Between the 1st and 2nd Lines of Defence | Key Takeaways from our AML Network Forum
On Friday the 18th of November, FCG launched the anticipated AML network, and kicked-off on the topic of striking the right balance between the 1st and 2nd defence line.
Senior executives from Nordic financial institutions met up in Stockholm and were joined by international speakers including the Financial Times reporter Richard Milne, the Advisor to the Governor of Central Bank of the UAE Uldis Cerps and John McDermott, Director at Protiviti.
Is transparency an active choice?
Richard Milne, the Financial Times’s correspondent covering Scandinavia and the Baltics, set the scene with a review of the last years´ money-laundering scandals, causes and effects.
According to Milne, the Swedish trust-based system has a certain influence on our approach to AML. Swedish companies are still reactive, always solving the last crisis and while struggling to solve the last, criminal actors are already advancing to the next modus.
With regards to the role of media and the question if media has changed how it reports on financial crime in recent years, Milne referred to the significant resources that the criminal actors possess, and how colleagues at the Financial Times have been subject to intensive actions by Russians sending out “very aggressive letters”.
In reference to how the money-laundering scandals have impacted how boards and senior management deal and communicate around money-laundering, corruption risks and incidents, Milne says it is frustrating to see that transparency is not chosen. There are no “good examples” of companies that have mitigated scandals from escalating by actively demonstrating transparency.
Uldis Cerps, former Executive Director Banking Supervision at the Swedish Financial Supervisory Authority, joined via link and gave his views on why several Nordic banks have failed in their anti-money laundering obligations.
Cerps discussed models to understand market failure and the resulting need for regulation and posed the question if commercial self-interest is sufficient to prevent money-laundering. The answer according to Cerps is no, because of the fixation on business revenues and the avoidance of excessive costs. The result – in the absence of regulation – would be a lack of competence, underinvestment in people, processes and technology. AML regulation minimizes those risks but cannot completely eliminate them.
According to Cerps insufficient understanding or AML risks and an inappropriate risk culture are the key drivers of non-compliance. Companies need to review their incentive structure, and AML must be an integral part of risk management framework and corporate governance.
Overlaps and underlaps in how AML resources are allocated
Focusing on the three lines of defence, he noted that banks globally are required to address both overlaps and underlaps in how AML resources are allocated. It is also critical that the AML risk assessments are comprehensive and up-to-date, and that the top management receives accurate and sufficient information on outstanding compliance issues both in the parent company and in subsidiaries.
Cerps pointed out that the gap between Swedish financial institutions perception of their AML capabilities and reality in terms of how well they do manage AML was evident a decade ago. He referred to the report “Money laundering and financing of terrorism. Better risk management” by Swedish FSA (2013), which states that “On the basis of survey of large number of companies, FSA observes that a large share of companies are convinced that they comply with the legal requirements regarding risk management. At the same time, while performing its supervisory and licensing activities, the FSA observed at the time that many companies have notable difficulties in achieving appropriate quality in their work (to prevent money laundering and terrorism financing)”.
AML risk is wrongly understood as the risk of being sanctioned
He also noted that in the past years cross-border supervisory cooperation in the AML area has been strengthened, and this work should continue.
He remarked that the AML risk is often wrongly understood as the risk of being sanctioned, while the reality is that financial institutions could get exposed to laundering criminal funds or financing terrorism.
The audience suggested that senior management grapples to understand AML risk because the risk is difficult to quantify. The participants also noted that market discipline has not brought the AML risk to the surface, and markets reacted only when the risks are materialized, focusing mainly to the risk of sanctions.
John McDermott, Director and Financial Services Industry Luminary at Protiviti, and former Managing Director & Head of Compliance and Operational Risk Control at UBS New York, joined via link from the USA and shared his experiences from the US context and over forty years in senior governance, control and internal audit functions in global financial institutions.
Fines are not correcting behaviour, according to McDermott, financial institutions need better scoring systems for inherent risks. Management of residual risk need to be dynamic. Today these processes are still manually intensive in many organizations. Client-owners in the first line must have greater input to the risk appetite, accountability and AML needs to work in partnership with business management.
No time to be pro-active?
In his presentation, McDermott talked about how companies are spending around 80 percent on their attention and resources on hindsight and insight activities such as yearly testing and attestations, credit scores, postmortems, supervision violations, surveillance violation, alert monitoring, root cause analysis and lessons learned. Meanwhile, only approximately 20 per cent is spent on forward looking and pro-active measures on predictive behavioral analysis, non-traditional key risk indicators, or seek rational in the seemingly disparate.
There is a misallocation of compliance resources. Firms should pursue a balance between hindsight and foresight. Control team’s responsibilities and reporting lines need to be crystal clear.John McDermott
Do not get stuck in line 1 1/2
According to McDermott’s experience, in migrating accountability to the business for AML controls, many firms have hired compliance professionals to perform aspects of the oversight function in the first line. This makes sense from an experience standpoint, but the program can become at risk when these first line professionals’ “straddle” the first and second lines, and sit in “no man’s land”, also known as line 1 1/2.
“The most successful compliance programs are ones that act independently of the first line, but that enjoy strong tone at the top cultural support, as well as sufficient funding for IT and staffing resources” states John McDermott.
Taking a summary view on the discussions that followed, Ronny Gustavsson, Director and Head of Financial Crime Prevention at FCG, notes that senior management in many organizations have a need to evaluate and implement a functioning risk appetite with appropriate key risk indicators.
Many comments in the forum pointed to this challenge, among other things, as well as challenges at the juncture between a supervisory perspective and effective risk mitigation. Integrating traditional work with regards to evaluating operational risks with AML enables banks and other financial companies to measure, control and reduce risks. This is really important, but an area where many organizations today need to advance quite a bit more.Ronny Gustavsson
While the challenge to be the step ahead of financial crime is constant, AML needs to be constantly updated and dynamic.
To join the next FCG AML Network Event on the of 10th March in Stockholm, please pre-register here.
For more information, please contact Louise Brown or Jonas Karlsson.