Know Your Customer … But to Thine Own Self Be True

Almost every move we make is determined by a risk assessment. From jet-skiing without a life jacket to parking momentarily in a no-parking zone, our daily decisions are made weighing risk against benefit. While we often think we have all the information and skills to assess the situation, many of us zoom past the red flags, muffle the warning beeps on our risk radar and speed ahead anyway – only to take a long, hard fall later for not erring on the side of caution.

Some of us simply can’t fight this aspect of human nature.

When it comes to assessing the risk of money laundering in the financial sector, the highly calibrated risk-assessing processors can seem just as inadequate. Despite having years of practice for firms to get it right, we are privy to an endless parade of financial institutions mired in the astonishing magnitude of their muddled customer due diligence (CDD). In 2020, banks worldwide paid a collective $15.13 billion in fines for a range of compliance failures.

As BuzzFeed News revealed last fall with the publication of the FinCEN Files, banks look the other way while processing trillions of dollars in suspicious transactions and often ignore their own employees’ warnings.

Don’t Rain on My Parade: Poking Holes in the AML Compliance Umbrella

A scandal can serve as a good scare tactic in that it sends fear shivering through boards of directors, reminding them that AML noncompliance can be a risky business in a shifting sea of regulatory enforcement. Every time huge fines rain down from thunderous regulatory skies on an errant firm, compliance officers in organizations in the same sector suddenly remember to huddle under their colorful “tick the box” compliance umbrellas so they can hire more compliance staff and scribble new AML policies. Too often these will be forgotten when the media storm passes and the ice water in management’s veins begins to thaw.

What’s more, it’s clear that these punitive actions are not translating into lessons learned. AML fines have accelerated steadily over the past two decades. The period between 2008 and 2018 saw $26 billion in fines, while 2019 alone saw $10 billion. There is no reason to believe this trend will reverse any time soon.

It appears there is a huge disconnect between “compliant” CDD controls and the ability to assess the money-laundering risk off the back of that process. The resolution to that quandary requires a deep dive into the swirling vortex of the CDD black hole.

Conflicting Risks Can Sink Ships

Grounded in a risk-based approach, AML legislation best practice places high importance on the CDD process as a primary gatekeeper in the prevention of financial crime. If the due diligence is done right, both at onboarding and in an ongoing fashion, it can help safeguard against money launderers looking to secure a haven for their illegal activities.

But although financial institutions may be putting their best foot forward to stay compliant with AML and CDD regulations, the same faulty human decision-making processes (miscalculating risk when focusing on an immediate outcome) is replicated when it comes to CDD execution. Employees and employers alike are interested in swiftly onboarding clients, which means lowering customer drop-out rates while potential gains pour unobstructed (and more quickly) into the company coffers. And skipping cyclical ongoing monitoring checks means less people to man the company decks, less friction with the existing clients and perhaps even higher personal ratings from their direct supervisors sharking the waters for big fish.

In short, the KYC/CDD process is vulnerable both at the staff level where people (by their nature) are prone to breaking rules and err in their haste to get the job done, as well as on the board/management level where the human appetite for greed and power will always directly conflict with organizational risk appetite.

So as long as the lure of lucrative transactions waxes louder than the lure of the police sirens, there needs to be a human-friendly, intuitive CDD safety net in place so the slippery fish can’t slip through any holes.

Paying the Price of the Disconnect in the Murky CDD Process

In an infinite fintech sea rife with financial crime, onboarding and monitoring clients is at once a Sisyphean and thankless task – with plenty of room for error throughout. Diligence doers participating in different parts of the CDD process often come to the table with varying levels of responsibility, differing skill sets and maybe even opposing incentives for doing their jobs. Yet they are expected to work seamlessly in tandem over time, often without a centralized repository to house documentation and communications between them.

At the same time, the difficulty in accurately assessing the multiple, intertwined layers of risk, (client, product, geographic and transactional) can become even more overwhelming when inconsistent verification standards within the firm result in poor-quality datasets. Add that to a lack of a standardized decision tree in place to generate the risk ratings, and once again, the CDD process can end up being highly subjective – leaving the guy at the helm to sheepishly present the regulator with a justified audit trail of abhorrent CDD incompetence.

