Conference and Academic Papers

2011 What's wrong with Counter-Money Laundering Laws? (part 3)

Part 1 of this article is here:
Part 2 of this article is here:
Part 2
Part 3 of this article is here: Part 3
Part 4 of this article is here: Part 4
Part 5 of this article is here: Part 5

Suspicious activity report v suspicious transaction report

There is a fundamental difference in principle between a suspicious activity report and a suspicious transaction report. This difference informs the nature of information that is contained in a report to a financial intelligence unit. It also changes, at the most fundamental level, internal risk and management policies and procedures and training.

The difference from an FIU perspective is the nature of the information obtained. Information relating to "transactions" is hard information. It relates to an actual movement or possession of assets, or change in ownership, and as hard information it can be viewed as evidence. Information relating to "activity" is much more nebulous and is best viewed as intelligence rather than evidence.

A transaction report provides direct access to information relating to the parties to the transaction, the movement or other dealings in assets and those involved in the transaction, including the financial institutions involved. An activity report may provide all of the information in a transaction report, but in addition includes information beyond the specific dealing, for example, as to suspicions relating to known associates. Within a financial institution, transaction reports may be triggered by internal exception reports based on such things as financial limits, high-risk persons or places or inconsistencies with the expected conduct of an account.

An activity report may include a raft of background information, for example: that a person drives a car which is inconsistent with the financial position which has been disclosed; wears clothes and accessories or lives in a district that he cannot afford on his own income. A home visit, perhaps for the purposes of will drafting or writing an insurance policy, may reveal a level of luxury or holdings in assets including cash that the declared employment would not deliver.

Arguably (and this is sometimes claimed by advisers) if a transaction is offered to a financial institution and declined, an STR would not be appropriate. There is no argument in relation to an SAR; it would be. It can be seen that SAR provides a much wider picture of a target's position which, when analysed by an FIU, can result in an investigation when an STR would not. Further, an SAR may provide a much more comprehensive picture of the target and his associates and may be the starting point for identifying a money laundering network.

An SAR system will result in many more reports being filed, leading to increased costs for both the FIU and financial institutions. The trade-off for the FIU is that its intelligence is greatly enhanced, and for financial institutions the trade-off is a reduction of the risk that they might be used for money laundering. In the U.S., there is a de minimis figure for an SAR. If the suspicion relates to laundering of less than $5,000 it is not necessary for a report to be filed. That, surprisingly, means that the vast majority of accountants do not have to report tax evasion on income of up to approx $20,000 (assuming a 25 per cent tax rate).

In the UK, accountants argued that they should not have to report evasion of less than £1,000.

Assuming that there are some 100 million taxpayers (corporate and individual) and that half of them impress on their accountants that they can without risk simply understate their due taxes by £1,000 and that, if the accountant refuses they will take their business elsewhere, that leads to an annual tax shortfall of 50 million x £1,000 = £50,000,000,000. This, it has to be remembered, is before any illegal tax shelters or large scale evasion are applied. Any properly drawn law will therefore need to provide for suspicious activity reports and exclude any de minimis figure below which a report need not be made.

Cash transaction reporting v suspicious transaction reports (suspicious activity reports)

The U.S. was the originator of the cash transaction reporting system and still considers it an essential tool in intelligence collecting. As inflation has eaten into the $10,000 limit applied under the Bank Secrecy Act, however, $10,000 is now a much smaller value. As late as the mid-1990s, the U.S. resisted the creation of an SAR regime but eventually fell in line, as it should given its membership of the Financial Action Task Force. When it did so, it introduced a system that had the narrowest application it could get away with.

Even now, the U.S.'s SAR system is weak compared with those of many other countries, including some which were criticised by the FATF in its Non-Cooperative Countries and Territories scheme. Indeed, some countries have not been allowed to be removed from the scheme despite the fact that some of them have regimes that, in all material respects, exceeded that of the U.S.

Australia, like the U.S., is convinced of the value of CTR, but included an STR regime from the outset. The U.S. and Australia have greatly influenced the development of counter-money laundering laws in the developing world, particularly Asia Pacific, and have insisted on a combined CTR/STR (SAR) system.

There are merits in reporting as a matter of course certain cash-equivalent transactions, provided they are set at an appropriate level. There is a considerable amount of low-level laundering by individual criminals in casinos, for example, notably those who have embezzled money from their employers or claimed state benefits to which they were not entitled to fund a gambling habit. These tend to be relatively small amounts individually, but collectively build up to a substantial amount over time. Similarly, expatriation of funds, and on the other side the receipt of funds from overseas, is a valuable source of data and may provide, over time, a picture of a target's financial position.

