Stephen Platt:

Well, hello, and welcome to another episode of the Anti-Money Laundering Talk Show from KYC 360. My name is Stephen Platt. And I’m delighted to welcome one of the UK’s leading anti-financial crime lawyer, Ruth Paley. Ruth is a legal director at Eversheds Sutherland in London. And I’ve had the privilege of working alongside Ruth, on a number of important and complex cases while she was at the bar, prior to her joining Eversheds, and I know her to be an outstanding practitioner in the field. And it’s a real privilege to have the opportunity to talk to her about anti-money laundering and the approach that she is seeing in the UK at the moment. And throughout 2022 and beyond. Ruth, hello, how are you? How is life treating you?

Ruth Paley:

Hi Stephen, thank you so much. What a wonderful introduction. Yes, I’m very well. It’s great to be here. I love the talk show. So, thank you for that.

Stephen Platt:

Well, thanks. Thanks for joining us, because I do appreciate how busy you are. Now, as you know, I always like to start these conversations by asking my guests to tell us a little bit about their background, and how it is they’ve come to work in the anti-financial crime field. If I can describe it in that way. Would you mind giving us a bit of a potted history and as to how you got to where you are now?

Ruth Paley:

Yeah, thank you. So I started out with a bar in 2003. And I practiced in just general crime actually, for the first few years of my time there. And as my practice grew, I took on more and more financial crime cases and frauds. And found I really enjoyed that kind of work. So made it a specialism stayed at the bar for 12 years. And then I decided that I was going to leave the bar because it’s not particularly family friendly profession, such say, and it would have been helpful to be I felt to have a desk, and a boss and pension and sick pay and holiday pay and all those things that you don’t get when you’re self-employed. So I jumped ship at that stage to Eversheds, there was and I joined us off Council role in that team in a corporate crime investigations team.

Ruth Paley:

And from there, I think that’s where my AML and financial crime practice really took off because I worked on lots of different matters advising overseas and UK headquartered banks and talking to lots of different clients about their anti-money laundering compliance needs, and just found it really interesting subject ever since. So for the last six years, that’s what I’ve done at Eversheds. And my day-to-day practice is sometimes investigations, but more often than not, is helping advise financial institutions and other regulated entities as to how to stay compliant with the money laundering regulations with Proceeds of Crime Act and associated guidance. So that’s a short summary of how I found myself where I am.

Stephen Platt:

Fascinating. You made the transition Ruth as I did from practicing at the bar to joining a solicitor’s firm, and I didn’t find that an easy transition, going from the sort of cut and thrust of the bar to the cut and paste as I describe it, the commercial department of the solicitors firm. I guess, it would have been an easier transition for you because you didn’t go into a commercial department, you went into a department dedicated to financial crime compliance, but nevertheless, how did you find that that transition?

Ruth Paley:

Yeah, I think that’s a good question. Because, the bar and private practice are very different disciplines. And when you’re at the bar, as I said, you don’t have a boss, you don’t have a line manager. You don’t have a marketing budget. And you are responsible for your practice. If you finish early for the day, you can go home, watch a movie, or prep your next case or whatever, and you’re very much a law unto yourself, really, and it’s quite an itinerant lifestyle as well. But you’ll know Stephen you’re going from court to court and never in the same place twice. You never necessarily working with the same people or going in front of the same judges. And it’s a very varied life and actually, going to a desk-based job, even something as simple as that was something that I had not done in a long time, and that of itself was a shock. But more of a shock to me, I think was the difference in emphasis between what we do at the bar and what is required of you in private practice.

Ruth Paley:

And I had a kind of honeymoon period at Eversheds where I was in this Rumsfeld in position where I didn’t know what I didn’t know. So I was thinking everything was fine. And I was getting on, no problems. And it gradually began to dawn on me, in fact that there was a lot more to being a solicitor’s firm than just advising your clients. And the commerciality of being in a firm and the need to find solutions for your clients, which are practical and pragmatic. And commercial is something which you don’t really have to focus on at the bar, you’re very much basing your reputation on your advice and your advocacy. And you talk a lot, and you write a lot, and it’s very different discipline. I think, being a private practice. I don’t know if you found that as well. But it was something that I think I did struggle with really to adjust to in the beginning, and it took me a while so to bed in, but I think, I’m – I think I’m a full convert now. I don’t think you wouldn’t catch me going back to the bar now. I don’t think.

