Life beyond 4MLD
Chief Operating Officer
C6 Intelligence Group
The Fourth EU Money Laundering Directive (4MLD), which was enacted on 25 June 2015 and went into effect on 26 June 2017, is one of the most significant anti-money laundering (AML) legislations in Europe in recent history.
The Directive was created to improve consistency of AML rules across all EU Member States and provides stricter guidelines on identifying, assessing, understanding and mitigating money laundering or terrorist financing risks.
The June 2017 deadline has now come and gone – but there’s no rest for Money Laundering Reporting Officers (MLRO) and their teams. In fact, updates to 4MLD have already been proposed in the Fifth EU Money Laundering Directive.
So what’s top of mind for MLROs and compliance teams today?
Ben Gould, Managing Director EMEA & APAC at Opus, recently spoke to Emma Mills, Chief Operating Officer, C6 Intelligence Group, for her perspective. C6 is a global provider of risk intelligence and data, and works regularly with clients in the financial services industry.
Ben Gould, Opus: The deadline for implementation of the EU Fourth Money Laundering Directive (4MLD) has now passed. What do you think were some of the biggest challenges to firms in meeting the requirements, and how did they overcome them?
C6: It’s difficult to generalise. Prior to the need to become compliant with 4MLD there were significant differences in the levels of maturity of firms in terms of their adoption and implementation of AML processes.
Firms regulated under the 3MLD would already have had strong processes and systems in place. In my opinion, the most significant impact of the 4MLD will have been the need to review existing policies and procedures in light of the enhanced measures for domestic Politically Exposed Persons (PEPs). Specifically, ensuring alignment of any PEP remediation projects currently based on existing policies.
The biggest impact of the 4MLD will be for organisations that have not had suitably robust AML policies, processes and technologies in place, along with an appropriate governance and control function.
This is particularly pronounced for industries that were not subject to the 3MLD. The 4MLD also brought all gambling services into scope (previously only casinos were regulated), and these newly regulated organisations had to build their compliance programmes from scratch. Significant effort will have gone into, understanding their obligations, and implementing procedures and controls to ensure they comprehensively met the requirements of the Directive.
Firms had around two years to prepare themselves for the 4MLD – not a long time in an organisation’s business cycle. One interesting observation that we made was that smaller organisations, technology companies and advanced regtech firms, managed to implement solutions for customer due diligence; client screening; transactional monitoring; and governance and compliance, in an accelerated timeframe. In larger organisations, legacy technology and sprawling operations can be a hindrance in updating programmes in line with new regulatory requirements.
Whatever the size of an organisation, top-level business focus, clear ownership of the AML compliance programme and a culture of compliance are essential elements in a successful compliance operation. When these elements are present the perceived business burdens of compliance can be turned into an opportunity to get closer to your customers.
Opus: With those challenges now, we hope, out of the way, what’s top of mind for MLROs?
C6: I think MLROs are facing multiple challenges.
Personal liability and attestation that the policies, processes, and systems implemented within their organisation work effectively is a huge personal and reputational risk. If things go wrong, the best case scenario is a fine; the worst, a jail sentence and the prospect of never working in the industry again, as we saw recently with Sonali Bank (UK) Limited.
With the cost of compliance still climbing and business margins decreasing, it is imperative that businesses drive value from their compliance operations. The information gathered for the purposes of AML compliance gives businesses a deep insight into their customers’ needs and risk profiles. This understanding allows them to target customers with the right products, set premiums in line with risk and strengthen relationships to drive profitability – turning risk into an opportunity.
Opus: A key focus of the EU Fifth Money Laundering Directive (5MLD) is counter terrorism financing. What should financial institutions be doing right now to combat the increased terror threat we are facing?
C6: In general the current CTF regulations and controls implemented by financial organisations to meet these obligations are robust, and not all of the 5MLD changes will be applicable to all organisations; particularly if they do not deal in ‘virtual currencies’ or offer ‘Prepaid Cards’.