Domestic activity in small sums of cash is generally not particularly helpful. It tends to provide a great deal of statistical noise which contributes nothing in the vast majority of cases. For example, in cash economies (which includes certain ethnic groups living overseas and remote communities, such as small rural communities) cash is the normal way of doing business. It follows, then, that these communities are more likely than not to feature in the statistics, and therefore to suffer from a negative profile based on race or location.

Further, CTRs have a significant flaw built into them. As a result, much of the data which would prove most valuable is never collected and therefore can never form a part of a CTR. This is bound up with the process for taking on new customers. All countries provide that a person who conducts a one-off transaction below a specified limit is outside the customer identification system. Where a CTR system is in place, there is always a provision for aggregation, i.e., that a customer must be identified if he undertakes a series of transactions that would exceed that specified limit.

Such aggregation systems often come with time limits, some of which are as short as one day, which is useless for aggregation purposes. Of much more importance is if person conducts a one-off transaction for which no identification is required, then the institution has no information upon which to base any calculation of aggregation. A non-account holder could go into multiple different branches of the same bank on the same day and cash cheques and the bank would have no idea that it had performed that service in circumstances that required identification.

This is not the same as structuring transactions to avoid the making of an STR, and although it would be possible to modify the offence of structuring to include avoiding the identification procedures, the bank would still have no information which would allow it to identify the person it had dealt with. It is here argued that, except in specific instances such as those outlined above, the assessment of whether a cash transaction should be reported is best assessed by the financial institution that knows its customer. Internal systems should apply cash transaction limits outside which exception reports will require consideration as to whether an SAR should be filed.

This would lead to reduced costs for both the FIU and financial institutions, and particularly for smaller entities which do not have automated procedures for cash transaction reports and which already bear disproportionately high costs.

The question of aggregation is equally important in relation to CTRs filed with an FIU and in relation to exception reports within a financial institution. The limit below which identification is not required should therefore be set at a very low figure: perhaps as little as $250 or the equivalent. However, that identification should be on a greatly simplified basis such as production of a driving licence, passport or state-issued identification card. There should be no requirement for additional due diligence unless aggregation results in the total of transactions reaching the limit for full identification procedures. Also, aggregation should take place over a period that would present a reasonable picture, and inconvenience the money launderer; 28 days should be sufficient for the simple reason that a runner will soon run out of financial institutions to target if he can only visit each one once in a month.

Some kind of biometric cross-referencing should be deployed: a thumbprint reader, iris scanner or facial recognition. The cost of such equipment is now easily within reach of banks for use at their counter services. Financial institutions will not introduce such systems readily and so any properly drawn law will need to demand that they are introduced within a short time-frame simply to avoid the certainty that some will delay until the last minute. To protect privacy and human rights, this biometric data should not be released to the authorities unless it is as part of an SAR and the law should provide that it is not available to law enforcement agencies, even upon warrant.

List by activity or by business type?

In the same way that listing predicate crime leads to inconsistency, complication and cost, listing business areas is a poor idea. It is much simpler for activity rather than business type to form the basis of whether a business is to be required to implement risk management systems for counter-money laundering and anti-support for future crime. The UK demonstrated the benefits of this slightly "fuzzy logic" approach when the FSA found that so-called "land banking" fell within the range of activities classified as collective investment schemes. Other countries had to scurry to change law and regulation to deal with a sudden upsurge in this activity.

The advantages of having an activity-based approach were further demonstrated by the fact that, for several years, solicitors in the UK were included within regulations passed under the EU directive, whereas their equivalents in most other EU countries were not. It is to the UK's shame that it reduced the range of lawyers covered by the regulations to meet a lower EU standard (which is now the FATF-approved standard) instead of insisting that the broader range remained.

The activities that should be included in a list would include the following, non-exhaustive list:
1. Deposit taking.
2. The making of secured loans.
3. The making of unsecured loans exceeding $200 and/or interest rates (including fees or profit (in Islamic banking) converted for the purposes of calculation to equivalent of interest) exceeding 10 per cent per annum.
4. Making payments to a third party on behalf of a customer.
5. Providing trade finance including but not limited to factoring, forfaiting and letters of credit.
6. Advising on the setting up of business structures including but not limited to corporations, partnerships, foundations, etc.
7. Advising on the setting up of trusts.
8. Providing trustee services.
9. Providing company services including company secretarial, share register, nominee director or shareholder services, an address for delivery or collection of mail and/or packages, delivery services where the items delivered include precious metals, minerals, cash, credit or other payment cards.
10. Provision of legal advice including advice on payment or avoidance of tax, the creation of tax-efficient structures, tax shelters and so on.
11. Provision of legal advice including advice relating to any dealing in real property or any lease.
12. Advice on the sale and/or purchase or other transfer of shares.
13. Execution-only or brokerage services in relation to the sale and/or purchase or any other transfer of shares.
14. Sale of precious metals, minerals (raw or as jewellery or other items) or motor vehicles.
15. Operating any investment fund in which investors are not the manager personally and/or his spouse, parents, siblings or children.
A comprehensive list will be included in the draft law set out later in this series.