Stephen Platt:

There’s no going back. Well, I certainly echo that. I wasn’t particularly good, either at the bar or in a law firm. So as you now know I run a technology business. And that’s going all together better for me, I think rather than the two previous ruffles that I had.

Ruth Paley:

Absolutely.

Stephen Platt:

Ruth, what I’m going to do is, I am going to ask you to get out your crystal ball. And tell us what you think 2022 has in store for the UK market from an AML perspective. What are you seeing in the market? And what do you think the year is going to hold for AML professionals in the UK?

Ruth Paley:

Yeah, so I think that there’s been a lot of talk – and I know we’ll come on to this – there has been a lot of talk about the FCA’s first recent criminal prosecution of a financial institution, that worst case, and I think there’s been a lot of speculation about whether or not we’re going to see, if not a deluge of those types of cases, more of that and more of the FCA flexing its powers in the criminal arena. And I think that’s something that is on the minds of many regulated financial institutions as to whether or not they could be staring down the barrel of one of those prosecutions in the future, for failings which might have happened now, I guess, many years ago. And so that’s something I think that people are concerned about. And I also think that we will see the regulator continuing to press firms on these traditional subjects of governance and control failings, transaction monitoring issues, problems with the quality and the quantity of SARs, that suspicious activity reports that firms are making.

Ruth Paley:

So, I think that we’ll see more of the same as we’ve seen over the last year or so. And I think we’ll continue to see big spends, as it were by the major financial institutions to try and get their compliance into a place where it’s as good as it can be. I think that we may see the FCA focusing on potentially some foreign banks, foreign headquartered banks with the UK presence, I think you may see some of that, because sometimes those controls, as you’ll know Stephen, the controls that come down for group from group, I should say, aren’t always completely tailored to the UK regime. And that seems to be something that the regulator is focusing on at the moment. And aside from that, I think we might see some of the newer types of firms or e-payments firms and some of the smaller FinTech coming under increasing scrutiny as well. And the other thing I think I would flag is probably that the wider regulated sector, and this is something certainly that we’re seeing the wider regulated sector is going to come under increasing scrutiny. So law firms or estate agencies, accountants, tax advisers, those guys who are also regulated, just as the financial institutions are under the money laundering regs as those regulators begin to kind of flex their muscles and bed down into their roles as not just supervisors but also enforcers. I think we will see more of that.

Stephen Platt:

Fascinating, fascinating. Well, we’ll come back and talk through some of those points. Perhaps in the context of the FCA as publication of its evaluation of data from the annual financial crime data returns. Late last year, I think it was in October/ November last year, they published the report, and that covered the period 2017 to 2020. And I think I’ve got this right, it incorporated data from returns from about two and a half thousand firms, I think. So it’s a very insightful document and it contains a lot of value for readers. And I know, you’ve studied it, and I know it pretty intimately. What are the key lessons in your opinion, Ruth, to be drawn from that report?

Ruth Paley:

Yeah. So I think that the key lessons and if you like the key benefits from considering the report, come from the benchmarking that can be done, actually, against what the FCA has recorded, is happening across as you said, a huge number of firms over three years. And I think it’s really useful to consider the information that’s been shared, which comes under a number of different categories that you’ve got politically exposed persons, what’s happening in correspondent banking, high risk customers, that sort of thing, how many suspicious activity reports being made, and we can come on to that in detail in a moment, but lots of different categories of data. And I think it’s really useful for firms, particularly MLROs, senior compliance staff to consider that data against their own AML landscape, if you like, so their own customer profiles, and their risk profile, and to look at that data and say, are we an outlier?

Ruth Paley:

So firms are doing this in terms of PEPs or they’re doing that in terms of sanctions? Are we doing the same thing? Or something vaguely similar or are we completely outside of, I won’t say expectations, but we completely outside of what appears to be the range in respect of that particular category. And if we are, there might be really good reasons for that. And it’s not necessarily a reason to panic. But it’s very helpful, I think, from a benchmarking perspective, just to know what others in the market are doing, and to measure yourself against that. And to record, I think, if you are not necessarily in the range, as I’ve said what the reasons for that might be, and if there’s if you can understand the reasons and their persuasive reasons for not being, as it were, in the same place as your competitive firms, then that’s all to the good, but I think it helps prompt conversations internally, particularly at senior levels. I do think it’s a really useful document.

Stephen Platt:

The document doesn’t give specifics in the sense that there is no information about individual firms, it’s a report which aggregates the data from the returns that received from all of the firms, but nevertheless, you think it’s still possible to utilize it for useful benchmarking purposes?

