City & Financial Conference - 21 April 2004
Philip Robinson - Sector Leader, Financial Crime, FSA

Introduction

I am delighted to have this opportunity to set out the FSA's position on anti-money laundering at a conference entitled 'AML - Next Generation Developments', because, as I hope you will see, we think the time is right to look at the necessary evolution of the UK's anti-money laundering regime and our contribution to it.
I was very pleased to be asked to be sector leader for financial crime, responsible for leading the FSA's efforts on this topic. Fighting financial crime makes a real difference to reducing social evils and human misery. The outrages in Madrid on 11 March remind us that the fight against terrorism includes the fight against financial crime. It is a fight that matters to us all as individuals and citizens.
Today I want to talk about the purpose of anti-money laundering, our objectives and priorities, what we would like for the regime as a whole, the risk-based approach to AML and the issue of identification. I will also give you some brief feedback on the responses to DP 22.


Three initiatives

For the reasons I will give, I am also announcing three initiatives by the FSA – joint work with the industry, NCIS, law enforcement and others on the topics of:

  • targeting AML activity;
  • achieving a better approach to Identification;
  • developing the risk-based approach to AML.

I would like to complete the work on targeting by the end of July, and the work on identification and the risk-based approach in time to be reflected in the JMLSG revision of their Guidance Notes.

Why anti-money laundering?

Why anti-money laundering? This may seem a surprising question to pose, just over 10 years after the first Money Laundering Regulations came into force. But our experience has been that far too many firms do anti-money laundering not because they understand and support its rationale, but simply because they are required to do it, initially by the law and now also by their regulator. And many find it easiest to follow the JMLSG Guidance Notes by rote, treating them as prescriptive obligation.

For these, anti-money laundering is all pain and no gain. They see the law and regulation as generating significant cost, constraints on the way they do their business and irritation for their customers. And they see little benefit to themselves or society.

Firms approaching AML in this way will do it mindlessly and insensitively, producing limited value and alienating their management, staff and customers.

In my view it is imperative that all of us – including senior management and firms, government, law enforcement and the other stakeholders - take time to understand the reasons for anti-money laundering. If we do not, our investment in people and systems will be misguided, our efforts will be unmotivated, and we will neither get nor give value for money. Oh, and if we carry on like this, we will lose what public support we currently have!

The reasons for anti-money laundering are quite simple. It is to deter criminals and terrorists from trying to use the financial system; and to make it easier to catch and punish those who do use it.

Success in this endeavour will make life riskier and more costly for the criminal and the job of law enforcement and the criminal justice system easier. That in turn will mean less crime in the UK than would otherwise occur.

I say less 'crime' not less 'financial crime' deliberately.

It is true that the Financial Services and Markets Act (FSMA) defines 'financial crime' as fraud or dishonesty, market misconduct, money laundering and other financial crime.

But money laundering has an extended meaning, significantly expanded by the Proceeds of Crime Act 2002. To oversimplify the legal language, it includes any benefit from any offence in the UK (or indeed – but let's not get hung up on this today - from conduct that would be an offence if it had occurred in the UK).

So anti-money laundering is not just about fighting 'financial' crimes like fraud or corruption or tax evasion, important though that it is. It is also about the proceeds or funding of drug-dealing, people-trafficking, theft, mugging, smuggling and other 'real' social mischiefs.

And again we can take our cue from FSMA, which says that, in considering the financial crime objective, we must have particular regard to the desirability of firms taking appropriate measures to prevent financial crime, facilitate its detection and monitor its incidence (and to devote adequate resources to that).

To this audience, all this may be self-evident. After all, it is crucial to what we do and how we do it, yet it is not well understood in the UK as a whole.

A Common Aim?

Do we not all share this common aim – to make criminals more catchable and more punishable, and to deter crime?

I say 'we'. By that I mean all the stakeholders, in the public and the private sectors – government, NCIS, law enforcement, the FSA, financial and professional firms subject to the AML regime, their trade bodies, system and data providers, and of course the public.

If we do share this common aim, we must work both independently and together, to pursue it. We must all use it to help us decide what to do, to measure our performance, to demonstrate our successes, to learn from our failures, and to explain, motivate, defend and secure support for what we do.

