Which supervisor should be the regulatory body?

Decisions about which bodies or organisations should have responsibility for counter-money laundering regulation frequently appear illogical. First, a history lesson: when the Bank for International Settlements wrote the Basel Accord, it was providing global support for the UN's Vienna Convention. In the late 1980s, the idea of an independent central bank was still somewhere over the horizon. They were still very much a part of the Treasury, as they are in most countries even today. As the Bank of International Settlements has always been, for this purpose, the central bankers' club, it follows that its actions were closely tied with countries' treasury departments.

When, a year or so later, the Financial Action Task Force was formed, it was created by the treasury departments of the G7 countries. This shaped the future of how the regulatory aspect of counter-money laundering laws would develop. When the EU began the preparation of what would become the First Money Laundering Directive, EU law demanded that each country should nominate a ministry that would be responsible for the implementation of the directive, which did not need primary legislation in member states. In most EU countries, the department which was nominated was the treasury.

As a result, FIUs are more often than not part of the treasury (although in some cases, Chinese walls are erected between the FIU and other parts of the department). In other cases, the FIU is part of the central bank, again with Chinese walls between the FIU and other departments.

When the first FATF Recommendations and the First Money Laundering Directive were published the almost universal position was that banks were regulated by the central bank while other financial sectors had independent regulators. The merits or otherwise of a single financial regulator are outside the scope of this paper, except to the extent that the issue is live in relation to counter-money laundering.

The idea of reporting the proceeds of crime (limited to drugs under the Vienna Convention) and of providing support for terrorism (in the UK, at least) began in the mid-1980s. The development of a common approach to risk management (although it was not regarded as such at the time) did not begin, however, until the FATF set out its recommendations and the EU produced the first directive.

From the outset, it was clear that there were core principles which applied to all businesses that were required to put in place systems to manage such risk. The disparity of regulators, and turf wars between them, and the decision by some regulators to absent themselves from the regime because national law applied the Vienna Convention narrowly and took the Basle Accord at face value, meant that some sectors were entirely outside the regulatory regime in certain countries while within it in others and that, even where multiple sectors were included, they would receive different instructions on how to comply.

This provided criminals with the opportunity to slip between regulatory regimes even in the same country. Add in the differences between countries and enforcement began to look like playing chess in 3D. The FATF/EU approaches brought some improvement but even so some countries, notably the U.S., failed to produce a comprehensive policy covering even banking, insurance and securities; indeed, even today, it has not done so.

In response to these issues, the BIS, the International Organisation of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS) in Joint Forum produced a set of core principles, recognising the peripheral differences between the sectors. Some countries, for example, Malaysia, have adopted this concept despite having multiple regulators. Even so, outside the banking, insurance, securities sectors, monitoring and enforcement of compliance is largely in the hands of individual regulators.

This is not an acceptable situation. The risk management and compliance costs are substantial. It cannot be acceptable for different standards to be applied, either regarding the systems required or the enforcement and compliance with those systems. Further, in complex financial institutions, it is unacceptable for different divisions to be regulated for the same purpose either by different or by multiple regulators. Nor is it acceptable for there to be multiple regulators, or regulators and criminal prosecutors, which deal with the same institution for the same conduct. This is costly to the state, costly to business and diverts resources away from other potential investigations or activity.

It is therefore imperative for the design, implementation and regulation of compliance with counter-money laundering systems to fall within one department or agency which covers all those businesses that are regulated for counter-money laundering purposes. In this author's view, the most appropriate body to deal with such issues would be the FIU, and compliance with statutory obligations should be enforced through the criminal justice system rather than through the financial sector or other regulatory bodies.

Who should be regulated? (defining the regulated sector)

The list of business activities which are subject to a requirement to put in place systems to detect and deter money laundering has grown significantly in the past two decades. In the absence of any better term, those within its scope are generally referred to as "the regulated sector". This term, however, breaks one of the cardinal rules of drafting, i.e., that one should not use the same term for two things unless they are the same thing, and of course here the term "regulated" is being used in relation to two entirely different things: financial services (or other industry-specific) regulation and regulation for the purposes of counter-money laundering laws.

