Nigel's Eyes

20230501 Financial Crime Risk and Compliance: The Tyranny of Regulators.

Financial services businesses are subject to an overwhelming amount of regulation which militates against the purpose of financial crime laws: that of catching criminals and confiscating the proceeds they have generated.

Law and regulation is necessary to require a wide range of businesses, many outside the obvious Banking, Insurance and Securities sectors, to detect, deter and report instances of suspected financial crime. That much is a given.

Counter-money laundering (widely mis-characterised as "anti-money laundering") laws were first introduced to create an offence similar to that of handling stolen goods but relating to the proceeds of crime. Contrary to common misconception, they apply to everyone, not only the financial sector. The regulatory framework within which, initially financial, businesses were required to operate, was developed against the backdrop that regulation was secondary to the criminal offences of being or helping a money launderer.

There was one obstacle to finding banks, etc. guilty of e.g. money laundering: historically, corporations could not be found guilty of offences requiring a state of mind. But regulations requiring compliance as a fact and where state of mind was irrelevant could be prosecuted. The precedent had been set in, for example, Health and Safety at Work.

But regulation, per se, has nothing to do with whether money laundering happens: it’s all about whether appropriate (or a similar word) systems are in place to detect and deter other people who may be trying to launder criminally derived funds through that business and, where there is suspicion that that is happening, to make reports to a specialist agency called a "Financial Intelligence Unit."

A reversal of purpose

Since Regulations were first implemented in the 1990s compliance with them has become the priority. It’s reached the point where businesses are more afraid of the regulator than they are of being prosecuted for a crime. They have been forced to prioritise compliance over financial crime risk, to be seen to be doing something.

The UK’s Bribery Act 2010 created an obligation on companies to prevent bribery. It requires companies to ensure that their staff and representatives do not commit bribery in order to obtain or retain business or some other advantage for the company. There is a presumption of guilt with the only defence being "for [the company] to prove that [it] had in place adequate procedures designed to prevent persons associated with [it] from undertaking such conduct."

That question of adequacy is not a question of intent. It is a question of extent.

This is dangerous: in a recent civil action in the USA against Rio Tinto, under a similar provision in the Foreign Corrupt Practices Act, the company settled the proceedings brought by the Securities and Exchange Commission, which suggested some sympathy with the company. By the standards of SEC penalties, the USD15 million settlement was not harsh.

Charles E. Cain, Chief of the SEC Division of Enforcement’s CPA Unit said "Here, deficient controls were no match for managers determined to hire a consultant whose only ostensible qualification was a personal relationship with a senior government official."

The question, then, arises as to what controls would not be deemed "deficient?" And how do companies deal with "managers determined" to evade controls? Is failure always proof of deficiency?

The answer, across the entire spectrum of financial crime risk and compliance is this: no one knows.

Regulatory Tyranny

Tyranny is authority without responsibility; the application of unreasonable or arbitrary power or control. That’s the very definition of many regulators which set Regulations, enforce breaches and determine penalties. Often, following a bruising encounter, the regulated business "settles" with the regulator with no outside supervision of the Regulator, or worse, recourse to the courts by the affected business.

Those businesses stand no chance of establishing that they have done all that was reasonably doable in the pursuit of the objective of compliance.

Too much regulation

There is too much regulation. Too much of it overlaps and too much of it is muddled and too much enforcement lacks a clear result upon which other businesses can rely.

Financial services businesses are subject to incredibly detailed, prescriptive, regulations in relation to financial crime. The Hong Kong Monetary Authority’s Guidance (which is in addition to Regulations) for banks fills 90 pages. That’s small compared to many.

Concentration on compliance means less attention to preventing money laundering.

Compliance has come to dominate risk, in time and money and in intellectual capacity. There is a reason for this: compliance failures are, relatively, easy to identify and measure and therefore penalties are, relatively, easy to order. They turn regulators into potential profit centres, or at least provide subsidy beyond such fees as are levied for authorisation.

For example, in those jurisdictions that have requirements to report, non-pejoratively, transactions in cash or certain other stores of value, it is quite a trivial matter to examine computerised records for cash, etc. transactions and to match them to the records of reports. There is no room for opinion: there was or was not a qualifying transaction and there was or was not a relevant report. In some jurisdictions, each failure to file in these circumstances attracts a flat rate penalty.

It’s a simple, readily enforceable and very attractive formula: was + was not = penalty.

However, outside those simple binary choices, regulators are making value judgements on a basis that is not and never has been communicated. There are no objective standards.

A regulator decides if controls are adequate on, essentially, subjective opinion. Worse, unlike decisions in courts, there is no system of precedent and, as a result, it’s subjective opinion on a case-by-case basis.

As more governments and regulators begin to consider creating obligations to prevent offences including fraud, sanctions breaches and money laundering, in addition to bribery, the complexity, expense and risk for businesses will increase dramatically.

Farming out the making of law, the enforcement of that law and the sitting in quasi-judicial determination of conduct to a single entity (or a closely connected tribunal) is fundamentally wrong. It is against the separation of powers and it is in breach of the principles of natural justice.

Even more startlingly, the installation of "monitors" within financial institutions and regulatory inspections to ensure strict compliance with micro-managed policies and procedures is coming dangerously close to shadow management.

It’s time to stop. It’s time to unravel the complex approach to financial crime risk and compliance which is, almost everywhere except government and government-adjacent circles, widely regarded as a very expensive failure.

It’s time to put responsibility where it belongs, within companies, and for the existing criminal law of attempts, wilful blindness and vicarious liability to be used to create and/or enforce corporate liability for criminal acts. It worked when draymen recklessly drove horse-drawn carts through busy streets; it will work now for Financial Crime.

In Malaysia, recently, there are the green shoots of this idea as individual employees in banks have been identified as having facilitated money laundering and now face prosecution.

It’s time to end tyrannical, capricious, regulation by enforcement, with no clear picture of how businesses should avoid action.

It’s time to end the Uber-like approach of "let’s just do it and sort out the problems later" that regulators adopt.

Instead, let companies be responsible for their own policies and procedures and to assess their own risks: all businesses are different and they are best placed to assess what works for them. When failures occur, as they will, the penalties should be for the offence rather than for an ad hoc qualitative assessment of a compliance failure.

What is needed is for relevant businesses to be told what to do in broad terms and let them work out how best to manage that within their businesses. Some things do need legislating for but those are remarkably few.

In short, let’s get back to the original purpose of counter-money laundering laws and their supporting regulations. Let’s let financial institutions concentrate on collecting information and handing it to the authorities so they can catch bad guys and confiscate their proceeds - and on making sure that the organisation itself does not become a victim of a money laundering, etc. scheme.