Ruth Paley:

Yeah, I think so. I mean, so take an example, you can see that there has been a reduction in the number of pets over the period. So at the beginning of the period, there was something like 110,000 PEPs customers, in terms of firms reporting their customer base. So across all of these firms that made their returns, there are 110,000 PEPs customers. And that’s decreased by gosh, probably just under 20%, also to 89,000 PEPs at the end of the period. And so, what we see is that firms are onboarding and dealing with fewer PEPs. And whilst that might be, I guess the changes in the PEP profile of a business might be due in part to the FCA guidance that issued in 2017 to exclude certain domestic customers as PEPs. I still do think that there’s something interesting there in terms of seeing some, I guess reduction in the services that being provided to pet customers.

Ruth Paley:

And similarly for high-risk customers. We see that… we see some interesting data about a declining trend and a total number of high-risk customers. So there was, I think an outlier in the pensions and retirement income sector saw an increase. But generally speaking, across the books of the funds reporting, we see that there is a decrease generally, which I think we can partly ascribe to de-risking, and potentially to firms, I guess, tightening up their risk rating methodologies. And because there’s a cost associated isn’t there with doing business with a high-risk customer, and you’ve got enhanced due diligence that you need to conduct. And so, where firms might be tightening up their risk rating methodologies, they might be seeing fewer high-risk customers.

Ruth Paley:

So I think as I say, benchmarking in the most general sense it’s kind of useful to think is that the same trend that we’re seeing, are our high risk customers declining? Are they going up? If they’re going up, what’s the reason for that? Is that our business model? Or are we doing more risky business? So there are lots of questions, I think that can come out this that you can ask yourself, if you work in an AML team.

Stephen Platt:

Yeah, I see. That’s very interesting. What does the report have to say about SARs? I mean, are we seeing SARs over that period trending upwards or downwards remaining static? What lessons can we learn from SARs? About SARs from the report?

Ruth Paley:

Yeah, so there are some pretty astonishing statistics on SARs, actually. So, I mean, we’ll all know that the number of SARs is increasing year on year, both for the information SAR if we call it that, and also the defense against money laundering, the DAML SAR. So, all of those SARs going up year on year, the NCA reports, but what we see from the FCA’s data is that for the year, I think up to 2020, something like a million internal SARs were made. So these are internal reports need to be MLRO within an organization. Half of the million SARs that were reported internally, were from just three firms, three firms of 2,200 businesses submitting data is pretty staggering statistic, I think. And those same three firms are also contributing 60% of the total sales reported to the NCA. So the figures around about 500,000 SARs. It’s gone up a bit, I think, but 60% of that number is coming from three firms. And that’s that also I think, is fairly astonishing.

Ruth Paley:

Retail banking, when it comes to suspicious activity reporting is unsurprisingly the overwhelming contributor to the number of SARs going in. It was retail banking accounted for 78% of the SARs reported internally and 85% of the sales reported externally by the MRO to the NCA. I think the FCA has noted that the difference between the volume of SARs reported across firms varies very greatly. And to some extent, that’s reflective of firm’s risk appetites. But other, other explanations also include that some firms potentially have a higher threshold for reporting suspicion, as it were. So, yeah, interesting.

Stephen Platt:

It is very interesting. Now, did the report touch on transaction monitoring and screening? I know, for example, that transaction monitoring or the lack thereof was certainly a feature in the NatWest case, as indeed appears to be in many other cases. But does the report go into detail about the effectiveness, the efficacy of whatever technologies firms are using?

Ruth Paley:

You know what, it doesn’t really give a huge amount of data on transaction monitoring. So for example, if you were looking for kind of number of transaction monitoring alerts you’re going to see any of that. And in this report, there is some content on sanctions. And, the sanction screening is up, I think, 16.5% over the three reporting periods. So a lot of automatic sanction screening going on. And it was somewhat surprising, I think, to see that every sector across this cohort, did have funds in it that didn’t use automatic screening, but as I say the trend is upwards for the automated services. I think If you want to know what’s going on with transaction monitoring and screening, more generally you would do well to turn your attention to the FCA’s, “Dear CEO letter” which came out. I think it was May last year, finally published in July. So I can touch on that if you want or we can come to that in a bit if that would be helpful.

