Christmas is a time for families, reflection and a well-earned rest. This year of course will be different for everyone, in many ways. I for one, however will be looking back on the year with enormous gratitude for the many key workers who have kept us going throughout. I’m sure everyone shares in the hope that 2021 will be an opportunity to start rebuilding the things we once took for granted.
2020 has been a landmark year for many of the wrong reasons, one of which being the many new opportunities it has afforded the criminal and money laundering world, who wasted no time in seizing upon the disarray for financial gain. The past 12 months have been a major test for the financial crime compliance community, but without exception you have shown remarkable resilience; initially through the transition to a remote working model and subsequently, to the challenges of increasingly sophisticated and varied attack patterns meted out by the criminal underworld.
Throughout 2020, our Facing Change series has documented the transition of working practises and the challenges and pressures COVID has placed on organisations and sectors alike. And, despite being faced with one of the worst crises in living memory, overwhelmingly people and employers have pivoted, adapted and evolved with little aplomb, to the new norms. You can follow the conversation here.
A positive start
Looking back, the year started with high hopes that new regulation would help tackle the growing financial crime problem when the requirements of the 5th Money Laundering Directive were integrated into an updated version of the UK’s anti-money laundering regulations and implemented on January 10th 2020.
A whole raft of additional requirements were introduced to help firms manage higher risk, but grabbing the headlines was the introduction of crypto-asset firms and art dealers into the regulatory environment. A number of firms had already recognised that compliance with 5MLD was essential to their journey and were well on the way. In this interview I conducted back in May, both Paul Barker of Archax and Francesco Roda of Koine recognised that compliance is essential in working with institutional investors and mainstream financial services on a level playing field. To quote Francesco “regulation is about protecting investors and consumers.”
Crypto firms that had applied have until January 2021 to complete registration with the FCA. The clock is therefore ticking…
Dark clouds and silver linings
No sooner had firms begun implementing 5MLD than the clouds of COVID-19 gathered, leading to the first lockdown in March and a massive effort for all regulated organisations to re-organise compliance operations based on people working from home. As we look back, it’s a tribute to the industry that such a massive upheaval was carried out so well. Nevertheless criminals were quick to exploit the opportunity.
COVID-19 related scams abounded, with criminals seizing upon our vulnerabilities, using PPE and other essential healthcare items as bait to con individuals, businesses and governments. Cybercrime and online fraud abounded as this report from UK Finance made clear in September.
As Katy Worobec, Managing Director at UK Finance said, “Criminals have ruthlessly adapted to this pandemic with scams exploiting the rise in people working from home and spending time online.”
Financial criminals also enthusiastically embraced ‘going digital’, with gangs growing in sophistication, widespread use of social media, the dark web and of course crypto-assets, such as Bitcoin. This article by HelpNetSecurity in February laid bare the prevalence of criminal crypto activity, with some startling facts:
- Cryptocurrency users, exchanges and investors suffered $4.5 billion in crypto-related losses resulting from thefts, hacks, and fraud
- 65% of top 120 VASPs lack good KYC
- 66% of dark web vendors of illegal financial products and stolen identities transact in cryptocurrencies
In the July, LexisNexis Risk Solutions published its own independently researched report looking at Future Financial Crime Risks with the subtitle ‘What keeps AML and CFT professionals awake at night?’
The report concludes that if we are really going to move the dial in the fight against financial crime, tech and biometrics, entity linking, digital identity data and deep, centralised databases of PEPs, sanctions lists, enforcement data and adverse media are essential tools. It also identifies a single customer view across the organisation as vital for quick and dynamic assessment of risks associated with an individual or entity.
If the pandemic has reinforced one assumption amongst the compliance and law enforcement communities, it’s that the digital arena is where future financial crime battle lines will be drawn.
Regulation keeps a steady course
Firms being fined for inadequate AML procedures showed no signs of let-up in 2020 as this article by the Law Gazette from the summer made clear.
In June, the Facing Change series spoke with Colette Best of the Solicitors Regulation Authority (SRA) for England and Wales, and Graham Mackenzie of The Law Society Scotland. Both regulators made it perfectly clear they are tightening up on AML processes with the firms they supervise. Watch the episode here.
The broad discussion highlighted the significant additional risk created for UK law firms by the COVID-19 pandemic and subsequent economic downturn. Newly-created and exploitable vulnerabilities are putting increased pressure on compliance teams, already struggling to maintain adequate processes and controls, while contending with the added complications of working remotely. At the same time, this very unique set of circumstances has turned the definition of ‘suspicious activity’ upside-down, making the process of risk assessment even trickier for AML teams.
As both the SRA and Law Society of Scotland made clear, AML regulatory standards and outcomes across the sector will not be relaxed. In fact, the same supportive, but robust approach is being taken by all the regulators, including the Gambling Commission and HMRC across the spectrum of financial and professional services. So, 2021 will probably mean that all regulated firms should review and update their AML processes, as a matter of urgency.