The term "financial sector" is inadequate because the range of businesses that are required to take action extends far outside the financial sector and therefore includes businesses that are not "regulated" for financial or professional purposes. Despite these objections, there would appear to be no more suitable term given the wide scope of laws today. The most fundamental question in relation to defining the regulated sector is whether to define businesses by type or by activity.

To define by type is unsatisfactory because it requires that a list be created and maintained. When new business types appear, or an omission is discovered, then the amendment of that list is time-consuming and potentially politically problematic (as with lawyers who held up the EU's second directive for several years). A list of activities which, if a business undertakes them, will bring that business within the regulated sector, can, however, take account of novel business types which conduct the relevant activity. Further, an activity-based list can be much simpler and shorter than a type-based list.

Instead of "providing banking services" (which often itself has to be defined by reference to other legislation) the following may perhaps be suitable: "any business which maintains an account for a customer or client receives, holds and pays out any sum from, for or on behalf of that customer or client".

This simple phrase includes: all deposit-taking institutions; all stockbrokers (including those offering execution-only services); law firms and accountancy firms which hold money in client accounts; all insurance companies and brokerages; all money transfer businesses; estate agencies that take deposits or collect rents. In fact, the only argument against a clause of this nature may come from those who wish to avoid it being applied to them and seek to complicate it or seek a specific exemption.

Customer identification

Timing: Much has been written and even more said about the timing of customer identification and due diligence procedures. Financial institutions argue that the conduct of business should not be delayed while a customer produces essential paperwork. Risk management principles say that criminals know that such an approach gives them a short period in which to do illicit business and then to disappear.

That period is not necessarily very short. In one case known to the author, a bank took on customers and allowed up to six months for the completion of verification of identity. Suspicious activity often arises during the first six months of an account's opening. If the financial institution does not have sufficient information upon which it can analyse possible suspicion, then arguably it is wilfully blind to any money laundering transaction that might occur.

There is little justification for a customer claiming a banking emergency. An obvious reason for a firm to take in business before the due diligence process is complete might be where it does not want to lose business to another firm just down the road which will not have such scruples. Rather than provide for a work-around, then, to give full impact and effect to the law, a more proper approach is to ensure that all financial institutions are bound to the same standard. That standard should protect the system and the specific financial institution and should therefore adopt the strongest position, i.e., that no transaction may take place until full due diligence procedures have been followed.

It should be noted that this should not prevent the opening of an account and the placing into that account of moneys. This might seem illogical but in fact it fits perfectly with the objective of being in a position to freeze and, ultimately, forfeit the proceeds of criminal conduct. What should not be permitted is the release of those funds back to the account holder or any third party unless the financial institution is entirely satisfied with the due diligence information and is confident that there are not reasons to be suspicious.

Further, no financial institution should issue any receipt for money deposited, including statements or any form of acknowledgement, until it is entirely satisfied as above. The reason for this is to prevent such a note being used to prove the deposit and to use it as a form of security, thereby releasing the value even though the funds remain in the hands of the original institution. Provided that this system is applied globally and in all forms of financial institution, then money launderers will have a much harder time making short-term deposits.

Procedures

Although many have tried, it is impossible to produce a clearly defined list of acceptable documents which will be available or appropriate in all cases. Each country will therefore need to have regard to what official identification documents are available to it but must also take account of those persons who do not have or are not entitled to those documents. In addition, provisions must be made for foreigners.

There should be no "simplified" due diligence, although due diligence processes should take into account the reality of life, which includes that the majority of the population in some countries have a salaried job, no other outside source of income except, perhaps, specified investment income, or a pension. Their expenditure follows a broadly standard pattern (people have mortgages, pay rent, utility bills and hire purchase) and broadly similar credit card bills.

It follows, then, that the question of customer due diligence is much more than simple name and address verification. It also involves asking for and obtaining the information that would set the customer's financial profile against a risk matrix and therefore define the customer's risk profile. A customer's risk profile will, however, vary depending upon how his income is derived, whether his job exposes him to the risk of being offered, or in a position to demand, corrupt payments, or whether he is "independently wealthy" and therefore has no discernible source of income.