Stephen Platt:

No, we will. I’d like very much to do that. But just coming back to the point you’ve made about sanction screening. My understanding is that at – it’s a while you’ll forgive me since I read the report – but I think I’m right in saying that there was a comment that the investment management sector appeared to be the weakest if you like when it came to the absence of sanction screening. And whether I’m right or wrong about that. I think I’m right about that. I mean, how on earth do businesses manage their exposure to sanctions risk without some automated screening program? I mean, you would think that what keeps chief executives awake at night is the idea that they’re going to wake up one morning and find themselves on the front page of the Wall Street Journal, because they have breached and OFAC sanction. How in those circumstances, do you manage that your exposure to that risk appropriately manually?

Ruth Paley:

Yeah. I mean, I couldn’t agree more, I think it seems from the figures, at least, it seems that there were 271 firms or submissions from firms, which indicated that they weren’t using automatic sanction screening, say 10% of the total responses, at least because there were others as well. This is just in the investment management sector, as you correctly recalled. And so that really is, I think, an astonishing figure and the other figure as well, which is much smaller, but also, I think, equally puzzling is that retail banking has six firms who reported that they don’t use automatic screening. So how in a retail bank, you can avoid having some degree of automation over your processes. It’s not something that I’ve come across, I have to say, with financial institutions that I work with, generally speaking, will have a fairly sophisticated screening program, whether or not they are using it effectively. And whether or not they’re tailoring their transaction monitoring systems and their screening systems in a way that the FCA considers to be appropriate is another question. But I think the absence of a screening tool, if you like an automated screening tool is one which is very unusual or was surprising to me anyway.

Stephen Platt:

In the context of retail banks, dealing with very significant volumes of customers and counterparties. It is difficult, certainly for me to conceive of how they could possibly be managing their exposure to that risk, other than with some automated technological process, but maybe they know something I don’t.

Ruth Paley:

I think as well, Stephen. One has to remember that this data is once it’s aggregated for our purposes, it states which is available to the FCA. And so, I guess where the FCA notes, as I say, firms who are outliers or potentially there might be a combination of responses, which might draw attention. The FCA is not going to ignore that. And it’s already noted in the description of the data in an introduction to the data that firms need to be alert to the requirement, for example, to provide consistent data. So the FCA noted that some submissions, or a small number of submissions contain examples where, for example, the number of SARs reported externally, were greater than the number of SARs reported internally, which doesn’t make sense, of course, because when you’re reporting when you’re drawing on the population of internal SARs.

Stephen Platt:

You got to be kidding, is that true?

Ruth Paley:

Yeah. And so, if you’re a firm submitting this data, you really need to be careful. This is one of I think, the key points that we highlighted where we, when we’ve been discussing it. You do need to be careful that the data is being reviewed for accuracy before you submit it because that is to some extent, it’s a bit of a red rag to a bull and it is the sort of thing will cause your regulator to raise an eyebrow and say, “Well, do we need to look at this firm more closely? Are they overdoing it an AML visit if they are getting these basic calculations wrong?” It says in terms actually the report that the FCA will follow up with firms who submit poor quality data. And noting of course it makes sense that poor data submissions can be evidence of poor financial crime systems and controls, which I think I’d agree with.

Ruth Paley:

So one of the key takeaways from the report was, don’t get somebody in the team to kind of just fire off these statistics, when you’re completing your returns, do send it up for proper sign off, it should go to the MRO, it should go through a QA process to make sure that it internally makes sense, as it were, as well, as ready to be disclosed.

Stephen Platt:

Yeah. I mean, the last thing you want to do, clearly is to load the gun, you’ll regulate. I mean, it comes back to the same thing, there’s no need, this is a constant. It’s all about data and the quality of data, and the quality of the analysis of the data and the quality of influence of the action that’s taken off the back of that analysis of the data. And if you’re demonstrating to your regulator that you’re unable even to get the data right around SARs, what does it communicate to them about the way in which you manage data pertaining to customer relationships? No, it’s all of the same species, right? And I think that’s a point extremely well made, if you’re going to submit these reports, which indeed, you’re obliged to do, for goodness’ sake, make sure you get the information, right.

Stephen Platt:

And let us come and talk about another aspect of the report, which is spend, the report had something to say about how much money was being spent on employees who are dedicated to financial crime prevention. And I think I’m right in saying that, that the spend increased over the period over the three-year period and it was over, I think, a billion pounds that was being spent on financial crime prevention employees, that doesn’t obviously count the cost of employees in other roles, who nevertheless spend a good deal of time thinking about financial crime prevention issues. But the trend is upwards as I understand it.

