This week MLROs.com, the AML trade body, hosted a conference at the London offices of the law firm of Gordon Dadds. Delegates received a good grounding in the preventive measures required by the European Union's fourth Money Laundering Directive.

One lecturer made the bold statement to the effect that "prevention is the cure," rather than merely better than the cure, for a financial firm's liabilities under the UK's money laundering laws. Prevention is, in broad terms, accomplished by screening, detection, analysis, intervention and reporting. The foundation for it is every firm's anti-money-laundering and terrorist finance (AML/TF) risk assessment. 

Risk assessments through the ages

The conference looked at the legal provenance of this risk assessment. It started in 2005, with the third directive which mentioned it in passing in article 34, which stated: "institutions...establish adequate and appropriate processes and procedures of...risk assessment. Then, in 2007, came the Money Laundering Regulations, article 20 of which stated that "a relevant person must establish and maintain appropriate and risk-sensitive policies and procedures relating to...risk assessment and management."

The Financial Action Task Force, the world's AML standard-setter, then updated its '40 recommendations' in 2012 to say that the identification process ought to be 'comprehensive' and also 'dynamic.' The EU's forth AML directive duly devoted a whole article - number 8 - to risk assessments for "obliged entities" (the FATF's term; British law calls them "reporting entities"). The latest British law to mention them is article 18 Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. This regulation actually contains a whole raft of articles that mention risk assessments, namely 16(2); 19(1,4); 21(7,10); 28(12); 33(6); and 37(4,7). 

Further reforms are likely in the EU's upcoming fifth directive, now a work in progress. The risks for which 'MLD V' might cater are a stand-alone category of "high risk third countries," i.e. risky countries outside the EU; prepaid cards; cyber-currencies; beneficial ownership registers; and "CDD (customer due diligence) refreshers."

How to go about assessing risks

A financial firm ought to review its AML/TF risks by taking into account:

• information that the relevant supervisory authority (which could be foreign, like the US Office of Foreign Assets Control) makes available;
• its group entity's customer base, geographical reach, transactions, products, services and delivery channels; and
• all the steps it takes to log the above (demonstrable to the supervisors if needs be).

It should have a written risk assessment that it can show to the regulator upon request and it should keep it up-to-date in line with its changing "risk landscape." It should then carry out CDD in line with its risk assessment.

The first step then is to do some research. The private bank should look at published failings, FATF reports and risks specific to MLD V that are geographical, product-related, transactional and to do with delivery channels.

The next step is for the bank to evaluate the risks that it has identified. In the geographical category, for instance, it might find that customers based in certain countries pose a greater ML/TF risk because that country is more corrupt than others. Then it should quantify the risks and control gaps by means of an AML risk scoring matrix. The risks are not only regulatory but criminal, reputational and financial. Next should come an ML/TF risk assessment spreadsheet with everything on, then a control gap analysis that prioritises those controls that are most in need of fixing.

Banks should not forget that EU law requires "super equivalence" for its AML controls. This means that each group of companies must apply all policies and procedures up to EU (and, in this case, British) standards to all subsidiaries and branches. It must take account of the rules of the European Economic Area. It must also hold itself to British standards in countries outside the EU where its companies are based unless forbidden to do so, in which case it should report this to its supervisory authority and work out some kind of response.

When an inspector calls

If any criminal investigation were to begin, the bank should evaluate the people involved, the issues, the risk of repetition and the investigative period. It should think about reporting any trouble it encounters within its own operations to its regulator, with which it should co-operate. It should assess the merits of the investigation. It should look at "directors and officers" insurance to see whether its executives are covered against harm (but not against liability for fines - the old Financial Services Authority banned this in 2004). It should arrange an internal dialogue between its people - one lawyer observed that this would probably be 'protected,' i.e. immune to disclosure in court. 

The bank should also consider public relations and ways of limiting reputational damage, perhaps asking itself whether its employees are writing on Twitter about embarrassing goings-on in the office. It should, lastly, consider conflicts of interest and decide whether to 'settle' with the authorities or resist their attempts to persuade it to pay a fine or admit wrongdoing. In most cases, an early deal is preferable.