Drawing from landmark penalties in 2020, FINTRAIL’s Payal Patel and Sara Abbasi identify key lessons to help financial institutions guard against financial crime.
APAC overtook the US in terms of the value of enforcement actions for the first time since 2015, with regulators imposing approximately USD 5.1 billion in fines for AML and KYC violations in 2020. This was largely a result of two landmark fines imposed against Goldman Sachs for its 1MDB involvement and Australian bank Westpac for its money laundering scandal with links to serious crimes.
Drawing from 2020, a landmark year for AML penalties, what are some of the key high-level takeaways for APAC and how can financial institutions prevent these occurrences happening in future?
Back to basics
The material failures of Goldman Sachs and Westpac highlighted the need for financial institutions to go back to basics in understanding the underlying reasons for AML laws and why financial crime controls and oversight are so important. So often financial institutions approach financial crime compliance with a checklist attitude, failing to understand the complex and evolving nature of financial crime risk, as well as forgetting the human impact of the underlying predicate crimes of money laundering.
After the material failings of last year, compliance professionals, senior members of staff, and board members should pause to reflect and ask themselves why AML and KYC controls are so critical in not only mitigating money laundering risk but also in preventing harm to the victims of financial crime.
Both landmark cases of 2020 highlighted significant failings of financial institutions in performing adequate customer due diligence. In the case of Goldman, the initial red flags identified regarding the source of wealth and suitability of Malaysian businessman Jho Low as a private banking customer were allegedly dismissed by the deals team. The team proceeded to actively pursue business with Low and his associates indirectly through the three 1MDB bonds held with Goldman Sachs.
While the wrongful actions of the deals team highlight a fundamental concern around bank culture, the fact that Goldman’s ongoing monitoring and due diligence controls did not identify the ongoing connection between the 1MDB bond transactions and Low was also an area of concern. The ability for the deals team to circumvent controls as well as failures in the ongoing monitoring of customers and transactions highlight several lessons for financial institutions:
- Due diligence is by no means a one-time event. It should be conducted at the start of a relationship but also holistically and throughout all relationships.
- All business decisions should be recorded in sufficient detail and accessible to all business areas. If at any point a relationship is terminated or declined, a clear rationale should be recorded in the customer’s due diligence records and used as intelligence for ongoing monitoring activity.
- Deliberate dismissal of financial crime red flags for the purpose of lucrative and unsavoury business or the personal gain of employees may exist and there must be adequate internal controls and oversight to mitigate this type of behaviour.
Similarly, the Westpac scandal in which the bank admitted to “breaking the law by failing to monitor whether a dozen customers were making transactions consistent with child exploitation” also touches upon the importance of ongoing customer due diligence and monitoring.
Allegedly it was known to the bank that a customer had an existing conviction for child exploitation offences and was one of many customers sending funds to the Philippines, where child exploitation has been a serious concern. AUSTRAC identified this as a failure to carry out appropriate customer due diligence in relation to suspicious transactions associated with possible child exploitation cases. Here we can learn that:
- Customer risk evolves and ongoing monitoring solutions should be robust enough to detect and monitor any changes to customer behaviour or suspicious activity, particularly those customers and transactions that are considered higher risk.
- AML professionals should be regularly trained on current and evolving money laundering typologies by regions, products, service offerings, customer types, etc. Criminal groups and those responsible for laundering money are getting smarter. It is therefore important for transaction monitoring systems as well as the individuals monitoring the alerts to stay relevant and up to date.
Financial crime compliance is everyone’s responsibility
In this increasingly competitive climate with traditional banks losing footing to digital banks and fintechs, the reputational damage and hefty fines as a result of AML/CTF breaches are no longer something banks can take lightly. As such, financial crime compliance should be at the forefront of everyone’s agenda across the business including at the most senior levels.
The Goldman scandal showcased how the siloed approach between the sales team, senior management and the compliance function can lead to information slipping between the cracks, thereby exposing the bank to bribery and corruption risk. The case provided one example of how a siloed approach to KYC allowed its sales team to circumvent controls and onboard Low as an indirect customer via the 1MDB bonds.
Meanwhile, allegations surrounding bribery in relation to the 1MDB transactions were allegedly known to Goldman long before the Malaysian unit admitted to “knowingly and willingly” paying bribes to foreign officials. These red flags were allegedly ignored by the relevant personnel instead of alerting higher-ups to problems with the bonds.
