MLROs in the regulatory “cross-hairs”
It is clear that financial services regulators are focussing on individual accountability within firms and it is equally clear that individuals with senior management responsibilities will be held to account when things go wrong. Personal consequences can be severe, including fines and industry bans.
So who’s responsible?
Whilst recent regulatory emphasis has been on the culture of compliance and accountability, there has been much industry comment about the seeming lack of action on the part of the authorities in terms of actual enforcement action against individuals. However, it is striking how often the Financial Conduct Authority (FCA) now refers to this aspect in its interactions with the regulated sector, particularly the banks, and in its 2018 “Dear CEO” letter about authorised push payment fraud.
The FCA’s letter pointedly asked which senior management function holders are responsible for financial crime compliance including payment fraud. The FCA considers that management ownership of financial crime risk does not sit with the second line of defence, but rather sits with the business. The FCA will consider it a poor move by senior management to point to the money laundering reporting officer (MLRO) and claim that they have sole accountability for financial crime compliance. Clearly, the MLRO has an assurance function in the controls hierarchy, notwithstanding their legal responsibilities. However, in reality, it is likely to be another issue landing in the already full to the brim in-trays of quite a few MLROs, if indeed, it has not already done so.
Anti-money laundering compliance
The role of AML compliance officer or, as it is known in the UK, MLRO, is a defined senior management function under the Senior Managers and Certification Regime (SMCR), which currently applies to UK banks and will shortly be extended further in the regulated sector. In outline, the MLRO has responsibility for oversight of a firm’s compliance with the FCA’s rules on systems and controls against money laundering. The MLRO must have a level of authority and independence within the firm and access to resources and information sufficient to enable them to carry out that responsibility.
Compliance officers and MLROs are often regarded as “essential partners” by law enforcement and regulators in the fight against financial crime. Recent enforcement actions against compliance officials risk straining that partnership and concerns are growing that the compliance community is being unfairly targeted and individuals held personally responsible for systemic financial crime compliance framework failures. However, authorities have been quick to point out that such enforcement action is taken when a “clear line has been crossed” by the compliance officers.
In October 2016, the FCA imposed a financial penalty of £17,900 on Steven Smith, the former MLRO of Sonali Bank (UK). He was also prohibited from performing compliance oversight or MLRO roles. The FCA found that he demonstrated a “serious lack of competence and capability”, in breach of Statement of Principle 6 (Due skill, care and diligence in managing the business). The bank itself was also subject to enforcement actions and a fine in relation to AML compliance failings. Crucial amongst the FCA’s key concerns was his failure to appropriately report concerns raised by internal auditors and the results of internal testing; instead, he reassured the board and the bank’s senior management that AML systems and controls were working effectively.
In Jersey (AG v Jardine, 2015), an MLRO was prosecuted for failing to report potential money laundering suspicions. The Jersey legislation under which this prosecution was brought is consistent with the UK Proceeds of Crime Act. The case involved the handling of an application on behalf of a Ukrainian Politically Exposed Person (“PEP”) and funds indirectly routed through a company incorporated in Belize via a trust company based in Cyprus. The prosecution argued that, as the application and funds originated from a PEP, the application should have been treated as suspicious – not just high risk and subject to monitoring. Jardine and her employer undertook a risk-based assessment of the application and, since there was no clear connection between the applicant and the source of funds, the funds were returned and the application did not proceed further. It was argued that in the circumstances there were reasonable grounds for suspicion and the MLRO was therefore obliged to make a report to the authorities, which she failed to do. In this case, the authorities were potentially setting an alarming precedent by signalling that the thresholds for suspicion needed to initiate a report are extremely low, going as far as proposing that PEP status, especially in an Eastern European context, is sufficient. In the end, fortunately for Jardine and her former employer, the Jersey Court acquitted them of the charges brought by the prosecuting authorities. Her defence successfully argued that Jardine, by undertaking a risk assessment, had taken into account the information available to her and had considered whether or not there was a risk of money laundering. Although the criminal prosecution failed, the Jersey Financial Services Commission (JFSC) imposed a prohibition on Jardine preventing her from engaging in employment with any regulated firm in Jersey.