Ruth Paley:

Absolutely. I mean, it’s been upwards ever since I think we started working in this area, Stephen. It just continues to rise. I mean, I do recall us discussing probably 10 years ago, whether or not the explosion in AML functions that the resourcing of AML functions that’s going to continue if it could possibly continue it does, doesn’t it? You do see, you see an ever-increasing focus on AML within the business and cost of noncompliance is so very great. That’s the problem. And they continue to increase. So, I mean, I think that’s right. I think they had something like 17,000 between them, the firms had 17,000 full time equivalent staff and financial crime rolls, which is up, certainly more than 1000 from the beginning of the period to the end of the period, but it’s certainly that will certainly be up over the last 5 to 10 years very significantly.

Stephen Platt:

It’s interesting, isn’t it? Because, is the increase in the number of FTEs dedicated to financial crime prevention, a consequence of firms thinking that they can deal with this by just throwing more and more bodies at the problem. When in fact there’s a compelling case to make that says that’s not working. You are employing more and more people within the sector. But it’s questionable as to the effectiveness. What’s your view?

Ruth Paley:

Yeah, I was going to say a few moments ago, actually, I think that this data that’s being collected here just to go off on a slight tangent. So this data that’s been collected here is data that shouldn’t just be collected at the end of every year and submitted to the FCA and everybody looks and goes, “Alright, so we’ve caught this number of stars,” Or whatever. This is data that’s… This is squarely within the ambit of management information, isn’t it. This is the data that if you have a sophisticated tool which we’re using for boarding and a holistic customer risk assessment or risk management and ongoing monitoring service, if you’d like, if you’ve got one of those tools, then you should be using it to generate this data and discuss it very regularly and to be on top of it. I think part of it, I think is using the information that you do have about your customers and using the tools that are at your disposal in a team to try and help you manage some of these risks.

Ruth Paley:

I’d agree with you that you’re not going to solve the problem by just bringing in more people, those people need to be guided and focused on understanding the risk properly because if they haven’t grasped the gravity of the task at hand and the component parts of it and effective AML framework, then it doesn’t matter how many of them you’ve got, you aren’t not going to be using them effectively.

Stephen Platt:

No, I think that’s absolutely right. What we see time and again is, it’s one thing to have failings with the best will in the world. Every organization is going to experience failings of one type or another, there are going to be weaknesses in it in any control environment. It’s one thing to have those weaknesses, it’s another thing to fail to identify where your areas of weakness are. It’s yet another thing to fail to elevate information about those weaknesses up the chain of command so that appropriate remedial action can be taken. We see time and time again, I think, real problems in relation to the second and third of those points. It’s the failure to identify where you’re not getting it right, and even in circumstances where you do identify your weaknesses, it seems that the boards of these organizations are either too interested in the good news and insufficiently interested in the bad news, or, people further down the food chain are too afraid to report the bad news to them. But information about where the weaknesses are generally always exists. It’s just a question of getting that information to the right people so that they can take the right action to put things right. Do you agree with me? Is there anything in that?

Ruth Paley:

I want to give credit to the compliance teams because they can be quite stretched and they’re doing, I would say, almost exclusively trying to do their best really, and I agree that we do see failings and that things aren’t always as they ought to be. But what I certainly experienced myself is that you have a bunch of people who are, generally speaking, incredibly dedicated. They do care about managing AML risk and wider financial crime risk, and they want to do the right thing. But sometimes it’s hard because there’s such a huge ambit of responsibilities and obligations that it can be difficult, I think, to stay on top of those things.

Stephen Platt:

Yes, I agree that it’s not easy, although, frankly, I don’t think it’s as difficult as some of these terms make it appear. When you look at some of the rookie errors that continue to be made by firms, but generally, I totally agree with you. I think the vast majority of people in the space are dedicated to the prevention of financial crimes, they’re very few bad actors who are other otherwise motivated. I don’t think anybody can really doubt that efforts are on the rise in the UK, really, across all sectors. There are, I think, some sectors where the effort is significantly weaker than in others. But nevertheless, I think, overall, efforts are on the increase. Yet we continue to see, with this monotonous regularity, firms being whacked for getting the basics from. Now, is that? What conclusions can we draw from that? Is it that poor old compliance officers, they’re like goalkeepers. Nobody ever remembers all of the shots that they save, they’re just remembered for the howlers that they let in.

