Effective AML - The UK story
Speech by Philip Robinson, Financial Crime Sector Leader, FSA
Asia-Pacific Financial Crime Conference & Exhibition 2006,
Singapore
July 27 2006
Mr Vice Chairman, Ladies and Gentlemen
I am honoured and delighted to be asked to speak to you today on behalf of the Financial Services Authority. I would especially like to thank the Association of Banks in Singapore and Mr Peter Hazlewood for inviting me. At this important and timely conference we will jointly examine some of the challenges we face together in fighting money laundering and terrorist finance. These are high profile challenges for us all, with an international political consensus that these are global threats, which need to be addressed by effective global mitigation.
Any international financial centre, such as the UK or Singapore, has to play its part in identifying and mitigating the risks within its shores, and within its financial systems. Success needs a continuing effort, as any significant international financial centre will attract those who want to hide what will always be a relatively small number of illegitimate transactions within the many millions of legitimate international transactions carried out every year. How to effectively eliminate these toxins from the system without killing the patient, (or should I say eliminate money laundering and terrorist finance without slowing global economic growth), is a key challenge.
Since money laundering and terrorist financing are global problems it is vital for any international financial centre to do as much as it can to promote effective cross border co-operation and information sharing and to build effective international partnerships. In the UK, the FSA seeks to do this in a number of ways, both formally - for example, through Memoranda of Understanding such as the one we signed with the Monetary Authority of Singapore in October last year - and informally, through building effective relationships with our partners, both regulatory and otherwise, in overseas jurisdictions and working with them to promote good international AML and CTF standards. This is why I was particularly pleased to be invited to speak to you today.
I wish to talk in particular about the core of the UK's AML and CTF regime, the risk based approach. This is our attempt to rise to the challenge of focussing our AML/CFT efforts where the greatest harm can be prevented. I hope to give you a clear understanding of what it is, what it means in practice for the FSA as a regulator and what in means in practice for the firms we regulate.
Social Harm
But let me first recall why all this matters so much. The purpose of the UK's anti-money laundering regime is ultimately to contribute to reducing crime and the social harm it causes. As this slide demonstrates, money laundering supports numerous activities which are cause harm to society as a whole; drug trafficking, people smuggling, fraud and terrorism.
And it is this connection between the crime that affects us all and money laundering that drives the way in which we assess the impact of financial crime.
Let's consider £10,000 of dirty money illegally obtained through a robbery and laundered through our financial system. How do we quantify the impact of such an event occurring?
Clearly, there is a direct impact on our objective to reduce the extent to which the firms we regulate can be used for a purpose connected with financial crime. And there is also a direct victim, either an individual or firm who has suffered a financial loss.
But how important is that £10,000 to society as a whole?
Well let us imagine that the £10,000 is used to buy a quantity of drugs to sell on. Suddenly, you are dealing with much bigger issues of social harm; you are talking about drug users who may be forced to commit other crimes to pay for the drugs; whose health problems might cost the Health Service significant sums and who are likely to suffer an untimely death.
Furthermore, the £10,000 we started with will have been turned into a significantly larger sum through this drug dealing and that money will need to be laundered again.
So let us consider what might happen if this money is laundered successfully. What further harm could it do to society? Maybe more drugs are purchased or maybe the money funds other types of crime, like people trafficking. Suddenly the impact of our original thousand pounds is starting to look more and more serious.
Worse still, what if that money is channelled into a terrorist cell? The UK learned last year that a few thousand pounds in the hands of determined terrorists can be converted in to actions that wreck the lives of hundreds of people and their families. That financial equation has been successfully replicated by terrorists around the world, in New York, in Bali, in Madrid, in Amman, in Mumbai and many other places
It is clear that there are significant multiplier effects in terms of the total harm to society when one is dealing with money laundering. Eliminating this negative externality from the operations of the financial markets needs Government intervention, because it will not be eliminated by financial market forces alone. But as I said before challenge it to target the intervention so as reduce the problem without creating unnecessary damage to the market, and to do so cost effectively, since this is government mandated spending, paid for ultimately by you and me.