To be specific, we should look at all the various inputs across the whole anti-money laundering system to see whether they support the outcome of making criminals more catchable and punishable.

This has implications for all of us.

First, it means that we need to understand as well as possible what it is that deters criminals and makes them more catchable and punishable. So, we have to share knowledge, analysis and research.

Secondly, it means that we need to act together, in the light of this understanding, to deter criminals and to make them more catchable and punishable. Criminal threats and techniques, and our understanding of them, will change over time. So will the anti-money laundering controls available. So we must be flexible and responsive together, with improved joint working.

Thirdly, we should combine knowledge and techniques so that our AML activity is targeted, informing risk assessment and monitoring systems with the latest typologies through excellent feedback to each other.

The FSA's objectives and priorities

Before setting out our objectives and priorities for the future, I would like to take stock of what we have done so far, our baseline.

Our focus since N2, in December 2001, has been threefold.

First, we have sought to increase our understanding of risks and standards across the sectors, through our risk assessments of individual firms, through thematic work on different sectors, and through our in-depth AML reviews of individual firms.

Secondly, we have sought to raise standards of systems and controls in the firms we regulate. The Abacha case, and what we have seen on the ground in our supervisory and enforcement work, showed that, when we took up our financial crime role, firms awareness and application of basic AML requirements and controls were very weak, even though the Regulations had been in place since 1994 and the Guidance Notes since 1990. The use of our monitoring, investigatory and enforcement tools has led to a galvanisation of effort across the industry – and, inevitably, a significant increase in compliance costs. Much of this is catch-up expenditure, not the results of a new AML regime.

Thirdly, we have invested a lot of effort in contributing to the work of other key stakeholders – for example, helping the Treasury in the negotiations on the revised FATF Recommendations, and inputting to the Home Office, KPMG and NCIS work on the reform of the SAR regime, the Treasury's Money Laundering Advisory Committee, and the work of the Home Office on the implementation of PoCA.
All of this work has been essential. And these broad strands of activity will continue. We must keep a good up-to-date understanding of industry risks, practices and standards. We must continue to make sure that the industry maintains adequate minimum standards of compliance with legal and regulatory obligations and we must continue to meet the heavy demand for input in the wider UK scene, for example in the negotiations on the third EU Money Laundering Directive.

But, looking forward, our priority now is to harness what we do, and what the industry does, more directly to the aim to which I referred earlier – namely, to deter criminals and to make them more catchable and punishable.

To this end our key objectives are:

  • to deliver a more targeted approach - to make use of the financial system more costly, more difficult, and more risky for the criminal and to increase the likelihood of detection;

  • to demonstrate value for money - to help the industry feel that its investment in anti-money laundering is money well-spent; and

  • consumer awareness and support - to help the consumer to understand and support anti-money laundering controls and to understand - and better protect themselves against - the risks to them – we are not yet 'policing by consent'.

We will pursue these objectives by:

  • doing our regulatory job well;

  • being a good team player – having strong partnerships with the industry, law enforcement, government, consumers and other stakeholders;

  • providing leadership or facilitation, where we are best placed to provide it.

More specifically:

  • a more targeted approach:

    • we will work more closely with NCIS, the police and other law enforcement agencies, and the industry, to make sure that we and the industry have a continuing flow of specific and generic feedback from the SAR system, and other sources, to enable crime and criminals to be targeted to a much greater extent than now;

    • we will be more focused on identifying and addressing generic money laundering risks in the financial sector, from the UK and abroad;

    • we will explain more fully what we mean by the risk-based approach;

    • we will expect each industry sector to have their own continuing arrangements to understand money laundering risks in their sector and to ensure that firms in their sector have access to adequate good practice guidance, typologies etc.;

  • value for money:

    • we will strive to achieve a sensible, proportionate, fit-for-purpose UK and EU approach to identification;

    • we will support the JMLSG in producing revised Guidance Notes that help all sectors not just to comply with their obligations but to manage their money laundering risks professionally and proportionately;

    • we will ensure that our guidance and training for our supervisors reflects the risk-based approach so that we deliver on the ground what we say in a speech.