Stephen Platt:

Is there something in that analogy? To put the question a different way, is the financial services sector, let’s focus on FinServ, is that sector getting a good return on the investment that it’s making in AML Compliance? Or is the problem that is getting a good return on the spend that it’s making but it’s just not spending enough? What’s the answer? I know there probably is no right answer to this. But when you read about these failures constantly, on the one hand and on the other hand, you read in the FCA report that there are now 17,000 full time employees dedicated in the sector to preventing financial crime. It’s very difficult to reconcile these two pieces of information. What’s the issue, Ruth, in your opinion?

Ruth Paley:

Yeah, it’s very difficult, isn’t it? If you look at, for example, the West prosecution, the spend by NatWest on financial crime compliance over the period, I think, certainly over the indictment period and beyond, exceeds a billion pounds off the top of my head, I’ll check that, but it was an absolutely extraordinary figure. One question is what more one can do having spent such a colossal figure. It’s very hard to see, and more generally now speaking about financial institutions, more generally, it’s very hard to see what more can be done than the devotion of resources and I think as well culturally appropriate tone and tone from the top and leadership and all of those things, but what more can be done, other than to resource this important area for firm’s business? One thing I was going to say actually, about the DCO letter, just anecdotally speaking to MLRO connections that I have, is that it was really welcome across the industry, and the MLRO didn’t see this letter and sign and go, “God, we’re being beaten again, this is terrible, I can’t believe the FCA is going on about this still.”

Ruth Paley:

Yet the MLROs for the most part, I think, saw this letter as a great opportunity to get in front of senior people within the organization, board level, whatever, and to have conversations about the importance of compliance and to have tangible evidence holding this letter and saying, “Look, the FCA has said we must identify any gaps amongst these categories and we must look holistically across our financial crime controls.” Our risk assessments, our transaction monitoring arrangements, our SARS, our CDD and EDDR, our governance, we must look at all of this, and we must go back to the FCA, it’s just for the retail sector only, but it’s still, I think, extremely relevant across the regulated sector. We must go back to the FCA with our gap analysis and explain where we don’t meet the requirements that have been set out within the letter.

Ruth Paley:

That, I think, is a very powerful tool for some in the compliance and AML compliance world, because it gives them an end and it gives them an opportunity to say it’s not just me wanging on about compliance here and moaning again about not having enough resources or, we need to take this more seriously, or there needs to be more reporting to the board or, I need more air time with senior people. It’s not just me, look, this is what the regulator says, and I need your buy in, and I need your commitment. So in a sense, I think it’s been viewed as a positive development. But I don’t know if you’ve seen that as well.

Stephen Platt:

It’s very interesting. To go back to your previous point, it’s one thing, isn’t it to spend big on this, but it’s another thing to spend it well. The question for me is always, if I were sitting at the apex of a tier one bank, this is the question I’d be asking, “Is all of this money that we’re spending on financial crime compliance being spent in the right places? Am I getting maximum bang for my buck?” Now, what works well… You work with a lot of firms, Ruth, you see those firms where things are effective and other firms where they’re less effective. Are you able to share with us your view of the characteristics, if you like, of firms that, in your opinion, are getting this right?

Ruth Paley:

Well, I think there’s a real range of firms. Obviously, in my role, I generally am assisting those firms who need support with their compliance and potentially may already be at an enforcement stage, certainly coming under scrutiny from a supervisory perspective. So I do tend to see across the spectrum, probably more of the practices which could usefully be improved. But, I think what I would say is that the firmwide risk assessment, it’s been said before, but it is true, in my experience, that the firm wide risk assessment is the backbone of a firm’s compliance with the regulations. If you’ve thought carefully about your risk profile, and if you’ve expressed that coherently and incisively in your firm wide risk assessment, then you have a jumping off point from which to develop your policies, your controls, your procedures and your means of managing the risks that you’ve identified. So I’d say firms who are getting it right, invariably, have devoted significant time and resources to that initial process of the risk assessment. So that is a key element of the financial crime compliance program.

Ruth Paley:

Yeah, absolutely I agree with that. I think, if you look closely, and this is one of the things that we do very regularly, is to support firms in identifying issues as it were on risk management and to help them to see and understand where there may be gaps or deficiencies and to help them to remediate those gaps. So, absolutely agree that, generally speaking, when we come in, where we’re asked to assist with an investigation type exercise, if you like, whether or not there’s FCA involvement, or whether or not it’s just prompted by something that the financial institution itself has identified as potentially being an issue, then yeah, I think it’s fairly standard to uncover using available information to uncover gaps and deficiencies. But that, in part, I think, is due to the fact that it is a very complex regime. The German SG guidance, as you all know, is several hundred pages long, it’s very dense, the obligations are very onerous.

