10 May 2023
Neil Donovan, senior associate in Ashurst's global corporate crime team, is joined by Adam Jamieson, a partner in Ashurst's dispute resolution practice based in London, and Matt Russell, a partner in Ashurst's Risk Advisory business, specialising in financial crime compliance.
In this episode, Neil, Adam and Matt look forward and discuss how seriously firms should be taking Anti-Money Laundering risk and the themes they are seeing in 2023.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.
Hello, and welcome to the Ashurst Corporate Crime and Investigations podcast series, where we explore a range of aspects of investigations. And bring to you some of the insights that we've gained from carrying out investigations for our clients across different sectors. I'm Neil Donovan. I'm a Senior Associate in Ashurst's Global Corporate Crime and Investigations team, based in London. And, today, we're looking at anti-money laundering and compliance, which has been a longstanding focus area for regulators globally, and continues to drive enforcement activity. I'm joined today by Adam Jamieson and Matt Russell. Adam is a partner in our dispute resolution practice in London. And specialises in representing financial institutions and their senior management in regulatory investigations. Matt is a partner and member of the leadership team in our Ashurst risk advisory business, specialising in financial crime compliance. Adam, Matt, welcome and thanks for joining.
Thanks, Neil, for having me.
So a great panel for what should be a really interesting discussion. I'm going to kick off by asking Adam, as we near the end of the first quarter of 2023, how seriously should firms be taking AML risk?
Well, it's a great question. And I think I always look at these things from an enforcement perspective, and what I'm seeing on the investigation side. And I do think this is an area where the enforcement risks remain significant, as they have been for a number of years. Since October last year, the FCA's published four cases, fining firms for anti-money laundering system and controls issues. And we saw two in early January. There was also the highest penalty imposed for any regulatory breach by the FCA last year, just over £100 million, in December. And, again, that was an AML case. So on that side, the risks, I think, are high. There's also other cases in the pipeline. We know from the FCA's annual report that they opened 10 financial crime cases in 2021/2022. And they reported they had a total of 47 open cases at the end of '21/'22, some of which, of course, we've now seen published. So it's clear that there's a heavy caseload on the AML side, and more to come, and more cases being opened.
And I guess that flows from the fact that it remains a supervisory focus for the FCA. There was the review of AML controls at challenger banks, which they published last year. The FCA's '22/'23 business plan in their three-year strategy to 2025 called out AML as a priority area to tackle financial crime. And it's also clearly been an enforcement priority under the current Director of Enforcement, Mark Steward. And I think it's quite notable that he gave a speech in 2021 that was specifically on the importance of purposeful AML controls. And that's not a speech being delivered by someone at the FCA on the supervisory side, that's the Director of Enforcement giving that speech, which I think shows where it is on their agenda. And it'll be very interesting to see the approach of the new Director of Enforcement when Mark Steward stands down this spring. Including whether that individual favours regulatory cases, criminal cases, or dual-track cases, where there are AML issues identified at firms.
Thanks, Adam. So it's clear a lot of enforcement activity already this year. Matt, what would you add from an advisory perspective?
I suppose a couple of things, Neil, building on what Adam said. So I think the first thing to reinforce is that a lot of these cases, as Adam highlighted, are from those organisations that perhaps, historically, traditionally weren't necessarily being a focus of the regulator when it came to AML. So Adam mentioned the challenger banks, and I think some of those other enforcement notices relate to businesses that perhaps weren't necessarily within that regulatory focus. And I think, from an advisory perspective, what they highlight as well is that there are often then different challenges, I think, that are presented by those either business processes, business models, or the different types of risks that they're going to be exposed to. So I think it is making sure that organisations are reflecting on, what are my risks? What are my AML risks? And have I got the appropriate controls to do that? Because I think, again, in some of those enforcement actions that Adam highlighted, I think that's where there is a clear gap between expectations, in terms of what they thought was appropriate and clearly what the regulator thought was suitable for those organisations.