And finally, the faint of heart (and those individuals disdainful of sophisticated CDD solutions) should note that all this careful and detailed investigation is being carried out against the backdrop of dynamic global sanctions changes, emerging legislation, missing documentation, client identity falsifications and pressure from the client (and the firm) to keep the money moving in one direction – all under the leer of a looming regulator. Yikes!

UBO or UFO? Go with the Flow!

Weighing the risks against the benefit under stringent AML controls means asking the right questions in order to avoid doing completely unnecessary checks. But at the same time, it also means knowing when not to cut corners (like not bothering to investigate source of wealth or source of funds. The only way to achieve that delicate balance is to implement a data-rich, centralized solution that is inherently customizable to any firm’s specific workflow while providing built-in best practice checks and balances to fit relevant business environments and jurisdictions. Guiding and leading with automatic prompts and triggers enables staff adhering to a risk-based approach systematically with minimum effort.

The quintessential tool would be anchored in conditional logic, where the relevant queries and requests for information would appropriately unfold during the CDD process as the system is dynamically generating an overall risk rating. In addition, the supervisors can be flagged to initiate changes, approve or disapprove, as well as oversee the weighting of the individual risk ratings as necessary at any point in time. The strategically placed prompts, calls for action, reminders and flag triggers act as a bulwark against the typical KYC/CDD obstacles – namely, human beings.

Know Your Risk … of Not Having a Conditional Logic-Based CDD Lifeboat in Place

As the rising tide of money-laundering crime engulfs regulators across the globe, they are digging in and clawing their way to the top by upping the ante. Penalties can now include not only fines, but also other enforcement measures, like firms being barred from taking on new clients or being restricted in certain areas of business.  Jurisdictions such as the U.K. have expanded the businesses subject to a regulatory framework to include accountancy practices, law firms, estate agents, art dealers and cryptocurrencies while virtual assets are starting to come under a regulatory framework in the EU. No one is safe from their oversight – from the little accounting firms to those offshore lounging on their yachts!

As for you, the casual doer of diligence wandering around bewildered in the CDD maze, beware: The ultimate responsibility for onboarding that risky client is on you and your firm. Perhaps in addition to verifying your clients, you should verify your need for a risk-based CDD solution before someone high up goes head over heels overboard.

As the economic benefits of central bank digital currencies emerge, so does one of their major downsides: an opportunity to avoid sanctions imposed by governments.

Almost every day it seems a new form of digital money emerges, often touted as the next hot idea. But with so many governments indicating interest in these developments, central bank digital currencies (CBDCs) might actually be a technology to change the world.

WHAT IS A CBDC?

A CBDC is a digital form of currency issued by central banks, which often have a monopoly over the issuance of currency within their own state’s territory. As a currency it is different from traditional reserves or settlement accounts, which are the established way for central banks to issue their ‘physical’ currencies. Although evidently inspired by cryptocurrencies such as Bitcoin, CBDCs are more like cash. While Bitcoin and Ethereum prices fluctuate wildly and could lose their value entirely, CBDCs are backed by a government, and are legal tender in the country in which they are issued. Thus, it is easiest to conceptualise them as digital banknotes, despite being inspired by decentralised cryptocurrencies. And although not an absolute necessity, many CBDCs are based on distributed ledger technology – decentralised databases managed by multiple participants or nodes – which is the technological infrastructure underpinning blockchain and cryptocurrencies.

CBDC models do vary by jurisdiction, and can be broadly grouped into two main types: wholesale and retail/general purpose. It is worth noting that most countries discussed are creating retail CBDCs (those widely available and targeted at payments between individuals and businesses).

Design choices also vary: CBDCs can be token-based or account-based. The former draws more from typical cryptocurrency models, using private and public key pairs similarly to Bitcoin. The latter requires each user to hold an account with the central bank, with transaction approval dependent on identity verification. It seems that most CBDCs will adopt the latter model.