The JFSC found that Jardine failed to process 15 Suspicious Activity Reports (SARs) which she received, relating to 19 individuals or entities, some of which had been filed with her some 20 months previously.
Six practical steps for MLROs
In the current regulatory climate, the role of AML compliance officer/MLRO has never been more challenging. This is evident in the high turnover of compliance roles and there is a risk that good practitioners will find the personal risk too great and leave the industry. However, there are some practical steps that can be taken now to protect yourself and your firm.
- Review your written job description and role profile.
Ask yourself whether or not you fully understand the terms and are confident that you can deliver your role and associated responsibilities. If you do have any uncertainties or lack clarity, make it a priority to resolve these as soon as possible. These are important written documents and, if yours is an SMF17 position, they must comply with the requirements of SMCR. If you are required to deliver any additional roles or responsibilities beyond those of SMF17, ensure you have sufficient time and resources available to carry them out.
- Review the firm’s AML Compliance Framework.
It is a regulatory expectation that a new MLRO should undertake a review of the firm’s AML Compliance Framework, in order to fully understand specific risks and priority issues for your firm. This should not be a one-time exercise and if you are already an MLRO, now is a good time to re-visit your original review to identify what has changed. Determine all the components of an AML Framework and how they are implemented in your firm.
Think about which areas are of primary concern, for example:
- the firm’s overall Money Laundering Risk Assessment and risk appetite
- your customer risk assessment methodology
- is the firm’s PEP register up to date and when was it last reviewed?
- has your firm tested any technology used within the compliance function, such as entity screening for sanctions and PEPs, to ensure that it is effective?
- how effective is the firm’s transaction monitoring?
- is compliance monitoring and assurance activity being undertaken diligently?
This is not an exhaustive list of topics. There are a number of sources of data and information to consider, such as the last MLRO annual report, the firm’s latest FCA Financial Crime Return (REP-CRIM), internal and external audit reports, correspondence from the regulator and, not least, the handover document from the previous role holder. The review should be your own work and reflect your own views.
- Gap analysis.
c. Consider bringing in an independent consultant to verify your findings and to provide an objective assessment. Finally, depending on the outcome of your review, create a risk-prioritised action plan to resolve the issues you identify. Technology plays a crucial part here. Regtech platforms can automate gap analysis by applying machine learning (ML) and natural language processing (NLP), brought together within a cloud-based environment that stores and processes huge amounts of data, to perform sophisticated tasks without the assistance of humans. For instance, semantic similarity allows the semantic distance or proximity between texts to be evaluated. This gives compliance professionals an instant impact analysis of whether internal governance documentation is in line with related regulatory obligations or their risk framework.
- Get senior management buy-in.
Bring your review and its conclusions to the attention of senior management committees and ensure that it is a standing agenda item on your Compliance and/or Risk Committees.
- Have regular meetings with the C-Suite.
Make them fully aware of your issues and concerns and document all discussions. If significant enough, escalate directly to the board. Ensure your C-Suite and board understand they are equally obligated to maintain a robust AML governance framework. Keep in mind too that meetings are only effective when they result in outcomes, so ensure agreed actions and deadlines are recorded and tracked to completion. This does not mean that you should be responsible for all the resulting actions; be prepared to be assertive when accountability lies elsewhere.
- Educate your staff.
Buy-in from the business is an essential part of any compliance program. To do this, ensure every member of staff is trained to understand their AML obligations. This may require different levels of training for different individuals. Training is not about ticking a box, but about understanding the nature of why AML and Combating the Financing of Terrorism (CFT) matters and building an appropriate mitigation strategy. You might consider adding the FCA’s AML TechSprint video to any training you design as a way to help staff understand why.
A unique role
The role of AML compliance officer is unique in that it entails accountabilities and responsibilities to the employing firm but also to regulators and law enforcement. Balancing the sometimes-competing demands from both sets of stakeholders requires a high level of skill and the exercise of sound judgment in very challenging circumstances. That being the case, competent AML practitioners will be constantly developing their knowledge and skills and seeking out new techniques and best practice in order to perform effectively. So, whilst the current environment is full of risk, the best AML practitioners should find themselves in high demand.
By Andrew Jackson, Anastasia Dokuchaeva, Malcolm Wright, ClauseMatch