I first started designing and delivering AML training in 1996. That’s a full quarter-century ago. And can you imagine how many times I have said, over those twenty-five years, things like “check regularly for PEPs – regulators are hot on EDD for PEPs” and “make sure you chase down any deficiencies in CDD as quickly as possible”. These are not new concepts. And yet still – still – we are seeing regulators taking businesses to task for the most basic of AML failings. We’re not talking about people wrestling with the finer points of defence SARs or struggling to define legal professional privilege – it’s the really basic, obvious, well-documented stuff, spelled out in everyone’s guidance, that is still being done wrong.
In a Guernsey finding at the very end of 2020, we read of a client who was “an ultra-high net worth individual from a high-risk country [who was] working with and being associated with individuals who were politically exposed, [while himself] being involved in the management and control of state (high-risk country) owned organisations linked to armaments, the extractive industry and IT services for the military” – and yet the business concerned “failed to identify the client as a PEP for the first ten years of the relationship”. To misquote Chandler from “Friends”, could the client BE more PEPpish?
Three weeks earlier the Maltese authorities had fined a “prestige” credit card provider for various AML failings: one client had declared an annual income of £150,000 and then over a few months made €1.2 million in payments – most “transferred into the company’s bank accounts from the company’s interrelated company incorporated in Hong Kong”, but no processes were in place to identify the source of those funds. Source of funds? Really?
And in June 2020 the UK’s FCA fined Commerzbank an eye-watering £37,805,400 for numerous shortcomings in its AML regime – made all the more baffling because “they occurred following visits by the Authority to Commerzbank London in 2012, 2015 and 2017 to discuss issues relating to its AML control framework, during which the Authority identified weaknesses that Commerzbank London was to address”. Again, these were not complicated issues: for instance, “2,226 existing clients were overdue refreshed KYC checks” and “[the bank’s] automated tool for monitoring money laundering risk on transactions for clients… did not have access to key information from certain of Commerzbank’s transaction systems”.
Hello? Is anyone listening? These are standard, basis AML requirements. Please don’t make me wonder whether I’ve wasted that quarter-century.