The Risk Based Approach
So how do try to do that in the FSA? How do we focus our resources on the areas of greatest risk? The FSA is a self confessed risk based regulator and our risk assessment framework - what we call 'ARROW' - is highly risk sensitive. Whether assessing credit, market, liquidity, operational or financial crime risk in firms, sectors and the market as a whole, the risk based approach is deeply engrained in the way we operate. Of course it is not just the FSA that does this. Firms in the industry have always been ahead of the public sector in risk assessment and mitigation, but now regulators, policy makers and law enforcement agencies are becoming increasingly risk based, seeking to focus their finite resources on the areas where they can maximise marginal benefit.
A well-implemented risk based approach should deliver three key elements to the UK's AML regime: cost effectiveness, flexibility and proportionality. Cost effectiveness not cost control
For all of us involved in the fight against money laundering and terrorist financing, resources are limited. It is therefore essential that we use resources effectively and efficiently. By ensuring that resources are focused on real money laundering risk, the risk based approach can help us to maximise our return investment in fighting money laundering and ensure that we get the best possible bang for our buck.
The risk based approach is not an easy option and nor is it necessarily the cheapest. It's all about value for money, making sure that costs that we are all mandated to spend are focussed to deliver the maximum benefits.
The so called 'tick box approach' to AML, where firms look to manage regulatory risk associated with financial crime is inherently wasteful. If a firm invests in systems that are focussed not on reducing the financial crime risks, but simply to avoid regulatory sanction, this is no good for anyone. It imposes financial costs the firm, irritates large number of honest customers and doesn't maximise harm reduction for society as a whole.
That is why we seek a more risk based regime, to ensure every penny invested in money laundering is done so effectively and efficiently, reducing wastage, concentrating on real risk and maximising the benefits to society.
Flexibility
Our approach recognises that no one is capable of understanding a firm's money laundering risks better than the firm itself. They are the ones who have the deep understanding of their products, markets and customers. Good risk based regulation requires firms to manage AML risk, and empowers senior management to use their knowledge of their firm to develop systems that uniquely address the specific risks that they face.
It is important to remember that money launderers themselves operate in a risk based fashion too. They constantly adjust their strategies in light of the evolving risks that they face the risk of capture and detection. In fact, I recently heard an anecdote suggesting that the most frequently borrowed book from UK prison libraries is the Proceeds of Crime Act 2002 - our primary money laundering legislation! It is therefore vital that our AML regime is flexible enough to respond quickly and effectively to trends in money laundering behaviour. The risk based approach offers the possibility of a highly dynamic regime; giving firms the freedom to adapt and evolve their AML processes as the risks they face change over time.
Proportionality
Of course, a firm's investments into AML systems must be proportionate - both to the risks that the firm faces and to the benefits that the investment is likely to produce. What we want to see is firms taking reasonable steps to identify and strengthen the weak links in their defences. The FSA neither expects, nor desires a zero failure regime.
Proportionate spending on AML targeted at the real weak points in our systems means that it becomes more difficult and therefore more costly for criminals to launder their ill gotten gains. It also increases the chances that their activities will be detected and prosecuted.
Firms
So what does the risk based approach mean for firms?
As I have touched upon, it is a regime in which it is firms' assessments of risk, rather than their perception of regulatory requirements, that should drive their actions to fight money laundering and terrorist financing. They should be looking at the risks presented by their customers, the products they offer, the delivery channels they use, and the areas of the world in which they operate. This approach will allow them to target their resources to the areas of greatest risk and vulnerability in a flexible, cost-effective and proportionate way.
Central to the approach is the concept of senior management responsibility. The FSA is very serious about this and where senior managers neglect their responsibilities they can expect to be held personally responsible. A good example of this is the action that the FSA took last year against a firm called Investment Services UK Ltd, where, not only was the firm fined, but so too was its Managing Director personally.
I see it as essential that senior managers are fully aware of the money laundering risks that their firms face. They should also have a good understanding of the processes for identification, assessment, mitigation, monitoring and documentation of risk.
It is not our place to tell firms exactly what they should be doing to prevent money laundering; our task is to put in place a regulatory regime that incentivises and empowers firms to manage their own risks effectively and this requires certain key ingredients:
- good quality intelligence from law enforcement and other sources such as FATF typologies;
- data sharing with other firms, trade associations, government and the regulator.
