Compliance – A Pragmatic Approach to Regulation
Too often we hear financial services professionals complain that they are at odds with a confrontational compliance department; more often still, business generation units refer to their anti-money laundering team as a "business prevention unit".
Whilst there are many pieces of financial services law, regulation, rules, guidance & codes in existence (even in a small jurisdiction such as Guernsey) they have at their heart a few key goals:
- Protecting the financial services consumer
- Protecting the financial services system
- Preventing use of financial services for crime
So, how do we fix the often-confrontational approach that seems to prevail within the compliance / anti-money laundering space? Here are a few suggestions:
Not all business is high risk
Many Money Laundering Reporting Officers (MLROs) are very risk-averse; after all, they run the risk of prosecution if they do not fulfil their duties properly. However, it is important that a business has appropriate risk-rating for clients.
A MLRO may want to investigate each client to the nth degree; however, that flies in the face of the purpose of risk-rating – ensuring that client relationships that really are high risk have more time spent on them than lower risk client relationships. How can a business spend more time on those relationships when it has to perform enhanced due diligence (EDD) across all clients?
Ensure that when the board reviews the organisation’s in-house Anti-Money Laundering (AML) Handbook, risk-rating is covered with clear detail as to what could constitute a higher risk relationship. The board has the decision to control the risk of the business, and the MLRO cannot override the board in setting this policy, as they are the instrument ensuring compliance with the policies.
Regular review by senior management will help to ensure that an overly zealous MLRO is not jeopardising the profitable functioning of the business.
Not all countries are the same
This is an important mantra for two very different reasons:
- Lists of low risk countries and sensitive jurisdictions issued by the regulator can assist with risk-rating clients in those countries; as can sanctions lists issued by governments
- Not all clients in all countries can easily provide the required documentation
The former is important – firstly the Guernsey Financial Services Commission (GFSC) has published a list of jurisdictions that it considers to have equivalent AML frameworks (Appendix C) in its AML Handbook. The AML requirements are already quite complex, and whilst clearly the board should determine whether it wants to adopt the entire list of Appendix C countries as low risk, the MLRO should provide the board with reasons why any of the list should be discounted. Furthermore, ignoring the GFSC list of sensitive jurisdictions, or countries which appear prominently on the sanctions lists, could potentially imperil a business.
I once had reason to question a Deputy MLRO as to why a certain country was on their list of high risk jurisdictions. The answer was “because I want to know if any business is done from that country”. When asked what they would do with that information, the answer “I just want to know” indicated that there would be no special process for dealing with a client from that country. However, arbitrarily including that country on the high risk list means that any potential client would face providing EDD without good reason.
The second bullet point is an important one, and often vexes MLROs. What do you do when a client can’t provide proof of their address in the form of one of the documents listed in the GFSC’s AML Handbook? The answer is to think outside the box, and to suggest alternatives at an early stage. Maybe two independent statements of the client living there could be provided in place of a utility bill? There are some countries where standard proof of address is near impossible to provide, and the GFSC would simply want you to be comfortable that you have sufficient proof even in a non-prescribed form.
Don’t reject a document – seek additional confirmation
What do I do when the lawyer certifying the document hasn’t used the correct wording and hasn’t said that the photograph is a true likeness of the person they have met? Don’t just reject the certified passport out of hand – it nearly meets the requirements. How about emailing the lawyer asking them to confirm that it is a true likeness of the person they have met?
Not all business is high risk – Take 2
It is tempting for a MLRO to give any structure where a PEP is involved a high-risk rating even if there is no risk of the PEP illicitly obtaining funds based on the structure used and the financial services product they are using.
Let’s take the example of a UK-registered quasi-governmental entity that is regulated for financial services business and can be found on the FCA’s financial services register. There is a PEP on the board; however, the entity is investing into a fund and will only receive monies from an account in the name of the entity and will only pay out to an account in the name of the entity. How can the PEP use the investment to illicitly obtain funds? They can’t. Therefore, what is the risk? It’s a regulated financial services business in a low-risk jurisdiction – the risk is low.
Codes are Codes and Guidance is Guidance
Sometimes the GFSC issues codes and guidance.
Codes can often be seen as best practice; however, not all codes will precisely fit all business. Be willing to document where you don’t comply with a code and why. Table this before a board meeting and have the board approve the reason for non-compliance.
Guidance is just that; never take it as prescriptive. Guidance will often provide one route towards achieving a regulatory objective, so don’t feel obliged to apply the guidance rigidly. Be willing to employ a pragmatic solution that meets the requirements of your own business, and again get the board to approve this. So long as the controls effectively ensure the law, rule or regulation is complied with, the guidance does not need to be strictly observed.
If all else fails…
Sit down and discuss what you have and where the deficiencies lie. A Compliance Officer/MLRO should never simply dictate to the business. Maybe remedial action can take place. Maybe a small number of additional documents need to be obtained. Maybe a policy or procedure in place is no longer appropriate for all of the business being carried out and needs to be reviewed and updated. Be willing to be flexible and pragmatic.
The Midshore Solution
We can offer a pragmatic compliance/AML solution for our clients. We can review your compliance monitoring programme along with any of your procedures and policies, offering advice on where to improve them. We can also act as compliance officer or provide a MLRO for your business, ensuring that these functions are carried out in a way that ensures your business continues to comply with regulation without compromising business flows.
We can also provide regulatory refresher training to your team, including all Guernsey laws, rules & regulations; MiFID II & MiFIR; GDPR; CRS/FATCA; BEPS; AIFMD; and AML. We also offer training for the following CISI level 3 regulatory modules:
- Combating Financial Crime
- Managing Cyber Security
- Global Financial Compliance
- Risk in Financial Services