Union FIU would lend support to those Member States especially in maintaining and developing the technical infrastructure for ensuring the exchange of information, assisting them in joint analysis of cross border cases and strategic analysis, and coordinate the work of Member States' FIUs for cross-border cases.
  • Financial Intelligence Units (FIUs) are better enabled to request information for money laundering and terrorist financing from any obliged entity, information which is currently limited in certain member states by the requirement that a prior suspicious transaction report has been made by an obliged entity. The proposal takes out this limitation and allows FIUs to obtain such information without this prerequisite in place. In all cases of suspected criminality and, in particular, in cases involving terrorism financing, information should flow directly and quickly without undue delays. It is therefore essential to further enhance FIUs’ effectiveness and efficiency, by clarifying the powers of and cooperation between FIUs.
  • The EU approach towards high-risk third countries is harmonised. Member States should enact and apply additional mitigating measures regarding high risk third countries identified by the Commission by taking into account calls for countermeasures and recommendations such as those expressed by the Financial Action Task Force (FATF) and responsibilities resulting from international agreements. In July 2016 the EU issued a list of high risk third countries with deficient AML/CTF regimes in place, which therefore constitute an important risk for money laundering and terrorist financing. The proposal sets out a minimum set of Enhanced due diligence (EDD) measures towards clients connected with high risk countries which will encompass checks on the customer, the purpose and nature of the business relationship, source of funds, monitoring of the transactions and systemic approval of the senior management.
  • The latest proposal provides for compulsory disclosure of certain information on the beneficial ownership of companies, trusts and other entities and legal arrangements. A fair balance should be sought in particular between the general public interest in corporate transparency and in the prevention of money laundering and the data subjects’ fundamental rights. The set of data to be made available to the public should be limited, clearly and exhaustively defined, and should be of a general nature, so as to minimize the potential prejudice to the beneficial owners.

The specific factor determining the Member State responsible for the monitoring and registration of beneficial ownership information of trusts and similar legal arrangements should be clarified. In order to avoid that, due to differences in the legal systems of Member States, certain trusts and similar legal arrangements are not monitored or registered anywhere in the Union, and to avoid distorting the internal market, all trusts and similar legal arrangements should be registered in the Member State(s) where they are created, administered or operated.

  • The personal data of beneficial owners should be publicly disclosed in order to enable third parties and civil society at large to know who the beneficial owners are. The enhanced public scrutiny will contribute to preventing the misuse of legal entities and legal arrangements, including tax avoidance. Therefore, it is essential that this information remains publicly available through the national registers and through the system of interconnection of registers for 10 years after the company has been struck off from the register.
  • To ensure a proportionate and balanced approach and to guarantee the rights to private life and personal data protection, it is recommended that Member States should provide for exemptions to the disclosure of and to the access to beneficial ownership information in the registers, in exceptional circumstances, where the information would expose the beneficial owner to the risk of fraud, kidnapping, blackmail, violence or intimidation.
  • The proposal provides a clarification on the definition of ‘competent authorities’. It states that Competent Authorities granted access to the central registers shall include tax authorities as well as those bearing a function for investigating or prosecuting on the basis of money laundering offences.
  • The proposal also clarifies that electronic identification (as set out by the e-IDAS Regulation) is recognised as a valid means of identity proof. Therefore, it stresses the necessity to recognise secure electronic copies of original documents as well as electronic assertions, attestations or credentials as valid means of identity.
  • Competent authorities supervising financial institutions for compliance with this Directive should be able to cooperate and exchange confidential information, regardless of their respective nature or status. To this end, such competent authorities should have an adequate legal basis for exchanging confidential information and cooperate to the widest extent possible, consistent with the applicable international standards in this field.

Implementing an effectively robust anti-financial crime framework

The above regulatory developments illustrate that the volume, complexity and diversity of the anti-financial crime regime has been significantly enhanced, which will undoubtedly lead to increased compliance cost, effort and resources. According to a survey carried out by KPMG (8) in 2014, this shows no signs of slowing down in the forthcoming years. The primary success factor now is to invest these extra resources in the most appropriate way so new anti-financial crime challenges are effectively addressed.

Following the Panama papers scandal the prime objectives of any anti-financial crime framework for financial institutions are:

  • To know their customers
  • To fully and truthfully record this knowledge of their customers
  • To monitor and update this knowledge on a consistent basis

There are certain tactics which can be adopted to effectively address these objectives and successfully accomplish them, which fall under three main categories:

  1. Tactics introduced by the regulatory authorities

The regulatory authority in Cyprus for financial institutions, and more particularly the Central Bank of Cyprus, is enhancing the regulatory framework on a consistent basis to ensure all recent challenges are effectively addressed and newly emerging compliance risks are effectively managed. In December 2013 it introduced an anti-financial crime framework which incorporated nearly all of the enhanced provisions of the 4th EU AML Directive described above and in April 2016 implemented a revised framework with additional restrictive provisions especially on the operation of the high risk channel of professional intermediaries: financial institutions can now only rely on third parties at the outset of establishing a business relationship. Any data and information for the purpose of updating the business profile of the customer during the operation of the account should be obtained directly from the physical person in the name of whom the account is maintained. In the case of legal entities such information should be obtained from the physical persons who are the ultimate beneficial owners of the legal entity or who exercise ultimate control of the legal entity or who have the ultimate responsibility of decision making and who manage the operations of the customer. Financial institutions are obliged to arrange a face-to-face meeting not later than 3 months from the opening of the account, with customers introduced by a third party in order to verify data and information obtained: subject to certain conditions it is acceptable that such meetings are held over the internet (e.g. Skype). For existing customers introduced by a third party a meeting must be arranged no later than the completion of the next review on a risk based approach: if a meeting cannot take place as described above the financial institution cannot execute any new transactions and must terminate the business relationship. If the reason for not holding the meeting is refusal of the customer or inability to locate the physical persons with whom the financial institution is obliged to meet, the latter must assess if it is appropriate to submit a suspicious activity/transaction report to the local Financial Intelligence Unit (FIU).