GLOBAL INTEREST IN CBDC USE

A 2020 survey conducted by the Bank for International Settlements found that ‘80% of the world’s central banks had already started to conceptualise and research the potential for CBDCs’. Perhaps this is no surprise given the declining use of cash, spurred on by the coronavirus pandemic and the necessity of contactless payments.

Even before the pandemic, cash use was already declining in many advanced economies, a trend that has worried central banks, which aim to foster public access to and trust in central bank money. A CBDC has the potential to address this trend and help countries in a variety of ways, including fostering financial inclusion by expanding the number of people who have access to banking services and by enhancing the effectiveness of monetary policy. For citizens, a digital banknote could perhaps be the safest form of money.

CBDCs are no longer just theoretical. In late 2020, the Bahamas launched the Sand Dollar; China is in the news frequently for its progress with the digital yuan; and the EU, the UK and the US have all indicated their interest in exploring their own CBDCs.

This domestic focus is also coupled with international ambitions, as many countries aim to improve cross-border payments through CBDCs. While there are debates over the best ways to ensure CBDC interoperability, there is a strongly held belief that CBDCs can benefit the global economy. But herein lie the international security risks, especially when looking at the effectiveness of financial sanctions.

EFFECT ON SANCTIONS

Many countries face various sanctions regimes from the US and the EU, or those mandated through UN Security Council resolutions. Countries sanctioned heavily by the US show particular interest in CBDCs, and some have even explicitly stated their intention to evade US sanctions through popularising their own CBDC.

China is the most notable of these, especially given its progress and success in this space with the digital yuan, also known as DC/EP (Digital Currency/Electronic Payment). In November 2020, Beijing announced that almost $300 million had been spent using DC/EP in four million domestic transactions. The aim is for broad circulation by 2022 with an intention to test DC/EP at the 2022 Beijing Winter Olympics.

Russia, Venezuela and Iran, all facing US sanctions, have also shown various levels of interest in CBDCs. In March, Moscow said that the first prototype of a Russian CBDC will be launched in late 2021. Venezuela’s President Nicolas Maduro has long tried to popularise the Petro coin, claiming that the pre-sale alone raised $3.3 billion. These numbers are unconfirmed and the Petro is largely seen as a failure. Meanwhile, Iran is also conducting research.

DETHRONING THE DOLLAR

It is easy to understand why any government would be interested in a CBDC. For US-sanctioned countries, though, there might be additional long-term benefits to investing in this technology. Currently, the US can exert power over these countries due to the ubiquity of the dollar – as of 2019, approximately 88% of all foreign exchange trades were backed by the dollar. Widespread adoption of CBDCs could reduce the dollar’s domination, lessening the power of US sanctions.

Multiple US-sanctioned countries have specifically listed decreased dependence on the dollar as part of their motivation for creating a CBDC. Russia’s central bank said that a digital ruble could help mitigate the risk of sanctions. Chinese state media claimed in 2020 that ‘sovereign digital currency provides a functional alternative to the dollar settlement system and blunts the impact of any sanctions’. Iran’s President Hassan Rouhani specifically proposed a cryptocurrency-related payment system among Muslim countries to cut regional reliance on the dollar. When announcing the Petro, President Maduro claimed the coin would ‘help to overcome the financial blockade’.

Washington is aware of these motives. In March 2018, then-President Donald Trump bannedUS companies and citizens from dealing with Venezuela’s Petro coin. More recently, US officials, speaking on condition of anonymity, told the Bloomberg news agency that the Biden administration is ‘eager to understand how the digital yuan will be distributed, and whether it could also be used to work around US sanctions’.

Another function of CBDCs is the ability to oversee and monitor citizens and financial transactions. Any account-based CBDC potentially allows tight control by the central bank over the finances of the users. While this will be helpful in identifying illicit activity, it also means that the central bank can see exactly what citizens are doing to an extent previously unimaginable in traditional finance.

The type of anonymity used in the centralised CBDC models means that both parties in a transaction would likely be anonymous to the public but visible to the central bank. CBDCs therefore offer less privacy than cash, a feature that may add to their appeal in authoritarian countries.