I think, though, the other factor would be some of these cases are, unfortunately, with organisations that have had AML failures in the past. So NatWest, Santander, to name just two. And I think it reinforces the importance of, not only responding to those original issues and demonstrating to the regulator that you've done something appropriate to address those gaps that have been identified.
But also, perhaps more importantly, that you're putting controls in place that ensure that you've got that sustainable control environment. So that you're continuing to address and demonstrating you address the AML risk. Because, again, like a lot of financial crime, these are risks that, by their nature, will be changing. Particularly, the moment you put up controls to try and prevent, frustrate, or detect. So, again, it's this idea of the agility of the organisation to be able to, I think, deal with this particular risk. For me, I think it's highlighted in those cases that Adam identified. And really is the lens through which I think organisations need to think about AML risk, in terms of what they do about them.
Thanks, Matt, that's really interesting. And, Adam, some of the fines that you've mentioned are really quite significant. And we've seen those continue into 2023. How have those actions been triggered? And what are the common themes that we're seeing?
Yeah, thanks, Neil. I think on the issues and themes, there's a number of themes that you can take across the wide range of AML cases that we've seen more recently and in recent years. The AML specific issues, very commonly systems controls in relation to politically exposed persons, PEPs. Client due diligence, including enhanced due diligence for high risk customers. How the firm deals with significant cash operations, for example, money service bureaus. Correspondent banking and trade finance operations. AML awareness within the organisation. And suspicious activity reporting. And then, perhaps finally, transaction monitoring.
In terms of themes, I think it's noteworthy that there doesn't have to be any evidence of actual money laundering in the majority of these cases. It can be just this hypothetical risk. And the focus is very much on the adequacy of the AML framework. The FCA tend to look at culture within the organisation, particularly, obviously, in relation to AML tone from the top. Do people see AML compliance as an important part of their role? How does it feel within the organisation? Is it simply a box ticking exercise? Obviously, training's a part of that. And I think Matt's going to come on to talk about that in due course. I'd be interested in his views on that. There's also record keeping can be an issue within these investigations. Confirmed evidence that they're doing the right things, and particularly complying with their own policy standards.
And then, just finally, Neil, on triggers, it's obviously case specific. But, in my experience, there's very commonly a failure to remediate known issues. And then an issue with the firm satisfying the FCA, in relation to the same, that they are dealing with those issues in an appropriate and timely way. And this response by the firm to what I would say is a red flag. And, normally, you see in these cases, there's a clear line in the sand, where the FCA will say, "Clearly this issue should have been identified, and it wasn't." Or if it was identified, it wasn't dealt with in the right way. And that, very often, can be the trigger. And it might be an FCA supervisory visit, or a deep dive, or a thematic review. It could be a Section 166 Skilled Person Review. It could be a red internal audit report. It could be a whistleblower. Or it could be an issue that's been self-reported by the firm. There's a number of different ways these cases are happening but, very often, it's this response to red flags.
Yeah, that's a really interesting observation, Adam, that money laundering risk does not necessarily need to crystallise in order for an enforcement outcome to follow. And the focus very much being on the compliance programme. So I'd like to ask Matt, what are the key features of an AML compliance programme that the FCA expects firms to have in place?
Neil, I suppose on one level those key requirements are elements that haven't really changed over the last 15 years. But I think, as Adam, I think, quite rightly highlighted, it's quality of those controls. And it's actually what organisations are doing, in relation to each of those pillars, that I think is important. So, for me, obviously, the starting point, and my colleagues would hopefully reinforce this, would be it's around the risk assessment. And, again, for me, that's the piece that often organisations are failing to get right. And the FCA, and others internationally, have perhaps questioned the quality of the risk assessment.
But, equally, it shouldn't just be a standalone document that is there that can be pulled off the shelf to explain to the regulator what is being done. And dare I say, in some organisations, taking a year to pull together. And then you've got to start the exercise of refreshing it again. For me, that risk assessment is the key document, and the key tool, that not only helps with that dialogue with the regulator and other third parties, but also should be the tool that then guides the nature of all of those downstream activities. Whether it's the due diligence controls, like onboarding and screening, or the ongoing monitoring, such as transaction monitoring systems, automated or manual. As Adam said, the training. And then, also, helping guide and prioritise what sort of remediation actions need to be in place. So getting that risk assessment right is critical.
