Criminals hide behind regulatory barriers while banks pay the price
Current practises – in particular rules barring lenders from sharing suspicious activity reports across borders – are leaving banks and regulators ignorant and exposed to criminals and money launderers
Lash out at the big international banks – as I did a couple of weeks ago – for shutting their doors to small companies, start ups, and other corporate waifs and strays, and the mumbled response is predictable and consistent: We have no choice because key regulators, in particular the US, are threatening fierce punishments for failure to demonstrate best efforts to “know your customer” – KYC – and failure to clamp down comprehensively on financial crime.
Uncertain about when or how they might fall foul of a regulator, banks have let fear become the ruler of their client relationships. Apart from KYC, there are three other three-letter-words that today haunt their workplace nightmares and sit at the heart of “de-risking” their operations to satisfy regulators: the Anti-Money Laundering (AML) and Counter-terrorist Financing (CFT) infrastructure, and Suspicious Activity Reporting (SAR). “Failures” to adequately KYC and submit SARs have left them exposed to regulator accusations of inadequate protections on AML and CFT. Get used to this acronym soup.
Punishments for some have been eye-watering. HSBC in 2012 paid US$1.92 billion in fines to US authorities for AML lapses, including allowing itself to be used to launder drug money out of Mexico. In 2014, the US Attorney’s Office forced JP Morgan Chase to pay US$1.7 billion to the victims of Madoff Securities on the grounds that they failed to maintain an effective AML programme, and failed to file an SAR on Madoff Securities’ trading activity.
In 2013 and 2014 combined, the UK regulator issued a total of £2 billion (US$2.83 billion) in fines for KYC and AML offences. Worldwide since 2013, financial institutions failing to meet AML rules for KYC have been fined more than US$10 billion.
The “precautionary principle” means not simply that a potential client with any sniff of opacity is politely shown the door. It means also that the KYC checks are so onerous, burdensome and costly, that unless the client is likely to be a big or influential one, account opening is simply not worth the bother. The average international bank today spends US$56 million a year on KYC compliance, according to Thomson Reuters, with some spending as much as US$400 million on KYC and its sister in crime CDD (Customer Due Diligence). Banks including Citibank, JP Morgan and HSBC say they have each hired between 25,000 and 30,000 compliance staff since the 2008 crash – a straight bottom-line hit that must be having murderous impact on profits.
A group of leading international banks in league with the Institute of International Finance (IIF) have been wrestling with ways to mitigate these disastrous developments, and they have homed in on at least one initiative that may help – making it easier for banks to share suspicious activity information. They have created a fictitious Mundus Bank to demonstrate how numerous current practises – in particular rules barring banks from sharing suspicious activity reports across borders – are leaving banks and regulators ignorant and exposed to serious criminals and money launderers.
The fictitious Mundus Bank has 3,000 offices across 50 countries, and 35 million customers worldwide. It has a striking similarity to a little local four-letter-word bank which has 47 million customers and operates in 71 countries worldwide, but let that coincidence pass.
HSBC emphasises that while Mundus is fictitious, “the examples themselves are based on real-life situations”. Mundus has correspondent banking relationships with institutions in a further 100 economies. It processes 2 million cross-border transactions each day, and files 100,000 suspicious activity reports (SARs) every year – between 300 and 400 every working day.
In a fascinating scenario elaborated on by the Mundus case, a tripwire was triggered in Singapore where a Mundus account was receiving regular round-figure payments ranging from US$20,000 to US$200,000 via the UK, originating in Latin America. An SAR was filed, and an internal investigation launched.
Needless to say, a can of worms emerged linking accounts both inside and outside Mundus Bank across dozens of economies. Because Mundus was not allowed to share the SAR with regulators outside Singapore, “authorities in Australia, Canada, Mexico, New Zealand, Turkey and the UK saw nothing”, the scenario noted.
Even within the Mundus Bank, investigators could not get a full picture, because US$ transactions within Asia-Pacific are cleared through Mundus Singapore, while dollar transactions elsewhere are cleared through Mundus US – neither of whom are allowed to share SARs. Because funds originated from banks outside Mundus, and ended up in banks outside Mundus – and because identities of beneficiaries were obscured behind nominees – it was impossible to discover whether or not money laundering was occurring. The SARs remained just that – suspicious.
Glaring out of the case were four clear sets of barriers to discovering whether criminals were at work:
•barriers to sharing information across borders;
•local data-sharing and secrecy laws that hide people behind nominees;
•no mechanisms for banks to share information, or discuss investigations with each other across borders;
•barriers to banks, police or global investigators working together on enforcement.
The fictitious Mundus case points clearly to the value of creating a single central body that sees all SARs and can communicate and coordinate with law-enforcers worldwide. Such an initiative would not only improve banks’ effectiveness in sniffing out murky business: it would cut onerous costs by greatly reducing the duplication of compliance work being done country by country across hundreds of big international banks; and most important of all, it would make it much easier for innocent small businesses to avoid the cross-fire.
Given the pressing importance of this problem, surely more parties need to get involved. In APEC, Finance Ministers last autumn called on the 21 APEC economies “to build capacity to address financial crimes, which threaten everyone’s economic and social well being”. They called for a report “exploring ways to strengthen capacity in tackling tax crimes and other related crimes”. But beyond these fine words, our region’s officials have sat on their thumbs. Surely cooperation to share suspicious information is not too much to ask.
David Dodwell is executive director of the Hong Kong-APEC Trade Policy Group