WHAT IS NEXT?

One of the biggest unresolved questions concerns the level of infrastructure compatibility between the different CBDC models that are emerging. The long-term impact of a CBDC like DC/EP cannot be understood until there is some ability to exchange the CBDC for other fiat currencies – successful internationalisation of any currency (physical or digital) is near impossible without exchange options.

Furthermore, what impact might CBDC conversion into other digital currencies have? For example, if China allowed conversion from DC/EP to cryptocurrencies, would this enable a new sanctions evasion route for North Korea, a country already known for its cryptocurrency expertise? It seems unlikely that China’s CBDC would engage with decentralised cryptocurrencies, especially given Beijing’s bans on the technology, but it is possible.

Sanctioned countries are far from the only jurisdictions interested in this technology, and the interoperability of CBDCs applies equally to the UK’s potential Britcoin or the digital euro – perhaps even more so given these countries’ centrality to international trade. Yet as with any promising innovation, anticipating the potential for abuse will be an important consideration as this technology proliferates.

“And the Award for the Most Disastrous Third-Party Risk in 2020 Goes to …”

Imagine if there were an annual award show for risk. Of course, due to the pandemic, the award show would have to be virtual – but if there were such a show, the pinnacle award would be for the Most Disastrous Risk of the Year.

Hands down, the award for 2020 would go to location risk. In case you aren’t familiar with location risk’s body of work, it includes events specific to a geographical location: natural disasters such as hurricanes, earthquakes and disease outbreaks; social unrest including riots and strikes; political instability resulting from high-level corruption or a coup; terror attacks, whether physical or cyber; and macroeconomic conditions like high inflation and high unemployment.

All kidding aside, this is detrimental because most organizations’ third-party risk management programs ignore location risk altogether. During 2020, their almost laser-like focus on financial and cyber risks left businesses uninformed and behind the eight ball, struggling to keep up with the rapidly changing risk landscape. In fact, during the pandemic, financial and cyber risks were actually lagging indicators.

As the pandemic gained steam, there were countless leading indicators, which – if known early enough – could have been used to improve business continuity and resiliency.

Financial and Cyber Risks: Lagging Indicators

Let’s take a look at COVID-19’s cascading risk scenario to further explain why financial and cyber risks were actually lagging indicators during the pandemic. When the crisis started, the first business continuity risks arose as China’s government enacted restrictions to stop the spread of the disease. Next came government regulations risk in other countries from shutdowns, border closures, travel bans, etc. Then entered people risks, as a pandemic is foremost a health risk. Risks of wide-scale absenteeism grew due to individuals either contracting the disease themselves or having to care for family members who were ill. Some locations were significantly more vulnerable due to weak health care infrastructure.

After people risks came remote-work requirements and lockdowns that were stricter and longer in some locations than in others. In many areas, this was a challenge due to poor internet infrastructure and a shortage of laptop computers. With people forced to work from home on unsecured networks and personal computer equipment, cybersecurity risks increased.

As the pandemic continued long-term and economies constricted to different degrees in different locations, financial cracks finally began to show with third parties. With a reactionary approach that relied on monitoring changes in only financial or even cyber risks, businesses were late to prevent a cascading downfall.

The 3 Resiliency Lessons Learned

If COVID-19 has a silver lining, it’s the opportunity to learn from our risk management shortcomings and advance our risk management practices to ensure greater future resiliency. Our experience during the pandemic brought into focus three critical lessons:

1. Resiliency requires monitoring location risk. Unfortunately, as many enterprises ignored location risks in their TPRM program, they were left in the dark about the locations from where services were provided. They didn’t understand the inherent weakness and vulnerabilities of each location and were ill-informed when their location’s risk landscape changed, forcing them to manage risk reactively.
2. Resiliency requires monitoring risk continuously. During 2020, the foundation of the majority of risk management programs were legacy processes like point-in-time assessments, due diligence and onboarding. Because most organizations lacked continuous monitoring capabilities, they were forced to rely on data collected months before the pandemic. As the risk landscape rapidly evolved and changed with each new day, this stale data was unhelpful and at times counterproductive for risk mitigation efforts during the pandemic.
3. Resiliency requires monitoring risk across broad frameworks. A global crisis such as COVID-19 presents the unique challenge of cascading risks. Global business supply chains are hyperconnected, and managing business continuity during the unprecedented disruptions without a guidebook was difficult. There’s only one way to effectively predict what comes next when faced with a cascading risks scenario, and that’s through continuous monitoring of broad risk aperture.

