Hong Kong: Universal Banking Soldier
The Money Laundering Compliance Officer in the spotlight.

The designation of an appropriate person to be the Money Laundering Compliance Officer (MLCO) in a financial institution is not an altogether new legal requirement, but one that has come under increased focus as Money Laundering and Terrorist Financing assume a new importance.

The reporting element of the MLCO’s role is to receive reports from members of staff of their knowledge or suspicions of money laundering, and, unless he decides that it is not, in fact, suspicious, his responsibility is to pass that information to the relevant authority.

When this post was created, different institutions made the appointment according to different criteria, dependent on such internal variables as their internal understanding of a suitable individual profile or competencies, the availability of suitable staff, and their interpretation of whose bailiwick the work fell in. In terms of the latter, some large organisations took the view that it was related to fraud, and consequently it fell to whoever would be responsible for investigation work, wherever that might be. Others allocated it straight to the security function, others to internal audit departments or to the legal or compliance function. In most cases the positioning decision would have been made, or at least strongly influenced, by pre-existing departmental responsibilities. Whatever else may have happened, it is rare to find an example of an entirely new department being created or where the duties of the function were allocated to someone not already busy with other primary responsibilities.

There were no hard and fast rules for how the MLCO had to be selected, and the profile of the person selected was often a reflection of the times and the actual values of the corporate culture.

There was certainly no prohibition against the designated person having any number of other responsibilities, many of which might have had little relevance to the prevention of money laundering.

The position can therefore be found in various functional departments in different organizations, and there is unlikely to be one definitive correct answer as to where it ‘belongs.’. The question is not so much where it should be in terms of left to right on the Organization Chart, as much as it one of top to bottom.

It was, however, originally established as a compliance responsibility; and that meant compliance with the regulations and guidelines as issued by the governing regulatory authorities. There is little to suggest that any thought was ever given to this role having a contribution to make at a strategic level.

Unfortunately, as later events in the UK were to demonstrate, the administrative and reactive nature of the compliance culture proved to be one of its weaknesses. The role of the MLCO was consigned to too junior a level in many organisations, and because the regulatory authorities had their focus elsewhere and did not insist otherwise, in many cases the issue was allowed to slip lower and lower down management’s scale of priorities. There were few prosecutions and little incentive for the matter to be considered at a more senior level. Corporate policy was just to comply, passively, with anything the regulators required.

That, unfortunately, was one of the contributing factors that led to the embarrassment of the Abacha scandal. It is probable that no one really knows for sure exactly how much money Sani Abacha looted from his impoverished country, we only know what was later traced and returned, and that was a lot.

Between them, no fewer than 23 otherwise highly respectable financial institutions in London were found to have handled over US$1.3 Billion connected to Abacha, his family and close associates in Nigeria. If we assume that the money was evenly distributed among those institutions, they would still have handled over US$50 Million each.

Faced with business on this scale, the sad fact is that the institutions involved showed either a naivety that makes a complete mockery of their education or a complete disregard for their legal and moral responsibilities. The Financial Services Authority, although critical of the banks involved, was muted in its condemnation. 15 of the 23 banks were told their anti-money laundering measures were inadequate, so we assume that the remainder did have adequate policies and procedures in place, they just failed to implement them.

The scandal was not so much that it happened, but that the funds were so obviously connected to the President of Nigeria, a notoriously corrupt country where half the population live in abject poverty. Abacha was a military ruler, so without even enquiring as to salary levels in the Nigerian armed forces, the question has to be asked; where did these banks think the money was from?

Did they just assume his wife ran a successful legal practice? Generating over US$50 Million? Perhaps she augmented her income by taking in laundry, or selling cosmetics door to door.

The sad implication remains that the levels of "due diligence" performed was simply inexcusable, replaced by negligence, greed and wilful blindness.

The world has woken up to the question and now wonders why, when the leaders of these African countries have such enormous personal wealth, charities have to raise money for famine relief in their countries. As the legal environment evolves, future Abachas may find the financial community more apprehensive about accepting their wealth.

Smarting from the embarrassment of that case, one of the changes introduced by the newly inaugurated FSA in London was to examine the role of the MLCO. One significant finding was that, all too often, the role was being filled by someone too junior; so one of the most significant changes the FSA introduced was the rule that the person appointed to be the designated compliance officer must be a senior executive who is of sufficient maturity and independence to carry out the role. Additionally, their appointment must be approved by the FSA.

