Nigel's Eyes

20211217 Of too much law and regulation


Well, that didn't go so well, did it?

Just a few weeks ago, it seemed that CoVid-19 containment measures were bearing fruit and more countries announced plans to re-open borders. That would have meant that, for the first time in almost two years, I would have been able to travel and, more importantly, once I'd finished an assignment overseas, to re-enter Malaysia where I live.

Sadly, the Omicron variant has resulted in many countries returning to various forms of restriction of which quarantine is the most common. Others have imposed selective travel bans and others have postponed plans for a general re-opening. Moreover, changes are often made at short, i.e. less than a day's, notice.

For residents, more countries are now strongly recommending, or requiring, that many people work from home. It is this "work from home" thing that concerns me: over the past two years we have seen a dramatic increase in the output of regulators and supranational bodies. "Think Tanks" are generating ever more material but of an ever narrower focus.

We see financial institutions setting up security systems that are effective silos. There are two reasons for this, I think. The first is that work from home has led to a high degree of autonomy for staff who operate without the usual checks and balances that in-office discussions provide. Thought processes become, like a plant in a pot, root-bound. Those who are thinking up policies or procedures are anxious that they do not fall into self-doubt and so they don't question what they have done: they don't ask the essential "what if" questions. The end result is that there is a tendency to fall into the "more is better" approach that, ultimately, becomes a quagmire into which risk and compliance - and front line staff - inevitably sink.

The deluge of law, regulation, guidance and so on that has landed in the past 18 months is, frankly, stupid. The world and his grandmother and her dog are determined to prove that they still have purpose. The fact is that we are presented with half-baked ideas that will, because this is what happens, end up as policy.

We do not need multiple, related, organisations producing their own documents. It's an easy target I know but let's think of the Financial Action Task Force. It's a club made up of representatives of, mostly, treasury departments. Its Recommendations are addressed to its members. It once said that it intended to take to itself the power to address financial services businesses directly but it has no standing to do that. So it has done the next best thing: it's created priorities that it publishes. Its members point at it and say to e.g. banks "that's the best practice so you should follow it." But is it?

One of the fascinating things in the recent NatWest case in the UK is that the Guidance approved by the Treasury, and therefore more or less enforceable, omits a relevant point whereas the Financial Conduct Authority's notes, which have regulatory effect but are not "approved" under the secondary legislation as more or less required for criminal prosecution purposes, do include it. Why are two sets of Guidance needed and why is the FATF adding another? In the USA the plethora of prosecution and regulatory bodies, many of which overlap, is resulting in a tidal wave of material that no risk and compliance officer can hope to manage. As the FATF, the Bank for International Settlements and national laws (many of which can be applied internationally), industry groups such as Wolfsberg and others all publish their own documents dealing with the same issues - mostly in similar ways - the pressure on financial crime risk and control officers is increasing exponentially. It always was a difficult job.

Now it's becoming impossible.

I have long argued that regulatory risk is bigger and more pressing than the risk of prosecution as a money launderer. In fact, in the 1980s and early 90s when I was still in legal practice a large part of my work was in identifying the legal and regulatory risk of new laws including EU law.

The NatWest case shows that: the bank has been convicted of the crime of failing to comply with regulatory measures intended to detect and deter money laundering; it has not been convicted of money laundering per se. This, then, is a criminal conviction for an essentially regulatory offence. This approach is not new: in the USA, Bankers Trust was convicted of failure to comply with the cash transaction reporting requirements under the Bank Secrecy Act well over a quarter of a century ago. There have been many such prosecutions since although, in terms of quantity, few come close to the case of a Las Vegas casino where completed reports were not submitted but were, instead, stuffed into cupboards. And, of course, all over the world companies are convicted of criminal offences for regulatory breaches in health and safety, environmental crime, etc.

Next week, I will add to our Case Studies module a detailed look at the judgment and supporting documents in the NatWest case. I look at the legal and regulatory background and analyse selected points of failure. One of the points of failure specifically mentioned in the judgment is something I drew attention to in "Understanding Suspicion in Financial Crime," a book which has now been withdrawn and updated and republished as an Advanced level course. To oversimplify the point in "Understanding Suspicion", an example of failure is where a member of staff does not perform as he should because he thinks that "they will do it".

The circumstances of the NatWest case long predate CoVid-19 and the difficulties set out above. Yet the problems of legal and regulatory over-reach, prescription and narrow, even isolated, thinking were present then. They are much worse now.

I have always argued that systems should be rigid but awareness must rely on flexibility. The current trend reverses that. It says that any tech is good tech, that the tech should be relied upon.

There's a reason why cars are designed by people, built by robots and tested by people. That same reason must be applied to risk and compliance. It's the people who face the customers who know their customers.

Spoiler alert: that's the core failing in the NatWest case.



Stay safe, stay healthy, get your boosters and avoid high-risk environments but, most of all, have a great Christmas, a Happy New Year and, fingers crossed, a much improved 2022.


Nigel Morris-Cotterill