Such information flows allow firms to fine-tune their risk based systems to ensure their effectiveness. But this type of knowledge needs to be coupled with relevant training should empower individuals to exercise sound risk based judgement.
Finally we need to ensure that the FSA, as the regulator, is aware of the real risks firms face. We wish to encourage innovation, flexibility and diversity in terms of how financial crime risks are dealt with and this means that our supervisors need to be sensitive to the fact the what constitutes good processes in one firm does not necessarily constitute good practice in another. (I will talk about how we are training our staff to ensure their understanding of the risk based approach shortly.)
We also need to make sure that firms are confident that they will not automatically find themselves subject to enforcement action in the event of money laundering occurring. As I said earlier, we do not seek a zero failure regime and, as such, we will not automatically take action against a firm that has good AML processes with full senior management backing just because a particular incidence of money laundering has occurred.
That is not to say that we are as a toothless regulator. When I sent an open letter to the Chairman of the UK's Joint Money Laundering Steering Group last April, I covered the issue of how the FSA enforces against weaknesses in firms' anti-money laundering systems and controls. I reminded him that we have worked very hard to ensure that firms can concentrate on the management of real money laundering risk rather than compliance with detailed rules. But we will take appropriate action if a firm does not mitigate its money laundering risks effectively. More often than not, that action will take the form of a remedial programme through the normal supervisory process. But in instances where there have been significant and persistent or egregious systems and controls failures, we will take Enforcement action, as we have done in the past.
The Right AML Framework
The UK's has a multi agency AML/CFT strategy led by HM Treasury, involving Law Enforcement, Policy Makers, Regulators and the Industry itself. I want to explain to you the role of the FSA within that strategy. What value do we add to the fight against dirty money?
First of all we are not law enforcers. Our main focus is not catching and punishing money launderers but ensuring that firms have the proper systems and controls in place to avoid being used by money launderers and terrorist financiers. Our aim is to create the right AML framework to ensure firms operate a risk based approach to money laundering prevention. By our actions as a regulator we must incentivise Firms' behaviour towards achieving this aim
Of course, regulatory intervention can sometimes distort firms' in unexpected ways, so something the FSA has had to do is tackle the so called 'Fear Factor' created when we disciplined a number of firms soon after we received our Financial Crime responsibilities in 2001.
Disciplining firms for failing to have adequate ID procedures led to firms to focus unduly on the ID part of customer due diligence. At the same time as appearing over-bearing and inconvenient for law abiding citizens, the ID regime was not seen to be particularly effective at making it more difficult for criminals to open accounts in the financial system. After all, criminals are generally dynamic, adaptive, deceptive and intelligent and unlikely to be deterred by rigid and formulaic ID requirements.
There was also the potential for those without access to the standard identity documents like passports and driving licences - people like students, those on state benefits and refugees - to lose access to financial services. This 'Fear Factor', the fear of regulatory sanction, led firms to focus unduly on the input of collecting and verifying ID rather than the output of managing the AML/CFT risk in the customer base. Essentially, firms were too focussed on managing regulatory risk rather than real money laundering risk.
To address this, the FSA worked with industry and law enforcement to 'defuse the ID issue' and clarified its approach to supervision and enforcement in the AML/CFT context. Details of this work are available from our website - progress reports on 'Defusing ID' and fear factor letter to JMLSG chair. We emphasised that we do not expect a zero failure regime, indeed a zero failure regime is undesirable, since it is unlikely to be proportionate. What we do expect is good performance by firms in assessing AML/CFT risk, and where risk does exist good performance in mitigating it.
To assist in achieving this outcome, we conducted a review of the detailed money laundering rules in the FSA Handbook to identify how they might be changed. We decided that the detailed rules in our Money Laundering Sourcebook should be replaced with high level provisions in the Systems and Controls section of our Handbook. These provisions require firms to:
- ensure that their systems and controls enable them to identify, assess, monitor and manage their money laundering risk;
- make specific directors or senior managers responsible for meeting their objectives on money laundering systems and controls; and appoint, (as required previously in the detailed rules), a Money Laundering Reporting Officer or 'MLRO' to oversee the firm's AML activities. Firms will continue to need FSA approval for the person put forward to be MLRO.
Removing this detail from the FSA rulebook has a number of benefits.
First, it puts a much sharper focus on senior management responsibility for AML systems and controls and on the need for firms to manage real money laundering risk, rather than simply to treat AML as a compliance issue. The previous Money Laundering sourcebook gave undue emphasis to some AML controls, such as ID checks, compared with others.
Second, it creates a much better fit with the relevant UK legislation and the government endorsed industry guidance than we had before. The old sourcebook duplicated matters covered by the UK legislation on money laundering and the Guidance issued by the industry's own Joint Money Laundering Steering Group (JMLSG). In a rapidly changing world that didn't make sense.
And, finally, it gives firms and senior managers greater flexibility to implement systems and controls in the most appropriate way for their firms.
So you can see that these new provisions are focused on outputs and they challenge firms to innovate and deliver effective money laundering risk management as efficiently as possible. But how firms reach that goal up is to them within the framework of the Government enacted ML regulations and the industry produced guidance. This move away from detailed rules is in keeping with an FSA-wide drive to move to a more principles-based regime as part of our 'Better Regulation' agenda. As our CEO John Tiner said when speaking on the subject recently, "the focus shifts from the means to the end".
Our rule changes come in to force at the beginning of September at the same time as the latest edition of the JMLSG Guidance, endorsed by the Chancellor on 13 March this year. The effect of such his endorsement is to give the guidance a legal status, so a judge has to take into account this guidance in the event of prosecutions for various money laundering offences. We worked closely with the JMLSG (a body representing 16 financial sector trade associations), during the production of their new Guidance and we and they have seats on the UK Government's Money Laundering Advisory Committee.
The Guidance is used extensively by firms seeking to develop their AML systems and it reflects the UK's focus on a risk based approach and the emphasis on senior management responsibility for the management of money laundering risks. The Guidance also advocates a more streamlined approach to customer identification.
So you can see there is a high degree of interdependence between the JMLSG Guidance and the new FSA Handbook and together they form a significant part of the UK's AML framework. Indeed, our Handbook states that, when considering whether a breach of money laundering rules has occurred, we will have regard to whether a firm has followed relevant provisions in the JMLSG Guidance.
Training
I mentioned the training of FSA staff a moment ago and I consider our efforts here crucial to delivery of a risk based approach. Over the past six months or so, we have overhauled the training available to our staff and introduced a major new four part financial crime training programme.
The first part of this programme is a computer based training course - compulsory for all staff - intended to give them foundation level knowledge of money laundering and fraud issues.
The second level is intermediate face to face workshops, designed and delivered by external experts. These give supervisors a deeper understanding of financial crime issues, threats and emerging trends; the practical ability and insight to probe further when questioning firms; and a clear understanding of the risk-based approach, what it means for firms and what proportionate risk mitigation looks like. At present, we are around half way through our schedule of workshops and some 350 of our staff have completed this training.
In addition, we have put together a programme of detailed briefings on the new JMLSG Guidance. The editor of the JMLSG guidance has already been in to speak to our staff about the general material in the Guidance, and the industry sector trade associations will give briefings to our supervisors later this year on each sector's risk based sectoral guidance. And finally, we run a series of financial crime presentations from specialists in industry, law enforcement and government agencies on current and emerging issues.
Framework part 2
Another key factor in getting our AML framework right is putting in place effective partnerships and ensuring that intelligence is accessible to the organisations that can use it most effectively. Here there are two issues I want to touch on: firstly, typologies, and secondly, co-operation between the various agencies involved in delivering the UK's AML/CFT strategy.
Typologies provide an insight into the evolution and prevalence of particular criminal techniques and over time help us to understand both current and emerging threats. This information is vital in allowing law enforcement, regulatory authorities and the private sector to help prevent, detect and investigate specific money laundering and terrorist financing activity.
Although we are becoming more creative in the gathering of information for typologies work, we have not, up to now, fully exploited the additional information that is held by the private sector to develop and enrich these typically law enforcement products. This is something that we in UK are keen to do better, and along with other UK stakeholders have been working on a mechanism to facilitate this interactive typology development between the public and private sectors.
