Managing the Risk of Financial Crime PDF

Summary

This document discusses money laundering, terrorist financing, and the standards required of firms. It examines the concept of money laundering and terrorist financing, including the stages of money laundering: placement, layering, and integration. It also covers the role of international agencies in combating these issues.

Full Transcript

Managing the Risk of Financial Crime

1. Money Laundering, Terrorist Financing and the Standards Required of Firms

1.1 The Concept of Money Laundering and Terrorist Financing

Learning Objective
3.1.1 Understand the concept of money laundering and terrorist financing

Financial services firms must reduce the risk that their services are used for terrorist financing or money laundering purposes. Although these two areas are related, the issues and risks faced by firms differ and so employees need to be aware of both aspects.

Terrorist financing relates to the financial support of organisations or groups that seek to perform terrorist acts and also to any financial transactions undertaken to move such money around the globe in order to enable terror attacks to be carried out.

Money laundering has a wider remit and is related to financial transactions aimed at turning money derived from criminal activities (‘dirty money’) into money which appears to have been legitimately acquired and which can, therefore, be more easily invested and spent (‘clean money’).

Money laundering can take many forms, including:
- handling the proceeds of crimes such as theft, fraud and tax evasion
- handling stolen goods
- being directly involved with, or facilitating, the laundering of any criminal or terrorist property, or
- criminals investing the proceeds of their crimes in a whole range of financial products.

There are similarities between the movement of terrorist funds and the laundering of criminal property and, because terrorist groups can have links with other criminal activities, there is inevitably some overlap between anti-money laundering (AML) provisions and the rules designed to prevent the financing of terrorist acts.

There are two main differences to note between terrorist financing and other money laundering activities:
1. Although the overall funds required may be significant, terrorist financing usually involves small amounts of money, making identification and tracking more difficult.
2. The source of funds may be legitimate, thus making it difficult to identify when the funds become terrorist funds.

The cross-border nature of money laundering and terrorist financing has led to international coordination to ensure that countries have legislation and regulatory processes in place to enable identification and prosecution of those involved. Examples include:
- The Financial Action Task Force (FATF), which has issued recommendations aimed at setting minimum standards for action in different countries to ensure AML efforts are consistent internationally; it has also issued special recommendations on terrorist financing.
- European Union (EU) directives targeted at money laundering prevention.
- Standards issued by international bodies to encourage due diligence procedures to be followed for customer identification.
- Sanctions by the United Nations (UN) and the EU to deny individuals and organisations from certain countries access to the financial services sector.
- Guidance issued by the private sector Wolfsberg Group of banks in relation to private banking, correspondent banking and other activities.

1.2 Stages of Money Laundering

Learning Objective
3.1.2 Know the stages of the money laundering process: placement; layering; integration

There are three stages to a successful money laundering operation:
- Placement – introduction of the money into the financial system. Typically, this involves placing the criminally derived cash into a bank or building society account, a bureau de change or any other type of enterprise which can accept cash, such as a casino.
- Layering – involves moving the money around in order to make it difficult for the authorities to link the placed funds with the ultimate beneficiary of the money. This might involve buying and selling foreign currencies, shares or bonds in rapid succession; investing in collective investment schemes; or insurance-based investment products; or moving the money from one country to another.
- Integration – at this final stage, the layering has been successful and the ultimate beneficiary appears to be holding legitimate funds (clean money rather than dirty money). The money is regarded as ‘integrated’ into the legitimate financial system.

Each of these stages impacts financial services firms.

During the ‘placement’ stage, the money launderer introduces cash into the financial system. This requires cash in hand to be replaced by some valuable claim on assets or benefits. In recent years, the use of electronic currency (eg, Bitcoin) has raised much interest regarding the disruptive impacts of technology, but should also be considered in the light of money laundering considerations. Any transaction by which someone converts actual currency for an electronic currency could be an example of placement.

For most financial services firms, ‘layering’ represents the biggest risk – as any transaction that exchanges one asset for another, or changes the registered owners of an asset, could be a step of layering. Because the purpose of layering is to disguise the original source of the money and the eventual end recipient, layering processes will often be protracted and detailed – yet each individual step will be designed to appear innocent, such as the usual activity of an investor managing their affairs. For this reason, the ability to assess behavioural trends in account activity has become increasingly important.
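
One behavioural pattern of this kind is an investor changing their bank details or address and redeeming their holding shortly afterwards. The sketch below is an added illustration, not part of the original text, of how a monitoring rule could surface that sequence for review; the event names, the 14-day window and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical event types that alter where proceeds or correspondence are sent.
DETAIL_CHANGES = {"BANK_DETAILS_CHANGE", "ADDRESS_CHANGE"}

# Constructed sample events: (account, ISO timestamp, event type, amount).
SAMPLE_EVENTS = [
    ("ACC-001", "2024-03-01T10:00:00", "SUBSCRIPTION", 50000.0),
    ("ACC-001", "2024-06-10T09:15:00", "BANK_DETAILS_CHANGE", 0.0),
    ("ACC-001", "2024-06-12T14:30:00", "REDEMPTION", 49500.0),
    # Address change long before the redemption: outside the default window.
    ("ACC-002", "2024-01-05T11:00:00", "ADDRESS_CHANGE", 0.0),
    ("ACC-002", "2024-05-20T16:45:00", "REDEMPTION", 12000.0),
    # Change happens after the redemption: not the pattern of interest.
    ("ACC-003", "2024-04-02T08:00:00", "REDEMPTION", 3000.0),
    ("ACC-003", "2024-04-03T08:00:00", "ADDRESS_CHANGE", 0.0),
    # Two changes in quick succession, then a redemption.
    ("ACC-004", "2024-07-03T12:00:00", "BANK_DETAILS_CHANGE", 0.0),
    ("ACC-004", "2024-07-01T12:00:00", "ADDRESS_CHANGE", 0.0),
    ("ACC-004", "2024-07-08T12:00:00", "REDEMPTION", 80000.0),
]


@dataclass(frozen=True)
class Alert:
    account: str
    redemption_time: datetime
    amount: float
    preceding_changes: tuple  # ((event type, whole days before redemption), ...)


def find_change_then_redeem(events, window_days=14):
    """Return an Alert for each redemption preceded, within the window,
    by a change of bank details or address on the same account."""
    window = timedelta(days=window_days)

    # Group per account; events may arrive out of order, so sort by time.
    by_account = defaultdict(list)
    for account, ts, kind, amount in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, amount))

    alerts = []
    for account in sorted(by_account):
        history = sorted(by_account[account], key=lambda e: e[0])
        recent_changes = []  # detail changes still inside the window
        for when, kind, amount in history:
            recent_changes = [(t, k) for t, k in recent_changes
                              if when - t <= window]
            if kind in DETAIL_CHANGES:
                recent_changes.append((when, kind))
            elif kind == "REDEMPTION" and recent_changes:
                alerts.append(Alert(
                    account=account,
                    redemption_time=when,
                    amount=amount,
                    preceding_changes=tuple(
                        (k, (when - t).days) for t, k in recent_changes),
                ))
    return alerts


if __name__ == "__main__":
    for alert in find_change_then_redeem(SAMPLE_EVENTS):
        changes = ", ".join(f"{k} {d}d earlier" for k, d in alert.preceding_changes)
        print(f"REVIEW {alert.account}: redemption of {alert.amount:,.2f} "
              f"on {alert.redemption_time:%Y-%m-%d} after {changes}")
```

An alert here is a prompt for review rather than a finding, since many such sequences are genuine.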

Where firms process many thousands of transactions – each of which seems ordinary – they are investing in systems and procedures that look for patterns or series within the transactional data, such as where an investor might change their bank details or address and shortly afterwards redeem their holding. In many cases, such transactions may still be genuine – but the firm must exercise due care.

‘Integration’ can be more difficult to demonstrate, because the cleaned money may not actually be removed from the financial system. The money launderer’s purposes are satisfied provided the illegal source of the money can no longer be identified by firms or law enforcement. In some cases, the integration phase may see the criminal making withdrawals from a bank account, while in others, the money may remain invested in some long-term project or investment. The aim of firms is to ensure sufficient records make it more difficult for the criminal to achieve this stage of integration.

1.3 Role of International Agencies

Learning Objectives
3.1.3 Know the role of international agencies in combating money laundering and the financing of terrorism: United Nations Office on Drugs and Crime (UNODC); International Monetary Fund (IMF); World Bank
3.1.4 Know the role of the Financial Action Task Force (FATF) in combating money laundering and terrorist financing; jurisdictions with strategic deficiencies; the challenge of jurisdictional differences

1.3.1 United Nations Office on Drugs and Crime (UNODC)

UNODC is mandated to assist member states in combating illicit drugs, crime and terrorism. In the Millennium Declaration, member states also resolved to intensify efforts to fight transnational crime in all its dimensions, to redouble the efforts to implement the commitment to counter the world drug problem and to take concerted action against international terrorism.

The Law Enforcement, Organized Crime and Anti-Money-Laundering Unit of UNODC is responsible for carrying out the Global Programme against Money-Laundering, Proceeds of Crime and the Financing of Terrorism, which was established in 1997 in response to the mandate given to UNODC through the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances of 1988. The Unit’s mandate was strengthened in 1998 by the Political Declaration and the measures for countering money laundering adopted by the General Assembly at its 20th special session, which broadened the scope of the mandate to cover all serious crime, not just drug-related offences.

The broad objective of the Global Programme is to strengthen the ability of member states to implement measures against money laundering and the financing of terrorism and to assist them in detecting, seizing and confiscating illicit proceeds, as required pursuant to UN instruments and other globally accepted standards, by providing relevant and appropriate technical assistance upon request.

1.3.2 International Monetary Fund (IMF)

As a collaborative institution with near-universal membership, the International Monetary Fund (IMF) is a natural forum for sharing information, developing common approaches to issues, and promoting desirable policies and standards – all of which are critical in the fight against money laundering and the financing of terrorism.

In addition, the IMF’s broad experience in conducting financial sector assessments, providing technical assistance in the financial sector, and exercising surveillance over members’ economic systems has been particularly helpful in evaluating countries’ compliance with the international anti-money laundering/countering the financing of terrorism (AML/CFT) standard and in developing programmes to help them address identified shortcomings.

In 2006, the IMF executive board confirmed the general principle that every Financial Sector Assessment Program (FSAP) and Offshore Financial Center (OFC) assessment should incorporate a full AML/CFT assessment.

The IMF has been a substantial contributor in this area, by cooperating with the FATF and the FATF-style regional bodies (FSRBs), conducting AML/CFT assessments alongside the FATF’s and FSRBs’ peer evaluations of their members’ compliance with the FATF 40 Recommendations (see section 1.3.4), providing technical assistance, and contributing to policy development and research.

The IMF launched a donor-supported trust fund – the first in a series of topical trust funds (TTFs) – to finance technical assistance in AML/CFT in 2009. Canada, France, Japan, Korea, Kuwait, Luxembourg, the Netherlands, Norway, Qatar, Saudi Arabia, Switzerland, and the UK committed to collectively provide US$25.3 million over five years to the financing of the TTF to contribute to the strengthening of global AML/CFT regimes, using the fund’s proven expertise and infrastructure.

Many projects were successfully completed and, due to the continuing high demand for capacity development in this area, a new five-year phase of the TTF started in May 2014. Donors (France, Japan, Luxembourg, the Netherlands, Norway, Qatar, Saudi Arabia, Switzerland and the UK) have together pledged more than US$20 million over the next five years to support this new phase. The IMF’s update in March 2016 notes that US$6.5 million is being used annually to help over 30 countries through technical assistance and training.

In 2018, emerging areas in the AML/CFT space were identified including FinTech, correspondent banking and transaction laundering. The increased demand for integrity advice and capacity development led to the goal of at least one or two assessments per year going forward. Since 2020, IMF staff participate in AML/CFT assessments carried out by other assessor bodies.

1.3.3 World Bank

The World Bank consists of two main organisations: the International Bank for Reconstruction and Development (IBRD) and the International Development Association (IDA). Both the IBRD and the IDA are involved in supporting developing countries and in the case of the IDA making grants to the poorest countries.

Emerging markets are increasingly becoming the venue for large-scale money laundering operations. If left unchecked, this activity will eventually undermine the credibility of the formal financial sector.

In its financial sector operations, the World Bank promotes measures to counter the flow of illicit funds into the financial systems of countries and arranges for external assistance. In doing so, the Bank recognises that measures to prevent and detect money laundering activities cannot focus only on banks. Effective measures must also address the securities, insurance, and money-changing sectors.

The Stolen Asset Recovery Initiative (StAR) is a partnership between the World Bank Group and UNODC that supports international efforts to end safe havens for corrupt funds. StAR works with developing countries and financial centres to prevent the laundering of the proceeds of corruption and to facilitate a more systematic and timely return of stolen assets to their country of origin.

Somewhere between US$20 and US$40 billion every year is stolen from developing countries through bribery, misappropriation of funds, and other corrupt practices. This figure is equivalent to 15–30% of official development assistance funds.

1.3.4 Financial Action Task Force (FATF)

The FATF is an intergovernmental body whose purpose is the development and promotion of national and international policies to combat money laundering and terrorist financing. The FATF is, therefore, a policy-making body that works to generate the political will necessary to bring about legislative and regulatory reforms in these areas.

Over 180 countries participate in the formulation and implementation of the 40 Recommendations. The FATF’s 40 Recommendations on money laundering plus 9 Special Recommendations on countering terrorist financing were combined in 2012 to make 40 Recommendations that cover both money laundering and countering terrorist financing. The main changes included:
- adding tax crimes as predicate offences for money laundering
- the extension of obligations on financial institutions to conduct enhanced due diligence on a risk basis to domestic politically exposed persons (PEPs)
- the introduction of more rigorous requirements in relation to the information which must accompany wire transfers
- the requirement for countries to establish mechanisms to record basic company information and to enable financial institutions, competent authorities and others to determine beneficial ownership and conduct appropriate customer due diligence (CDD)
- the introduction of a new step-by-step process for the identification of beneficial ownership and control of companies as part of CDD measures.

The FATF monitors members’ progress in implementing necessary measures, reviews money laundering and terrorist financing techniques and countermeasures, and promotes the adoption and implementation of appropriate measures globally. In performing these activities, the FATF collaborates with other international bodies involved in combating money laundering and the financing of terrorism.

What does the FATF do?
- Sets international standards to combat money laundering and terrorist financing, and provides best practice papers and guidance including implementing a risk-based approach.
- Assesses and monitors compliance with the FATF standards, and provides a list of non-cooperative countries for use by countries to help apply Recommendation 21 (see below).
- Conducts studies of money laundering and terrorist financing methods, trends and techniques.
- Responds to new and emerging threats, such as proliferation financing.

The following is an example of a FATF Recommendation (in this instance, Recommendation 21).

Example

Measures to be taken with respect to countries that do not or insufficiently comply with the FATF:

Financial institutions need to give special attention to business relationships and transactions with persons, including companies and financial institutions, from countries which do not, or insufficiently apply the FATF Recommendations. Whenever these transactions have no apparent economic or visible lawful purpose, their background and purpose should, as far as possible, be examined, the findings established in writing, and be available to help competent authorities. Where such a country continues not to apply or insufficiently applies the FATF Recommendations, countries should be able to apply appropriate countermeasures.

The FATF’s Working Group on Terrorist Financing and Money Laundering (WGTM) Project Team on Proliferation Financing (PFPT) was created in October 2008 to develop policy options that could be considered as measures for combating proliferation financing within the framework of existing United Nations Security Council Resolutions.

Proliferation financing refers to the act of providing funds or financial services which are used, in whole or part, for the manufacture, acquisition, possession, development, export, transfer or use of nuclear, chemical or biological weapons and their means of delivery and related materials (including both technologies and dual-use goods used for non-legitimate purposes).

The crime of proliferation financing does not require knowledge, intention or negligence. However, when a jurisdiction specifies the responsibilities of financial institutions or a possible criminal offence of proliferation financing, the legal principles governing these two regimes in that jurisdiction will apply, including the roles of knowledge, intention or negligence.

The FATF Recommendations are continuously reviewed and updated.
The following amendments have recently been made:
- March 2022 – Recommendation 24 amended and definitions for ‘nominator’ and ‘nominee shareholder or director’ were added to the glossary to strengthen the standards on beneficial ownership of legal persons.
- October 2021 – Recommendation 23 amended to add an explicit statement that the qualification for designated non-financial businesses and professions extends to everyone who is part of the group. In addition, environmental crime including criminal harvesting, extraction or trafficking of protected species of wild fauna and flora, precious metals and stones, other natural resources or waste has been added to designated offences.
- June 2022 – Revision of Interpretive note 15, which permits countries not prone to higher risk of money laundering or terrorist financing to introduce simplified measures to ensure any risk is avoided or mitigated to expand the scope of the provision, and to specifically state that national policies should include provisions for the examination and investigation of virtual assets and the activities of virtual service providers.

1.3.5 Predicate Offences in Financial Crime

Learning Objective
3.1.5 Understand the role of predicate offences in financial crime: fraud; embezzlement; bribery; corruption

According to Article 23 of the United Nations Convention Against Crime (UNCAC), ‘laundering of the proceeds of crime’ constitutes a criminal offence, when committed intentionally. Article 23 prohibits:

1.
   a. the conversion or transfer of property, knowing that such property is the proceeds of crime, for the purpose of concealing or disguising the illicit origin of the property or of helping any person who is involved in the commission of the predicate offence to evade the legal consequences of his or her action
   b. the concealment or disguise of the true nature, source, location, disposition, movement or ownership of or rights with respect to property, knowing that such property is the proceeds of crime.
2. Subject to the basic concepts of its legal system:
   a. the acquisition, possession or use of property, knowing, at the time of receipt, that such property is the proceeds of crime
   b. participation in, association with or conspiracy to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the offences established in accordance with this article.

A predicate offence is the underlying criminal offence that gives rise to criminal proceeds, which is then the subject of a money laundering charge. The following crimes are examples of predicate offences in financial crime:

Fraud

Fraud is the practice of obtaining value by deceptive means. That value might be obtained in the form of goods or services. This implies that fraud can cover a wide range of illegal activities.

Credit/debit card fraud sees criminals purchase goods or services using the debit/credit card of their victim, and if the true cardholder is not diligent in reviewing their transaction records, such fraud can go unnoticed for long periods. Larger transactions can also be fraudulent – such as where one party misrepresents their part in a contract.

Securities fraud is a specific type of fraud, where investors are encouraged to enter into investment transactions based on untrue statements about the assets being traded.

Embezzlement

Embezzlement is the act of dishonestly appropriating or secreting assets by one or more individuals to whom such assets have been entrusted. Embezzlement is a kind of financial fraud.

For instance, a clerk or cashier handling large sums of money could embezzle cash from their employer, a lawyer could embezzle funds from clients’ trust accounts, a financial adviser could embezzle funds from investors, or a spouse could embezzle funds from their partner. Embezzlement may range from the very minor in nature, involving only small amounts, to the immense, involving large sums and sophisticated schemes.

More often than not, embezzlement is performed in a manner that is premeditated, systematic and/or methodical, with the explicit intent to conceal the activities from other individuals, usually because it is being done without their knowledge or consent. Often it involves the trusted person embezzling only a small proportion or fraction of the funds received, in an attempt to minimise the risk of detection. If successful, embezzlements can continue for years (or even decades) without detection. It is often only when the funds are needed, or called upon for use, that the victims realise the funds or savings are missing and that they have been deceived by the embezzler.

Bribery

Bribery, a form of corruption, is the giving of money or something else of value, with the intention of influencing the behaviour of the recipient. Bribery constitutes a crime and is defined by Black’s Law Dictionary as the offering, giving, receiving, or soliciting of any item of value to influence the actions of an official or other person in charge of a public or legal duty.

The bribe is the benefit bestowed to influence the recipient’s conduct. It may be any money, good, right in action, property, preferment, privilege, emolument, object of value, advantage, or merely a promise or undertaking to induce or influence the action, vote, or influence of a person in an official or public capacity.

Corruption

Corruption involves the abuse of power and may range from bribery of high foreign officials to secure some type of favourable action by a foreign government to so-called facilitating payments that allegedly were made to ensure that government functionaries discharged certain ministerial or clerical duties. Corruption can also take place within financial firms where, for example, senior officials or executives use their position to obtain bribes for awarding contracts.

1.3.6 Financial Firms and Crime

Learning Objective
3.1.6 Understand how financial services firms may be utilised for financial crime: Ponzi schemes; boiler rooms; money laundering; offshore trusts; beneficial ownership; cybercrime

By choosing to invest in financial services products, an investor accepts certain risks. However, where the product or service has not been designed with the investor’s best interests at heart, they will be exposed to greater risk of loss than they expect. In some cases, an unscrupulous firm or individual might set up a product designed to further their own self-interest rather than to provide a transparent and honest opportunity for investment returns.

Ponzi Schemes

The term ‘Ponzi scheme’ is used to describe a financial services product that claims a level of investment return that is not supported by the investment activity undertaken. The shortfall between the returns generated and those claimed is made up by using the money of new investors, who have been attracted to the scheme due to the high headline returns being publicised.

For a short time period, such a product can be sustained – provided sufficient new money is received to cover the returns being paid to older investors. However, as this new money is paid out to earlier investors it is not, therefore, put to any investment purpose; the scheme builds up a substantial unpayable debt to its clients.

At some point there will be insufficient new money to sustain the false profits, and the product will collapse – resulting in losses for those investors that unfortunately joined the scheme too late.

Financial services practitioners – particularly those with successful, market-leading products – must, therefore, guard their motivations. A successful honest product may become a Ponzi if those running the product become dependent on the fame of their success, or the fees it provides, and sacrifice their integrity to sustain high performance rates regardless of current market conditions.

Financial services firms must, therefore, be aware of any products they offer which appear to be providing excessive returns and ensure that the firm has not become host to a Ponzi scheme. Similarly, firms acting on behalf of their clients should ensure they perform solid due diligence reviews of any products recommended/supported to reduce the risk of their clients becoming victims of a Ponzi scheme. Warning signs might include an investment approach that the scheme cannot explain or guaranteed/high rates of return at little investment risk.

Boiler Rooms

‘Boiler room’ scams involve fraudsters selling customers overvalued, if not worthless, securities by means of an intensive selling campaign through numerous salespeople by telephone or direct mail. They do not consider the suitability or the needs of the customer, and the sales tactics used are designed to induce a hasty decision to buy the securities being offered, without disclosure of the material facts about the issuer (hence the name ‘boiler room’ due to high-pressure selling tactics). Modern techniques include the use of internet bulletin boards to promote certain securities and entice buyers.

Money Laundering

Financial firms are likely to be used predominantly in the first two stages of money laundering. Banks are among the firms likely to be recipients of cash, ie, the placement stage.

Other firms, such as fund managers or stockbrokers, may be used as part of the layering stage where the criminals are attempting to disguise the origins of the dirty money by placing layers of transactions between the original deposit and the ultimate receipt of ‘clean’ money from the redemption of any investments. This clean money will then be used to invest in legitimate businesses which may or may not include financial firms. See section 1.2 for further details on money laundering.

Fines that relate to money laundering include the following:
- December 2021 – HSBC was fined £64 million by the FCA for failings in their AML process.
- October 2021 – Credit Suisse was fined £147 million for serious financial crime due diligence failings in relation to loans worth in excess of $1.3 billion, arranged for the Republic of Mozambique.
- June 2020 – Commerzbank AG was fined £37 million by the FCA for failures in AML systems and controls.
- April 2019 – Standard Chartered Bank was fined £102 million by the FCA for failures in AML controls in their wholesale correspondent banking business and branches in the UAE. In addition, the bank reached a settlement of $1.1 billion with the US Treasury for various violations.
- January 2018 – Western Union settled a $60 million fine with the New York Fed for failing to implement and maintain an effective AML programme aimed to deter criminals’ use of its electronic network to facilitate fraud and money laundering.
- January 2017 – Deutsche Bank was fined £163 million by the FCA and $425 million by the New York State Department of Financial Services (DFS) for carrying out a series of mirror trades and other suspicious transactions through their offices in London, Moscow and New York.

Offshore Trusts

A trust is essentially an agreement whereby assets are donated by one person (the donor or settlor) for the benefit of another (the beneficiary) with a third party acting in the interests of the beneficiary until the assets completely become the property of the beneficiary.

An offshore trust is such an arrangement located in a different jurisdiction – usually in order to benefit from the taxation regime there, or some other feature. As such, it should be noted that use of an offshore trust is not, therefore, criminal or suggestive that any impropriety exists.

In most cases, the identities and relationships between the parties are clear, though in some cases, the trust might be established such that the identity of the beneficiaries is not stated. Such models are referred to as ‘orphan structures’, and the use of orphan models might be used to disguise the chain of ownership for certain assets – either because the assets have dubious origins or because the beneficiary is trying to evade tax.

Some offshore trusts are, therefore, used by criminals – as are offshore companies, trusts and financial institutions situated in certain financial centres. Slowly, but surely, this is changing with the greater international focus on fighting financial crime whereby offshore centres are taking away the cloak of anonymity which has hidden so many proceeds of crime in the past.

For example, offshore trusts may be used in the layering process of money laundering by moving monies around different accounts; breaking the proceeds down into different amounts and utilising numbered accounts and/or offshore companies with ownership hidden by offshore trusts, nominee directors or bearer shares. This can, at this stage, make it almost impossible to trace ownership and if the funds are then moved to other offshore companies or bank accounts, the funds are separated even further from the original amounts.

Offshore companies or trusts can then be used to purchase property, both domestic and foreign.

Although offshore trusts may be used by people for legitimate tax avoidance, ie, minimising an individual’s or family’s tax liability within the tax regulations relating to their country of residence and the offshore centre, such trusts may also be used for tax evasion. While tax avoidance is legal, tax evasion is a crime and any suspicion is reportable as with any financial crime.

Beneficial Ownership

According to FATF, the beneficial owner is the natural person or persons who ultimately own or control a customer and/or on whose behalf a transaction is being conducted. Beneficial owners include those persons who have ultimate effective control over a legal person or arrangement.

In order to ensure the firm is not subject to financial crime, it is important to know who the beneficial owner of a transaction is. Know your customer (KYC) processes play an important role in assessing the ownership structure of the client and the ultimate beneficial owner.

The CDD Rule outlines explicit CDD requirements and imposes a new requirement for these financial institutions to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions. In the US, the Financial Crimes Enforcement Network (FinCEN) intends that the legal entity customer identifies its ultimate beneficial owner or owners and not ‘nominees’ or ‘straw men’.

The CDD Rule requires covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers. These procedures must enable the institution to identify the beneficial owners of each customer at the time a new account is opened, unless the customer is otherwise excluded, or the account is exempted.
Cybercrime

Cybercrime refers to the use of computers for illegal means such as fraud, trafficking, identity theft and violating privacy. The increase in the use of computers has resulted in an increase in cybercrime in which criminals seek to exploit human or security vulnerabilities to steal passwords, data or money. The most common forms of cybercrime are:

- Hacking – including social media and passwords.
- Phishing – fake emails asking for security information and personal details.
- Malicious software – including ransomware.
- Distributed denial of service attacks (DDoS) – ensuring a website becomes unreachable.

The scale and complexity are wide-ranging and can vary from a poorly executed email pretending to be from the bank, hoping the recipient will click the link and leave their bank details, to complex operations such as cryptomining malware attacking digital currencies.

Cybercrime is global and is, for a large part, undertaken by email. The annual cost for 2019 was estimated to be in excess of $3.5 billion. The number of occurrences as well as the cost are expected to be exponentially higher in 2020, largely as a result of the increased vulnerabilities associated with home working during the coronavirus (COVID-19) pandemic.

Although types of cybercrime have been added to laws in many countries, the criminal justice system in most countries is not yet up to date with the severity of the crimes. In the UK, for example, the conviction rate for hacking is relatively high, but the penalty when convicted is low, and typically does not include a prison sentence. In the US, the number of cybercrimes continues to grow, but litigation rates do not, and penalties when convicted do not represent the severity of the crime.
1.3.7 Misstatement of Financial Circumstances

Learning Objective
3.1.7 Understand how a firm or its representatives may collude in the propagation of financial crime: misstatement of financial circumstances; corporate fraud

A misstatement is defined as a difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Accordingly, a material misstatement of the financial statements may arise in relation to:

1. the appropriateness of the selected accounting policies
2. the application of the selected accounting policies, or
3. the appropriateness or adequacy of disclosures in the financial statements.

Misstatements in financial statements can arise from fraud or error. The difference is that one is intentional. Where the firm or multiple individuals collude, it is more difficult to detect misstatements of financial positions.

Errors may be detected by auditors, and fraud perpetrated by an employee can be detected – subject to relevant controls being in place. It is more difficult to detect such fraud where two or more employees collude and even more difficult where management is involved. Typical objectives for such misstatements are:

- earnings management – where there is pressure to meet market expectations, minimise tax or inflate earnings to secure bank finance
- misappropriation of assets – eg, embezzling receipts through collections accounts, diverting write-offs to personal bank accounts
- payments for goods not received – payments may be made to fictitious vendors, or kickbacks received, and
- using the entity’s assets – for personal use, eg, as collateral for a loan.

Corporate Fraud

Fraud is the use of deception to obtain goods or services, and is a criminal offence in many jurisdictions.
As fraud is an illegal action, it follows that any money received as a result of fraud represents proceeds of financial crime.

Corporate fraud arises when an organisation adopts such deceptive means as part of running its business. We have already seen that a firm running a Ponzi scheme will lie to its clients about the use to which their money has been put. However, there are other types of fraud that a company might commit.

The bookkeeping of the firm is often key to corporate fraud events. The money or assets of an investor might be misused (eg, transferred to the company to support its balance sheet), or the money may be embezzled by an unscrupulous employee. The company’s financial accounts might be misstated (including deceiving the financial auditor, so the deception remains undetected) so that the company’s share price remains higher based on the inaccurate information released to the market.

This century has already witnessed some substantial corporate frauds, which have illustrated the need for all market participants to beware of any firm that seems to be generating unnatural profit levels in comparison with similar organisations. Some examples of corporate fraud are summarised below:

- Lehman Brothers Holdings Inc. – the fourth largest investment bank in the US filed for Chapter 11 bankruptcy on 15 September 2008. The company experienced substantial losses due to the sub-prime mortgage crisis, owing to the level of gearing now understood as being built into such mortgage products. In the aftermath, executives faced challenges over the earnings they had made during the period in which the firm was failing. The company’s auditors were charged by state prosecutors over the accuracy of the financial accounts they approved. No convictions followed.
- Enron Energy – the US energy company failed in 2001, in the light of multiple accounting irregularities which had maintained an artificially high share price.
Two of Enron’s chief executive officers (Kenneth Lay and Jeffrey Skilling) were each convicted of multiple charges – including conspiracy, securities fraud, false statements, and insider trading. They had each sold substantial shareholdings in the company in the period shortly before the accounting frauds became known. Audit firm Arthur Andersen faced much scrutiny for its role in the scandal. A corporate conviction for obstruction of justice (relating to the shredding of Enron-related documentation) effectively prevented the firm from practising and the firm was disbanded (even though the criminal conviction was overturned in 2005).
- Goldman Sachs – in 2010, the Securities and Exchange Commission (SEC) charged Goldman Sachs with fraud in respect of some sub-prime mortgage-related securities. Goldman created a portfolio of mortgage-backed investments and sold an interest in that portfolio to a number of investors. However, what Goldman did not disclose to the investors is that the portfolio had been assembled in conjunction with a substantial client of the firm, John Paulson, and that he would then trade in the expectation that the portfolio would reduce in value rather than grow. Effectively, Goldman enticed investors who would lose their money to Paulson, without disclosing that it had a corporate interest on both sides of the security.
- Steinhoff International – an international retail holding company in the furniture and household goods business overstated profits for eight years (2009–17) by a total amount of $7.4 billion. The accounting fraud involved a small group of executives and outsiders entering into a transaction that substantially inflated the group’s profit and asset values. Although Steinhoff first disclosed irregularities in 2017, the accounting fraud was not revealed until 2019.
- Wirecard AG – a fully licensed German bank providing payment services filed for insolvency in June 2020 after disclosing that approximately €1.9 billion was missing.
The missing funds are mainly attributed to balance sheet irregularities and inflated profits, a practice rumoured to have started in 2008. In November 2020, the assets of the main business unit were sold to Santander.
- Patisserie Valerie – a UK-based patisserie reported significant and potentially fraudulent accounting irregularities requiring an immediate capital injection of £20 million. The firm’s finance chief was suspended and arrested on suspicion of fraud having opened secret overdraft facilities totalling almost £10 million. Patisserie Valerie’s market capitalisation dropped from £446 million to £68 million in a period of two weeks.

These cases illustrate not only the potential scale of fraud that can arise, but also the way that discovery of such cases can impact other market participants. It is vital that firms ensure their governance structures are sufficiently robust to protect against becoming victims of fraudulent activity.

1.3.8 Tax Evasion and Tax Avoidance

Learning Objective
3.1.8 Know the concepts of facilitation of tax evasion and tax avoidance

Tax avoidance is the use of legally permissible methods to reduce the amount of tax owed. This is generally achieved by claiming permissible deductions, credits and allowances. Tax avoidance is legal and includes aspects such as transferring assets between spouses, or making pension contributions in order to reduce the level of income that remains subject to income tax. Tax avoidance is enabled by the complexity built into the taxation system, as such complexity can allow individuals to identify legal loopholes and exemptions by which certain monies do not give rise to tax liabilities.

Tax evasion, however, is an illegal practice where a person, organisation, or corporation intentionally avoids paying part or all of their tax liability. Examples might include not paying income tax or VAT when working for ‘cash in hand’.
Tax evasion would also arise if the capital gains made on investments were not correctly disclosed for taxation calculation.

Although the difference between tax evasion and tax avoidance is clear, there is a grey area referred to as ‘tax-aggressive strategies’. Most developed countries have what are known as general anti-avoidance rules (GAAR) prohibiting tax-aggressive avoidance.

1.3.9 Dual Criminality, Extradition and Mutual Legal Assistance

Learning Objective
3.1.9 Know the concepts of dual criminality, extradition and mutual legal assistance

Extradition law is an amalgamation of international and domestic law that sets the structure for an individual living in one country to stand trial in another. Generally, extradition is only supported in conditions of ‘double criminality’ (also known as dual criminality), ie, where the allegation relates to an action that constitutes a crime in both the country where a suspect is being held and the country asking for the suspect to be handed over or transferred to stand trial. In other words, a crime in one country has to also be a crime in the country extraditing you.

Cases of extradition can involve a combination of legal arguments and diplomacy, and can prove controversial. Consider the cases of ‘The NatWest Three’ or Gary McKinnon, both of which raised questions of political balance within extradition arrangements between the UK and the US.

Under an Organisation for Economic Co-operation and Development (OECD) convention, each country shall, to the fullest extent possible under its laws and relevant treaties and arrangements, provide prompt and effective legal assistance to another country for the purpose of criminal investigations and proceedings brought by a country concerning offences within the scope of the convention and for non-criminal proceedings within the scope of the convention brought by a country against a legal person.
The country receiving the request shall inform the country making the request, without delay, of any additional information or documents needed to support the request for assistance and, if asked, of the status and outcome of the request for assistance.

Where a country makes mutual legal assistance conditional upon the existence of dual criminality, it shall be deemed to exist if the offence for which the assistance is sought is within the scope of this OECD convention. A country shall not decline mutual legal assistance for criminal matters within the scope of the convention on the grounds of bank secrecy.

2. Practical Implications

Learning Objectives
3.2.1 Understand how external financial crime issues may impact on a firm: reputational; systemically; counterparty risk; unreliable market valuations
3.2.2 Understand how financial crime may directly impact a firm: theft of data; theft of assets

2.1 Impact of Financial Crime on Firms

Financial crime can impact a firm in various ways. If a specific crime becomes public knowledge, any firms directly connected with the crime face reputational damage. A previously respected company name can become synonymous with fraud or poor governance, reducing the potential for the firm to gain further clients and retain the business it already holds. The company’s reputation will also be impacted if its regulator imposes a public penalty upon it – such as a regulatory fine or reprimand. For example, if a regulator fines a company for failing to satisfy AML rules, other clients may wish to move their affairs to a more respectable firm.

Firms can also be impacted by events taking place in other parts of the industry – even if they have no direct involvement in those events. Financial crime poses a systemic risk for the industry: the risk of collapse of an entire financial system or entire market, as opposed to risk associated with any one individual entity, group or component of a system.
Such risks can lead to instability in the financial system with the outcome for one firm being potentially exacerbated by the action or inaction of other financial intermediaries. Because of interdependencies in a system or market, the failure of a single firm or group can cause a cascading failure, which could potentially bankrupt or bring down the entire system or market. The Madoff Ponzi scheme is an example of such a crime which led to huge losses across the market. The malfeasance at Lehman Brothers prompted a global financial crisis with unprecedented support from governments being needed to prevent the banking system from collapsing.

The market requires participants to have trust in each other – even if that trust is built on regulatory obligations and a fear of sanction. The potential that a firm may be unable to deliver on its promises to another is termed ‘counterparty risk’ (or sometimes ‘default risk’). While it is rare for a firm not to honour its obligations to, for example, pay out on a bond, credit derivative, credit insurance contract, or other trade or transaction, the risk of such failure is increased significantly where financial crime may be a contributing factor. The inability of the counterparty to meet a claim may be the result of financial crime, including fraud, market abuse and misstatements. Again, the Lehman case is an example where the value of credit default swaps (CDSs) based on sub-prime mortgages collapsed and many financial institutions faced major losses and potential ruin.

Firms can also face unreliable market valuations which may lead to securities being over or undervalued as a result of market abuse and misstatements. To counter market abuse, firms have been required to develop sophisticated reporting systems; failure to provide effective reporting can be serious. Transaction reports are vital in detecting and investigating potential market abuse cases.
Since the FCA replaced the FSA, it has fined three major institutions for failings in transaction reporting. RBS was fined £5.6 million in 2013, and Deutsche Bank was fined £4.7 million the following year. In 2015, Merrill Lynch was fined £13.3 million for transaction reporting failures over a seven-year period. In 2019, Goldman Sachs was fined £34.3 million for failing to provide timely and accurate reporting, and UBS was fined £27.6 million for failings in relation to transaction reporting.

2.2 Direct Impacts of Financial Crime

One of the downsides to the rapid development of electronic communications is the portability of data in large quantities, using the internet or small storage devices. Increasingly sophisticated criminals are targeting financial service companies to steal the data they hold on customers. The data a firm holds about its customers (eg, their personal details, names, addresses, bank details and passwords) are all types of data that are attractive to those attempting, for example, account takeover and credit card fraud.

There are many ways that criminals can target financial firms with a view to stealing data, including:

- infiltrating firms and placing people as employees who download data onto USB sticks
- theft of computers, laptops and data files on tape or disk
- hacking into systems, breaching firewalls and other security systems, using logger tools to gather data, and
- social engineering, deceiving call centre associates into providing information unwittingly.

Once criminals have a customer’s personal details, including bank accounts and investments, they can attempt the theft of the customer’s assets. They may take over the accounts of their victims, impersonating the customer to instruct a change of address or bank account details.
Having usurped the original customer, the criminal will instruct the sale of assets, and have the proceeds sent to the address/bank account they control – often a fraudulently opened bank account, to ensure the account owner name will match the name on the redemption cheque. The criminal then withdraws the cash and absconds with the proceeds. The financial firm may be left with an angry customer and, depending on the circumstances, may have to compensate its customer and reinstate their accounts.

Firms can be subject to asset thefts too. This may be as a result of account takeover, or other fraudulent activity which may be internal or external to the firm. Examples include forged transfers of assets and forged sale instructions. This may involve proceeds being directed to bank accounts set up by the fraudsters specifically for the purpose of laundering the proceeds. In some cases, the amounts involved can be very significant.

The impact of such thefts can include:

- reduced profits and potential risks to the financial stability of the firm
- damage to the firm’s reputation, which may arise from supervisory or other regulatory action, such as fines
- increased costs arising from investigation of theft, forensic work by expert or specialist firms and remediation where required such as new systems and controls, and
- increased insurance costs following revised premiums based on recent claim experience, or the need to take out additional insurance cover where perhaps the risk had not previously been identified.
2.3 Firms’ Responsibilities for Financial Crime Prevention

Learning Objective
3.2.3 Understand the responsibilities of directors and senior management in relation to anti-money laundering (AML), combating financial crime (CFC) and anti-corruption (AC) initiatives

The directors and senior management of an authorised financial firm are expected to:

- identify, and manage effectively, the risks in their businesses and this will include ensuring appropriate action is taken in relation to combating the financing of terrorism (CFT), AML, combating financial crime (CFC) and anti-corruption (AC)
- appoint a nominated officer to process disclosures
- appoint an MLRO with certain responsibilities
- ensure the MLRO has adequate resources devoted to AML/CFT, and
- understand the potential personal liability if legal obligations are not met.

Accordingly, the directors and senior management will ensure the policies and procedures established include systems and controls that:

1. enable the firm to identify, assess, monitor and manage money laundering risk, and
2. are comprehensive and proportionate to the nature, scale and complexity of its activities.

2.3.1 Anti-Money Laundering (AML)

In many respects, compliance with AML is an integral part of the overall compliance requirements of the regulated sector. The expectation is that senior management are aware of and take responsibility for all compliance activity within their institution. This is embodied through senior management being able to provide evidence of having adequate systems and control procedures in place, which should be tested to prove effectiveness. These general compliance requirements obviously also apply to AML and related initiatives. Indeed, there is plenty of evidence of banks having been fined by regulators for failure to meet these requirements.
It is generally expected that senior management establishes the AML policy, setting out how the organisation will comply with the legal and regulatory AML regime; it will set out the reporting framework with the various responsibilities and accountabilities of the employees and management. The internal information systems will set out the application of the risk-based approach and how it is interpreted together with the client and transaction monitoring, record-keeping and reporting criteria.

2.3.2 Combating Financial Crime (CFC)

International efforts to combat financial crime have focused on a number of objectives to:

- reduce financial crime and deter the use of financial systems
- ensure that firms have in place policies and procedures designed to minimise the risk that the firms’ businesses may be used as a vehicle for money laundering and other financial crime
- raise consumer awareness of financial crime issues
- contribute to an effective wider fight against crime through international cooperation
- encourage a balanced, joined-up approach to AML and fraud through standards and guidance
- improve the effective use of regulator resources through risk assessment processes, and
- improve coordination with partner agencies.

The expectation is that businesses are aware of the risk, have appropriate measures to prevent, detect and monitor financial crime, and provide adequate resources to do so – and that:

- trade associations work together closely and provide leadership over fraud management
- senior managers accept that fraud is a significant threat that needs managing strategically and effectively
- more work is done on the risks and scale of fraud and better ways of tackling it, and
- improved organisational cultures and information sharing are developed.
This means that, using a risk-based approach, regulators will be looking for evidence of:

- a strong anti-fraud culture, with the lead being given from the top
- a clear allocation of responsibility for the day-to-day management of the risk
- satisfactory staff training
- robust know your customer (KYC) procedures, and
- how the firm identifies potential criminal behaviour, and what management information on fraud is captured and how it is used.

Regulators will be looking for ‘reasonable steps’ to be aware of, and tackle fraud risks by being able to identify and report on the following:

- Who is responsible for managing fraud risks?
- How many frauds has the firm suffered recently?
- What are fraud losses?
- What whistleblowing arrangements are in place and how successful are they?
- How much is spent on preventing and detecting fraud?
- How does the firm monitor the effectiveness of fraud systems and controls?
- What information on fraud goes to the board or senior management?

Regulators have an important role as gatekeeper of those working in regulated businesses (granting authorisation to firms and those individuals seeking to perform controlled functions), and another role ensuring that the expected standards of behaviour and practice are met.

Regulators, therefore, monitor firms and individuals to ensure risks are appropriately managed and fraudulent activity reported, confirming that businesses have in place the systems and controls to meet various legislative requirements. This will include looking at IT and manual systems, separation of duties within a firm, the role of internal audit, risk assessment, mitigation and monitoring programmes, documented policies and procedures, organisational cultures, collection and use of internal information, and reforms following frauds.

2.3.3 Anti-Corruption Initiatives

Corruption and bribery are harmful for business and form important barriers to investment growth.
The development of anti-corruption systems, policies and procedures can help prevent corruption. In order to be effective, organisations must commit to an anti-corruption programme from the board down to senior management and lower levels of the organisations. Policies must be put in place and acted upon, with regular monitoring being an integral part of the plan.

The UN launched a call for action in 2014, urging governments to introduce anti-corruption measures and good governance as fundamental pillars of a sustainable and inclusive global economy, and that included anti-corruption initiatives in the UN Sustainable Development Goals. More than 250 companies and investors globally have signed up to the Anti-Corruption Call to Action.

2.4 Identifying Money Laundering

Learning Objective
3.2.5 Understand the implications of using a risk-based approach to identifying money laundering

Many types of transactions can potentially conceal money laundering activity – particularly as the layering stage may feature multiple normal transactions in order to obscure the audit trail. To perform a full set of AML checks on every transaction undertaken would impose a significant cost upon the industry. Given the importance of trust to the financial services sector, it is important that firms also appear to trust their clients – rather than performing intrusive identity checks on transactions of trivial value. To help balance this difficulty, the FATF Recommendations note that a risk-based approach to the identification of money laundering is acceptable.

When adopting a risk-based approach, competent authorities and financial institutions must first determine which activities are most likely to conceal money laundering efforts, and also determine how the suspicious nature of such transactions might be revealed.
For example, firms that accept physical cash from clients will generally be considered as higher-risk, as these businesses offer a means for ‘dirty money’ to find its way into the financial system. In other cases, a minimum value threshold might be applied, below which the firm need only perform limited scrutiny. Some types of savings and investment products may be determined as being intrinsically lower-risk in terms of potential money laundering activity (eg, a pension scheme, if an investor’s money cannot be withdrawn in the short term without incurring a tax charge). In some cases, the firm might be able to accept a certificate from another regulated firm – confirming that the earlier firm has already completed full client identification checks on a mutual client.

The rules recognise the potential that such mechanisms could mean that some cases of abuse are not identified, but that major abuses should still be captured, and that each firm must still ensure that its staff are sufficiently trained to identify any suspicious activity taking place.

2.5 Prevention of Money Laundering

Learning Objectives
3.2.4 Understand the role of the Money Laundering Reporting Officer (or equivalent) in relation to financial crime
3.2.6 Know the measures firms can adopt to inhibit the likelihood of financial crime

Firms must develop and implement a set of measures that are relevant to the type of business they perform, and sufficient to deliver a risk-based control over potential financial crime activity impacting their business. Some of these measures will be structural (eg, ensuring all relevant staff are sufficiently trained to understand the ways in which financial crime could affect the company), while other measures will apply when processing specific transactions.

A firm must carry out a regular assessment of the adequacy of the systems and controls to ensure that it continues to comply with relevant regulations and relevant legal requirements.
In identifying its money laundering risk and establishing the nature of these systems and controls, a firm should consider a range of factors, including:

- its customers, products and activity profiles
- its distribution channels
- the complexity and volume of its transactions
- its processes and systems, and
- its operating environment.

Systems and controls must include:

- appropriate training for its employees in relation to money laundering
- appropriate provision of information to its governing body and senior management, including a report at least annually by that firm’s MLRO, or another responsible senior executive, on the operation and effectiveness of those systems and controls
- appropriate documentation of its risk management policies and risk profile in relation to money laundering and other financial crime, including documentation of its application of those policies
- appropriate measures to ensure that money laundering and other financial crime risk is taken into account in its day-to-day operation, including in relation to:
  - the development of new products
  - the taking on of new customers
  - changes in its business profile, and
- appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.

A firm should allocate to a director or senior manager (who may also be the MLRO) overall responsibility within the firm for the establishment and maintenance of effective AML systems and controls.

2.5.1 Money Laundering Reporting Officer (MLRO)

The MLRO is responsible for oversight of the firm’s compliance with the regulator’s rules on systems and controls against money laundering; and the firm should ensure that its MLRO has a level of authority and independence within the firm, and access to resources and information sufficient to enable them to carry out that responsibility.
It is a senior role, sometimes referred to as a ‘nominated officer’, and the incumbent should report at a senior level and be able to take precedence over business lines operating, for example, in an international context. The following sets out the usual responsibilities.

It is the MLRO’s role to be aware of any suspicious activity in the business that might be linked to money laundering or terrorist financing, and if necessary, to report it. They are responsible for:

- receiving reports of suspicious activity from any employee in the business
- considering all reports and evaluating whether there is – or seems to be – any evidence of money laundering or terrorist financing
- reporting any suspicious activity or transaction to the appropriate law enforcement agency (LEA) by completing and submitting a suspicious activity report (SAR), and
- asking the LEA for consent to continue with any transactions that they have reported and making sure that no transactions are continued illegally.

The firm might decide to make the MLRO responsible for other tasks that need to be done to make sure the business complies with money laundering regulations. For example, they could be made responsible for:

- putting in place and operating AML controls and procedures
- carrying out money laundering risk assessments
- record-keeping, and
- training staff in preventing money laundering.

2.6 How Individuals Can Protect Themselves

Learning Objective
3.2.7 Know the measures individuals can adopt to inhibit the likelihood of financial crime

Investors can do a number of things themselves to reduce the likelihood that they would be a victim of financial crime.
They should:

- keep personal information secure and if disposing of financial/bank statements, use a shredder to shred the statements before disposal
- keep plastic cards in a secure place
- keep documents safe
- keep passwords and PIN numbers secure
- check the qualification and authorised status of any financial adviser, and
- remember that if an investment sounds too good to be true, it probably is.

2.7 Sanctions Checking and Politically Exposed Persons (PEPs)

2.7.1 Sanctions Checking

Learning Objective
3.2.8 Understand the rationale behind sanctions screening

Where an individual, company, organisation, or even country is considered to have acted illegally, it is possible for the rest of the global community to take action against that abuse. One mechanism by which such action might be taken is the use of financial sanctions. Financial sanctions prevent the use and movement of monies relating to certain individuals or organisations considered by the international community to be unfit (usually due to relationships with crime or terrorism). In this way, those committing illegal actions should not be able to benefit financially from those actions – which should, in theory, reduce the motivation to commit those abuses.

Organisations such as the UN maintain a sanctions list, and financial services firms should seek to minimise the risk that they are servicing customers who are subject to financial sanctions. In some countries (such as the UK), legal sanctions are imposed on firms or individuals found to have breached financial sanctions. Aside from any legal penalties, failure to recognise such cases exposes the firm to reputational risk (as bad publicity that a firm indirectly supported terrorism, for example, may result in other people not doing business with that firm).

The international frameworks for financial sanctions do not prescribe the processes which firms have to adopt to achieve compliance with their legal obligations.
The guidance below is intended to provide an indication of the types of controls and processes that firms might adopt in order to enable them to comply with sanctions obligations in an effective and proportionate manner.

Firms should have processes to manage the risk of conducting business with, or on behalf of, individuals and entities on the list provided by their government or directly from the UN and other appropriate sanctions lists. Some countries provide a consolidated list (which includes all the names of sanctioned persons and entities under the UN and, for example, EU sanctions regimes which have effect in the country concerned).

Firms should consider screening their customers and transactions on a periodic and/or ongoing basis. The scope and complexity of the screening process will be influenced by the firm’s business activities, and according to the profile of the firm. An effective screening process should include the following elements:
- it should flag up potential name matches against the consolidated list and names against which measures have been issued, for example, in the UK under the Counter-Terrorism Act
- potential matches should be reviewed by appropriately trained staff
- where matches are confirmed as true, appropriate action should be taken to freeze the account
- true matches should be reported as soon as is practicable to the relevant LEA or government department, and
- the firm should maintain an audit trail of actions around potential and true matches.

Many firms use automated customer screening software provided by a commercial provider; other firms rely on manual screening. Firms may consider whether and what type of screening software to use in line with the nature, size and risk profile of their business. A key element of a screening system is that it will flag potential matches clearly and prominently. Firms should document the reasons for choosing whichever screening method they decide to use.
Where commercially available automated screening software is implemented, firms should understand its capabilities and limits, and make sure it is tailored to their business requirements, data requirements and risk profile. Firms should also monitor the ongoing effectiveness of automated systems. Where automated screening software is used, firms should be satisfied that they have adequate contingency arrangements should the software fail and should periodically check the software is working as they expect it to.

It is important to consider ‘fuzzy matching’ (a term used to describe partial or potential matches). Some software solutions identify possible matches where data – whether in official lists or in firms’ internal records – is misspelled, incomplete, or missing. They are often tolerant of multinational and linguistic differences in spelling, formats for dates of birth, and similar data. A sophisticated system will have a variety of settings, enabling greater or less fuzziness in the matching process, as appropriate to the risk profile of the business.

The generation and resolution of an undue number of false positives may have a negative impact on the efficacy of the resolution process. Firms should, therefore, consider the level of appropriate human intervention to assess which results may be false positives.

All customers should be screened during the establishment of a business relationship or as soon as possible after the business relationship has commenced. Firms should be aware of the risks associated with screening customers after a business relationship has been established and/or services have been provided, ie, that they may transact with a sanctioned party in breach of sanctions prohibitions. Firms must be aware of the absolute restrictions embedded in the financial sanctions regime. Where there is any delay in screening, firms risk breaching the legislation.
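The fuzzy-matching and audit-trail elements described above can be made concrete with a short sketch. This is an added example, not part of the original text and not any vendor's algorithm: the list entries, customer names and threshold values are constructed, and Python's `difflib.SequenceMatcher` stands in for whatever matching method a real screening product uses.

```python
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed entries for illustration; not taken from any real sanctions list.
CONSOLIDATED_LIST = [
    {"id": "EX-001", "name": "Aleksandr Petrovic Example", "dob": "1970-03-14"},
    {"id": "EX-002", "name": "Müller Trading Company", "dob": None},
]


def normalise(name):
    """Fold case, diacritics, punctuation and word order before comparing."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return " ".join(sorted(cleaned.split()))


def parse_dob(text):
    """Accept several date-of-birth formats; None if absent or unparseable."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y", "%d %B %Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except (TypeError, ValueError):
            continue
    return None


def screen(customer, threshold, audit_log, sanctions=CONSOLIDATED_LIST):
    """Return potential matches scoring >= threshold and record the check."""
    hits = []
    cust_dob = parse_dob(customer.get("dob"))
    for entry in sanctions:
        score = SequenceMatcher(
            None, normalise(customer["name"]), normalise(entry["name"])
        ).ratio()
        if score < threshold:
            continue
        entry_dob = parse_dob(entry["dob"])
        hits.append({
            "list_id": entry["id"],
            "score": round(score, 2),
            # A differing DOB is evidence for the reviewer, not an auto-clear.
            "dob_conflict": None not in (cust_dob, entry_dob)
            and cust_dob != entry_dob,
        })
    # Every check is logged, hit or not, so the decision can be reconstructed.
    audit_log.append({
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "customer": customer["name"],
        "threshold": threshold,
        "hits": hits,
        "outcome": "REFER_FOR_REVIEW" if hits else "NO_MATCH",
    })
    return hits


if __name__ == "__main__":
    log = []
    same_person = {"name": "Petrovic, Alexander Example", "dob": "14/03/1970"}
    other_person = {"name": "Alexandra Petrov", "dob": "02/11/1988"}
    for threshold in (0.65, 0.85, 0.95):
        for cust in (same_person, other_person):
            print(threshold, cust["name"], screen(cust, threshold, log))
```

Run as a script, the loop shows the trade-off in the passage: the loosest setting refers both customers for review (one of them a likely false positive with a conflicting date of birth), while the strictest setting misses the transliterated spelling altogether.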
A firm must apply enhanced due diligence measures on a risk-sensitive basis in any situation which by its nature can present a higher risk of money laundering or terrorist financing. As part of this, a firm may conclude, under its risk-based approach, that the standard evidence of identity is insufficient in relation to the money laundering or terrorist financing risk, and that it must obtain additional information about a particular customer.

As part of a risk-based approach, therefore, firms may need to hold sufficient information about the circumstances and business of their customers for two principal reasons:
- To inform their risk assessment process, and thus manage their money laundering/terrorist financing risks effectively.
- To provide a basis for monitoring customer activity and transactions, thus increasing the likelihood that they will detect the use of their products and services for money laundering and terrorist financing.

2.7.2 OFAC Sanctions

The Office of Foreign Assets Control (OFAC) is part of the US Department of the Treasury and acts under presidential national emergency powers, as well as the authority granted to it by specific legislation. OFAC has the right to impose controls on transactions and to freeze assets under US law. In addition, it administers and enforces economic and trade sanctions, many of which are based on United Nations Security Council (UNSC) resolutions and other international mandates.

OFAC is responsible for the administration of the specially designated nationals (SDN) list, which contains individuals and organisations with whom US citizens and permanent residents are prohibited from transacting and doing business.

Under Chapter VII of the UN charter, the sanctions process of the UN typically starts with a matter of concern taken up by the Security Council. At an early stage, knowing the Security Council may impose sanctions can be sufficient to prevent escalation or outbreak of conflict.
Sanctions are a last resort imposed in a variety of instances, including in the combating of terrorist financing and proliferation finance. The sanctions process can be depicted as follows [1]:

[Figure: Security Council → Resolution → Designation → Sanctions Measures]

Sanctions are imposed by means of a UNSC resolution establishing a sanctions regime and a sanctions list. Names of countries, individuals and groups on a sanctions list may change over time with names added to and removed from the list.

Sanctions committees are subsidiary organs of the Council and are composed of all 15 of the Council’s members. The role of the sanctions committees is to implement, monitor and provide recommendations to the Council on particular sanction regimes. Committees meet regularly to consider reports from expert panels and to meet with Member states, UN actors and international organisations.

Sanctions need to be implemented with due regard for human rights. The range of sanctions can vary from comprehensive financial and trade sanctions to more targeted measures, such as arms embargoes, travel bans, financial or diplomatic restrictions.

[Figure: Sanctions Measures]
- Travel bans
- Asset freezes
- Arms embargoes
- Bans on export of luxury goods
- Commodity bans, like diamonds
- Bans on items, materials, equipment, goods and technology related to nuclear ballistic missiles and other weapons of mass destruction programmes

[1] https://news.un.org/en/story/2016/05/528382-un-sanctions-what-they-are-how-they-work-and-who-uses-them

2.7.3 Politically Exposed Persons (PEPs)

Learning Objective 3.2.9: Understand the purpose behind screening individuals: risk-based approach; politically exposed persons (PEPs)

PEPs are individuals who have (or have had) a high political profile, or who hold (or have held) public office. Such persons can pose a higher money laundering risk to firms as their position may make them vulnerable to corruption.
This risk also extends to members of their immediate families and to known close associates. PEP status itself does not incriminate individuals or entities. It does, however, put the customer, or the beneficial owner, into a higher risk category.

A PEP is defined as: ‘an individual who is or has, at any time in the preceding year, been entrusted with prominent public functions and an immediate family member, or a known close associate, of such a person’.

EU Directive 2006/70/EC sets out the implementing measures for defining PEPs, and so provides a definition of positions that constitute prominent public functions. That definition includes:
- heads of state, heads of government, ministers and deputy or assistant ministers
- members of parliaments
- members of supreme courts, of constitutional courts or of other high-level judicial bodies whose decisions are not generally subject to further appeal, except in exceptional circumstances
- members of courts of auditors or of the boards of central banks
- ambassadors, chargés d’affaires and high-ranking officers in the armed forces, and
- members of the administrative, management or supervisory boards of state-owned enterprises.

This definition is reinforced in 4MLD and maintained in subsequent editions of MLD, and extended to include members of the governing bodies of political parties, as well as directors, deputy directors and members of the board or equivalent function of an international organisation.

In addition, the definition of a PEP extends to direct family (spouse or equivalent, children and their spouses (or equivalent), and parents) as well as close associates. In this context, close associates are:
- natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a PEP, and
- natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a PEP.
In all six categories, the definition excludes middle- and junior-ranking officials. The governmental legislative/judicial positions noted in the first five categories may relate to posts at national or community (ie, EU) level.

Firms are required to take a risk-based approach to PEPs and need to:
- have appropriate risk-based procedures to determine whether a customer is a PEP
- obtain appropriate senior management approval for establishing a business relationship with such a customer
- take adequate measures to establish the source of wealth and source of funds which are involved in the business relationship or occasional transaction, and
- conduct enhanced ongoing monitoring of the business relationship.

3. Policies, Procedures and Controls Required of Firms

Learning Objectives 3.3.1: Understand the risks to a firm posed by its clients, products and delivery systems

3.1 The Risks Posed to a Firm

Similar to individuals, firms are also exposed to financial crime risks when they perform financial services for clients. Some of these risks arise because of the firm’s clients: are they honest, or seeking to deceive the firm to achieve criminal outcomes? Other risks arise in respect of the different products that the firm may offer: products such as individual savings accounts (ISAs) or pensions allow certain tax benefits, and the firm should be alert to the risks associated with tax evasion.

The delivery systems chosen by the firm to provide its services can also affect the financial crime risks that the firm is managing; for example, it is important that the firm is confident that any instructions it receives are made by the actual customer (rather than a criminal seeking to impersonate the customer in order to take over the account and acquire the assets).
The mechanisms that the firm can use to validate a person’s identity will vary for different communication channels: telephone calls enable ID questions to be asked; written material must contain all necessary information; and electronic communications are usually protected by some form of username and password.

The firm must be able to recognise such areas of risk and understand how these different elements apply to its own business model. In this respect, senior management should ask themselves a number of questions. For example:

What risk is posed by the firm’s customers?
- Does the client satisfy the definition of a PEP, and is the firm able to give such an account the extra care required?
- Is a customer based in, or conducting business through, a high-risk jurisdiction – and is the firm equipped to perform the additional due diligence that may be required?
- Is the customer’s own business within a sector that places them at a higher risk of exposure to financial crime or corruption?

A firm would not want to be associated with a customer who could be exposed as committing or facilitating financial crime – both from a public relations perspective, and due to the practical implications of ‘dirty money’ being found to have passed through the firm’s financial products as market transactions.

What risk is posed by a customer’s behaviour?
- Has the firm established relevant controls over dealing patterns and trends, to identify whether a customer is performing unusual deals that could be suspicious?
- How would the firm react if a customer asks questions about the levels of secrecy regarding a transaction – or requests additional secrecy measures?
- Is a customer seeking to transfer assets or money to the firm in such a way that the origin of wealth or the source of funds cannot easily be verified?
- If the customer is not a private individual, is the operator of the account willing to provide relevant information about the underlying owners and controllers?

What risk is posed by the way the customer became a customer?
- Was the firm able to complete the necessary due diligence review of the customer?
- Where the customer came to the firm via a financial intermediary, is the firm confident in the due diligence material provided by that intermediary?
- Was the customer accepted after distance communication only, or was a face-to-face meeting held?

What risk is posed by the products/services the customer is using?
- Does the product allow payments to third parties?
- Could the product be used to enable inappropriate assets to pass through the firm?
- Does the product include features that could enable money laundering or terrorist financing?

The firm must, of course, consider all these factors against its normal expectations for the type of business it performs and the clients it intends to service.

3.2 Understanding the Controls

Learning Objective 3.3.2: Understand the controls a firm should have in place to minimise its risk to fraud, money laundering and terrorist financing, including a training programme

A firm is exposed to the risk that its business will become a victim of fraud or will be used by someone performing money laundering or seeking to support terrorist organisations. The firm must, therefore, assess where such risks primarily reside: what processes, products, and client types pose the greatest risk of being abused in this way. Having assessed the risk, senior management must then ensure that appropriate controls are designed and implemented to mitigate this risk.

In respect of fraud, firms must recognise the potential for both internal and external fraud. Internal fraud relates to the actions taken within the company: an employee misusing their position to enrich themselves at the expense of the company or its employees.
Quality control checks (to ensure accuracy of processing) and segregation of duties (to ensure that work must pass through separate departments before payment is released) are examples of controls that can reduce the risk of internal fraud occurring.

As regards money laundering and terrorist financing, managing and mitigating the risks will involve:
- measures to verify the customer’s identity
- collecting additional information about the customer, and
- monitoring transactions and activity, to determine whether there are reasonable grounds for knowing or suspecting that money laundering or terrorist financing may be taking place.

Part of the control framework will involve decisions as to whether verification should take place electronically, and the extent to which the firm can use customer verification procedures carried out by other firms. Firms must determine the extent of their CDD measures on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction.

To decide on the most appropriate and relevant controls for the firm, senior management should ask themselves what measures the firm can adopt, and to what extent, to manage and mitigate these threats/risks most cost effectively, and in line with the firm’s risk appetite. Examples of control procedures include:
- introducing a customer identification programme that varies the procedures in respect of customers appropriate to their assessed money laundering/terrorist financing risk
- requiring the quality of evidence – documentary/electronic/third-party assurance – to be of a certain standard
- obtaining additional customer information, where this is appropriate to their assessed money laundering/terrorist financing risk, and
- monitoring customer transactions/activities.

Risk management is generally a continuous process, carried out on a dynamic basis. A money laundering/terrorist financing risk assessment is not a one-time exercise.
Firms must, therefore, ensure that their risk management processes for managing money laundering and terrorist financing risks are kept under regular review. A firm should, therefore, keep its risk assessment(s) up to date. An annual, formal reassessment might be too often in most cases, but still appropriate for a dynamic, growing business. It is recommended that a firm revisits its assessment at least annually, even if it decides that there is no case for revision. Firms should include details of the assessment, and any resulting changes, in the MLRO’s annual report.

3.3 Effective Training

Learning Objective 3.3.2: Understand the controls a firm should have in place to minimise its risk to fraud, money laundering and terrorist financing including a training programme

It is essential that firms train their employees in respect of fraud, money laundering controls, and the prevention of terrorist financing in order that staff will be able to recognise suspicious events, and will know how to escalate any such suspicions.

Key criteria for a training programme include:
- understanding the internal controls established, and the risks they are intended to mitigate (eg, controls intended to prevent internal fraud)
- staff responsibilities under the firm’s arrangements for the prevention of money laundering and terrorist financing, including those for:
  - obtaining sufficient evidence of identity
  - recognising and reporting knowledge or suspicion of money laundering or terrorist financing
- the identity and responsibilities of the nominated officer and the MLRO
- the potential effect on the firm, on its employees personally and on its clients, of any breach of that law
- the content and frequency of training reflecting the risk assessment of the products and services of the firm and the specific role of the individual, and
- appropriate assessment at the end of a training session to ensure it has been effective.
In addition, selected or relevant employees should be given regular appropriate training in order to be aware of:
- potential fraudulent activity
- the criminal law relating to money laundering and terrorist financing, and
- the regulations or guidance issued by the regulator.

Staff will find it helpful to have illustrations of the type of situation that may be unusual, and which in certain circumstances might give rise to reasonable grounds for suspicion. Training programmes may also include:
- examples of fraudulent activity – whether previously identified within the firm itself, or relevant cases from similar firms
- the nature of terrorism funding and terrorist activity, in order that staff are alert to customer transactions or activities that might be terrorist-related, and
- trends and the changing behaviour and practices among those involved in money laundering and financing terrorism.

3.4 Effective Suspicious Activity or Transaction Reporting

Learning Objective 3.3.3: Know the criteria for an effective suspicious transaction reporting system

An appropriate system of reporting must be in place whereby:
- All staff must raise an internal report where they have knowledge or suspicion, or where there are reasonable grounds for having knowledge or suspicion, that another person is engaged in money laundering, or that terrorist property exists.
- The firm’s nominated officer must consider all internal reports.
- The firm’s nominated officer must make an external report to the relevant LEA as soon as is practicable if they consider that there is knowledge, suspicion, or reasonable grounds for knowledge or suspicion, that another person is engaged in money laundering, or that terrorist property exists.
- The firm must seek consent from the LEA before proceeding with a suspicious transaction or entering into arrangements.
- The firm must freeze funds if a customer is identified as being on the sanctions list on the government website of suspected terrorists or sanctioned individuals and entities and make an external report to the relevant authority in its home state.

Firms need to ensure that detailed records are maintained, relating to any suspicious transaction activity – whether as part of the reporting system or as separate records. Such record-keeping should include:
- Details of any disclosures made regarding enquiries on a case.
- The reasons why a SAR/suspicious transaction report (STR) was, or was not, submitted.
- Any communications made with or received from the authorities, including the LEA, in relation to the SAR/STR.
- Where relevant, details of the need for prior consent to be received from the LEA before releasing the proceeds of a transaction – together with details of any such consent received.

The firm’s nominated officer must report suspicious approaches, even if no transaction takes place. Any actions required should be kept under regular review.

It is normally a criminal offence for anyone, following a disclosure to a nominated officer or to the LEA, to do or say anything that might either tip off another person that a disclosure has been made or prejudice an investigation.
