Customers: Corporate Asset or Corporate Liability?
Financial services companies are risking their reputation and possible fiscal and custodial penalties by failing to recognise their exposure to potential criminal activity. As the deadline for implementation of the 3rd EU Money Laundering Directive fast approaches (15 December 2007) many money laundering reporting officers (MLROs) appear to be oblivious to the size of the problem they face.
The new directive further tightens the screw on financial services suppliers to know their customers. It requires them to take a ‘risk-based’ approach to screening their customers against prescribed sanctions lists and also to identify any client that is a politically exposed person (PEP). The legislation builds on existing efforts to prevent criminals gaining access to the European Union’s financial systems.
It is up to individual firms to decide where they draw the line in the battle against organised crime and terrorists and there is little guidance from the Financial Services Authority (FSA), but any company that is subsequently judged to have acted negligently in this respect faces a heavy penalty.
I have to confess to a feeling of déjà vu. Following the Financial Services and Markets Act of 2000 and the Proceeds of Crime Act of 2002, Northern Bank and Bank of Scotland were each fined £1.25 million by the FSA for failing to take appropriate steps to prevent money laundering. Add to this the immeasurable damage these cases (and the headlines they attracted) did to the reputations of these organisations.
I have talked to many MLROs in a range of organisations, from small private banks to international asset management companies and retail banks with tens of millions of customers. Regardless of the size of the organisation, all of these people face the same challenge: deciding where to draw the line in customer screening to strike a balance between operational efficiency and crime prevention.
Attitudes range from the sublime to the ridiculous. Best practice is exemplified by the MLRO who measures every decision by what she describes as the Cornflake Test – doing everything necessary to ensure her employer does not appear in the morning paper for all the wrong reasons. This is in stark contrast to the MLRO who suggested that doing nothing was a valid response to the risk-based approach required by the new directive.
Ineffective and uneconomical approaches
Anybody thinking of playing Russian Roulette with watch and PEP lists should bear in mind that World-Check, the leading supplier of consolidated lists, estimates that their file will contain approximately 500,000 names by the end of this year when the new directive comes into force. Financial services companies will need to regularly screen their entire customer base to ensure compliance.
Unsurprisingly, criminals do not like to be easily identified. So, despite the growing number of names on the lists supplied by the likes of the Bank of England and the United States Office of Foreign Assets Control, criminals are becoming increasingly difficult to identify when hidden in a large corporate database. Whilst some resort to identity theft to cover their tracks, others simply manipulate their own names and personal details to create multiple personae.
Traditional approaches to matching customer names are proving ineffective and uneconomical when it comes to finding hidden criminals. They are typically unable to identify more complex matches, thereby missing the critical records.
These deficiencies have been evident in recent audits performed by my own company; each of them has found suspicious data that had been previously overlooked and each has resulted in new Suspicious Activity Reports (SARs) being filed by the company’s MLRO. The crimes involved have ranged from trading whilst insolvent to money laundering and even terrorism.
Meanwhile, some companies are loosening fuzzy match rules in an effort to perform a more thorough search. The main consequence of this is a large increase in the number of false positive matches produced, each of which takes time to review and approve. To make matters worse, compliance with the directive requires regular repeat screening of the entire customer base.
In the case of one large retail bank, this has resulted in the employment of 30 full-time personnel whose sole purpose is to review suspect matches. Whilst this is well intentioned, it is hugely inefficient and almost entirely unnecessary.
Thin end of the wedge
Manual review on such a large scale is a recipe for disaster. The operatives who perform such work soon become disheartened when it becomes apparent that they have to look at the same records time after time after time. This increases the chance of genuine matches to the sanctions lists being missed.
Because of the amount of manual review work involved, the bank is also unable to screen its complete customer list more than once per month and runs the risk of responding late to a new threat. This could be avoided by using a system capable of remembering and repeating previously made decisions so that only new or changed records require review.
Compliance with the 3rd EU Money Laundering Directive requires a blend of people, processes and technology:
• Money laundering reporting officer – all firms must have an MLRO, who must be sufficiently senior and competent. The MLRO is responsible for internal and external reporting of exceptions.
• Training – the relevant staff must receive appropriate anti-money laundering training.
• Record keeping – details of suspicious individuals, organisations or activities must be reported.
• Customer screening – customers should be screened against the sanctions and PEP lists; not only at the inception of a relationship but on a regular basis.
• Suspect review – any possible matches should be reviewed in a timely manner; this may require referral to a client relationship manager. Once a review has been completed and the decision made, this does not need to be revisited unless circumstances change.
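The idea of remembering review decisions, described above and in the suspect review item, can be sketched as follows. This is an added example, not code from the article or from any screening product: the record fields (`id`, `name`, `dob`), the 0.85 threshold, the `difflib` similarity measure and all sample data are assumptions made for illustration.

```python
import hashlib
from difflib import SequenceMatcher

def normalise(name):
    """Lower-case, drop punctuation and sort tokens so word order does not matter."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in name.lower())
    return " ".join(sorted(cleaned.split()))

def similarity(a, b):
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def fingerprint(customer, entry):
    """Hash of everything the reviewer saw; a change to either record alters it."""
    material = "|".join([customer["id"], customer["name"], customer["dob"],
                         entry["id"], entry["name"]])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def screen(customers, watchlist, decisions, threshold=0.85):
    """Return (replayed, needs_review) for pairs scoring at or above threshold."""
    replayed, needs_review = [], []
    for c in customers:
        for w in watchlist:
            score = similarity(c["name"], w["name"])
            if score < threshold:
                continue
            key = fingerprint(c, w)
            hit = {"customer": c["id"], "entry": w["id"], "score": round(score, 2), "key": key}
            if key in decisions:  # same records as last time: repeat the stored decision
                replayed.append({**hit, "decision": decisions[key]})
            else:                 # new or changed record: a person must look at it
                needs_review.append(hit)
    return replayed, needs_review

# Constructed sample data (hypothetical names, not taken from any real list)
WATCHLIST = [{"id": "W1", "name": "Ivan Petrov"}, {"id": "W2", "name": "Maria Gonzales"}]
CUSTOMERS = [
    {"id": "C1", "name": "Petrov, Ivan", "dob": "1960-01-01"},
    {"id": "C2", "name": "Maria Gonzalez", "dob": "1975-05-05"},
    {"id": "C3", "name": "John Smith", "dob": "1980-03-03"},
]

def demo():
    _, first = screen(CUSTOMERS, WATCHLIST, {})           # initial run: all hits need review
    decisions = {h["key"]: "cleared" for h in first}      # reviewer clears each hit once
    replayed, second = screen(CUSTOMERS, WATCHLIST, decisions)
    changed = [dict(CUSTOMERS[0], dob="1961-01-01")] + CUSTOMERS[1:]
    _, third = screen(changed, WATCHLIST, decisions)      # edited record is reviewed again
    return len(first), len(replayed), len(second), [h["customer"] for h in third]
```

Keying the stored decision on a hash of both records means a repeat run of unchanged data produces no manual work, while any edit to the customer or the list entry invalidates the earlier decision and sends the pair back for review.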
In today’s commercial environment, the damage caused by publicity following a breach of the EU directive could be devastating. Certainly, any fine imposed by the FSA is likely to be only the thin end of the wedge.