    • consumer awareness and support:

    • we will work with government, NCIS, the Assets Recovery Agency, the industry and consumer bodies to put in place and maintain a continuing communication strategy on anti-money laundering and on threats to consumers;

    • we will expect the industry to deal with and communicate to customers sensitively and proportionately.

Let us be clear about what is required of us – we have to provide an effective Radar system to spot the unwelcome intruders in the system. It isn't our job to "take out" the money laundering intruder, that is the job of law enforcement agencies but we and the industry have to communicate well with those agencies, and we need to get feedback about the accuracy of intruder alerts so we can improve them in the future.

Our wishes for the UK regime as a whole

We are only one player in the UK regime, and we have a different role to the police, NCIS and the ARA. To do our job well, and to maximise the difference that we and the industry can make, we need to be part of an effective overall UK AML regime, working effectively with the other parts of that regime.

These would seem to us to be key characteristics for an effective UK AML regime:

  1. there is a clear UK anti-money laundering strategy; roles and responsibilities for delivering that strategy are well-understood; and resources are delivered to implement the strategy.

    As with everything important and complex, the lead must come from the top. We welcome the Treasury's lead in preparing the forthcoming UK AML strategy and look to its continuing leadership as this evolves over time. This is the first time such a strategy will have been published. With a complex regime, a clear strategy will ensure we are all working to the same end and in a mutually supportive and reinforcing way.

  2. the key stakeholders work effectively together. Inter-stakeholder contact has increased and improved enormously over the last two years, through informal contacts and the various forums set up by the Treasury, the Home Office, the Association of Chief Police Officers, for example. We see scope for much deeper, more practical cooperation over time and are confident that that will happen;

  3. we have an efficient SAR regime that delivers value to law enforcement and is used to target the efforts of reporting institutions.

    We welcome the work done by the Home Office, NCIS and law enforcement since the KPMG paper was published. But as a member of the Home Office's Reporting Task Force, we agree with its interim report, published on 25 March, which indicated that much still needs to be done. We also welcome the work by the industry on providing better quality SARS. We will play our part in improving the quality of reporting by the financial sector and in targeting efforts in this area.

  4. law enforcement has adequate resources, and is organised, to do justice to SARs and to provide good, continuing feedback to NCIS and the industry.

    This was identified as an issue in the interim report. We recognise that the government has to determine law enforcement priorities and resources, but I am sure they recognise that it will not be tenable to have a continuing regime in which the industry (and other regulated sectors) make a large investment to detect possible intruders, the fruits of which are not used;

  5. the legal framework, from the EU down, is risk-based and proportionate and allows for the dynamic evolution of anti-money laundering techniques over time. We encourage the Home Office to continue to monitor the practical impact of the Proceeds of Crime Act and to be ready to review it if its application proves unduly burdensome over time and we suggest the industry takes a keen interest in the Third Money Laundering Directive, a proposal for which the Commission will publish in the summer. Since this will determine the framework for UK law, it is vital that it should be risk-based, practical and proportionate.

The risk-based approach

From our contacts with the industry it is very clear to us that there is very strong demand for us to clarify both what we mean by a risk-based approach to AML and how we will apply it in practice. This is usually combined with complaints that we are responsible for a 'fear factor' in firms, in that, it is said, our supervisory style and enforcement actions promote tick box overkill rather than risk-based proportionality.

'Risk-based approach' is the mantra of the age. A Google search, UK sources only, throws up 20,300 entries. Gratifyingly the FSA's 1998 paper on a risk-based approach to the supervision of banks is top of the list. But the first page – as far as I went, I confess – contained references to the risk-based approach in hazardous area classification, school inspection, the regulation of chemical use in marine cage salmon farming, food and drugs regulation and internal audit. So this is not some esoteric concept that we have invented.
We have set out our general risk–based approach many times since the early days of the FSA (for example, in our New Regulator series of papers). We know that industry supports the concept of a risk-based approach in principle.

But it is clear from responses to DP 22, and from other industry comment, that the application of a risk-based approach in AML generates mixed views. Many are unsure how to apply it themselves and prefer a prescriptive approach in which firms are told or guided what to do, without having to exercise much judgement. Others say a risk-based approach can be attractive to senior management, but is difficult to apply to volume business distributed across thousands of branches or call centres.