Chief Executive David Solomon highlighted that the firm “did not adequately address red flags and scrutinise the representations of certain members of the deal team”. The 1MDB investigation highlighted a problem with the corporate culture in the Malaysian division, which emphasised revenue and sales over honest business and compliance.
Similarly, following the findings of AUSTRAC’s investigation and the headlines linking Westpac to child exploitation, Westpac’s Senior Management and Board of Directors openly discussed and committed to addressing the concerns of its corporate culture and governance and accountability frameworks and practices, admitting that Westpac had “been focused on finding individuals to blame for problems when they arose rather than addressing systemic issues”.
While Westpac follows the 3LoD (three lines of defence) model to detect and combat risk, it has admitted that the structure was not ‘consistently understood and embedded’ in the bank. This meant that roles, responsibilities and accountabilities were often misunderstood, which “blurred boundaries and meant some things fall through the cracks”.
How can cultural and structural issues within a financial institution be addressed? Consider the following:
- Compliance is everyone’s job. Even within the sales team, compliance should be at the forefront of the business agenda, ensuring that business is conducted honestly and transparently. Compliance should not be seen as a barrier to business but as a tool for the acquisition of good business to help achieve the firm’s commercial and strategic objectives.
- A positive compliance culture lays the foundation for an effective AML/CFT framework. When talking about culture, this should include active engagement from the firm’s leadership in terms of setting the ‘tone from the top,’ effectively integrating AML/CTF controls in business as usual and encouraging a healthy reward system where reward behaviour supports a positive AML culture.
- Allegations of bribery or misconduct should be taken seriously. Financial institutions should have in place suitable reporting and escalation policies and procedures to ensure red flags and concerns are identified and responded to by senior management where appropriate.
- Financial institutions should ensure that their staff are aware of, and trained on, the escalation policies and procedures on a regular basis.
- A speak up culture should be encouraged, where no issue or concern is too small or unimportant. But most importantly, any concern should be addressed appropriately and by the relevant personnel.
- Roles and responsibilities should be clearly defined and understood in order to rapidly identify, prioritise, escalate and remediate issues.
Slipping through the cracks
Since the 1MDB scandal broke in 2016, a series of events have unfolded throughout the US, Switzerland, Malaysia, Singapore, Hong Kong and the UK. Central to the scheme were several senior Goldman bankers who managed to circumvent financial crime controls in place to siphon off approximately USD 2.7 billion from 1MDB for their own personal gain as well as to pay a series of bribes to foreign officials.
The Goldman case is notorious because not only was there criminal conduct by a number of executives but, as we have seen, a number of red flags were raised from the outset and throughout the 1MDB relationship over the years, which should have allowed the bank to either identify misconduct and follow up on it or stop it altogether. Essentially the accumulation of letting things ‘fall through the cracks’ allowed billions of dollars to be laundered and stolen from the Malaysian people.
The series of failings linked to the 1MDB transactions highlight ineffective oversight of the internal money laundering controls at Goldman and also demonstrate a number of key takeaways:
- Documentation, record keeping and following up are critical. All decisions, rationales, investigations or resolutions made should be appropriately documented to ensure that any risk identified is assessed and addressed at a point in time.
- It is not enough for corporate compliance programmes to be adequate on paper; companies need to ensure that they are adequately resourced, functioning properly and tested, and that they can actually identify, stop and mitigate the type of conduct that leads to criminal charges.
- Escalate, escalate, escalate. Where there is a concern, escalate this through the relevant pathways and discuss these issues in a risk and compliance setting with individuals from the business and the compliance functions.
- Ensure there are appropriate measures in place to undergo “four eye” checks or reviews prior to opening or closing accounts, particularly high risk accounts, associated PEP accounts or accounts with any financial crime concerns.
As we begin 2021, following what was a milestone year for APAC in terms of regulatory enforcement action, there are critical lessons that all financial institutions should take away to prevent being subject to hefty fines and reputational damage in future.
Whether this is by encouraging firms to go back to the basics, pausing to reflect on the importance of a financial crime framework, ensuring that compliance is everyone’s responsibility, or maintaining a robust control framework that is adequately tested to ensure nothing slips through the cracks – these are fundamental activities that financial institutions should undertake to protect the financial system and any victims from the perpetrators of financial crime.
Payal Patel is Managing Director and Sara Abbasi is Consultant at FINTRAIL Asia, a consultancy partnering with financial institutions globally, enabling them to manage exposure to financial crime risk.