Who should report?

Almost all laws require the general population to report their suspicions of money laundering required to report to the FIU and, as they are not employed by a business in the regulated sector, they will not, generally, report internally. Indeed, even if a business outside the regulated sector does put in place internal measures to detect and deter money laundering, arguably an internal report within such a business would prima facie constitute tipping off.

This makes some sense because there would be no controls as to who is (it's a current issue) responsible for receiving reports and if the company is knowingly involved in money laundering then it would be likely to want to know if a member of staff was suspicious. As a result, he receiver of reports would not, be independent. Some have suggested that the regulated sector is so large that it is pointless to draw a distinction. This is probably not the case, primarily because the fact that it is regulated does allow some vetting of compliance/risk management/report receiving officers.

Provisions certainly need to be made to enable businesses outside the regulated sector to enter into voluntary registration, including the approval of officers. In this way, they would be able properly to implement a risk management system for these purposes. It may also be the case that the regulated sector excludes some who should be in it. All transactional and litigation lawyers should be included within the regulated sector, as should those advising on corporate structures, taxation, trusts and a number of other areas.

The UK's original definition, which tied solicitors (in particular) into the activities under the Financial Services Act 1986 provided a satisfactory range. Changes in legislation and specific provisions limiting which parts of legal practice are within the scope have undermined the effectiveness of the law. Auditors (including external internal auditors) are a voluntary class under the FATF R40. They should be included.

The funding of future crime, including terrorism

There is no technical reason why terrorism should be singled out from a funding of future crime perspective. Indeed, from a risk and compliance perspective, it is better that it is not.

A car dealer might say, "He bought the van for cash, it was only £200. I thought he was going to go ram-raiding" (this is a car/robbery offence and nothing to do with sheep). That would be a reasonable defence to a charge that he should have made an STR, the van having in fact being used to deliver a bomb. Or a family might say, "We knew he was a robber but we let him stay with us because we know his family; we had no idea he was a terrorist."

Permitting any kind of differentiation between terrorism and other crimes opens the door for defendants to argue that they cannot be convicted of an offence of funding or providing material support to a criminal who is not a terrorist. This position is very similar to that which relates to lists of predicate crimes. Both the UK and Singapore have removed the distinction and that is a sensible course that other countries should follow. In a belt-and-braces approach, however, both maintain independent legislation relating to the funding of terrorism.

Status of regulations, guidance notes, etc.,

There are time and costs implications in relation to modifying primary legislation and keeping it up-to-date. There are also disadvantages in the alternative, i.e., the use (in Europe) of directives (under which national governments are severely constrained as to what modifications they may make), secondary legislation and non-legislative provisions that are, sometimes, given the status of quasi-secondary legislation.

At the moment, however, the position in almost every country is that this approach has led to inconsistency, due largely to there being multiple regulatory/professional bodies and, in some cases, the fact that the guidance notes have been drafted by the industry itself, which has sometimes led to a tendency to sidestep some of the difficult issues.

It is therefore desirable that the broad framework of the systems and policies required in the regulated sector (a term examined below) is set out in primary legislation, but that detail is handled by secondary legislation. Guidance notes should be exactly that and should not be elevated to the status of law, nor be allocated a power to enforce them. In cases where they are issued by regulators, they should have the status of industry or professional regulations and be enforceable as such. Moreover, the status of industry guidance notes in courts should be clarified: some regard it as a defence to demonstrate that guidance notes have been followed but that approach the jurisdiction of the court under the primary (or, where appropriate, secondary) legislation. Where rules and/or guidance are required, they should be issued by the FIU under the regulatory powers discussed below. Such a course of action would enable rapid change without the need to revert to parliament.

Powers of and FIU

There are several discrete models for an FIU. The FATF requires only that an FIU receives, analyses and in some way refers that analysis to prosecutors. Such a minimal application of the requirements is common, but becoming less so.