According to the same regulation, in order to establish cooperation with a third party the Money Laundering Compliance Officer (MLCO) is required to verify that the third party is subject to the requirements of professional registration on the basis of relevant legislation in force in the country of incorporation and/or operation, as well as subject to supervision for the purpose of ascertaining compliance with measures for the prevention of money laundering and terrorist financing, in accordance with the law. The MLCO evaluates the business relationship with said third parties on the basis of the scorecard containing both qualitative and quantitative factors of its cooperation with the Bank and clientele introduced as well as any other information composing the economic and risk profile of third parties. The MLCO must approve the third parties at the inception of the cooperation and re-approve the relationship at regular intervals on a risk-based approach. A register is maintained by the MLCO with necessary information (as set out in the Directive) on the third parties with which the Financial Institution has or had a business relationship.

  2. Tactics introduced by each financial institution to ensure a robust anti-financial crime framework

The Bank of Cyprus, the leading financial institution in Cyprus at the moment in terms of market share, is also at the forefront of the implementation of enhanced compliance measures to effectively address the various international challenges such as those stemming from the Panama papers scandal. In doing so, Bank of Cyprus introduced a six pillar compliance remediation programme to ensure:

  • Effective compliance structure ensuring full independence
  • A sound anti-financial crime policy and procedural framework
  • An effective anti-financial crime awareness framework through rigorous and continuous training of all members of the staff, including the executive management and the members of the board of directors
  • Advanced anti-financial crime risk monitoring activities through implementation of sophisticated financial crime systems
  • Effective anti-financial crime risk management and assurance activities through the setting of a specialised team of qualified accountants/auditors specialised in preventing financial crime, which has as its terms of reference the carrying out of specialised onsite financial crime audits in all business lines/branches
  • Effective and transparent channels of communication with all regulatory and competent authorities

  3. Tactics introduced by each Financial Institution to embed the three constituent parts of ethics, that of integrity, confidentiality and transparency, in the overall anti-financial crime framework

As mentioned at the beginning of this paper, an effort to ensure the functioning of an effective anti-financial crime function no longer entails a checklist of regulatory obligations but rather the establishment of a corporate culture of Ethics. Ethics is not a science but simply the branch of philosophy that studies the difference between what is behaviourally right and wrong: it aims to apply a cultural rather than regulatory framework which while easy to comprehend is difficult to implement in a corporation.

Actually reaching the ideal ethical level is not a real attainable objective.

Recent statistics issued by the CEB (9) in 2016 revealed that corporations which focused on building a corporate culture of ethics had 59 per cent of their employees perceiving and observing misconduct/corruption: with the right culture in place all objectives of the compliance program would result in a successful completion without any tedious monitoring effort.

Ethos, the cornerstone of ethics, is not an attribute that can be acquired through knowledge or formed through intense training and professional experience. Technical compliance competency can be easily found and acquired but the scarcity of real ethos at our times is what needs to trouble and worry us. Ethos is an inherent attribute built over the years of maturity of any individual, with values infused in an individual from young ages setting the foundations of ethos while life experiences develop this until becoming the basis of the thoughts and actions of that individual.

Financial Institutions should and can practically embed the core values of clarity, integrity and confidentiality into their core business operations, thus transforming compliance from an oversight second line of defence function into an incorporated control within business activities. Once such values are infused these will drive relevant behaviours which in turn create desirable results that eventually bring about the successful achievement of the approach of a corporation.


The Panama Papers scandal revealed that the legislative and regulatory framework needs to be strengthened, enriched and enhanced. Financial Institutions, as well as other obliged entities have to build sound anti-financial crime programs to effectively address the new regulatory framework and embed these into the culture of Financial Institutions, so as to transform it into a corporate culture of ethics.


(1) ‘International Consortium of Investigative Journalists’, available at: https://panamapapers.icij.org/blog/20160403-key-findings.html (accessed 20th October, 2016).

(2) Central Bank of Cyprus. Amendment no. 1 of the Directive of the Central Bank of Cyprus to Credit Institutions for the Prevention of Money Laundering and Terrorist Financing. Cyprus: Central Bank of Cyprus; 2013.

(3) Central Bank of Cyprus. Directive of the Central Bank of Cyprus for the Prevention of Money Laundering and Terrorist Financing (4th edition). Cyprus: Central Bank of Cyprus; 2013.

(4) European Parliament. Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015. European Parliament; 2015.

(5) European Commission. Proposal for a Directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC. Strasbourg: European Commission; 2016.

(6) KPMG International. Global Anti-Money Laundering Survey, KPMG International, 2014.

(7) 2016 CEB Publication – How Corporate Culture Affects the Enterprise.

Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing.

(8) European Parliament Report dated 9 March 2017 ‘on the proposal for a directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC’

(9) Council of the European Union, 16 December 2016, Proposal of the European Parliament and of the Council amending Directive (EU) 2015/849 and amending Directive 2009/101/EC

Journal of Financial Compliance Volume 1 Number 1