Many are not at all confident that they understand how FSA will approach the risk-based approach in the anti-money laundering context. And, in the world of AML, they perceive us as ambivalent (or two-faced, to use plainer English) - preaching the risk-based approach, but still practicing a mechanistic, tick-box approach.
It is also argued that key elements of the AML regime – the PoCA reporting requirements and the legal ID requirements – impose obligations that preclude a risk-based approach.

We very much welcome the fact that the concept is raising such interest and debate. The concept is not straightforward to apply, and we would be worried if it were perceived as being so.

In the specific context of anti-money laundering we have sought to spell out what a risk-based approach should involve, most recently in, for example, our work on the current customer review and in DP 22 (Know Your Customer and Anti-money laundering monitoring).
Although we believe in a risk-based approach in its own right, it is important to note that the Financial Services and Markets Act specifically directs us to focus on risk in pursuing our financial crime objective. It tells us that we must have regard in particular to the desirability of firms 'being aware of the risk of their business being used in connection with the commission of financial crime'.

Like any good methodology, the risk-based approach is at one level very simple. We provided in DP 22 a pithy summary of a risk-based approach. We said that it involved:

  • risk identification and assessment – identifying the ML (including related legal, regulatory, and reputational) risks facing a firm, given its customer, product and services profile and having regard to available information including published typologies, and assessing the potential scale and impact of the risks if they were to crystallise;

  • risk mitigation – identifying and applying measures effectively to mitigate the material risks emerging from the assessment;

  • risk monitoring – putting in place management information systems and keeping up to date with changes to the risk profile through changes to the business or to the threats;

  • and documentation – having policies and procedures that cover the above and deliver effective accountability from the board and senior management down.

Risk management in financial firms is long-established in the areas of credit risk, market risk, and liquidity risk. But that does not mean that it was easy to develop the mature systems now in place. Any risk area can be very simple to manage or very complex. Those concerned with developing the risk-based approach for anti-money laundering need to be realistic in their expectations. Neither we nor consultants can offer a black box.

To go back to basics, the drivers for a risk-based approach are effectiveness and proportionality.

It has long been recognised that different customers, activities, countries etc present different anti-money laundering risks. For example, the standard texts give exemptions for insurance products and for small transactions, but refer to added risk for non-face-to-face transactions. The whole point of typologies, as produced by the FATF and the Egmont Group, for example, is to identify situations that seem to create greater ML risk. It is a statement of the obvious to say that a pension policy compared to a private banking relationship or a UK customer with a stable employment compared to a new customer from a country well-known for corruption, terrorism or financial crime carry different inherent money laundering risks.

It cannot be proportionate to treat a portfolio of low, medium and high risks alike. It must result in doing too much for some and too little for others.

It cannot be effective to apply the same controls to each element in the portfolio. Higher risk situations must demand stronger controls than lower risk situations.

So the starting point for development of a risk-based approach to AML must be to differentiate risks and to discriminate in the treatment of them.

For the firm, it must mean looking at the profile of their customers, and of their products and services, and the interaction between the two.

An old age pensioner who opens a basic bank account with limited functionality, and whose only sources of income are social security payments, is different from the nouveau riche customer from and still resident in a nouveau riche country and wanting full-scope private banking services.

A listed company seeking standard corporate facilities is different from a trust or a charity.

Dealing in shares in an ISA is different from using bearer shares and an annuity or pension policy is different from a current account or execution-only dealing service. Yes, some can argue that nearly all products could be abused, but taking such a view would not be proportionate, as some clearly carry greater probability of abuse than others.

But to grow to maturity, a risk-based approach needs to be improved by empirical feedback from the world of actual experience. We therefore fully support the industry's wish to have a continuing flow of advisory typologies and profiles from NCIS and law enforcement. This is no different than in the development of techniques for managing credit risk or market risk, for example, which have been improved by scientific research and a steady flow of data about real market experience.

What about how do we in FSA apply the risk-based approach?

We have set out the detail of our risk assessment model in “The Firm Risk Assessment Framework” published in February 2003.