For example, in Thailand, Nigeria and, since very recently, Indonesia this model has been expanded by the addition of investigatory teams and prosecutors. In Malaysia, the model has been expanded by adding the power to freeze assets pending a decision on prosecutions and it has a preliminary investigatory function. It is also developing a prosecution function.

In the UK, where the FIU is part of a larger intelligence unit called the Serious Organised Crime Agency, it has a power to freeze. In fact, technically, assets are automatically frozen when an STR is filed, and the FIU has the power to release or continue that freezing. Although it has an analysis function, however, it has no investigatory or prosecution function. A dedicated asset-freezing and confiscation unit (somewhat improperly called "asset recovery") works alongside SOCA but is not part of the FIU. The equivalent body in Australia also incorporates investigations but prosecutions are handled by the Australian Federal Police.

The U.S. has expanded the function by the addition of a "regulatory" function, but its powers are not well-integrated with the regulatory sector as a whole, mainly because the U.S. has a very fragmented regulatory sector. It is here argued that the most suitable model for an FIU would be one in which the following activities were combined:
1. A regulatory function including the issue of rules and guidance notes.
2. Inspection and audit of counter-money laundering systems, policies and processes and compliance with them; prosecution of criminal failure to comply.
3. Receipt and analysis of SAR/CTR.
4. Pro tem freezing under administrative powers of assets referred to in SAR/CTR or which investigation shows are connected to those assets.
5. Defending applications to the court for extended freezing/seizing orders and cross-application for confiscation forthwith.
6. Investigating offences and preparing cases for prosecution either by its own prosecutors, a national prosecution service or the prosecution department of a relevant body.
7. Powers of entry, search, preservation of evidence, compulsory response to questions (with protection against the use for prosecution of self-incriminatory answers (although this is not the same as the right to refuse to answer for reasons of self-incrimination).
8. Power to hand over results of investigation to those prosecuting the predicate crime (where appropriate) and to provide technical assistance.
9. Power to enter into mutual legal assistance treaties/memoranda of understanding with domestic and foreign agencies including the power to question targets in foreign jurisdictions before commencing extradition proceedings.
10. Power to mount undercover operations including agents provocateur.
11. Power to bring criminal prosecutions, although the civil penalty regime should be removed.
Civil penalties

It is here argued that the concept of civil penalties is, at its heart, flawed. If the law requires that certain actions are taken, then breaches of that law are, prima facie, matters to be dealt with under the criminal law.

The civil penalty regime allows for the naming and shaming of a financial institution but this has been shown to be of little interest to the public at large. Indeed, the entire question of reputational risk, which was expected to raise the spectre of customers or clients decamping, has proved to be a damp squib. The only reputation risk of any significance is that of increased scrutiny by other regulators. The naming and shaming rarely makes it into mainstream media.

A criminal prosecution is, however, much more likely to hit the front pages. The U.S. provides a perfect example: it deals with domestic banks under the civil penalty regime but prosecutes foreign banks, and it is the latter which are the focus of publicity.

This is an iniquitous situation which is made still worse because it robs the public of justice. Criminal conduct should be punished by a criminal conviction and fine, not by a negotiated penalty, many of which are tied to a "without admitting or denying the allegations" clause which is, in effect, a gag on the media. Again, using the U.S. as an example, regulators carefully phrase their public relations statements to protect themselves against libel proceedings by an institution that has paid a substantial penalty. The statements are laden with get-out phrases such as "according to court documents" and "alleged".

As a result, the apparent protection under the Digital Millennium Copyright Act (which says that a web site or author of an e-mail is not liable for libel if it merely repeats what has been found published somewhere else on the internet) is subject to serious constraints. If one regards the "blogosphere" as a global village pump, then these constraints hamper the entire point of naming and shaming, i.e., that a company's reputation is called into question. It is therefore important that allegations are proved so that the qualifying statements are removed and that a conviction is obtained. Risk to reputation then becomes real rather than illusory.

Moreover, the question of civil penalties calls into question the independence of the regulator. In several jurisdictions, civil penalties are retained by the regulator which settles them. In short, it forms part of the regulator's funding. This is a clear conflict of interest as the interests of justice cannot be served when the party imposing a penalty has a direct financial interest in that penalty.

It is therefore argued here that the civil penalty regime has no place in relation to those matters that are criminal in nature, and that negotiated settlements of penalties for regulatory breaches must include an admission of liability and a finding of failure. Otherwise the settlement is, in principle, no different from a defendant saying, "drop the robbery charges and I'll make a voluntary tax payment of x".