Ruth Paley:

I would say alongside that, you need an effective money laundering compliance officer, informal term for the person under the regulations, regulation 21, who has responsibility for ensuring compliance within the regs. So those firms, you have an effective MLCO, if you like. Those firms will do better because they have somebody whose neck is on the line, if you like, in terms of compliance, somebody who really cares about whether or not the firm is meeting its obligations under the regulations. That person can be a driver for compliance and asking the right questions. They might not have deep technical expertise in regulations, I don’t think that’s always necessary, but they do need to have a commitment and passion and determination that AML will be part of the culture of the firm. I’m sure you’ve seen that as well on your travels of this area.

Ruth Paley:

But I would say the MLRO taking responsibility is a big component part, and of course, then things like the independent audit, and we’re still not seeing all firms committing to the independent audit as regularly as perhaps the FCA might expect and having a really thorough mapping exercise of your policies, controls, procedures against the regulations is a really valuable thing to do as well, and I don’t think all firms are necessarily prioritizing that, and when they do have an independent audit, sometimes it’s done internally which can be fine but it needs to be very thorough, and it needs to be with a critical eye on, “Have you met and really thought about every single obligation under the regulations.” Not many firms have the resources or the time or necessarily the inclination to enter into that process regularly. I do see that fans that do commit to that are generally identifying failings a lot more quickly, if that makes sense.

Stephen Platt:

Yes. I must say that all of those three points that you’ve made, I think, are critical. They chime absolutely with my experience of analyzing firms that have got this wrong in the past. What you say about the firm wide risk assessment being the backbone of a financial crime compliance program is absolutely right, because it gets everybody within the organization on the same page. If you are going into battle, if you have as your objective, “We want to bear down on financial crime compliance,” Then it’s really, really important that you’re all honest and open and you have a common understanding within your organization about what your risks are, what your weaknesses are, what your strengths are, where the investment needs to be made. Too many organizations just fail to have that common understanding even within the organization, amongst the people that are charged with the responsibility are actually taking this fight through to money launderers. It never ever ceases to amaze me that these firm wide risk assessments are not done as effectively as they should be.

Ruth Paley:

Yeah, I agree with everything you said there.

Stephen Platt:

Now, David Lewis, a friend of mine, obviously a well known actor in the AML space internationally recently retired as the executive secretary at the FATF. David said that fining banks doesn’t work, which you might say the pretty controversial statement for the recently retired executive secretary of the FATF. What’s your view? NatWest is obviously the most recent big case in the UK, first criminal prosecution for breach of the regulations, a substantial penalty, quarter of a billion quid. Do you think fining organizations that have almost limitless resources works or should the authorities be adopting different tactics?

Ruth Paley:

It’s a question about the deterrent effect, isn’t it? I suppose. I’ve been advising on the money laundering regs since they came in in 2017. They brought with them criminal sanctions. So if you breached the regulations as an individual you can go to prison for up to two years. I think that is something that troubles people, probably potentially, more than the financial implications. But I also think that we need to think about whether or not there is a likelihood of these cases finding their way into the courts, because I think that that is where the deterrent effect is strongest, and that’s why this has been such powerful scout for the FCA, if you’d like, they’ve been looking for an appropriate case to prosecute under these regulations for a long time. I think that the fine is one component part of that deterrent effect when you’re talking about breaches that the money laundering regs. But I also think it’s about the frequency with which these cases are happening.

Ruth Paley:

Several years ago now, I got busy going around saying to clients, “So we must get this right or you could go to prison, you must get this right or you will end up in a criminal prosecution, it will be very uncomfortable reputation, it’d be disastrous,” et cetera. I thought to myself, “Well, I really love to know, actually, if that’s ever happened.” So I started making Freedom of Information Act requests of various organizations including the FCA, CPS, the HMRC, and discovered, certainly from the FCA perspective, which is the one my clients will naturally be most interested in. They had never bought any prosecution under the 2007 regs or the 2017 regs. So I do think the word game changer is overused.

Ruth Paley:

But I do think that this first prosecution is a bit of a watershed moment, because I think banks are looking to that, and saying… Financial institutions that can try it and saying, “I really don’t want that to be me.” The implications are incredibly serious, and the imagery that we’ve seen around some of the conduct, also, it’s not something that you would want in the public domain if you were a financial institution. So, yeah, fines are a component part, fines, I think, are a representative signal to the rest of the world that it’s been taken very seriously. But what I think probably would keep me awake at night anyway, if it was me, would be, more the question of whether or not my personal liberty was at risk, and whether or not there was going to be a criminal proceedings against me as an individual for breach of the regulations, which as we’ve already discussed, are very, very wide ranging.