You will know from this that, first we look at the potential impact that a firm could have on the FSA's objectives by reference to quantitative criteria. Then, for firms above a certain threshold, we undertake a more in-depth risk assessment. In this we look at a range of factors by reference to the risks to our objectives. Those risks include ML risk and fraud risk. We score each factor against each risk as High, Medium High, Medium Low or Low. That rating determines the intensity of our supervisory relationship with the firm and the level of risk mitigation required.

We do not routinely publish aggregate data about the results of our assessments. However, I thought that it would help to shed light on the application of our risk-based approach in this area if I presented some aggregate information about Money Laundering Risk from our first full round of risk assessments carried out mostly in 2003.

The FSA authorises around 12000 firms but only around 15% of these (representing the larger firms and groups) receive a full arrow risk assessment.

Of these we have only assessed the money laundering risk as High in 46 cases, mainly on account of the firm's customer and product profile, its strategy or the quality of its systems and controls.

We have assessed the money laundering risk as Medium High in 507 cases, again mainly for the factors mentioned above, but also for a broader range of business and control risks. (These overall risk scores are also broadly the same for the risk of fraud and dishonesty)

So our perception is that we have a proportionate perspective on money laundering risk in the industry, and we believe our risk mitigation programmes reflect this assessment.

A lot of recent comment has been about our enforcement approach. We discipline only those cases where we see particularly significant control failures. And the need to have an effective system to detect possible hostile participants in the financial markets drives our continuing requirement for adequate systems and controls, and the desire that firms' senior management take this requirement seriously. Let us remember we and the industry have to create a system to detect possible intruders, not to stop them ourselves – that is for others with different powers.

So, we do not see a particular reason for a special industry fear factor in relation to anti-money laundering. But we are willing to recognise that it exists. And we are putting in place a programme to issue revised internal guidance to our supervisors, and new training, to ensure they understand the latest industry guidance, and are properly addressing risk in the context of that guidance.

Identification

We all know that identification is a problem. Firms do not like getting ID from customers. Customers do not like having to provide it. Both read about the insecurity of standard ID documents and question their anti-money laundering value. The regime in general, and the FSA specifically, are perceived as too preoccupied with ID, and the voluntary review of current customers' ID being carried about by the major retail banks and others is criticised as unnecessary and costly.

There can be a funny side to this, such as the Oxford College required to produce its 15th century charter, complete with seal in order to open a new account. More often, it just seems mindlessly irritating, as it seemed for the senior colleague of mine trying to open an account for his daughter at a branch, only to be told (wrongly) that a council tax bill is not a utility bill!

Whatever the rights and wrongs, the present perception of the ID issue is very unhelpful and damages the support of the industry and their customers for the anti-money laundering effort.

We all have an interest in looking at the issue very seriously with a view to achieving a greater effectiveness, value for money and customer buy-in. But in doing so, we need to recognise some starting points.

First, identification is and will remain a legal obligation and international standard. It has been an obligation on Member States since the first EU Directive was adopted in June 1991. It has been an obligation in UK law since 1 April 1994. It is part of the revised FATF 40 Recommendations.

Second, identity information does contribute valuable intelligence to law enforcement for the investigation and prosecution of crime and terrorism whether the original information is true or false.

Third, ID fraud and theft are amongst the highest fraud concerns, of firms and of consumers. Witness all the reportage over the last year.
Fourth, the government has announced the introduction of ID cards on a phased basis commencing in 2007/8 on current plans, and is already taking steps to improve the security and integrity of existing official documents such as passports and driving licences. We and the industry are part of the Home Office's extensive consultative arrangements.

So, there is no point in talking about dropping ID requirements altogether. Nor is it fair to say that identification is pointless. The issues are rather - what are the most efficient and effective ways of dealing with ID? How can consumers be helped to feel that they are being asked to do something valuable and relevant and proportionate?

We need to get one important message across to the Consumer. By providing ID, they are helping in the fight against financial crime and terrorist finance. Nowadays, no one minds the inconvenience of security when boarding an aircraft, because they see the benefit to themselves and the other passengers of tight security. Being prepared to provide ID in financial transactions has the same benefit.

After all, society suffers from crime and terror and we are all part of society. We must all be prepared to provide valid ID, so that those who do not wish to do so can be more readily identified. After all, would you go on a plane if some of the passengers had refused to go through the metal detector but were still allowed to board the flight?