From a consultation we have just undertaken, it is also apparent that we need to get the worked up typologies to the industry a lot faster to help inform their risk mitigation strategies. Issuing something in our own countries two years after the threat is first identified is of little preventive use in a fast moving environment, especially as the criminals may have moved to another country and are repeating the technique there. That is why the annual typology approaches taken by the APG, GAFISUD and of course FATF are to be welcomed, but we also need a more dynamic distribution of intelligence, real time. As I have begun to hear from Law Enforcement - "We have to move from 'need to know' to 'need to share'. After all, what is the point in making the financial services industry spend a lot of money to create a radar system to spot intruders and then fail to give it accurate targeting information.
The second aspect that underpins a good information sharing regime is trust and cooperation between law enforcement, regulators and the private sector. Following last years bombings and the attempted bombings in London there was excellent co-operation between financial institutions and law enforcement. This led directly to law enforcement to a number of immediate intelligence leads, providing critical assistance in the early days of the investigation. These early leads would not have been available if the financial sector had not worked around the clock in order to report relevant information.
We know that the more intelligence a firm has about the real threat, the better it is able to use its judgement to implement an effective and risk based AML system. Partnership working between regulator, firms and law enforcement agencies promotes knowledge sharing and the effective use of intelligence on money laundering trends and risks.
Law enforcement agencies are a major source of intelligence. And, of course, they themselves rely on the suspicious activity reports produced by firms and the AML regime to inform their investigations. We already have a close working relationship with the Serious Organised Crime Agency. By bringing together the National Criminal Intelligence Service with the National Crime Squad, and investigative resources from, HM customs and the Immigration Service it will provide a range of intelligence and law enforcement support about Organised Criminality that will be invaluable in our AML regime.
SOCA have now established governance arrangements for the UK Suspicious Activity Reporting regime that reflect this partnership, involving Industry and Regulators at the highest level, and a group of vetted industry specialists able to participate in operational assessment of the SARS regime. We will continue to use these to encourage the sharing of targeting information between this new agency and the firms that we regulate.
The FSA has its own intelligence capability which we have strengthened, both in terms of the skills that we possess and the depth of analysis that we conduct. The aim of our work is to develop a better understanding of the threats facing the UK financial system, and to identify areas of poor AML/CFT performance in the industry.
Some of the most important relationships we have though are of course with the firms we that we regulate. These relationships are both direct with senior management and staff in firms and indirect through the various trade associations. They allow us to gather raw data for our own and others' analysis and ensure that the intelligence that we and our law enforcement and Governmental partners produce is tailored to the industry's needs.
All of this work allows us to develop a clearer picture of the way criminals work and allows firms to have the information they need to refine and optimise their AML systems. This partnership approach is central to the risk based approach; if firms are going to manage their risks then they need good information. And we do what we can to ensure that firms are fully empowered by having the best possible intelligence at their disposal.
The future
In the UK we are seeing a new approach to AML beginning to emerge. The key risk based policies now in place are the foundation. We must now achieve effective implementation. This transition has allowed a time for looking forward to what we want to achieve in the next phase of our financial crime work. FSA has identified three high level aims for our work to 2010: To focus our effort on poor performing firms and sectors To develop better information about the scale and incidence of financial crime To contribute to ensuring that an effective risk based approach is understood and implemented not just in policy but in practice, domestically and internationally.
We are confident that if these are met then we will achieve our objective of reducing the scope for firms to be used for purposes connected to financial crime. We will be looking to implement our new risk assessment model - 'ARROW 2' - to drive our supervisory focus on anti-money laundering to where the biggest risks arise. This will be complemented by improved communications and co - working domestically and internationally to ensure that firms are fully equipped with the information they need to manage their money laundering risks properly and that new ML typologies identified in other jurisdictions are quickly made available within the UK.
A key challenge will be to better understand the social harm multiplier, and to understand how this should inform the development of our regime so that it is demonstrably proportionate and effective.
Conclusion
To conclude, I hope I have given you a good understanding of how we believe the UK's AML regime should work. Firms should be incentivised and empowered by good regulation to manage their ML risks in the most cost effective, proportionate way possible. In the UK, we believe we now have the framework to achieve this. By identifying and managing real ML risk, firms can expect to reduce inconvenience to honest customers, and get better value for their outlay, not just for themselves, but for society as a whole.