However, there are 3 main areas which organisations should be aware of and start planning accordingly, namely:
- Beneficial Ownership Registers – obliged entities should assess their current CDD profiles and identify any gaps in the beneficial ownership data held and determine the most appropriate way to source this information and when to remediate the profiles(s)
- Enhanced cooperation and information sharing among EU financial intelligence units (FIUs) – this is potentially a big change for obliged entities as they will have to determine how to respond to requests in a timely manner and ensure that staff are trained appropriately to handle this data and to be aware of applicable data privacy laws
- Consistent EU approach to ‘High-risk’ Third Countries – Organisations should review their existing list of ‘high-risk’ countries and harmonise with the EU list. Internal Risk Ratings will likely need to be updated.
However, one key area that companies can focus on right now to improve the robustness of their approach to CTF is to better monitor their existing customers for ‘adverse media’ risk events that relate to terrorist-type activity. This is particularly relevant at the moment given the known examples in the UK and Europe of people travelling back and forth to high-risk conflict zones such as Libya for example.
Many business functions within an organisation can benefit from new technology and solutions that would meet these requirements, which can also help to reduce the cost of existing operations, while at the same time providing the business with valuable insight into their customer base to avoid brand / reputational damage.
High quality, targeted and timely adverse media screening is an emerging standard for managing higher risk customer portfolios, helping organisations monitor existing customers daily and preventing high risk prospects being on-boarded in the first place.
Essentially, this approach provides an additional and highly valuable control point in an organisation’s financial crime risk framework.
Opus: What does Brexit mean for 5MLD in the UK?
C6: Very little, in my opinion, as I’m sceptical on the degree to which Brexit will affect this area. Leaving my personal views aside, the UK’s AML framework and FCA focus make us leaders in this field – and a considerable amount of the EU’s goals and direction on AML are aligned to the UK.
I’m more interested in the outcome of the forthcoming FATF country review of the UK in 2018 and what the observations there will be.
Where challenges could lurk would be if there are any significant changes to current guidance requiring different standards to be adhered to, effectively resulting in the need for separate UK and EU processes. However, I think the chances of this happening are low, at least in the short to medium-term timeframes.
Opus: What about the General Data Protection Regulation (GDPR)? The deadline there is looming. How will this impact AML/KYC activities, if at all?
C6: The primary impact of the GDPR will be on ensuring data protection policies and underlying technologies are strengthened to minimise any risks of data leakage or compromise. Training, breach reporting, drills and company-wide education will require focus and attention, since the costs for breaches will potentially be material to the balance-sheet.
Furthermore, the reputational damage for customer data breaches may be more significant that the financial penalty, so this will require a ‘culture’ change too in order to ensure that everyone within the organisation understands these risks and acts accordingly.
Opus: Any parting words of wisdom for MLROs and their teams?
C6: It’s not easy being an MLRO today, but it’s also exciting.
As MLROs, we have a strong responsibility to our organisations to instil a culture of compliance. The policing of tax evasion has now been squarely put on the shoulders of financial organisations. The potential for material consequence needs to be well understood and firmly embedded in the culture, processes, policies and systems to ensure compliance and avoid risk.
The combination of technology and human intelligence is a sweet spot to manage customer due diligence and screening processes. It has the potential to deliver true innovation and reduce costs, whilst, as mentioned before, delivering high quality information to the business for decision making purposes.
Fin/Reg tech offerings will support this. As one example, it was very interesting to read HSBC’s recent announcement that it will be partnering with a Silicon Valley-based artificial intelligence start-up to automate some of its compliance processes. It’s the start of a trend I’m confident we will see more and more of and something all MLROs should be at least aware of.
Another area I think is very exciting and has the potential to be a real game changer is ‘Block-Chain’ technology being used to create true and verifiable IDs along with all your ‘Know Your Customer’ history and documentation, for both individuals and organisations. The potential to rely and share this unique ID amongst different financial organisations is a very interesting development, and there are already Fin/Reg tech companies starting to do this. Whilst I doubt this will be a short-term focus for MLROs, it is worth understanding the benefits and capabilities Block Chain can offer and how your organisation could leverage this technology. I suspect early adopters will reap out-sized benefits.
Finally, it’s tried and tested wisdom, but sharing best practices is always critical, but never more so than in this industry. Legislations change quickly and we’re all in this together. Knowledge sharing of current issues and best practices is key.