The last two years have seen a spate of high-profile CFO resignations following failures in their companies’ anti-money laundering (AML) regimes.
This global cull has likely caused finance leaders around the world to reassess their AML and counter-terrorist financing (CTF) programmes urgently. But even without it, the recent issuance of new regulations and guidance on AML and CTF is making such reviews necessary.
The Financial Action Task Force (FATF) brought in its latest Terrorist Financing Risk Assessment Guidance in July 2019. The EU’s Fifth Money Laundering Directive came into force in January 2020. The sixth directive will follow swiftly on its heels in December.
These changes will affect many CFOs directly. Elaine Smyth, CIMA’s associate director–Professional Standards, said all organisations that offer financial services, regardless of size, will need to comply with money laundering regulations.
Each business has responsibility for ensuring senior oversight of AML/CTF processes. This oversight role does not necessarily fall to the CFO. But when it does, finance chiefs must ensure they are aware of the risks and have adequate procedures for mitigation.
“Even if they are not charged with carrying out the duties, they must build the infrastructure and provide the leadership to create the environment for the necessary work,” said Roy Sroka, CPA, partner, CFO, and chief compliance officer at Wynnchurch Capital, a North American private-equity firm.
Control framework should be ‘robust, flexible’
The Fifth Money Laundering Directive (5MLD) extended existing customer due diligence obligations, increased reporting requirements for many businesses, and introduced new risk assessment duties. It also added a regulatory imperative that individual senior managers ensure compliance.
5MLD also extends its AML and CTF obligations to cryptocurrency exchanges and custodians, bringing the EU in line with cryptocurrency measures introduced in the US several years ago.
Lack of regulation had led Europe to become a haven for laundering cryptocurrency gained illicitly. While many virtual currency and wallet providers already require customers to verify their identities, some crypto transactions allow anonymity, which criminals have exploited to transfer funds without detection.
London-based Andrew Pimlott, senior managing director for advanced analytics in financial investigations at FTI Consulting, said the thrust of AML and CTF regulatory requirements is around customer identification. So if dealing with cryptocurrencies, or another party that does, CFOs must be confident they will meet these requirements and have sufficient knowledge of customer mechanisms.
“As with any new technology, implementation risks exposure to unintended breach of regulations,” Pimlott said. “However, cryptos are too evolved to be ignored, so must be looked at. This will result in big spending on automated monitoring functions. But if seen as an upfront cost, the benefits will be worth it.”
New York-based Guy Melamed, CPA, the CFO and COO at data security company Varonis, said adoption of cryptocurrency had progressed rapidly in the last five years.
“That will continue, especially as the volatility of the currencies reduces,” he said. “Businesses will use them much more; CFOs and finance teams will have much more to monitor; and there will be more to do in ensuring proper processing.”
Monitoring cryptocurrencies could also be a challenge as different jurisdictions have different regulations, Pimlott said. Those that handle cryptos illegally to hide money laundering activities will continue to find ways to do this.
Another issue with cryptos is that some might make fewer details about a payee available, Melamed said. “That means one less layer of protection, and it puts significantly more challenges around tracking and ensuring proper processes,” he said. “Different methods may be necessary to achieve that.”
The Sixth Money Laundering Directive (6MLD) will standardise the approach of EU states to money laundering offences and expand the range of sanctions and the scope of liability, including extension of criminal liability to individuals.
This means that if a business has insufficient compliance and doesn’t efficiently prevent money laundering, relevant employees will be subject to legal proceedings, said Pimlott. CFOs must therefore have a clear understanding of 5MLD and readiness for 6MLD.
Denmark-based Richard Grint, financial crime expert at PA Consulting, said with the sixth directive following so quickly after the fifth, the key message for CFOs and other finance professionals is that the regulatory landscape is evolving at pace.
“Finance leaders should ensure their AML control framework is robust, flexible, and able to adjust to new threats and to incoming regulation,” he said. “The most successful firms and leaders do not treat it as a compliance exercise. They proactively manage their financial crime risks to respond to such changes.”
From a finance perspective, both directives highlight and enforce requirements around the need for high-quality source-of-funds checks, Grint said. This means companies must understand exactly the origin of inbound money flows.
The FATF’s 2019 Terrorist Financing Risk Assessment Guidance is directed mainly at countries, but it provides recommendations for financial and other companies.
For example, it says that organisations such as banks need to play a much bigger role in tackling the growing threat of terrorist financing by collaborating with public bodies such as government and regulators, law enforcement bodies, and finance and trade centres.
The guidance highlights a range of products and services with inherent risk. These include pre-paid cards, money or value transfer services, remittance services, person-to-person transfers, correspondent banking services, money service businesses, hawalas, not-for-profit organisations, and precious metals or stones. It gives examples of associated activities that should be monitored closely.