So-called "enhanced due diligence" arose not because it was anything special but because some jurisdictions, notably the U.S., had failed to adopt a standard similar to that already in place across much of the world. When it came up-to-speed, it needed a name and so it was termed "enhanced". It had previously used the term "simplified", which in this author's view was insufficient and amounted to little more than name and address details.

There are cases where, arguably, limited customer identification measures are sufficient, for example: a public company trading its shares on a recognised exchange (itself a term that needs to be clearly defined); a contract for life insurance with low premiums; a pension policy which cannot be used as security and cannot be surrendered until a specified age, not being more than five years younger than the national retirement age; certain low-value schemes such as pre-paid cards or services; and one or two others.

Nevertheless, no bank account, for example, could be included in this scheme, and indeed a business activity or trade, profession or business should not be included simply because it has its headquarters in an FATF member country (using the "measures of equivalent effect" argument). In the case of corporations, where more than 25 per cent of the shares are held by an individual or close group, then the public company exception should not apply.

Where the public company exception does not apply, regardless of the size of the company, all shareholders holding more than 10 per cent (alone or in concert with others) should be identified as if they were themselves account holders. All signatories on any accounts opened for the business should be identified as if they were themselves account holders. All corporate customers, regardless of size and listed status, must be subject to a risk assessment including the nature of their business, where they do business and with whom they do business. Transactions should be monitored to identify exceptions against the expected business profile.

Special risks

It is here that the question of dealing with, e.g., politically exposed persons (PEPs), arises, but this will not only be in relation to PEPs: special risks arise in relation to those who have substantial wealth, including that derived from family interests, but no other known means of support. This is also where one would find private banking and wealth management. Any properly drawn law should therefore require a proper assessment of the customer and, where special risks arise, additional due diligence and monitoring.

Staff Due Diligence

Unpopular as it will be, it is important that financial services businesses perform due diligence checks on their staff, similar to those which they carry out on their customers. Some countries, for example, Malaysia, have had this requirement in place for a decade. Most countries have not, even though it is established in dozens of reports that some 80 per cent of financial crime against or using a company involves an insider. Asset statements should be an essential part of this due diligence and staff should be required to attest to the truth of their statements. Any properly drawn law should require such a process.

Dealers in high-value goods

Almost all countries have fallen into line with FATF Recommendations for a customer identification process for dealers in high-value goods, but in fact these are not only flawed but actually create an opportunity for laundering. Any properly drawn law therefore needs to provide for a considerably more effective approach. The current position is that dealers in high-value goods are required to perform identification only in relation to one-off transactions in cash exceeding an amount which, in local currency, exceeds the equivalent of US$15,000.

Any transaction made using any form of payment card is therefore outside the scope, no matter where or by whom that payment card was issued. Secondly, there is no provision for aggregation, so that there is nothing to require a jeweller to take any identification steps in relation to a person who spends, say, $10,000 per day in his shop every day for a week. Of course, the jeweller may be suspicious and file a report, but equally he may simply write seven different names on the receipt book and deny any knowledge of repeat transactions and therefore any reason to be suspicious.

An example of the issues caused by this approach was demonstrated as this article was being written in a case reported at http://www.complinet.com/global/news/news/article.html?ref=144052 the proceeds of theft from ATM machines were used to buy readily portable branded goods. Any properly drafted law should therefore require both basic identification for transactions exceeding a lower figure than $15,000 and aggregation to $15,000, with full identification once the higher figure has been reached.

Money transmitters

The question of money transmission is complicated by the multiplicity of delivery channels, both formal and informal, legal and illegal, and by developing technology, some of which does not appear to be a method of transmitting money. Further complications are special bank accounts used to enable families of overseas workers to draw down against the account into which the worker is paid, effectively making an international payment. Finally, the informal passing of ATM, credit or debit cards creates an administrative if not a legal inconsistency.

Any properly drawn law must therefore take account of all of these techniques and provide for the development of others to be included as they emerge. This means that provisions in this area cannot be prescriptive or narrowly descriptive. They must allow for flexibility. Limits on international money transfers for identification purposes should be $2,500 or local equivalent, including aggregation over a 14-day period. It is difficult to see any justification for domestic transfers to have a higher limit.

