In assessing how deterrence should work, many regulators have latched on to a principle of three lines of defence. This follows the old military principle of castle building, with the outer wall representing the first line of defence, the inner wall the second line of defence, and the keep the final line.
Take our Anti-Money Laundering Professional Refresher to earn two hours' CPD
The Sommet de l’Arche in Paris established the Financial Action Task Force (FATF) 30 years ago to combat money laundering. Where have we come to in Europe and what remains to be done?
The term ‘money laundering’, unheard of in 1989, is now in common parlance, and has been globally criminalised. Predicate offences – crimes that are components of more serious crimes – have widened from drug trafficking to the proceeds of all crimes. Europol has established itself internationally in anti-money laundering (AML) terms. The Egmont Group has grown to a large international organisation of 159 financial intelligence units, representing the operational arm of AML and counter financing of terrorism (CFT) deterrence to complement the strategic arm of the FATF. Fifteen EU member states (plus the European Commission) are direct FATF members and the remaining 13 are members of Moneyval, a 28-state European FATF equivalent which includes members such as the Caucasus states, Russia and Ukraine.
European governments evaluate each other’s AML performance occasionally. However, the amount of proceeds of crime recovered as a result of successful money laundering prosecutions, compared to the amount thought to be available to be laundered, is around 0.1% at best. It is small wonder that commission of the underlying predicate offences remains rife, and increasing, particularly in relation to emerging criminality, such as cyber crime. Why is the European AML system so ineffective in reducing the impact of the underlying crimes upon European citizens?
The major AML issues in Europe can be divided into three distinct areas: governance, risk management and capability. Some feel it is a simple question of reforming the European AML supervisory architecture, but the answer is more complex and nuanced than that. True, AML deterrence in Europe does need better governance, but improved structure of European authorities alone will not keep organised crime lords and other members of the dark economy awake unless it is allied to action, commitment and improvements in capability.
There are many fault lines across Europe in relation to AML governance:
There is no clear stated focus on what the objective of AML should be across Europe. Yet without clarity of vision, mission and modus operandi, it is difficult to see how progress can be achieved. It should be greater than merely securing the financial and operational integrity of the EU, though that would be a good start. The focus of most governments seems to have switched to fining the gatekeepers rather than convicting the perpetrators of the predicate offences. This is ineffective in terms of reducing the scourge of drug trafficking across Europe, for example.
- With only 15 EU member states being members of the FATF, the remaining 13 member states members of Moneyval, and 19 of the 28 EU member states members of the eurozone, there is dislocation across the EU in terms of deterrence, not just of money laundering, but of financial crime in general.
- There is no EU coordination body for AML policy except for the European Commission, certain monitoring and supervisory functions carried out by the European Central Bank and European Banking Authority, and certain loose information sharing arrangements between national member state authorities.
- Laws relating to crime are reserved to individual member states. True, there is some coordination of investigation through Europol, and instruments such as the European Arrest Warrant have been created, but usage of such instruments varies wildly across the EU.
Governance is not just about architecture, however, but also about 'battle rhythm':
2. Risk management
- The gestation periods of European legal and policy measures are far too long. In relation to the Fourth Money Laundering Directive, for example, the ‘flash to bang’ time (carrying out policy development within FATF to implementation of the associated directive) was well over a decade. This is far too long in relation to deterrence of money laundering, a problem which will be exacerbated by the need to respond to the explosive growth of cyber crime.
- The mutual inspection cycle is also around a decade long. With virtually all EU businesses subject to so much annual control and monitoring, why should this concept not apply to AML deterrence at governmentallevel? There is currently no annual assessment of EU member state performance against the FATF40 recommendations.
No key performance indicators (KPIs) have been set by the FATF or Moneyval, and member states are not even collecting figures on the underlying offences in a coordinated manner, yet this is vital for effective policy development and the combat of money laundering and its predicate offences. How can policies possibly be effective if you don’t know the numbers? True, the FATF has developed some indicators (known as ‘immediate outcomes’), but these are not the same as KPIs related to the predicate offences. An assessment of what really needs to be measured is urgently required, in order to develop the correct tools, fund the most effective action, and reduce the ever-growing scourge of the underlying crimes. Even the most advanced EU member states are assessed as having several areas where major improvements are required, so greater government commitment is necessary.
To reduce compliance burdens and increase effectiveness, the concept of risk-based deterrence has been introduced. Although highly attractive conceptually, the risk-based system has been stymied since it has become the regulator who decides what the risk is, rather than allowing firms to carry out their own risk function, with regulators checking that the risk process works and the firm developing its risk assessment skills. This initiative needs to become less dirigiste to succeed.
In assessing how deterrence should work, many regulators have latched on to a principle of three lines of defence. This follows the old military principle of castle building, with the outer wall representing the first line of defence, the inner wall the second line of defence, and the keep the final line. Fine for castle building in mediaeval Europe, but the only organisation building castles these days is Walt Disney. This concept of defence as applied to financial institutions has the customer-facing staff as the front line, compliance as the second line and audit in the castle keep. This concept is outmoded, ineffective and encourages the wrong mentality in crime fighting. Better a system of integrated active defence, where all AML assets are designed to work together, as currently used by the world’s militaries to great effect in defences such as integrated air defence systems and integrated carrier battle groups.
About the expert
Richard Parlour is principal at Financial Markets Law International.
Training of law enforcement in how financial markets work is generally below what it could be. Virtually all law enforcement officers are given some financial investigation training, but this is not the same as instruction in the operation of financial markets such that law enforcement has a chance of recognising egregious behaviour, apprehending the perpetrators and obtaining necessary evidence. Specialist financial police are needed, properly trained and supported, in all countries. Commitment currently ranges from financial investigation units consisting of just one law enforcement officer, to specialist financial police like the Guardia di Finanza with a force of around 70,000 persons.
Fines levied on banks are in the billions, yet at the same time governments appear unwilling to fund even small law enforcement projects. One member state agency, for example, promised funding for its creaking IT system to cope with suspicious activity reports, requiring just over €5m, has finally been allocated the funding, but not until 2023.
AML compliance has become an end in itself, highly bureaucratic, with the real objectives having become lost in a mass of organisational data kleptomania. Digitisation of business has given rise to a search for an automated AML nirvana, reducing human input to a bare minimum. Yet money laundering deterrence is a human issue and programming errors can increase costs dramatically, as battles to reduce false positives have shown.
Compliance is also often seen as all cost with little or no benefit. CEOs appear to prefer running the risk of massive fines than investing sufficiently in ensuring that their business models and compliance functions are properly aligned, effective and efficient. Far from scandals having changed such attitudes, they have been perpetuated, as the recent response by Scandinavian banks demonstrates.
This article was originally published in the July 2019 print edition of The Review. All members, excluding student members, are eligible to receive the quarterly print edition of the magazine. Members can opt in to receive the print edition by logging in to MyCISI, clicking on My account, then clicking the Communications tab and selecting ‘Yes’.
Once you have read the print edition, keep coming back to the digital edition of The Review, which is updated regularly with news, features and comment about the Institute and the financial services sector.