Ruth Paley:

If you have responsibility or a senior management responsibility for compliance with any or some of these regulations, that’s got to be something that’s going to trouble you, I think.

Stephen Platt:

I’m sure that’s right. Sometimes I think that the facts of some of these cases are so extraordinary that they militate against the impact of the lesson or the message for the rest of industry that can be derived from the penalty that’s been imposed. NatWest, everybody’s familiar with the facts, there’s this customer, they have predicted sales of £15million a year, they took 365 million in five years, 260 million of which was in cash. The facts are just staggering. And I wonder whether people look at the fine, look at the facts and react actually by saying, “You know what, I don’t really think there’s a salutary lesson in that for us because that that will just never happen within our organization.” Now, I think it would be naive of them to think that, but that is certainly a reaction that I’ve encountered. “That’s never going to happen in my backyard because we’re more sophisticated than that.” Do you ever encounter that kind of response Ruth?

Ruth Paley:

Generally speaking, I think that you’ll find that the financial crime function of any established regulated business, probably won’t, in certainly my experience, that they wouldn’t necessarily have that attitude, but I definitely have seen it within the C suite and perhaps potentially those people who perhaps aren’t dealing with financial crime day to day will be, in the same way that the general public are, will be pretty stunned by what they’re hearing. Because when you present it in a way it’s been presented in a press, it is somewhat difficult to understand how it happened. But I do think that most financial crime compliance professionals, MLROs, heads of compliance, most of them will look at that case and say, “Okay, fine, so we might not be exactly on point for us but I do stay awake at night sometimes wondering if we’ve managed to catch or capture the right risk profile or we’ve set the algorithm correctly on our transaction monitoring system, or are we missing a particular demographic of customers who, in fact, we’re not asking the right questions. Is our first line as effective as it ought to be.”

Ruth Paley:

Those questions, I think, will prey on the minds of certainly most of the professionals that I work with. I haven’t noticed people being dismissive, but I do recognize what you describe as being more typical of a potentially a board level attitude towards that, surely that can never happen here.

Stephen Platt:

It’s interesting what you say about algorithms. I know it was a feature of the NatWest case, as indeed it has been in many other cases of compliance failure. I think, actually, my own reading of that in NatWest cases, it was actually quite powerful mitigation. But it does come back to the point that if you’re going to invest in technology, for goodness sake, make sure you invest in technology that you understand, that is comprehensible. So that if you’re relying upon it to help you make decisions, make sure you understand the logic of it, make sure that you can explain it. I really do think that this is an issue because there’s a lot of technology out there that, frankly, I think is a little bit too clever by half, and unless you understand it, then, you need to be wary of it.

Ruth Paley:

Well, I totally agree with that, and I would add to that, but not only do you need to invest in the right tool, but you also need to invest in the right people to own that tool and its function, if you see what I mean. Because one of the key criticisms of the FCA in terms of transaction monitoring, and transaction monitoring, I will say, is an area where we do see a lot of difficulty and we do need to support quite significantly on that subject. But what we see is that individuals with responsibility for the operation of those systems are sometimes having little understanding of, as you say, the technical setup, the appropriate parameters, the algorithm, have they just used an off the shelf solution, if you like. So I think where you’ve got a technology company which is offering what can be a very powerful tool in allowing you to identify at an early stage customer risk and transaction risk. I do think that whoever is at the other end within the firm needs to commit to spending time to understand that tool.

Ruth Paley:

Obviously, it should be as simple as possible to use, but there will be complexities, and I think it’s very important that that person can talk persuasively and explain cogently to their regulator, and to their board, and to their line management how it works and how to use the data that’s coming out of the system. So yeah, I totally agree with you on that.

Stephen Platt:

Well, that’s, I think, Ruth a really good point for us to end, on a point of a chord and agreement. Unfortunately, the clock has beaten us yet again. But on behalf of our listeners, I want to thank you for a really interesting discussion. Your knowledge and insight on the position in the UK, the approach of the FCA, the failings that we see within industry, and more particularly, your expertise in assisting organizations to improve the effectiveness of their AML controlled environments is enormously valuable. So thanks for taking the time, Ruth. I really do appreciate it. And thank you, to you all for listening.

Ruth Paley:

Thanks, Stephen. It was lovely to be here. I really enjoyed that.