The Risk Horizon for the Rest of 2021

The global effects of the pandemic are far from over. Although some countries are making progress on vaccinating their citizens, many countries are at a financial and health care infrastructure disadvantage. The longer the virus continues, the greater the chance that mutations could result in variants that could reduce the efficacy of our current vaccine protocols. Vaccinated travelers to foreign countries could bring variants home, re-igniting the problems we faced in the early days of the pandemic.

Beyond location risks, others to consider include:

• People risks will continue to remain high. Talent well-being in terms of physical, mental and emotional health should be a high-priority focus in 2021. Talent is always a resource constraint, but it’s especially so in a pandemic.
• Cyber risks will continue to increase as companies adopt more permanent remote and distributed working models.
• Financial risks could rise. As the crisis is prolonged, we could see greater negative impact to revenues. This poses a tremendous financial risk, especially for small- and medium-sized companies without a strong enough balance sheet to get them through the crisis.
• Regulatory and compliance risks will rise as regulators add new regulations to address the distributed and non-physical work environments of “work from anywhere.”
• Supply-chain disruption risks got a lot of attention during the pandemic as enterprises realized they lacked view beyond their third parties. Effective mitigation of supply chain disruption risks requires a deep view to the Nth parties of the supply chain.
• ESG risks have become a hot topic in the last six months. Failure to incorporate ESG risk monitoring will leave companies susceptible to compliance and reputation risks at their own enterprise level and throughout their supplier network.

Advancing Risk Management through Automation

When we are finally able to get COVID-19 under control globally, we must consider the possibility that the virus is only a “practice pandemic.” The next one could be worse in terms of mortality rate and business disruptions.

As it’s impossible to predict with certainty where the next global crisis will come from, enterprises must incorporate continuous monitoring capabilities across a broad risk aperture to enable the early warning system that continuity and resiliency requires. Unfortunately, today’s risk landscape is so vast that continuously monitoring risk is beyond human capabilities. The good news: there are risk solutions in the market that leverage automation to enable continuous monitoring that allows internal risk teams to move away from spending time on risk identification efforts to focus instead on risk mitigation.

For the increased volume of risk findings that may result, cutting-edge risk solutions have leveraged further advances in AI, data science and machine learning to automate a significant portion of risk actions required. Internal risk teams can focus on only the most critical risk mitigation efforts that require human intervention and effort. Incorporating today’s automation in TPRM programs can enable continuous monitoring across a broad risk aperture to provide a current and comprehensive view of an enterprise’s risk landscape.

Looking Ahead, Proactively

Eventually, we will move beyond the pandemic, but our dynamic risk landscape is here to stay. Proactive risk management can achieve continuity and resiliency going forward, but it will require enterprises to move to risk management practices that include continuous monitoring across a wide risk aperture, including location risk.

Fortunately, humans don’t have to do it alone. Today’s automation capabilities enable risk teams to stay ahead of the rapidly changing risk landscape effectively and cost efficiently. Early warning from leading indicators and automated risk-mitigation actions will enable risk teams to do more with less, and enterprises will experience improved business continuity and resiliency facing whatever new risk is next on the global horizon.

Article by Meera Narendra

Following allegations surrounding money laundering and tax violations, Binance Holdings Ltd., is facing a federal investigation by the Internal Revenue Service and the U.S Department of Justice.

According to Bloomberg, government officials have been seeking information from people who have insight into Binance’s business dealings and exploring possible money-laundering and tax-related offenses by both the exchange’s staff and customers.

The investigation comes after a report by Chainalysis, a blockchain forensic firm, traced $2.8 billion worth of illicit bitcoin on exchange and trading platforms, of which $756 million went through Binance.

The crypto exchange said: “We take our legal obligations very seriously and engage with regulators and law enforcement in a collaborative fashion. We have worked hard to build a robust compliance program that incorporates anti-money laundering principles and tools used by financial institutions to detect and address suspicious activity.”

Concerns have been raised regarding cryptocurrencies being used to conceal illegal transactions and those ”who’ve made windfalls betting on the market’s meteoric rise are evading taxes,” Bloomberg reported.

The cyber-attack against Colonial Pipeline Co, which triggered fuel shortages across the Eastern U.S. resulted in the company paying the hackers a $5 million ransom in intracetable cryptocurrency within hours.

Binance is also currently under investigation by the United States Commodity Trading Futures Commission (CTFC) for allowing U.S. investors to buy and sell derivatives.

Article by David Lawder

U.S. Treasury Deputy Secretary Wally Adeyemo told securities industry executives on Wednesday that the Treasury will weigh the costs and benefits of financial sanctions to ensure that they remain a strong and viable foreign policy tool.

In a statement following a meeting with the Securities Industry and Financial Markets Association (SIFMA), the Treasury said Adeyemo gave the group an update on his review of Treasury sanctions policy, saying that sanctions “have become the tool of first resort” to address national security and international economic challenges.

“He explained that while this tool has resulted in notable successes, it has also created unanticipated challenges,” Treasury said without naming specific cases.

“The Deputy Secretary stressed that moving forward, and as the United States faces a changing international order, the Treasury Department is assessing the costs and benefits of sanctions use in each case with an eye towards ensuring they remain a strong, viable option for policymakers in the years and decades to come.”

By David Lawder, Reuters, 21 April 2021

Article by Accounting Web

The NCA and OPBAS have published guidance for accountants on preparing “clear and concise” Suspicious Activity Reports (SAR). David Winch summarises what a ‘good quality’ SAR looks like.

Not the most snappy title, but the latest “Guidance for anti-money laundering supervisors on submitting better quality Suspicious Activity Reports” published this month is mercifully brief and readable.

It’s been prepared by the National Crime Agency (NCA) in conjunction with the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) with the intention of helping accountants and lawyers improve the quality of the SARs which they submit.

Clear and concise

It’s not rocket science. The key point is that your SAR is going to be read initially by someone who knows nothing about your firm, nothing about the person about whom you are reporting, nothing about what you are hoping or expecting the authorities might do after receiving your SAR and – let’s be frank – probably understands very little about accounts, tax or company law.

It’s likely for this reason that acronyms and jargon should be avoided as the recipient might not understand and they’re open to misinterpretation.

So you need to give them enough background to understand who you suspect, what you suspect them of having done (or failed to do), what your connection is to the suspected person and suspicious events, and why this is an issue which should interest the authorities.

Aside from the most basic advice – “Punctuation should be used” – and please DON’T HIT CAPS LOCK – the guidance asks that SARs be clear and concise and structured in a logical format.

A brief chronological summary of events will be useful and the SAR glossary codes can save time for the writer as well as the reader. A quick XXF4XX tells the reader immediately that you are reporting a suspicion of personal tax evasion.

Of course you will not be in a position to, for example, quantify the amount involved in a suspected fraud – but you probably can give an order of magnitude which gives the reader a better understanding of the issue.  The more focussed and relevant information you can supply, the better.

Reason for suspicion

The suspicion element needs to be explicit. But with characters limited (8,000 characters on SAR Online and 30,000 using email bulk encryption), it advises you to focus on the five Ws: who, what, where, when and why.

• Who is involved?
• How are they involved?
• What is the criminal property?
• Where is the criminal property?
• When did the circumstances arise?
• Why is there suspicion?

If you’re needing to submit a SAR have a read of this new guidance HERE and use the appropriate glossary codes which you can find HERE.

Then get that SAR submitted and get back to remunerative work!