True progress never did run smooth
In September, we asked around 500 compliance professionals, split equally across banks, lenders, wealth management firms and estate agencies, how well they were progressing with implementation of measures to comply with 5MLD regulations, 9 months on from the updated money laundering regulations coming into force. The results were surprising. We found that on average firms were only around halfway (55%) towards implementing the new regulations. You might presume that COVID-19 was a big cause of these delays, but in fact 64% of firms reported just the opposite – that the pandemic actually sped up implementation efforts! It’s justifiable to wonder therefore, what the situation would be had the crisis not occurred. The research also showed that many firms were still struggling to really understand the objectives of the new regulations. No doubt the ever-increasing list of organisations penalised for AML failures and late implementation of the new regulations suggests that we still have a long way to go.
Black holes and ‘revelations’
Never a year goes by without one revelation or another relating to systemic failings in the detection and prevention of financial crime and 2020 was no different. The so-called #Fincen Papers leak hit the headlines in September following an investigation by the International Consortium of Investigative Journalists (ICIJ) into the gaping-wide black holes in the safeguards in place to prevent the misuse of corporate structures.
The revelations were controversial at every level, from the legitimacy of the leaks in the first place – the papers were carefully selected and failed to show the full picture – to the massive failures on the part of some of the world’s biggest banks. The UK in particular was criticised for weaknesses in its systems and the ease with which UK companies could be used as vehicles for illicit transactions, leading to it being labelled a ‘high risk jurisdiction’. In spite of the negative press, the storm blew over fairly quickly, probably due to the ongoing work to improve safeguards and prevent financial crime. It might be a work in progress, but its heading in the right direction.
In her October speech at the Royal United Services Institute (RUSI), Lisa Osofsky, Director General of the Serious Fraud Office (SFO) gave her annual speech on the fight against economic crime in the UK. Whilst acknowledging many successes in bringing criminals to justice, “much more can be done,” she said. She praised the role of the newly-created National Economic Crime Centre (ECC) and recognised that the fight against financial crime is now much higher on the political agenda. Given a magic wand, she explained she would prioritise changes to the legal system, particularly the ability to make it easier to start investigations before having all the evidence available, where suspicion is strong. She also supported improving information sharing, especially across international borders.
Huge challenges remain for Law Enforcement and she spoke to the explosion of data availability as criminals increasingly use technology for their illicit gains, highlighting that “unless [law enforcement] has the same technology and data analytics capabilities, [they] will be at a disadvantage.” Her concluding statement sums it all up: “It is only through this focus and hard work, together across our office, government, our country and our globe, that we will beat back financial crime and deliver the results that our taxpayers and the victims deserve.”
Change is afoot
In the Autumn, Companies House announced plans to reform, following the end of the public consultation in August. The lack of governance of the data held on the registry has been a concern amongst the financial crime compliance community for many years, and the ease with which UK registered companies can be set up and abused as highlighted in the FinCen leaks, is a significant weakness in the financial system. Plans to bring in identity verification processes for directors and shareholders of newly-registered companies were broadly welcomed. In a further development, obligations are also expected to be imposed on regulated firms to report discrepancies found on the Persons of Significant Control Register. All of these are positive developments, of course, but do they go far enough? It could be argued that a more risk-based approach should be adopted where robust checks are required on registration of a new company, for example where the directors come from a high-risk country, based on FATF criteria. Should sanctions screening be adopted on all new directors? Everything must be a balance between time and resource, but if we are to make real inroads, then I would argue we should go further.
Brexit seems to be the hardest word
As 2020 draws to a close, two other major issues are looming and both are related to that ubiquitous and perennial topic, Brexit.
Many readers will already know that the UK has developed its own sanctions regime via the Sanctions and Money Laundering Act. In fact, we saw first use of OFSI’s new powers earlier this year in the implementation of new sanctions (including a number of designations for human rights abuses) and in the enforcement of fines for non-compliance (in this case, Standard Chartered were fined just over £20m for sanctions breaches against Russia).
From December 31st, major changes will come into force when the UK government publishes updates to the two current UK sanctions lists. The UK’s OFSI Consolidated List will contain the same financial sanctions targets as the UK Sanctions List. The UK Sanctions List is expected to contain other types of sanctions in addition to financial sanctions, so the two lists will not align completely. All EU sanctions will have been transposed to the new UK HMT list, with additional information added in many cases. So firms will need to be clear which list they screen against from 1st January, and be prepared for a spike in alerts when screening against the new UK list. Watch this space via OFSI in the run up to 31st December.
Finally, the UK government has made clear that the UK will not adopt the latest regulatory updates from the EU, the so-called 6th Money Laundering Directive, which became law across the EU in December. HM Treasury said the UK’s domestic legislation is already largely compliant with the Directive’s measures and in relation to the offences and sentences set out in the Directive, the UK already goes much further. Opting in, it concluded, would not enhance the UK’s approach to tackling money laundering.
And finally …
2020 has been both a year to remember, and to forget. Financial criminals have adapted and pivoted their activities as the year – and the crisis – has unravelled, but financial crime in its many guises continues unabated. Although not to be recognised with the same valour as frontline workers, the financial crime compliance community has nonetheless risen to the occasion admirably, overcoming many challenges along the way. All of us in the industry should take comfort and pride from that fact as we look forward to a bit of respite and (hopefully) some time together with families over the festive season. To that end, we wish our readers cordial season’s greetings and festive cheer and we look forward to joining forces once more in the New Year to tackle the inevitable challenges 2021 will bring, as the fight goes on!