I think that second pillar, though, is around that onboarding process, in terms of not only what clients are you taking on. But also, potentially, what clients are you then, during the course of the relationship, do you feel like you're not willing to continue the relationship because some of the concerns that you have, based on the due diligence that you've done. And I think what's critical is, ultimately, that is a decision making process. Yes, there's a number of activities that need to be done increasingly to satisfy explicit regulatory requirements. But it is due diligence with a view that then the organisation has an informed decision around whether they either take on or maintain that relationship. And, again, the quality of that decision making, I'm reinforcing what Adam was saying, that how that decision making is documented, the nature of the rationale. I think all of those are the things that perhaps organisations aren't necessarily taking into consideration.
And then, that third pillar, is the ongoing monitoring. And, again, really due diligence is not just that onboarding, but it's that ongoing monitoring as well. Both in terms of is that client or that customer doing what we expect? And more particularly, what should we expect? And I think what's interesting for me in a lot of those enforcement actions is that, in many respects, a lot of those organisations potentially had a different relationship with those clients or customers. Which means that some of them, you would've expected them to have a full banking relationship. So their expectation would be that actually they should and could have identified what's unusual. Because, in theory, that bank had a line of sight in terms of the ongoing activity. So I think about the NatWest case, and obviously the jewellery entity or customer in question. Really, the organisation should have had a concern about the level of cash, in this particular case, that was being banked.
And it should have been concerned that that wasn't in line with expectations, not just for that organisation or that customer, but customers or organisations of a similar type.
But then, in other circumstances, the institution may not have the opportunity to see all of the aspects of that customer transactional activity. So what information do they need in order to be able to identify that something is unusual and out of the ordinary? Without necessarily capturing lots of information that, dare I say it, potentially opens them up to other risks, particularly around data protection or otherwise. So I think it's a really challenging balancing act that organisations need to make around that ongoing monitoring. Not just in terms of the process, but also some very important decisions around how much data do they need to capture, gather, and maintain, in order to do that effectively.
And then, the fourth pillar, that I think the regulators are looking at is training. And, again, unfortunately, organisations when they think about training, they think, "As long as we demonstrate that everyone's done their annual training, then that's sufficient." When, actually, what I think have been called out in some of the cases over the last 12 months, is that certain roles need certain types of training that's potentially going to be more intense than others. And, again, coming back to what I said about the risk assessment, the regulator is looking for an expectation that what's called out in that risk assessment, and also, other external sources of information around risk is then informing the training. Particularly of those that perhaps should have heightened awareness around some of the risks that they may be coming into contact with.
And I'm thinking now, again, back to the NatWest case. What level of training did the alert investigators have access to? And, again, can you demonstrate that that was informed by the risk assessment? So I think the expectations around the quality, the coverage, and just the nature of that training, I think the bar has been raised, in terms of what the regulator's looking for in light of those cases.
And then, again, I come back to that fifth pillar, in terms of remediation that Adam described. And, again, I think, particularly for those organisations where this is not the first time that they've been fined, I think there are some legitimate questions to be asked around the quality of their remediation programmes. And, for me, I think one of the things, from an advisory perspective, to reflect on is particularly where you've identified significant gaps in the organisation's processes and you're looking to remediate them. Well, they may be the strategic aims that may take one, two, sometimes three years, particularly if technology's involved.
But what are the tactical mitigants that the organisation needs to put in place. That may not be as good as those strategic solutions, that may be more manual. But that need to, ultimately, be put in place for the organisation to demonstrate that, not only have we identified the gaps, not only have we got a plan. But we've also got some of those tactical activities that help us manage the risk in the meantime while we're waiting for that strategic solution to be put into place. And I think, again, if we reflect on some of those organisations that have fallen foul of the regulator around AML, I think you're seeing some of those weaknesses.