The guidance also sets standards for the collection of quantitative and qualitative data and for considering all stages of terrorist financing in risk assessments. It recommends including factors such as domestic and foreign intelligence information, sources of funding, channels used, and geographic origin and destination of funds or other assets.
Grint said the guidance is part of a wider trend towards organisations being obliged to mitigate broader financial crime risks.
“Leaders should make sure their financial crime control framework can handle all financial crime risks,” he said. “By focusing on money laundering alone, firms risk missing their equally weighty obligations around terrorist financing.”
KPMG has highlighted challenges in complying with the FATF’s guidance, such as the low value of the funds or assets often used by terrorists, the cross-border nature of terrorist financing, and the fact that transactions can appear routine. The guidance aims to help countries overcome some of these challenges by providing practical examples and considerations, it said.
Johannesburg-based Jaco Joubert, ACMA, CGMA, the CFO at Integrated Processing Solutions (IPS), said these challenges are particularly apparent in South Africa.
The country’s 2017 Financial Intelligence Centre Amendment Act (FICAA) introduced a risk-based approach that is central to the effective implementation of FATF recommendations.
But the application of the risk-based approach has been slow and challenging for companies like IPS because some of its offerings are low-value products aimed at the mass market and those without bank accounts, Joubert said.
“In South Africa, many of the population are unbanked, or underbanked, often living in informal settlements without the required proof-of-residence documents, which is necessary to perform a Know Your Client assessment,” he said. “Furthermore, remittances are a vital financial service for the lower-income and migrant populations. It can therefore be a challenge to balance financial inclusion targets with the integrity standards required by FICAA and the FATF.
“These requirements could negatively affect people living in rural areas or informal employees, including those paid in cash and undocumented migrants.”
The unbanked population also creates a challenge when applying AML rules, Joubert said. To ensure compliance with AML and CTF provisions, companies need to expand their understanding of risk-based approaches, particularly with respect to customer due diligence.
Putting specific controls in place
Even in countries where most people have a bank account, the regulations can prove tricky.
Sroka said: “The new FATF and EU guidelines unfortunately add more nuance to the ever more complicated regional and country-specific requirements that are pushed down to the CFO and AML officers. They must interpret and adapt them to their enterprises.
“They must seek the highest applicable standards for the countries where they operate, and build processes to meet each given standard. But the most important aspects for one organisation might be minor points for another. So, application of the guidelines is organisation-specific.”
Sroka said CFOs and AML officers should already be reviewing control weaknesses regularly. But they need to build systems, processes, and internal education tools that are tailored to their organisation’s risk, and strategy should be reviewed regularly to adapt to current threats. This will involve multiple financial and management team members.
“Static, off-the-shelf policies that gather dust and are owned by one designated employee will not be effective against nimble and ubiquitous adversaries,” Sroka said. “So, as new information becomes available from global task forces, financial officers should review the related updates, recommend changes to their firm’s policy, then educate teams as needed.”
Strong analytical skills
Joubert said his organisation, like others in the payments processing space, faces a real threat of being used to facilitate money laundering or terrorist financing and has a major role in fighting these crimes.
“If found to be associated with these types of activities, even if unintentionally, we could lose our operating licences or face administrative sanctions or reputational damage,” he said.
The valuable skills Joubert said can help to beat money laundering and terrorist financing are:
- The ability to analyse data, including customer information and activity;
- The ability to create links and networks for reporting to authorities; and
- Local, national, and international collaboration skills.
“Our company provides compulsory and ongoing AML and CTF training to enable employees to comply with the provisions,” Joubert said. “The board, social and ethics committee members are also required to complete the necessary training.”
Joubert said IPS’s AML and CTF risk management process is a continuous cycle that includes identification, assessment, mitigation, reporting, and monitoring of risks. Companies should test the adequacy of AML and CTF systems and controls regularly.
‘Culture of scepticism’
Pimlott said many AML functions can be automated to ease the increased burden of new regulations on the compliance team. Advanced analytics can provide mechanisms to address red flags proactively, so teams can identify and focus on high-risk transactions, he said.
Pimlott agreed that company-wide training and top-down compliance culture are essential to beat money laundering.
Melamed said financial criminals are becoming increasingly sophisticated in the way they take advantage of the complexities of global trade and financial systems.
“Teams need to be aware,” he said. “Combating this is not that easy. It is not just about the mechanical and technical aspects, it’s a combination of products, processes, and a culture of scepticism.
“CFOs need to promote a culture where teams are not afraid to ask questions when something doesn’t seem right. They particularly need to generate that culture in their own team as people in purchasing or accounts payable, for example, are often targeted and will pick up things managers don’t.”
— Tim Cooper is a freelance writer based in the UK.