Historically, anti-money laundering (AML) regulations were exclusively targeted at banks and other financial institutions, but global AML legislative frameworks have recently expanded to include significant regulations for nonfinancial institutions. Financial professionals in a much broader array of organisations will need to develop and pay much closer attention to AML controls.
This trend is expected to continue, and nonfinancial institutions that fall into the categories set out by the laws need to comply. For other companies, it is advantageous to include the AML concepts in their third-party due diligence process in order to avoid running afoul of the law.
In late 2020, the National Defense Authorization Act for Fiscal Year 2021, P.L. 116-283, introduced amendments and enhancements to the US’s AML framework in the form of the Anti-Money Laundering Act of 2020, which builds on the USA PATRIOT Act of 2001, P.L. 107-56.
On the other side of the Atlantic, the Sixth Anti-Money Laundering Directive came into effect for EU member states in December 2020 and required implementation by June 2021.
Both of these pieces of legislation expand the existing AML regulatory frameworks and echo the evolutionary trends that we have seen over recent years. Between them, they provide for:
- Increased disclosure on ultimate beneficial owners (UBOs) to promote transparency regarding money flows;
- Enhanced whistle-blower protection and rewards;
- AML principles expanded to institutions in nonfinancial sectors, such as gambling; auditing, accounting, and tax; precious metals; high-value goods; auction houses; and others;
- Increased cooperation among the different players in the national and international arena to enhance the effectiveness of cross-border actions;
- Enhanced law enforcement and increased penalties for AML violations; and
- Modernisation of the traditional AML vehicles, which have been extended to include new players in the arena, such as cryptoassets and virtual currencies, wallet providers, gift cards, and others.
At a practical level, the new AML measures will often overlap with existing controls required to comply with other fraud-prevention legislative frameworks, such as anti-bribery and anti-corruption regulations.
From a broader risk perspective, when evaluating which AML measures to implement, it is important to consider the potential reputational risk that might arise from AML-related scandals, which might involve closely associated third parties.
A risk-based approach to AML efforts is highly recommended, starting with a comprehensive risk assessment. Organisations should consider the following when examining their AML risk.
The risk assessment should start broadly. Where an organisation is conducting business is a good place to start. One significant risk factor is the level of AML risk associated with the country in which the third party operates or is incorporated. The “high-risk third country” list from the European Commission (under Article 9.2 of the Fourth Money Laundering Directive) is a helpful starting point. Finance professionals will also want to refer to the Financial Action Task Force’s Guidance for a Risk-Based Approach for the Accounting Profession.
Another risk factor that nonfinancial institutions should consider is the nature of the customer business and whether it is a cash-intensive business, which is often a potential red flag for money laundering.
The above criteria are helpful in identifying broad categories of high-risk transactions, large geographies, or types of third parties to monitor closely, but when organisations want to look more closely at individuals or transactions, additional risk factors should be evaluated.
For organisations launching AML controls, the following are good places to start.
For organisations starting to pay more attention to their AML exposure, a good place to begin is with politically exposed persons (PEPs). The Financial Action Task Force, an intergovernmental organisation founded in 1989 by G-7 member states to combat money laundering, defines a PEP as “an individual who is or has been entrusted with a prominent public function”.
PEPs, or family members or known close associates of a PEP, present a higher risk of involvement in money laundering and/or terrorist financing because of the position they hold.
To minimise the risk when dealing with PEPs, strong internal controls around gifts, invitations, and cash should be in place. PEPs are also extensively covered by anti-bribery and anti-corruption regulations around the world, which aim to ensure that companies screen and control transactions with PEPs so that these are not vehicles to bribe public officials.
Complex ownership structures
Companies with complex ownership structures, legal entities in countries that are high-risk for AML or favour anonymity, undisclosed UBOs, and bank accounts in countries different from that of incorporation are all red flags that should be investigated and evaluated thoroughly before engaging in a business relationship with third parties.
Nature of the transaction
Transactions that are complex or unusual or that have no apparent economic or legal purpose are red flags and should be carefully evaluated. The background and purpose of the transaction should be examined, and further steps should be taken to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship.
Situations not involving face-to-face business relationships or transactions — especially common in the past year and a half due to the COVID-19 pandemic — are higher-risk. An in-person relationship or a visit to the premises of the third party could be a way to gain more information about the third party. If this is not possible, alternatives should be considered, such as virtual tours of facilities.
Potentially fraudulent behaviour
Red flags for potentially fraudulent behaviour range from unwillingness to disclose UBOs or other relevant company information to providing false or stolen documentation or information. Companies should follow up and investigate such behaviour to gain reassurance over the legitimacy of the third party.
In all the above cases, companies should seek additional independent, reliable sources to verify information provided, and take extra measures to better understand the background of the transaction, and the ownership and financial situation of the third party.
Databases made available by private companies upon payment are useful, as they include information about UBOs, shareholding structures, media screenings, and director screenings. Free publicly available databases are also a valuable source of information, notably the database published by the Organized Crime and Corruption Reporting Project.
AML compliance tools available on the market are usually targeted at the financial sector. However, a wide range of compliance software tailored for nonfinancial institutions is available and could support companies in the automated identification of red flags associated with third parties. These tools can range from basic checks of third-party information against databases to sophisticated tools that leverage artificial intelligence to identify trends and analyse data. It should be noted, though, that the UK money laundering regulations of 2017 emphasise that, if electronic checks are made, the process should be secure, free from fraud, and capable of accurately confirming identities.
Due to the continuous evolution in the AML legislation landscape, technology, and financial crime tactics, it is imperative that professionals keep updated with the latest AML trends and regulations to manage risks effectively.
— Cecilia Locati, FCMA, CGMA, is the founder of Internal Control Toolbox and vice-president of risk, compliance, and internal audit for RHI Magnesita.