Great. Thanks very much, Matt. That's a really, really fascinating overview of the extent, and the scale, and scope of an effective AML compliance programme. So we've spoken a lot about what firms can expect from the FCA and what they should be doing in practice. Adam, if you had to identify one key takeaway for our clients, what would it be?
This is both for firms and senior managers who might have accountability in this area. It's to look out for those red flags and take action where you see them. Ideally, if there's, for example, going to be a regulatory visit or a review of the controls, then try and get ahead of it. And, to the extent you can, make any enhancements before that review happens. Because, often, there's the opportunity to do that. Or at least identify where your gaps are. And have a plan in place that you can present to say, "Look, we're aware of this and this is what we're doing about it." Rather than let the FCA or external party discover that issue.
I guess, if you're in a situation where issues have been identified by the FCA or an external third party, then it's a case of taking advice. Getting a remediation plan in place, including adding additional resource. And resources is an issue that we see very often in enforcement investigations. Obviously, a lack of resource can lead to delays, backlogs in remediation. You've obviously got to deal with your BAU at the same time too. And it might require external support and additional budget. You need clear escalation of these issues to senior management and the board. You need governance around the remediation ownership and oversight of delivery. And, also, where necessary, positive regulatory engagement on the issues, early, proactive. Build confidence between the firm and the FCA that the firm is dealing with the issues appropriately. So that would be my takeaway.
Great. Thank you, Adam. And, Matt, what would be your takeaway for clients?
I think I'd build on what Adam's just outlined. And probably go back to what I was saying around the importance of the risk assessment. Because if this is a risk-based approach, and I think to be successful it has to be a risk-based approach, I think both organisations and the regulator need to acknowledge that things will go wrong. And I think the way in which an organisation responds, as I think Adam was outlining, is critical. And, again, that's why I think the risk assessment itself is so important. Because it either explains where the organisation was focusing its efforts and its resources. And, hopefully, supported by a well-reasoned and evidence-based rationale as to why that was appropriate for that business, at that time, in the context of the risks that they understood.
And then, if something else happens, perhaps not necessarily where they were focused on, then there's a legitimate question to say as to whether that now means that they need to recalibrate those controls to be able to address that risk. Or it might just be a one-off, that means that actually they were still justified in pointing the resources in a particular direction. But then, if that breach or that failure happens where the organisation had focused its resources, then particularly as the MLRO who's responsible for compliance with the regulations, they should be able to demonstrate what they've done. Which you would hope is proportionate and appropriate in the circumstances. And that, again, it may be, hopefully, the activity of either customer or sometimes member of the business or the organisation that really you couldn't predict. But all reasonable efforts had been made.
But I think to do that effectively, you need to be able to demonstrate, through the risk assessment, where you understood the risk to be, what you've done. And more particularly, picking up Adam's point, what you have done on an ongoing basis to get comfortable that the organisation is then complying with those controls that you've put in place. So it shouldn't be a zero failure regime. But I think in order to be in a robust position when it does go wrong... Because, by definition, a risk-based approach, it is more likely to go wrong. That you're in a very strong position to be able to have that dialogue with the regulator. Which I think was Adam's last point, which I absolutely agree with, it's making sure that you've got that transparency, that openness. But you've also got really good data that you're able to have that robust conversation with them. So for me, Neil, unfortunately, it comes back to the risk assessment.
That's great advice, Matt. I think we can say with certainty that monitoring of AML risk should remain firmly at the top of legal and compliance agendas as we move through 2023. And I'm sure this is a topic that we'll revisit in future podcasts as enforcement activity continues, and the legislative landscape evolves.
Thank you very much to Adam and Matt for joining today. If any of our listeners want to get in touch with us or have questions, then you'll find our details on the Ashurst website. And if you'd like to learn more, then look out for the next podcast in this series. If you don't want to miss future episodes, do subscribe now, wherever you get your podcasts. And if you'd like to keep the conversation going, leave us a review or a rating. And let us know if there are any topics that you'd like us to cover. Until then, thank you very much for listening.