Businesses continue to face multiple challenges in achieving compliance with the requirements of the FCA and the 5th Money Laundering Directive (5th MLD), whilst running a tight and effective business. In all cases the aim is the same: to prevent crime whilst
enabling genuine business, but the approach can seem rather different. In this article I look at the difference in approach between the FCA and the EU's Fifth Money Laundering Directive and why this might be.
5th Money Laundering Directive
The Anti-Money Laundering Directives aimed to effect industry change at all levels, via revised scope and defined reductions in threshold values. The latest version, the 5th Anti-Money Laundering Directive, is said to further strengthen transparency and the
existing preventative framework, whilst ensuring the UK adheres to international standards set by the Financial Action Task Force (FATF).
The Financial Conduct Authority is keen to ensure that the UK’s anti-money laundering and counter-terrorist financing regime effectively deters illicit activity, whilst ensuring the controls in place are not too burdensome for businesses. To this end,
it has been advocating a Risk-Based Approach (RBA), with the focus on outcomes rather than a tick-box approach.
One can’t help but wonder if there isn’t a touch of disconnect between the regulators that drafted the MLD5 and those that advocate the risk-based approach. However, whatever the reason, regulated businesses are caught in the middle, as they are required
to comply both with the standards set by the 5th AMLD, and the risk-based approach mandated by the FCA.
Risk-based approach finding increased advocacy internationally
The Financial Conduct Authority (FCA) has led the RBA strategy in the UK, with the full backing of many regulated entities. They believe it to be the only way to accommodate the regulator’s objective: to prevent crime without overwhelming ordinary business
activities and crushing entrepreneurialism.
According to the FATF, a risk-based approach means that countries, competent authorities and regulated entities, identify, assess and understand the money laundering and terrorist financing risk to which they are exposed, and take appropriate mitigation
measures in accordance with the level of risk.
There are other definitions, but in essence, they all say that RBA requires an entity to design and apply internal controls appropriate to the level of identified risk for that entity. This position was further supported by the FCA when it censured banks
for exiting markets and industries in the remittance space (the ‘de-risking scandal’), which led to the closure of payments businesses and loss of
access to international payments for some vulnerable groups.
So, why is the 5th AMLD so prescriptive?
Oddly, at the same time as the RBA is finding favour with other EU regulators (and as far afield as Australia and the US), the 5th AMLD is more prescriptive than ever, its controls more explicitly detailed and the scope for a robust defence of a business’s
own RBA diminished. So why would the 5th AMLD go in this direction?
Firstly, risk and compliance professionals, whilst supporting the RBA concept, have continually demanded additional guidance. For business, a well-defined list of what should be checked, and how, reduces business risk, as compliance is simply a matter of following
the rules. However, this comes at the expense of over-checking low-risk transactions and potentially missing crime on high-risk transactions.
The 5th AMLD also has to deal with companies for whom compliance will always be a secondary consideration, and the RBA may be an excuse to relax controls. Despite tough regulation, not all companies have the will, the expertise and the resources to understand
and implement an effective RBA. By prescribing rules, the 5th AMLD is trying to ensure minimum standards.
But the additional clarity, in what had seemed to be a minefield, may only appear to have the potential to decrease the risk of regulatory censure. For example, it will not help regulated entities to manage the substantive risks that relationships with PEPs,
whose functions fall outside of these definitions, expose them to. It may not even avoid regulatory criticism as regulators such as the FCA properly assert their right to expect entities to manage risk.
So, where does that leave the regulated industries?
There is general consensus that the best way to effectively stop crime, whilst enabling business, is a Risk-Based Approach. However, there remains a suspicion that some of the strongest advocates have often used a commercial optic, presuming that RBA is
an open door to avoiding potentially costly controls.
Indeed, anecdotal stories around statements concerning the standing of potentially lucrative prospects, in order to avoid due diligence and hide behind RBA, suggest that even where compliance leadership advocated externally for the approach, it may have
failed to educate the broader business about the reality of it.
It seems that everyone wants the apparent freedoms of RBA for their business, perhaps thinking that this will deflect supervisors from the negative assessment of their control framework. If so, this may be based on the incorrect assumption that the RBA simply
allows an entity to pick and choose when it applies controls. In fact, the requirement is for consistent application of a documented risk management strategy.
The future of the risk-based approach?
Regulators routinely make reference to the advantages of RBA, but the detailed directions given in the 5th AMLD suggest that either they don’t trust entities to apply it effectively, or they are actually responding to the calls for more direction that come
from the regulated.
If regulators really do want to move away from rule-based frameworks then they must also invest in a bespoke approach to supervision that will require more of their staff. They must also accept that occasional failures are not indicative of a failed framework.
If the regulated want the freedom to determine their own risk appetites, and to design and deploy control frameworks in accordance with the risk profiles they determine, then they need to have a better understanding of the concept and accept accountability
for occasional failures. And when this happens, they need to be able to articulate and defend their bespoke control frameworks.
The balance between freedom and direction
Ultimately, the perspectives of each side need to come to alignment on the balance between freedom and direction. RBA is an evolving concept in a dynamic industry and these apparently disorganised attitudes on either side are unlikely ever to be fully resolved.
However, it is valuable for all participants to engage regularly and try to map a consistent understanding aligned with the shared objective of a well-functioning market, resistant to abuse by criminality.
With the 6AMLD due to take effect in December 2020, those who are lagging behind now will have an even steeper mountain to climb if no action is taken soon.