
FATF publishes UK's evaluation report

Chris Hamblin, Editor, London, 11 December 2018


The world's anti-money-laundering standard-setter has praised the United Kingdom for having a well-developed and robust regime to help it fight money laundering and terrorist finance, but it wants it to strengthen its supervision and increase the resources of its financial intelligence unit, the UKFIU.

The FATF has conducted an assessment of - and published a report about - the United Kingdom’s anti-money-laundering and anti-terrorist-finance system, largely praising the world's biggest financial services provider for its efforts to comply with its "40 recommendations." The report describes HM Government's appreciation of its so-called "money-laundering risks" as "strong." The jurisdiction now achieves 1,400 convictions for money laundering per annum. The authorities have powerful tools to help them obtain information about beneficial ownership and other things and, the standard-setter thinks, make good use of this information in their investigations. Apart from calling for more resources for the UKFIU, the FATF makes the observation that "the suspicious activity reporting regime needs to be modernised and reformed." 'Supervision' is another area in which there is room for improvement. The FATF accepted the report at its so-called plenary meeting in October but has only published it now.

Further praise is heaped upon the country for outreach activities conducted by supervisors, for measures to prevent criminals or their associates from being professionally accredited or controlling financial institutions and for its attempts to make it easier for the AML authorities (of whom there are a staggering 24) to find out corporate details. The UK is planning to make the reporting and registration of corporate structures even more onerous for the private sector in the near future, according to the FATF.

The UK has been highly effective in investigating, prosecuting and convicting a range of terrorist financing activity and has played a leading part in submitting the names of people it suspects of terrorism (the arcane term that the FATF uses is "designating terrorists") to both the United Nations and the European Union for approval.

Is every SAR read?

The FATF has not found the UK to be 'non-compliant' with its 40 recommendations in any way, but there are instances of it being 'largely compliant' and even two of it being 'partially compliant.' Among these two, the second (regarding recommendation 29, to do with FIUs) need not concern us here, save to say that the Parisian body (which resides in the building of the Organisation for Economic Co-operation and Development, its 'big brother') thinks that it is not clear if the UKFIU is sufficiently independent of the National Crime Agency, the country's political police, adding that it "has a limited ability to conduct operational analysis due to the large number of SARs [suspicious activity reports] and limited human and IT resources." This sounds as though not every SAR is read by an investigator - a scandal that has befallen many FIUs in the past, with governments the world over lying consistently about the attention that their operatives pay to reports. The regulated community in each country typically takes very unkindly to such lapses when they are revealed in the press, as with the 52,000-SAR backlog that the UK's old National Criminal Intelligence Service strove fruitlessly to keep quiet in the 'noughties.

Correspondent banking

The other example of 'partial compliance' comes in the vexed area of correspondent banking. This has been an area in which 'de-risking' (banks pulling out of whole categories of business for fear of money-laundering cases) has cut down many people's access to the financial system of the wider world, much to the FATF's impotent disapproval. The FATF's evaluation of the UK's observance of recommendation 13, which applies here, is a fascinating one: even though it is based in Paris and has taken on much of the culture of European Union institutions, it complains of British favouritism towards European countries: "Factors underlying the rating - mandatory EDD ("enhanced due diligence") measures regarding correspondent banking relationships apply only to respondent institutions outside the EEA." This is the very accusation that offshore centres in the Caribbean have been levelling at the UK for a long time.

The FATF states vaguely that "the legal framework needs strengthening" when it comes to correspondent banking, going into further detail at note 88: "In high-risk situations, regulated entities must undertake enhanced due diligence (e.g. when dealing with politically exposed persons, correspondent banking relationships and high-risk jurisdictions). While the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 allow financial institutions to treat EU correspondent banking relationships as low-risk, private sector representatives met during the on-site visit advised that such relationships are considered to be high-risk."

With regard to cross-border correspondent banking relationships in non-EEA countries, the UK requires financial institutions to: (i) gather sufficient information about a respondent institution to understand the nature of its business fully and use publicly available information to scrutinise its reputation and the quality of supervision to which it is subject (the FATF thinks that this obliges it to find out whether it has been subject to ML/TF investigations or regulatory action); (ii) assess its AML controls; (iii) obtain approval from senior managers before establishing a new correspondent banking relationship with it; and (iv) write down the respective responsibilities of each institution. The FATF's criticism of these measures is that they apply only to respondent institutions outside the EEA. This is not in line with recommendation 13, which calls for such measures to apply to all cross-border correspondent banking relationships.