Corporate politics being what they are, it would be naïve to expect that this will insulate and protect the MLCO from operational and business pressures, but the rule was introduced so that senior management cannot abdicate their responsibilities in this area.

There are different aspects to the role. In addition to having a designated compliance officer, an anti-money laundering programme must include policies and procedures at both the prevention and the discovery stages, as well as a staff training programme. In some institutions, the role is largely restricted to the reporting function. The account opening due diligence procedures are left entirely to the marketing or operations staff, with little practical consideration of the money laundering implications, and similarly, the training function is often not considered a compliance responsibility either.

The problem is that no matter how well qualified, how senior and how diligent the MLCO might be, it is patently unreasonable to expect any one individual to keep an entire financial institution free from involvement in money laundering scandals. This would not even be possible with a large compliance department behind him. There are simply never going to be enough compliance personnel to be everywhere at once, looking over the shoulder of every other employee in the organization, policing every transaction.

The only way to build effective defences to keep money laundering out of the organization is for every member of staff, from the lowliest trainee clerk up to the Boardroom, to be alert in conducting their due diligence procedures in the first place, and to be vigilant in handling business on a daily basis. The MLCO cannot do this alone, nor can it be left to the compliance department. There is a need for Policies and Procedures that strike a balance between protecting the institution from exploitation by criminal elements yet do not undeservedly impede the flow of business, and it is of paramount importance that all staff are properly trained to be alert for signs of possibly suspicious transactions.

One of the MLCO’s most important management functions, therefore, should be to act as a catalyst for change in the organization, protecting the institution by raising the general awareness of the threat and fostering an environment where anyone intent on laundering the proceeds of crime is simply deterred and denied access.

The problem remains that some senior management appear to be living in the past, and cling to the old concept that anti-money laundering is just one more minor burden to be shouldered; not unlike the obligation to provide handicapped parking, a smoke-free workplace, RSI breaks or any number of other bureaucratic procedures that must be complied with. In many cases, the implications have not sunk home – that preventing money laundering is now a pre-requisite for staying in business, and the role of the MLCO must evolve with the times.

There is a widespread belief among senior staff throughout the finance industry that they have "enough" compliance already, and although there may be a perfectly understandable reluctance to allocate resources to something that is a cost-centre not a profit-centre, they forget that the price of liberty went up on 11 September 2001.

Although this was certainly not the only factor, it was certainly the most dramatic, and the most public signal that money laundering is being forced higher up the corporate agenda. The drive to identify and freeze terrorist financing may have been the spark that brought about the PATRIOT Act, but the greater effect of the fire will be felt against financial crime and the conventional use and abuse of the international financial system for money laundering.

The effect, not only of the PATRIOT Act, but of the EU Second Directive, the Proceeds of Crime Act and the new unitary regulatory environment under the FSA in the UK, and various other factors that have focused international attention on money laundering, has been to push an increasing burden on to the private sector.

Investigating money laundering is no longer something that can be dismissed as the responsibility of the police. In this brave new world it is the private sector, the financial institutions themselves who are being forced to assume responsibility for their own protection. The previous model was that compliance was a passive issue; the obligation was just that – compliance - meaning to do what we are told by the regulatory authority. The reality, however, is that it has evolved from a passive compliance role to a proactive preventative role; and the MLCO has been pushed forward to stand in the front rank; facing an enemy that is the proceeds of every crime ever motivated by financial gain.

The battle lines drawn, with the gnawing realization that the consequences of losing even one battle might prove terminal, the MLCO’s orders are simple; he has to protect and defend against the infiltration of a subversive threat.

There is widespread consensus that money laundering is a terrible blight on the international finance industry and that terrorist financing is a scourge to be eradicated, and in the current climate, it would be a foolhardy man who said otherwise. Talk, of course, is cheap. The real question is how seriously committed the financial industry really is, and whether or not anyone is prepared to show their commitment to the battle by actually committing resources to it.