I know that identification is seen as a key topic in the revision of the JMLSG Guidance Notes. Within our present framework, that is the right place to deliver a new approach.

In that context, I would like to issue a joint challenge, to the Industry, law enforcement and consumer interests that we should work together to produce guidance on ID - and its application practice that:

  • is risk-based – which therefore include clear differentiation between what is expected in lower risk situations and what is expected in high risk situations;

  • is balanced – what is done for ID needs to take into account what is, or might be done, for monitoring and reporting – ID plays a role, but cannot bear the whole weight of anti-money laundering controls;

  • imposes the least necessary burdens on consumers - not only should customers not be expected to provide the same level of identification; third party data sources should also be used to the fullest extent practicable;

  • minimise the likelihood of disproportionate, inept application of ID at the counter or in the call centre. The industry must invest time and effort, and, yes, cost, in 'the consumer experience', looking at their internal guidance, training, support, systems and processes.

  • provide for active education of customers in the reasons for ID and what may be expected of them. AML is for the benefit of consumers as citizens and as potential victims of identity theft or fraud;

  • do not constrain access to financial services, for example, on the part of those without driving licences, passports or other documents. Industry practices have improved considerably in this in recent years.

  • deal sensibly and sensitively with special groups for whom special processes may be appropriate – overseas students, ex-prisoners, asylum seekers, foreign workers etc... Again, industry practices have improved considerably, but continuing effort is needed.

Our joint aim should be that, by the end of 2005, we have between us defused the ID issue and effectively managed consumer expectations and the consumer experience.

I will bring together a broadly based group to look at the challenge and propose any solutions in time for the JMLSG re-write.

DP22 Responses

The response period for DP22 (Reducing money laundering risk – Know Your Customer and anti-money laundering monitoring) ended on 30 January. In the DP we sought to stimulate debate on two topics generally seen as crucial to anti-money laundering but which raise difficult practical issues and important questions about proportionality and risk management.

We were very pleased by the number – 79, a high figure for us - and thoughtfulness of the responses. We were also pleased by the range of firms, service providers, credit reference agencies and other organisations that commented.

You will recall that we presented four options in the paper –for us to develop new specific rules or guidance for our Handbook, for us to develop new high-level rules or guidance, for us to rely on the JMLSG Guidance Notes, or for us to leave the topic open for a period and to take stock again in the light of the evolution of the Guidance Notes, the evolution of the SAR regime and longer experience of the impact of PoCA.

The responses indicated broad agreement that KYC and monitoring do play a key role in anti-money laundering monitoring, but that they need to be applied according to a risk-based approach. We received useful feedback on what are perceived to be the main costs and benefits and on the other practical issues that we raised. A significant number of firms, particularly investments firms, were sceptical about whether benefits outweighed costs. There was significant demand for clarification of the risk-based approach and for much improved feedback from law enforcement in order to help industry apply a risk-based approach in practice.

Some respondents expressed support for more than one option. We do not make policy by referendum, but I will note that, perhaps not surprisingly, the largest support was for the last option – Wait and See. But interestingly, this did not attract majority support – some 40% of preferences supported it. Otherwise, there was fairly even support for each of the other options and of those who expressed no preference for a particular option.

We have not completed our own consideration of the options in the light of the responses. You will gather from our general approach, however, that our strong preference would always be to look to the industry itself to provide the necessary standards.

FSA initiatives

I referred at the beginning to our intent to be a good team player and to provide leadership or facilitation if appropriate.

On the three key issues that I have covered today, we see a lot of good work going on. But we also have a perception of less coordinated activity and less urgency than is necessary to move the issues on within an adequate timescale. I have discussed this with other stakeholders. And I believe our joint task will be made easier if we work more closely together in addressing them, so I am establishing three working groups to address targeting, the risk-based approach, and identification. These will include representatives of all the key stakeholders, with agreed terms of reference and a challenging timetable. Their outputs will be for the system as a whole, not for us in particular. We are therefore acting very much as facilitator and we will work together to deliver the next generation of AML activity in the UK, which is proportionate and serves our common aims to make criminals more catchable and punishable and to deter crime.

More Speeches: