ACFE ASIA PACIFIC 2022 SINGAPORE
Before I launch into my paper, I have some housekeeping to do.
First is to thank the Association of Certified Fraud Examiners for the opportunity to address you today.
Secondly, there are no slides. I don’t use slides.
There are two reasons for this: the first is that there is ample research that says that slides distract you from the totality of what is being said and encourage you to reduce carefully crafted prose into a series of bullet points and in doing so to miss the nuance that is built into the presentation. This is because it is difficult to read and to listen. And also because you pre-read the bullet points and then listen for the passages that support them, you don’t listen between the lines on the slides. So, in summary, it’s because I want you to pay attention to me and what I’m saying.
The second is that there is also ample research that you learn more when you make your own notes. This is because it is easy to listen and write.
Also, so far as I’m concerned, only boats have decks. Presentations have, well, me.
Third, I know I speak fast. I have been trying to slow down for half a lifetime. I can do it until I get excited about my subject then I’m off and running, words pumping out like bullets from a machine gun. When that happens, I want you to shout out and tell me to slow down. Or just whistle or something. But don’t let me run away. To be clear, you are not in any way at fault. I’m the communicator and it’s my job to make sure you get the message. When I speak too fast, I’m failing.
That said, let’s go.
I’m Nigel and I’m an addict.
I am addicted to the design and implementation of effective systems, policies and controls to detect and deter financial crime and to the making of reports of suspicion.
I am also addicted to the concept of simple, low-friction legislation and regulation which is focussed on the objective not on the manner in which that objective is achieved.
And I am addicted to the ideal that there should be punishment where there is actual money laundering, etc. rather than punishment for the breaching of codes of practice, often on an arbitrary ex post facto analysis interpretation of those codes.
I am an advocate against authoritarian systems be it in government, law or regulation and in favour of personal responsibility. I want people to think, not simply to do.
I am, in particular, against the codification of laws and regulation because I am convinced that the more clearly defined the systems, the more easily criminals learn and circumvent them.
And, especially, I am against the codification of, in particular, industry-wide risk and compliance systems because it not only discourages thought by the very people who are required to identify risk and to provide compliance to mitigate and to militate against that risk but actively prohibits the development of company-specific, even risk specific, systems to detect and deter a wide range of financial crime.
I am an advocate for clarity and against the use of vague buzzwords and acronyms that are often misleading and sometimes plain wrong. I want you to be able to listen to and read legal, regulatory and otherwise relevant material without having to pick your way through a morass of verbiage which does not help you to identify and deal with the specific things you need to deal with.
Defence lawyers know that in order to sow reasonable doubt, they only need to sow confusion in the minds of the arbiters of fact, be that a judge or a member of a jury.
It is easy to sow doubt when the very people making the policies, laws and regulations – and even enforcing them – are so busy avoiding clarity of language and thought.
For example, around the world regulators have adopted the false term ″red flags″ and then listed what they consider identifiers of risk. They say their list is only a starting point but in reality we all know that the human mind, being what it is, says that if there is a list, that it’s conclusive and comprehensive.
Here’s the consequence: if it’s not on the list, staff stop looking.
If staff stop looking, they fail to identify the risk of e.g. money laundering, financing future crime including terrorism and the payment of bribes.
In this way, over-prescription is counter-productive.
This is an example of how the entire regulatory industry, from the Financial Action Task Force through various self-appointed industry groups through those that draft law and those who produce regulations are bound by group-think and make a false assumption that the rest of us are like them.
Here’s a shock: we aren’t. Your staff aren’t. You aren’t.
In 2017, I wrote ″It’s strange: in a world that some claim is racing towards globalisation, many people exist in their own bubble world, where only those like them are allowed and is, therefore, exactly the opposite of global. While geographically without obvious limit, their ability to think, analyse and respond is hampered by the fact that only opinions that match their own are admitted.
″One might imagine that the bubble would become bigger, but it doesn’t. The bubble just fills up and its walls become ever stronger. If a stray thought tries to enter, it’s turned away. “Halt who goes there? Someone who challenges the new orthodoxy that is the only acceptable thinking in here? No, you can’t come in.”
″It’s intellectual apartheid. It’s discrimination by those who follow fashion. They drive BMWs because someone told them that’s what thrusting young executives drive; the man with the Alfa Romeo is weird, they think.
″The result is that, within the bubble, a single thought takes on the momentum of a cheese rolling down a hill, followed by those who don’t think whether it will be edible if they do, indeed, catch it. The failure of the bubble dwellers to think outside the incestuous, circular, mindset within the bubble means that bad ideas are not challenged. It means that, within the bubble, the focus is not on whether to do it but rather how to do it. Ideas rapidly become, or even arrive as, a fait accompli and while there is often extensive debate on the best way to implement them, the hard question – (should we do this?) – is never asked.″
(Me: The falsely accused contrarian and the bubble people. 2017)
The pace of material from everything from the FATF down accelerated out of all recognition during the pandemic.
Across the world, countries drafted and passed new laws and regulations at an unprecedented rate. Much of it was ill-thought out and had no valid purpose. Vast tracts of legislation and regulation poured forth when a few lines amending existing legislation would have achieved the required purpose.
In their bubble, no one heard the shouts of ″we really don’t need this″ from those that truly understand.
Here is our starting point: it is literally impossible for one compliance officer in one country dealing with one jurisdiction to stay on top of the amount of law and regulation, to say nothing of so-called advisories, guidance notes, recommendations from self-appointed groups, the output from the Financial Action Task Force which has expanded its own sphere of influence to directly address businesses and – of course – commentary from every form of consultant imaginable – including me, of course.
The nett effect of this – and of the focus of regulators – has been that there is an overwhelming compliance burden which leaves far too little time for the thing which is actually important – the assessment and dealing with risk. And, not to put too fine a point on it, the important topic of crime prevention.
For here is the irony: if organisations are left to build and maintain effective crime prevention models tailored to their business, then the very forms of compliance that are demanded will fall into place and be integrated within, not bolted onto, business processes.
Instead, businesses are told to build their compliance frameworks and to do business within them. It’s back to front.
Financial Crime Risk and Compliance is the target of a legislative and regulatory onslaught in almost every jurisdiction in the world – and in those where it is not, there is pressure from, quote, the international community, to follow suit.
Dealing with just one jurisdiction is impossible. And yet every commercial concern that conducts business across borders is thrown into the firing line for law and regulation in those other jurisdictions, too.
If your company buys and sells widgets, then the situation is far, far simpler than if your company provides any form of service to a third party that, for example, buys and sells widgets. In short, as a financial institution, for example, your risk arising from activity is exponentially greater the further you are from the actual business activity.
The risks a financial services business faces are amplified not only by more complex regulatory requirements but also by the fact that those to whom services are provided may not comply with the requirements placed on them.
I’ll give you a very simple example: a courier company ships a package from the USA to Hong Kong. In Hong Kong it is re-addressed to India. In India, it is readdressed to Russia. Shipping direct from the USA to Russia would be in breach of sanctions. Payment from Russia would be in breach of sanctions.
The label says ″widgets″. But at each stop in the process, the delivery is declared as the final destination. Nothing in any of the documents indicates that the package will be forwarded. And the money travels by a circuitous route, too.
The sanctions have in fact been breached. The question is whether the courier or the payments services provider can be held responsible.
Here’s the important thing for the purposes of this paper: so far as regulators are concerned, it doesn’t matter.
What matters is whether the company can demonstrate whether there were adequate policies and procedures to prevent such transfers. A failure is, primarily, seen as evidence that the systems were inadequate.
Spoiler alert: systems fail. Criminals are sneaky. They win. And they win even when the systems are as good as can be reasonably expected without actually closing down the business. Regulators need to understand that. The valid question is actually ″was a crime committed?″
Here’s why it matters and why it fits in with the thesis I advanced earlier: there might be a penalty for the shipment and there should be if criminal intent is shown. But the primary risk for such businesses is large penalties for failing to take steps to prevent it happening, even if no criminal intent, or even recklessness, is proved.
Worse, penalties might then be applied to those who failed to prevent the payments relating to it.
So the important question is not one of paper but one of people.
Criminals will find a way around whatever preventative systems are created. It’s just how it is.
What we, every one of us involved in financial crime risk and compliance, in whatever part of the disciplines we operate in, need to ask, of ourselves and of our rulers, is this:
a) is it right that the authorities, however that term is defined, should define systems that we must follow; and
b) is it right that where those systems are open to interpretation, that a business should be penalised for an ex post facto decision by the authorities as to what it intended to say?
As this is the Association of Certified Fraud Examiners, let’s talk about fraud.
Ultimately, fraud is a social crime, committed by one individual who in some way manipulates another.
We teach our children that cheating is fun: we say ″look over there″ as we steal a chip from our child’s plate. We condition our children to see being a victim as normal and something to be laughed off.
I’m not saying we shouldn’t play with our children – such games are an essential part of bonding and, ironically, of teaching awareness of risk.
Yet it is important that we recognise that there is, from an early age, a tolerance, even an acceptance, that deceit is something that we accept.
Does it amount to conditioning?
On some level it is but I don’t think we should make too much of it beyond noting that when we are trying to combat fraud, we have to understand that we are having to overcome something that is – albeit innocently – ingrained.
But it’s also primal.
Cheating is as natural as living. We call it fraud to make it sound impressive but cheating predates man. Animals that hunt use tricks such as pretending to be injured to lure a predator into a trap, turning it into prey. Others have evolved to mimic predators so as to scare them away. Even plants have developed traps for insects or poisonous fruit to protect themselves.
Modern man as a hunter uses decoys to attract ducks and lures to attract fish.
Since man first scratched a mark on a rock, he has used images to represent - and misrepresent - for example quantities.
As means of communication have developed, there has always been a tendency to trust that which the latest tech reports. And so around the world hundreds of millions of people daily trust what they see on their computer screens or their phones.
And right now the latest tech is focussed on imagery with reliability of information taking a back seat.
Visual imagery is a strong messaging medium: from hand-drawn, prehistoric, marks on cave walls to the pseudo-realism of modern computer graphics, a picture tells a thousand lies if it is generated by a liar.
I’m doing some work on the financial crime risks of the metaverse and am completely unsurprised: the tech is shiny but the concepts are the same as always.
Here’s the golden rule: ask yourself ″if we take away the tech, would we do what we are being asked to do?″
Now in an apparently global environment ask this: ″if it were not for the tech, would we be involved in that kind of conduct or, even, would we be in a commercial arrangement with that company?″
All fraud includes some form of misdirection or misinformation.
Here’s a phrase to remember:
clarity is the enemy of fraud.
And, while we are here, let’s remember that hiding assets is also primal and modern – even a squirrel hides his nuts – and that storing those assets amongst the assets of others is normal; co-operative wine makers all put their grapes in the same hoppers. You and I put our money into banks where, historically, it would have been something physical that was pooled with that of other customers. Today, it’s data and that data is pooled. We have moved from things to value, from intrinsic value to perceived value.
We have moved from certainty to uncertainty in everything including the identification of persons and laws. We are driven by some crazy notion that each individual has some kind of rights that exceed those of society collectively. We are racing ahead of our ability to build that into our risk and compliance models.
We will have to learn to deal with these changes not because someone posts a message on Twitter and gets thousands of people to join his cancel hashtag but because governments say we must. We must learn to work in an environment where some of our most basic certainties are no longer available to us.
Science tells us that there are four genders: male, female, hermaphrodite and neuter. The UK Home Office, I recently saw reported, has circulated a notice saying that it now recognises more than 100 of what it refers to as ″genders.″ This is only one of a massive range of challenges that we, as an industry have to face.
How, we have to ask, do we prioritise facts vis-à-vis opinions? How do we decide what are facts? Do we accept the opinions of others, which conflict with our own knowledge, as having the status of facts?
And how do we build those into our risk models?
Now I want to turn to another basic point in relation to financial crime and it directly refers to the clarity point.
On my backdrop, you will see that it says ″Counter Money Laundering″. In fact you won’t hear me use the term ″Anti Money Laundering″ or its annoying acronym AML.
Why is it annoying? It’s because the world and his dog that want to join the club say things like ″in the AML space.″ The more acronyms, buzzwords and vacuous expressions someone uses, the less they understand about the subject, in my experience.
But here’s the thing: the term ″anti money laundering″ fundamentally militates against understanding the subject.
We can be ″anti-fraud″ and ″anti-bribery.″ We should be ″anti-terrorist financing.″ This is not pedantic semantics. It’s because it tells you what we are trying to do i.e. to get ahead of the criminals and to prevent the conduct taking place. It’s pre-active. It’s crime prevention.
That’s exactly the opposite to money laundering. By definition, laundering starts after the predicate crime has been committed; at the moment that the predicate crime has been committed, the laundering is under way. There is, therefore, no opportunity to get ahead of it. We are always, always, always reacting and we can never be pre-active. It’s always re-active.
We can de-risk, we can deny an application for business but that’s not preventing money laundering: it’s preventing someone who may or may not be a money launderer using our services.
It follows that we are always ″countering″ money laundering.
This isn’t new and it’s not even my idea although these days I am one of only a handful of advocates for it. In the 1980s, the term used was counter-money laundering. It was still used into the mid 1990s. But somehow, and I don’t know how, someone managed to bulldoze through this mistake.
As a result, the world misunderstands the purpose of laws and the policies and procedures implemented under them.
Governments are not ″anti″ money laundering: they are quite happy for criminals to put their proceeds into the hands of those who are required to report suspicious activity. Counter-money laundering laws – as their primary purpose – are not about money at all. They are about information and the entire point of the engagement with the financial and other sectors is to create choke points where that information is collected, sorted and, where relevant, passed to the appropriate authority.
The secondary purpose, of confiscation of proceeds, is as important but it is consequential.
So, when we are looking at the law and regulation relating to e.g. bribery and corruption, we are pre-active but when we are looking at the law and regulation relating to money laundering, we are reactive.
These are very material differences and it’s why using the correct terminology is important.
Clarity matters and that’s why, in the Common Law, there’s 1000 years of judicially defined words and phrases. But over the past 25 or so years, there has been a woefully misguided move towards the use of ″plain English″. So far, jurisdictions such as Singapore and Malaysia have resisted this trend and their laws are all the better for it. Long may they continue. Jurisdictions such as the UK and Australia have incomprehensible laws – and the regulations made in the UK are insanely wordy and imprecise.
This matters because, I repeat, decisions as to compliance are made ex post facto based upon what, because of that imprecision, are arbitrary interpretations.
What is happening is that clarity is being added by enforcement, not designed in at the outset. It’s the after-market fitting of a speedometer because the car designers didn’t think to put one on the dashboard.
It is not for me to say what the motive is for such an approach but I can say that the effect is that millions of pounds, dollars, euros and everything else are wasted by the need to constantly fidget with systems and controls that could be designed, in the beginning, to take account of the risk of financial crime.
Here’s another one of those phrases I like to emphasise:
Money laundering is an offence in which the victim gets punished.
Well, here we are. I’ve put out several apparently unrelated areas. Let’s think of them as Lego bricks.
Let’s join them up and see what we can make.
Let’s start with the financing of terrorism and to do that, let’s start with a definition. I’m using terrorism because we all think we know what it means.
How many of you have seen the film Die Hard where terrorists took over a building to steal some bearer bonds?
Let’s have a vote: hands up if you agree that was terrorism?
Hands up if you disagree that was terrorism?
Hands up if you didn’t vote.
OK, I’m not going to embarrass anyone by asking them to justify their answer. I’m going to give you a definition but before I do that I’m going to talk about the influence that that one word in that film has had.
It’s not terrorism. But that one enormous blockbuster which is repeated with great frequency on TV all over the world has convinced many that any very violent crime is terrorism.
No: violent crime is violent crime no matter how many people or how much property is harmed. And that’s a good thing – again, I’ll explain why it’s a good thing in a minute or two.
Terrorism is defined as ... well, actually there is no standard definition but there are standard elements so let’s create a definition containing those elements.
Terrorism is the use or threat of serious harm to persons or property with the intention to influence government policy.
So: first terrorism is an act against the state in which the victim is a tool or conduit.
Secondly, the threat of serious harm to persons or property covers an enormous range of conduct and this modern definition takes account that harm can result without violence, for example bioweapons.
Third, because we have moved from ″violence″ to ″harm″ it includes attacks on data which, of course, includes all currency, virtual assets and the like. This is not widely recognised but what it means is that a group that attacks a banking network or a health service system can be prosecuted under the same law as one that attacks a pipeline.
Fourthly, and here’s where the main complexity comes in, there must be an intention to influence government policy.
This, then is on the face of it simple. It’s not simple.
Some governments have confused this by adding a list of offences to anti-terrorism laws which do not require the specific motive. So for example, any form of invasion of certain premises such as airports or services such as computers may be regarded as ″terrorist offences″ even though they are not, actually, terrorism.
For terrorism, per se, we need to separate out the ″intent″ to commit the act from the ″intention″ of the purpose.
Did A strike B? Yes.
Did A intend to strike B? Yes.
The offence of battery is complete.
Did A intend to cause B serious injury? Yes.
The offence of e.g. grievous bodily harm is complete.
That is intent and that is an essential element of a crime.
Why did A strike B? In all but one case, that doesn’t matter insofar as guilt or innocence is concerned. The ″why″ is motive and motive does not go to guilt or innocence. It is a matter for sentencing, although very few judges make this clear to juries. What they should do is to tell the advocates that, except in two cases, motive should not be led by either side during the trial. Those two cases, incidentally, are self-defence or necessity.
So the creation of the offence of terrorism by the adding of motive requires, in broad terms, evidence that the act was committed for theological, ideological or political purposes. That includes, for example, the conduct of activists who use direct action. Their only safety net is if their actions could not lead to serious harm.
Classifying violent acts as violent acts and not as terrorism is a good thing because the proof required for the offence is simpler. This is because there is no need to prove motive.
Why does that matter to you? Your company is required to report suspicious activity for money laundering purposes. But terrorist financing is, usually, not money laundering. So there is also an express requirement to report suspicions of supporting terrorism. Here’s the problem: if your staff think the customer is supporting some criminal conduct other than terrorism, then no report is required. That is not the case in Singapore, by the way, where there has long been a requirement to report suspicion of funding any future crime.
I should, for the sake of completeness, draw attention to an interesting position in The Philippines: there are two discrete offences: terrorism, which is broadly in line with what I have outlined is one. The other is the offence of rebellion. Under that offence, an organised uprising for the purpose of replacing the government is not terrorism. It’s a fascinating distinction that is explored in an article by political science lecturer Antonio Contreras in the Manila Times only yesterday.
This talk of definitions is not esoteric. It’s especially important when a business operates internationally because it has obligations in each jurisdiction in which it operates which are, prima facie, identical but in practice are significantly different – and different means complexity, cost and an increased risk of failure with all the consequences that flow from failure.
In a case in the UK in 2019, protesters illegally gained access to an airport and immobilised an aircraft which was, just hours later, due to deport a number of people. Before that let’s have some context.
There’s a protest group in the UK called Plane Stupid – plane spelt as in aircraft. They have a muddled agenda ranging from trying to prevent a third runway being built at Heathrow to unclear climate issues. They’ve been getting arrested for illegally accessing airports for more than 20 years and some have been convicted. Their cases were dealt with in Magistrates’ Courts and therefore no reports are available other than those in the general media. In 2016, 13 members of the group were convicted of aggravated trespass and sentenced to six weeks’ jail, the sentence being suspended, and ordered to serve community service. Their protests had been designed to create maximum economic damage by blocking a runway at 03:45 hours, shortly before the first aircraft was due to land.
Clearly their actions were politically motivated with the intention to influence government policy but there was clearly no intention to cause serious harm.
In 2019, the trial of a very different type of case took place and included three of those convicted in 2016. In 2017, The Home Office had decided to deport a number of persons whose immigration applications, if one had been made, had failed. It chartered an aircraft which it parked overnight at Stansted Airport, London’s designated high-security airport. The protesters gained illegal entry and some of them used various methods to attach themselves to the aircraft. In this case, the charges were much more serious and were ″terrorist related.″
That was ″endangering the safety of an aircraft″ for which the maximum sentence is life imprisonment. The 15 members of the group were all convicted and, again, sentenced to jail with sentences suspended, community service and other non-custodial penalties.
It’s that ″terrorist related″ thing that we now need to turn to for while the definition of terrorism as noted above is quite straightforward, the tendency of governments to try to define everything in legislation or regulations has created a horrible complexity. The first thing is that many countries now have multiple Acts which cover terrorist acts. In those Acts, there are lists of types of conduct which may be considered to be terrorist acts or acts that are preparatory to terrorism.
But they are not actual terrorism.
These often include conduct such as illegally entering a restricted area at a port or an airport or the dealing or possessing, without lawful authority, certain things or things made, adapted or intended to be used in a terrorist act.
And, of course, there’s the financing of terrorism and I assume you are all familiar with the law and regulation in your own jurisdictions.
All of these issues require robust internal systems and controls and policies and procedures.
Some countries – for example here in Singapore – provide that a person or class of persons may be required to conduct an audit ″to determine on a continuing basis whether they are in possession of property owned or controlled by or on behalf of any terrorist or terrorist entity.″ That’s in the Terrorism (Suppression of Financing) Act 2002, section 9.
That clause is unusual in that form and therefore when companies operate internationally there will be differences between the legislative approach in Singapore and the legislative approach in other jurisdictions.
The big question is whether it matters.
The big answer is yes, but it shouldn’t.
The reason is this: without going into the technical arguments about belief, knowledge and suspicion, if a person has reason to know, believe or suspect that he has possession, custody or control of terrorist assets, he is guilty of an offence. His only defence is to make an appropriate suspicious activity report as promptly as he can and to follow instructions arising from that report. So it’s in everyone’s self-interest to make sure they are not holding such assets. To have a law requiring it seems like overkill. But is it?
Those in financial services are under an obligation to know their customer and his assets and this must be kept under review. But that obligation does not, in the vast majority of countries, extend to those outside the financial sector and the various extensions of that sector to which Regulations apply.
This clause, then, creates the facility for industries that are outside the scope of money laundering etc. legislation to be required to put at least this in place to identify the risk of terrorist financing.
That then raises another question: why restrict this to terrorist-related assets?
Singapore is a massive freeport, both marine and air. Under this provision the freeport operators can be required to identify assets that might be related to terrorism but not money laundering, counterfeiting, smuggling, etc.
Here’s the thing: there are various provisions. My argument is that they should be standardised and they should all be in one place to make sure that when one changes, they all change.
But that is Singapore. It’s one jurisdiction. If you are involved in any international business, is this an area that you have identified as requiring specific attention in each jurisdiction that you deal with?
I have taken one topic and demonstrated that the obligation to be aware of assets is inconsistent within one jurisdiction and that every jurisdiction will deal with this area differently.
I said I’d come back to sanctions so I will but, now we have all of the above context, we can deal with sanctions in a few sentences.
First, sanctions are not the same thing as embargoes. Embargoes are those things where one government says a product or a type of product may not be sold to specified classes of persons in a particular jurisdiction.
So Ford in the USA was found guilty of breaching an embargo on the sale of items that might be used for military purposes when Land Rover in the UK, which Ford then owned, sold vehicles to the government of an African country.
Companies have been prosecuted for selling stab-vests to the police in some countries because they could be used by soldiers.
An infra-red camera sold to an individual in Iran and fixed to his house to monitor his driveway resulted in a prosecution because infra-red cameras might be used in a military operation.
Sanctions are different. Sanctions are general instructions to not deal with certain persons or classes of persons or things. Sanctions are easy to deal with from a compliance perspective: whether a transaction is subject to sanctions is, basically, looking at a list and seeing if there’s a match.
Embargoes are less precise which is why there is a licensing system – sometimes a general licence and sometimes a specific licence. If in doubt, get permission. This, you will see, is not very different in principle to the rules relating to money laundering: if a transaction is in some way suspicious, permission to continue can, in some jurisdictions, be sought.
From an inspection point of view, then, the primary question is whether there is a system in place to identify transactions for which permission should be sought and what to do depending upon the result.
Beware: even if the transaction is authorised, the proceeds may be subject to counter-money laundering reporting.
This is your big challenge.
If you are, for example, the chief internal auditor for an international commercial enterprise, is every member of your global team fully prepared for all the nuances that they will come across, and the inter-relationship between them, as they review operations around the globe?
It should by now be clear: even though we are looking in this paper only at financial crime and not at all the many other forms of compliance which are often even more disparate, I think that in the current state of law and regulation, you stand absolutely no chance of that being the case.
If I may, I make a plea for everyone across the entire risk and compliance universe to come together and argue in favour of simplified and universal legislation and regulation that leaves the operational aspects of compliance to those in the regulated businesses.
To quote Sir Winston Churchill in his first speech as British Prime Minister, ″I feel sure that our cause will not be suffered to fail among men. At this time I feel entitled to claim the aid of all, and I say, “come then, let us go forward together with our united strength.”″
So back to my addiction.
What I’d rather see is that the obligation to avoid being involved in financial crime, be it money laundering, terrorist financing, bribery, corruption, fraud, embezzlement is not subject to such tight legislative and regulatory controls.
The mandate from government should be what, or what not, to do and should not specify the process.
In 1998, the perceived major evil of the day was drugs trafficking. The Bank for International Settlements issued its first statement of principles with regard to money laundering. It fit on one side of a piece of A4 and it was addressed to central banks. It said, in summary, ″banks will take all reasonable steps to prevent themselves being used for the laundering of the proceeds of drugs trafficking.″
Swap ″drugs trafficking″ with ″crime″ and add ″or the funding of future crime″ and that’s pretty much all that’s needed, plus a few words about avoiding involvement in bribery.
The prescriptive approach which regulators constantly ramp up has created an entire industry which generates massive expense in, in particular, financial services business and considerable friction.
When you operate across borders, you must comply with all those thousands of pages of similar but not identical legislative and regulatory requirements – and of course you have to be aware of the extra-territorial reach of the laws of several countries.
If a simple approach, not too far removed from the Bank for International Settlements approach, were adopted then you would be able to adopt standardised policies and procedures across international groups. There would be no need for localised policies.
That means everything from training to internal audit is the same – and that reduces friction and costs.
But what has happened is that, instead of simplifying things, international bodies, governments and regulators have added complexity and then said ″use tech.″ Sadly, they mostly have little comprehension of the tech. beyond a delight at all things shiny.
So let’s finish with a look at tech.
You might think that I'm anti-tech. Nothing could be further from the truth. I’ve programmed, I’ve designed, I’ve tested and implemented. I have had an excellent relationship with computers and their ability to make my life better since the late 1970s. Please note that I don't speak about any particular product or service and I don't recommend products or services nor do I deprecate any.
I do look behind the ″mere puff″ as it was described in an old English case to see what it does and what it should do but doesn’t. I ask ″what can go wrong?″
So, that said, if you cut through all the puff that characterises everything to do with dealing with fraud and other financial crime, and view the tech as a tool not a solution, then you can specify, implement and use technology to your advantage.
But getting the wrong tech is very expensive with costs wasted in many different directions - and the high risk that a regulator will be very interested in your failure.
The second thing to remember is that the tech is a form of outsourcing and you can outsource function but you can't outsource responsibility. If the tech doesn't work, it's the compliance team and the company that bears the responsibility and the consequences that flow from that.
True, there have been examples of where RegTech providers have settled claims with customers as a result of failures but that's no help in relation to regulatory consequences which include reputational damage and the risk of suspension or cancellation of licences.
So, in the next two or three minutes, we are going to open the door to things you must think about when you are specifying or purchasing tech.
First: do you know how algorithms work? For the past 15 years or so, I’ve run courses on how to build a financial crime risk matrix and today that subject is more important than ever. Here’s why:
An algorithm is a switch: yes or no. Either of those may have consequences which may be an action or may be to process another algorithm.
Algorithms must be programmed. Someone must say ″If A, then… ; if B, then…″
I’m not going to go into fuzzy logic except to say that fuzzy logic is a subset of the YES/NO algorithm in that it provides a maybe but the maybe is more like an instruction to pause and re-run the YES/NO algorithm, repeating the process until a YES or NO results.
To repeat, you must realise when deploying tech that you can outsource function but you can’t outsource responsibility. Aside from the legal aspects of indemnity, you have to know what’s happening inside that black box.
There’s a list of articles I’ve written about so-called artificial intelligence in the on-line version of this paper or you can just make a note to find them at pleasebeinformed.com, countermoneylaundering.com or the-yuan.com .
In 2016, I published ″Understanding Suspicion in Financial Crime″, the culmination of some 30 years of experience and a dozen years of research into how individuals do, or do not, form suspicion and why they do, or do not, report it. The book has been taken out of print and an updated edition is now an e-learning course.
It is important to realise that suspicion is not empirical. The fact that a person deposits 10,000 dollars in a US bank account is not a measure of suspicion: the reporting of that sum of money is a purely clerical exercise. Computers can do that.
But what they cannot do is assess all the information that one individual gathers about another and form a view as to whether, cumulatively, that information creates a feeling that might be called suspicion.
The increasing dependence on technology, by definition, means a move from risk to compliance.
Worse, in its attempts to do so, it depends on the prejudices, views and opinions of those who design the algorithms – and that’s rarely anyone that knows your business and your customers.
Sure, buy in watch-list monitors – they are a dime a dozen and they all list different things. You might want to consider an aggregator. Yes, buy in something that monitors for certain types of transaction that you identify as worthy of investigation – based on your own analysis of what’s important. Yes, work with specialists to identify the kind of data to collect and feed into your algorithms but make sure that they are your algorithms. There are many valid and varied uses for tech – but you must be in control.
The underlying tech is not complicated, but it is big. For every piece of information there are many possible relationships. That’s what your company needs to understand and work on. When you design, you work on classes of information not individual pieces, so you don’t need a massive team, a huge consulting contract, a global IT company.
You just need to know your own business and, at the risk of sounding just a little bit trite -
that’s what every one of you in this room is for.
1. Fuzzy logic was first described in an academic paper in 1977. In the 1980s, appliances began to appear: toasters and washing machines. The toaster is the example I like to give because I can make it amusing. ″is the toast browned yet, is the toast browned yet, oh, bother, it’s burned.″
In terms of risk and compliance technology, it could be something as simple as ″have we had x document yet″ to run on a particular date. I had these trigger events in the solicitor’s office system I worked on in the 1980s. We didn’t call them algorithms but they were: every day a list of actions would be called up and the system would look to see if, for example, we had had a defence in litigation or a deposit in conveyancing. An automated response would happen – either issuing an application for default judgment or a reminder letter. They would spew out of a printer for the attention of the relevant fee earner who also had a list of the requirements for the day.
That ″are we there yet″ algorithm becomes fuzzy when the child in the back seat asks it for the 100th time in five minutes and goes back to the beginning every time he gets ″no″ for an answer until you arrive and say ″yes.″
It’s important not to muddle fuzzy logic with unstructured data. Lots of people do.
2. I am often asked which I think is more important, Risk or Compliance?
Compliance is easy to understand: it’s a clerical function. I don’t mean that it’s easy to do but that’s why machines can do it albeit subject to adult supervision.
Machines have the advantage that they don’t think and they do as they are told, like the robots in a car factory: the same thing over and over again without getting tired, bored or wondering if there’s a better way.
In fact, when it comes to compliance, people are often the weak link precisely because they get tired, bored and think of ways to do things differently.
Also, people exercise discretion which is the antithesis of compliance as it is apparently viewed by regulators.
Risk is exciting, it’s challenging, it’s where my brain gets turned on. Machines can’t do it because risk is not about fixed data, it’s about interpretation and feelings. It is literally an emotional reaction. Most of what tells a good investigator or internal auditor isn’t in the data: it’s in the spaces in the data, what some people call a gut reaction. So my heart says that’s the most important.
And I wish it was because that’s what counter-money laundering laws are designed to do. But it isn’t.
Compliance is more important for the simple reason that regulators can’t measure success, they can only measure failure.
In relation to their own requirements, they may be codified but they are properly defined only during enforcement proceedings and then often due to fad and fashion, e.g. ″you didn’t update your systems to make specific provision for harm x.″
This approach is wrong because a properly set up system should take a long term view and harm x would be covered if not emphasised.
For all these reasons, regulators get to impose massive financial penalties for perceived breaches of regulations and to harm the reputation of those they regulate.
In several jurisdictions we are now seeing compromise agreements referring to ″alleged breaches.″ As a shareholder, I’d want to know why a company is paying hundreds of millions of dollars for conduct that is only ″alleged.″ I know the reasons but this isn’t the place to go into them.
As a result of this, all businesses have to pay more attention to avoiding problems with the regulator than to the actual risk of, for example, money laundering.
3. I said we need to dramatically simplify law and regulation. How would we do that?
I could write a whole book on this and maybe one day I will. Or I can summarise quickly, so let’s do that.
First, scrap, entirely, all law and regulation relating to money laundering, terrorist financing, bribery and corruption and fraud. They are almost universally not what’s needed.
Create simple offences. For example:
a) it shall be an offence for any person to have or at any time to have had possession, custody or control of any proceeds or benefit derived from criminal conduct;
b) it shall be an offence for any person to have or at any time to have had possession, custody or control of any property, asset or thing (corporeal or incorporeal) the value of which is in whole or in part derived from criminal conduct;
c) it shall be a defence for that person to prove on the balance of probabilities that he was not and could not reasonably have been suspicious that those proceeds or benefit were derived from criminal conduct.
That covers, without complexity, all the various approaches to money laundering.
And it puts liability where it belongs: in the hands of the person.
Here’s where it’s really interesting: by segregating the state of mind to c), it leaves the way open for the prosecution of companies which, in most jurisdictions, is very difficult.
The burden of proof as to actual laundering and the source of the proceeds remains with the prosecution; by moving the burden of establishing the defence to the defendant (which is why it becomes on the balance of probabilities) it takes away that defence from corporations – and robots, incidentally. So automated fintechs and e.g. cyber exchanges would not be able to argue that the company didn’t know so the company can’t be liable.
Regulations can be simple, too. It is not necessary, as some jurisdictions do, to specify the route by which internal suspicious transaction reports pass through the organisation. I have seen some very silly provisions which put internal reports directly into the hands of those most likely to be engaged in a money laundering scheme. Worse, it puts the identity of the person who is suspicious in the wrong hands, too.
The current rules are based in a time when internal messaging was rudimentary. Memos about the latest changes in counter-money laundering policies and procedures were literally sent in the internal mail and attached to the notice board with a drawing pin. If someone wanted to make a report, in many banks, etc. he or she would have to go to ask the manager for the appropriate report, fill it in and put it in the internal mail where, of course, it may be intercepted.
There were a couple of start-ups putting policies and procedures manuals on the intranet but there was little takeup. Branch managers were so resistant to technology that they had someone print out their e-mails and then they would dictate their replies which would then be transcribed. Incredibly, IT directors at banks were often unaware that this was happening.
Today, while there is still considerable resistance in some quarters, the intranet, or extranet, is where everything happens. This is where massive strides in technology and its effectiveness can be made – but they won’t because they are doing drudge work and techy people only want to play at what they think is the cutting edge.
But even at its simplest, provided adequate security is applied, forms should be accessible by all bank staff who complete them on a server, not locally, and then the form is locked, able to be accessed only by authorised persons in risk and compliance. I know some institutions do some of this but many, many do not.
So the regulation need only say that a business is ″required to make available to all employees a form for submitting a suspicious activity report in a manner which is secure to protect all information in the form including the identity of the person making the report.″
Equivalent simplicity can be created for confiscation and forfeiture provisions.
Make the funding of future crime, not only terrorism, a criminal offence. Then staff don’t have to try to work out what crime they are suspicious of. For a similar reason abandon all list-based approaches and rely solely on all crimes (i.e. those with a maximum jail sentence of 12 months or more) legislation.
4. I said ″money laundering is an offence for which the victim gets punished″ and perhaps I should expand on that?
I really do not accept the baying in the media for the blood of bankers, lawyers and others who are accused, as a class, of wilfully and willingly aiding criminals to hide, move and invest the proceeds of crime. Some do. Of course they do. There are corrupt people in every walk of life. But at the end of the day, criminals tend to be cleverer than bankers and lawyers, etc. or at least more sly.
Yes, on the one hand there were the people at Deutsche Bank in New York who specifically set out to move the accounts of Jeffrey Epstein to Deutsche but if you read the reports carefully, the bank was itself a victim of fraudulent conduct by a new employee.
Should the bank have been more cautious, should it have performed more checks – absolutely, but the fact remains that everyone has to trust someone.
As Thomas Renyi, the CEO of Bank of New York, said twenty odd years ago, ″we put our trust in senior employees, that trust was misplaced.″
Are we being told that every decision by every bank officer must be second guessed by the employer? Are we told that every employee is untrustworthy until proven otherwise, if ever?
I have done and published extensive research into suspicion in financial crime and the single thing that most militates against suspicion is this: we are inherently trusting of those with whom we have something in common and inherently untrusting of those we have nothing in common with.
Criminals play on that to build personal relationships with staff and banks trust their staff. So the bank becomes the victim of a fraudulent scheme that started when a criminal identified and bumped into a banker in the queue to get a cup of overpriced coffee in an environmentally dubious disposable cup. Or a church. Or a golf-club. Or …. fill in the gaps as you think fit.
5. I said governments are not ″anti money laundering″ and some might think I’m saying that governments are not trying to stop it.
I did and they are not. What they are trying to do is to compel criminals to deal with businesses that are required to collect and analyse data and to make reports.
At that point, the laundering has already started so as I said everything is reactive and that’s counter not anti.
The secondary purpose is to freeze and ideally confiscate the assets that the report relates to. But that’s stopping a laundering scheme that is already in progress and, again, it’s reactive.
What governments are trying to stop is – in some but far from all cases – the laundering scheme reaching a conclusion but if relevant authorities can work fast enough then the scheme may be permitted to run and the money traced so that the pipeline can be identified.
Often, the money disappears because no one knows which stage is the last but, again, with adequate cooperation, banks can be told to hold the money if it’s not going to another bank in a cooperating jurisdiction.
At least that’s the theory. As soon as we had 24 hour telephone banking and even rudimentary internet banking in the 1980s, the speed with which money could arrive in an account and be distributed far exceeded the capacity of the bank to monitor it and act on it.
Laws designed in the 1980s and early 1990s were ill equipped to take account of that but most laws and regulations, even though the language has changed, are still based on those laws that are now 30 odd years old.
Addendum: in the Conference I was asked about aggregation and I described the system as ″moronic.″ I was pressed for time and was not able to explain why this is.
Aggregation is where the amounts of multiple transactions over a set period of time are added together to reach a trigger amount. That trigger amount is different from country to country and from market sector to market sector. The most famous example is the trigger amount for Cash Transaction Reporting which, in the USA, is USD10,000.
That cash transaction reporting figure is an administrative figure and has no relevance to suspicious transactions.
However, financial institutions may set an internal figure, which may or may not be the same as the cash transaction reporting figure, as a trigger figure for initiating an internal suspicious activity inquiry – and in my view, they should, but that figure should be assessed with reference to individual customers or classes of customer, not a universal amount.
There is also a trigger figure below which one-off transactions may be conducted by persons with whom a financial institution does not have an existing relationship and has no expectation of entering into one. Again, that trigger amount is different from country to country and from market sector to market sector. If the amount is reached, then that person must be identified as if he were a customer.
Superficially, that all makes sense but the system contained a fundamental flaw when it was created in the 1980s and that flaw has been perpetuated as near-standard provisions have been introduced around the world. It is extraordinary that the flaw remains and the reason why it’s moronic is that it does not take account of this:
the first transaction, being below the trigger figure, never gets recorded for the purposes of aggregation and therefore there is no known starting point to calculate the value of transactions within the specified period.
We might assume that those first designing the system were focussed entirely on cash arriving in a single bank account.
But the opportunities for a single person to credit multiple accounts in multiple names within the same financial institution are facilitated, not prevented, by the lack of information relating to the person making the deposit.
Aggregation works ONLY in the event that the accounts of a single person (and who is known to be such) are credited. A single person can make deposits into multiple accounts provided he goes into multiple branches – and under the system as it is designed, no one will ever know. And that’s why I say it’s moronic.
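The aggregation gap described in this addendum can be shown from the monitoring side. The following is an added example, not part of the paper as delivered: a rolling-window aggregator run over constructed deposits, keyed first on the account holder, then on the depositor as recorded (blank where the sub-trigger deposit was made by a non-customer), then on the depositor as it would look if identity were captured on every deposit. The trigger amount, the one-day period, and all names and figures are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRIGGER = 10_000             # illustrative trigger amount (assumption)
WINDOW = timedelta(days=1)   # illustrative aggregation period (assumption)

# Constructed sample data, not real transactions.
# holder             = customer who owns the credited account
# depositor          = who actually handed over the cash (known only because
#                      this data set is constructed)
# depositor_recorded = what the institution captured; None where a sub-trigger
#                      deposit was made by someone who is not the customer
_ROWS = [
    # time,              branch, holder, depositor, depositor_recorded, amount
    ("2022-09-01 09:00", "B1", "H-1", "D-17", None,  4_000),
    ("2022-09-01 10:00", "B2", "H-4", "H-4",  "H-4", 6_000),
    ("2022-09-01 11:30", "B2", "H-2", "D-17", None,  4_000),
    ("2022-09-01 12:00", "B3", "H-5", "D-20", None,  3_000),
    ("2022-09-01 15:00", "B3", "H-3", "D-17", None,  4_000),
    ("2022-09-01 16:00", "B1", "H-4", "H-4",  "H-4", 5_000),
    ("2022-09-03 17:00", "B1", "H-4", "H-4",  "H-4", 2_000),
]
_FIELDS = ("time", "branch", "holder", "depositor", "depositor_recorded", "amount")
DEPOSITS = [dict(zip(_FIELDS, row)) for row in _ROWS]
for _d in DEPOSITS:
    _d["time"] = datetime.strptime(_d["time"], "%Y-%m-%d %H:%M")


def aggregate(deposits, key_field, trigger=TRIGGER, window=WINDOW):
    """Rolling-window aggregation of deposit amounts grouped by key_field.

    Returns (flagged, skipped): flagged maps each key whose total within the
    window reached the trigger to the peak total seen; skipped counts the
    deposits that could not be aggregated because the key was not recorded.
    """
    recent = defaultdict(deque)   # key -> deposits still inside the window
    running = defaultdict(int)    # key -> sum of those deposits
    flagged, skipped = {}, 0
    for dep in sorted(deposits, key=lambda d: d["time"]):
        key = dep[key_field]
        if key is None:           # no starting point: nothing to add it to
            skipped += 1
            continue
        queue = recent[key]
        queue.append(dep)
        running[key] += dep["amount"]
        # Drop deposits that have aged out of the aggregation period.
        while dep["time"] - queue[0]["time"] > window:
            running[key] -= queue.popleft()["amount"]
        if running[key] >= trigger:
            flagged[key] = max(flagged.get(key, 0), running[key])
    return flagged, skipped


if __name__ == "__main__":
    for field in ("holder", "depositor_recorded", "depositor"):
        print(field, aggregate(DEPOSITS, field))
```

Keyed on the holder or on the depositor as recorded, only the customer paying into his own account reaches the trigger; the three 4,000 deposits spread over three holders and three branches surface only when the depositor is captured on every deposit.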
My boss keep saying he wants an algorithm. Is it a soup or a sandwich?
Algorithms aren't omnivores
Financial adviser's AI back end is pants.
Yes, no, maybe (part 1 of a series)
Rebellion is not terrorism: https://www.manilatimes.net/2022/09/27/opinion/columns/rebellion-is-not…