It would be helpful, of course, if we knew what the enemy looked like. The problem, unfortunately, is that it is a compulsive and dynamic shape-shifter that could be disguised in any ostensibly legitimate account or transaction. Money Launderers cannot and should not be thought of as stereotypes; they come in all shapes and sizes, of every creed and colour, from every walk of life. At the higher and most profitable levels of criminal endeavour, where sophisticated schemes will be utilised, sophisticated and highly educated professionals will invariably be involved. The traditional tick-the-box clerical approach, therefore, may leave gaps in the barbed wire wide enough to march an entire Colombian drug cartel through in parade order to the accompaniment of a Mariachi band.

All organizations depend on rules, of course, and it is one of the most important Compliance functions to assess the risks pertaining to different activities, and to devise and implement operating procedures so that staff understand their responsibilities and remain alert to potentially suspicious behaviour. Those rules and regulations are fundamentally important, and they provide the foundation on which the MLCO can do his job.

From the criminal law perspective, the MLCO’s primary concern must be the company’s system for receiving reports of suspicious transactions, and, where necessary, passing that information on to the relevant law enforcement agency.

The amount of work involved in that effort, of course, is connected with the number of suspicious transaction reports generated by staff, and that is dependent on the nature of the bank’s business. Staff training also has a bearing on the diligence with which transactions are scrutinised and staff’s sensitivity to the risk, thus impacting on the number of reports generated.

The paradox, unfortunately, is that the more successful the MLCO is in training staff, the more time will be consumed with Suspicious Transactions Reports (STRs) and hence the less time will be available for him to engage in any other investigation work. These reports will always take priority.

Accordingly, one suggestion is that in addition to the compliance staff engaged to handle STRs, large financial institutions should appoint an additional team of proactive investigators, unburdened with STR duties, specifically to investigate, in depth, potentially suspicious activity within the customer base. This simple but innovative suggestion probably represents the most effective model available to an institution serious about weeding out criminal funds, and defending itself from the associated litigation.

The analogy is that rather than just employing a guard dog, it is also becoming necessary to have a bloodhound, to ‘sniff out’ potentially suspicious activity before the guard dog has seen the intruder or even knows to bark. The role of such an investigation unit would essentially be to supplement the more reactive efforts of their colleagues whose primary concern is the legal duty relating to STRs from staff. The investigation role would be a proactive one, to try to stay one step ahead of whatever money laundering strategies might be encountered, and to look for suspicious activity where it has not yet been identified or reported. This will generate valuable corporate intelligence for the senior Compliance Officer so that the institution might pre-empt any problems by initiating action early.

In smaller or lower risk operations, one person might be able to cover both these roles, but larger and more departmentally structured institutions might consider creating a new position, thus strengthening their existing structure to reflect the increased risk. Whether these two functions should be split will be dependent on a number of factors, not least of which are the size of the operation and the compliance resources available. However it is structured, the underlying principle is that the primarily ‘reactive’ compliance environment must evolve into a more proactive one. That being the case, the skills required in the position are also changing.

The priority is no longer simply to comply with the regulations and guidelines as issued by the governing regulatory authorities, but to take the initiative and identify problems before they arise. That takes the "Know Your Customer" ethic to a new level, and entails a degree of familiarization that might even be considered intrusive, particularly as it is so closely affiliated with the erosion of the traditional concepts of banking secrecy and the right to privacy.

Sincerity is always subject to proof, and information that customers may share about their background and the source of their wealth may not always be totally reliable. It therefore becomes necessary, in certain cases, to conduct discreet enquiries to determine if the institution should have grounds for concern. This cannot be done in every case, but it has become a requirement in the case of individuals or accounts deemed to be high risk.

Many management traditionalists might be inclined to keep such a new activity hidden so as not to risk upsetting sensitive customers. The contrary view, however, would be to give it a very high profile, making the presence of such a department widely known. Cynical as though it may be, one of the advantages of doing is not simply to identify evidence of crime, but to satisfy the regulatory authority! The importance of been seen to be doing all that is reasonably possible to defend against money laundering cannot be under-estimated, not just in order to keep the regulators at bay but to establish a defence for the inevitability of the legal challenge.

Reference was made above to how the anti-money laundering function can be found in different institutions departments of different institutions; ranging from Security to Internal Audit to Legal, but when recruiting for the position from external candidates, many institutions naturally looked to the ranks of ex-policemen.