Here and there

Praise is directed at the Financial Conduct Authority for its strong commitment to ensuring that effective controls are in place. Thanks to its efforts, large British firms with extensive correspondent banking books have groupwide AML/ATF policies and procedures and have expanded their compliance staff substantially over the last decade. The FATF's assessors still detected some gaps in compliance in respect of correspondent banking, particularly at smaller banks.

It goes on: "This was demonstrated in a 2014 survey by the FCA which found that while some retail, wholesale, and private banks had implemented effective AML/CFT and sanctions controls, significant and widespread weaknesses persisted at some firms (including in relation to correspondent banking, EDD and the ongoing monitoring of high risk clients). Particularly serious issues were found at six banks...the FCA took enforcement action against two of these banks, as well as updating regulatory guidance with further examples of good practice. The FCA has seen significant improvements as a result. The establishment [of the] Senior Managers and Certification Regime [actually still in the future - the FATF is confusing it with the current Senior Managers' Regime at banks] and its attendant liabilities on senior management have led to continued progress in addressing these issues. The gap between examinations of SAMLP and PAMLP banks and limited number of smaller bank examinations, however, leads to an uneven playing field in terms of correspondent banking policies and procedures."

The three tiers of the FCA

This last is a reference to the FCA's bureaucracy for checking banks' compliance with the Money Laundering Regulations. It has about 700 sector supervisors who do this as part of their broader supervisory functions - these people do AML/ATF work of the less complex kind. They are supported by a specialist financial crime department of 50 or so people who tackle the more complex issues.

The FCA’s supervision is divided into three tiers: the Systematic Anti Money Laundering Programme or SAMLP, which takes in the 14 largest retail and investment banks; the Proactive Anti Money Laundering Programme or PAMLP, which takes in 156 smaller firms from highly risky sectors; and the Risk Assurance Review, which deals with the small fry.

In the top tier, the FCA sends 4-5 people every four years and their inspections last for 4-6 months. In the next tier, it sends 2-3 people every four years and they stay for 2-4 days only. In the bottom category, which consists of a mind-blowing 19,500 firms, it reviews a sample of 100 firms per annum with 60 reviews by way of on-site inspections and 40 desk-bound reviews, 20 of which include a teleconference. The selection process is 80% random and 20% based on tip-offs. The regulator completes 100 on-site inspections each year, all told. The FATF is happy with this but wants it to visit the top two tiers of firms twice as often as it does now. It refers to the introduction of the Annual Data Return as a positive feature - it first sent this out to 2,000 firms for completion in 2016, collecting information and statistics about SARs, firms’ exposure to customers and jurisdictions and their AML/ATF control mechanisms.

Minor criticisms

Most of the FATF's remaining criticisms of the British AML regime are minor and centre around various controls or offences being punishable but not articulated explicitly as stand-alone measures in regulations or law. This is, to a large extent, nit-picking.

One less trivial complaint surrounds criterion 10.9 of recommendation 10, on the subject of "customer due diligence," an ugly term that the Basel Group for Banking Supervision used in the wake of 11 September 2001 to describe "know your customer" controls. When a British financial firm takes on a customer that is a legal person or arrangement, i.e. a trust or corporation, it is required to identify it and verify its identity in respect of: (i) its name, legal form and proof of existence; (ii) the powers that regulate and bind the legal person or arrangement, as well as the names of everyone who holds a senior management position there; and (iii) the address of the registered office. In the UK, however, the requirement to identify and verify the names of senior managers is not absolute – firms need only take "reasonable measures" to determine and verify these details, which annoys the FATF slightly.

On the terrorist financing front, the FATF is also critical of the fact that it sometimes takes the Office of Financial Sanctions Implementation 3-4 days to tell the public that it has blacklisted someone. The stilted phrase that the FATF uses here is "the communication of designations by OFSI is not immediate."

'EU favoritism' surfaces in a few more places, such as in the area of third-party management. The Money Laundering Regulations do not require each firm to take country risk fully into account before hiring a so-called "third-party introducer." This is because they allow it to rely on an intermediary in the EU by presuming that all EU member-states have equivalent AML/CFT standards for recommendation 10 (CDD) and recommendation 11 (recordkeeping) instead of taking account of proper country risk assessments.

The old chestnut of Scottish General Partnerships surfaces in a note about recommendation 24, to do with the beneficial ownership of legal persons. Not all of these are required to register in the UK or maintain relevant information, which annoys the standard-setter. Regarding recommendation 38, dual criminality has yet to be guaranteed for mutual legal assistance in Scotland, and "requests from non-treaty or non-Commonwealth countries relating to fiscal matters and proceedings which have yet to be initiated regardless of whether the action requested is coercive or non-coercive."