It should not be necessary to undertake any additional identification for inter-bank transfers domestically. Internationally, the current rules of collecting information are regarded as sufficient and, arguably, somewhat intrusive. However, in countries with exchange controls, the information which is sought for international transfers (excluding that relating to identification) is very similar and, therefore, there seems to be little merit in arguing for less information in relation to international transfers, even where no exchange control issues arise.

Company service providers

Company service providers fall into several risk categories: first, being concerned in an arrangement, i.e., conduct from forming companies, providing company secretarial services, nominee services, etc., but also the provision of virtual offices, mail boxes and collection points. In the latter case, they may be in physical possession of the proceeds. Indeed, in a recent investigation, it was found that drop-boxes provided by a virtual office centre were used for the delivery and collection of narcotics shipments. It follows, then, that in addition to actual involvement, there is also the question of the collection, analysis and management of information.

A service akin to company service providers and their mailboxes is the provision of e-mail services and social networking sites. It is here argued that no anonymous accounts should be permitted and that all persons should be identified with reference to a verified credit card account. The reason for this is simple, in that countering money laundering is mostly not about money, it is about information. It is known that both money launderers and those engaged in arranging terrorism make widespread use of anonymous mail accounts. Anyone who challenges this should simply look at the return and reply addresses for the spam they receive. Almost invariably, one or both of these will be a free, anonymous account.

Worse, by using the webmail services or posting to comments forms on websites, criminals avoid transmitting mail, thereby avoiding sniffer programmes. It follows, then, that one way of reducing both the initial fraud and the subsequent money laundering is to reduce the ease with which anonymous e-mail accounts can be opened and maintained. Further, e-mail providers must be required to monitor for spikes in either returned mail or incoming mail as these indicate current fraudulent or money laundering activity. In the case of webmail, providers must monitor for accesses in rapid succession from different countries or regions of the same country as this is an indicator that messages are being stored by one person and read by another without actually being transmitted.

Finally, off-site storage facilities, both physical and electronic, should be added to the list of business service providers that are required to identify their clients and keep records.

Pawn shops

Identification should be required to ensure that the person redeeming the pledge is the person who pledged the item. The ticket is not sufficient. Money laundering through pawnshops is remarkably simple and, as ever-higher-value goods are pawned, this area has become more attractive. A minimum asset value (not pledge value) should be set and it is recommended that this be similar to the limit for international money transfers.

Politically Exposed Persons

In order to try to reduce corruption and plunder of state coffers, it has been made clear that regulated businesses must take special care when dealing with politically exposed persons or PEPs. An illogical and unnecessary complication has, however, been introduced by stating that special due diligence measures should apply to "foreign PEPs". The argument behind this is that domestic PEPs are already subject to the full weight of domestic law, including those relating to fraud and corruption (where these exist). This argument is bogus, as is the limitation of the definition of PEPs to heads of state, government ministers, heads of department and the judiciary, heads of government-linked companies and their families.

A properly drawn law should not differentiate between foreign and domestic political figures, nor should it be limited to the most senior government staff. In many countries, especially developing countries, it is low-grade corruption that causes the most disruption to society. All government officials should therefore be required to file asset statements. They should be restricted to accounts with one local bank or, if more, the banks should be authorised to exchange information in relation to both credit and debit balances and loan facilities, even if not taken up. This can be achieved by the creation of a centralised record of bank and other accounts. Such a proposal in Germany in the late 1990s was heavily criticised; it is understood that the project was abandoned.

Any properly drafted law should, therefore, include a provision for the state to build a national database of accounts. Further, it should provide for a national database of PEPs (including historical data) and other due diligence information, e.g., prosecutions, asset freezes, convictions, confiscation (as is already widely done in relation to insolvency) and for this information to be made freely available by internet search or downloaded data, so that regulated businesses can plug it into their own systems. Although outside the scope of this paper, it is worth noting that this is something that the FATF or the G20 could usefully do and, in doing so, save the global financial sector a considerable cost which is suffered with no direct commercial benefit. If all countries contributed, it would be a low-cost, high-value reward for the huge demands placed on financial services businesses.

Part 1 of this article is here:
Part 2 of this article is here: Part 2
Part 3 of this article is here: Part 3
Part 4 of this article is here: Part 4
Part 5 of this article is here: Part 5