The rationale for such appointments was usually related to the candidate’s knowledge of who the local criminal fraternity actually were, and their personal relationships with former colleagues still on the Force. In reality, however, these attributes come with a relatively short shelf life, and life in the private sector often calls for a different set of investigative skills, where the lack of executive authority entails more emphasis on analysis rather than criminal investigation skills, or interviewing technique. More important than an encyclopaedic knowledge of the local villains is an understanding of the dynamic nature of the money laundering risk, with the ability to analyze financial products for their potential vulnerabilities.

It is a rare banker whose career has been built on seeing vulnerability as quickly as others see opportunity. Where such individuals have the mental dexterity to assemble a multi-dimensional jigsaw pieces in his head, it should be rarer still, we hope, that one would have the thought processes, not so much of a Sherlock Holmes as that of his arch-rival, the criminal Professor Moriarty.

Unfortunately for the HR Department, these rare animals are now needed.

In addition to these qualifications, the greater challenge is in the implementation of counter-measures, and advising on anti-money laundering measures which are effective, but do not interfere with the primary role of the organisation, which is to do business and make money.

The problem with the anti-money laundering function in any financial institution, unfortunately, is that it is counter-profitable if not actually counter-productive. In an expansion-minded organisation whose stock-in trade is money, the movement of money and finding profitable investments for money, the corporate culture has to promote business expansion and the accumulation of more money to manage.

Against that, the anti-money laundering effort demands that somebody stand in the face of this, and, in the worst case, draw a line in the sand and forbid certain transactions. This calls for one of two things, therefore, either such seniority that he can neither be easily intimidated nor over-ruled in a confrontation, or considerable strength of character, with the moral fibre and thick-skinned tenacity of an alligator who would rather be right than President.

Much of the job should involve being a strategic advisor to senior management, nurturing and shaping the operations of the organisation, and steering them away from potential problem areas. However, when push comes to shove, although the Chief Executive should have enough savvy and faith not to get into such a drama in the first place, when the MLCO squares off against him in a Mexican Stand-off, with guns drawn at twenty paces; the Compliance Officer’s job is to protect the institution, from itself if necessary - he cannot be the one to flinch.

In almost any other situations, this would be absolute and certain career suicide. Even to contemplate the prospect might be signs of certifiable madness, but there is method in this particular strain of madness. The reporting element of the MLCO’s role involves receiving reports from staff and passing that information on in the form of a Suspicious Transaction Report. Of course, if the staff’s concerns are deemed to be unfounded, no further action is necessary, but if it transpires that the activity was, indeed, related to the proceeds of crime, but that no report was made to the authorities - either through error or negligence - the liability for the oversight rests on the shoulders on the MLCO. ‘Failing to report’ is a criminal offence. In Hong Kong it is punishable with a HK$500,000 fine and a three month prison sentence.

Moreover, in the UK, in addition to the ultimate threat of criminal prosecution, failure to perform these duties adequately can now lead to disciplinary procedures and personal fines being imposed by the FSA.

Admittedly, convictions for ‘failing to report’ may be notoriously difficult to obtain, but law enforcement authorities are only too well aware of two simple facts. The first is that they cannot investigate or prosecute serious criminal conspiracies or complex financial crimes without the support and co-operation of the financial community. The second is that unless and until senior executives and board members of major financial institutions appreciate the gravity of this obligation, and the real risk that they themselves might face a stiff sentence on money laundering charges, there is little incentive for real change.

Without such a threat over them, the financial community can be relied upon to resist each and every meaningful increase in their compliance duties.

In all wars, much depends on the vigilance of the soldier on sentry duty. The war against Money Laundering and Terrorist Financing is no different, but the sentry is no longer the man in uniform, armed with a rifle and bayonet, the role has been passed to every member of staff who is involved with a financial institutions customers and their business. It is a collective responsibility.

Staff must be trained to be mindful of the risk and they must be encouraged to report any suspicions they may have, because a policy of "Don’t ask, don’t tell" is a recipe for certain disaster for senior management and for the institutions itself.

The MLCO himself has an ‘HQ job.’ He does not interact with customers in the normal course of business so it is unlikely that he will be the one in the front line position who first flags a potentially suspicious transaction. He will, however, be the one person standing in front of the Chief Executive if the institution fails in its responsibilities in this area and the Firing Squad is assembled. His incentive should be to make sure that that day never comes.