FCPA Compliance and Ethics Blog

May 28, 2013

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First, he was a comedian, and second, he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in her continuing series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy, are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm,” for the following thought on therapy: “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions applied “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately, Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and see where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets out five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves difficult, critical questions.” This is largely because, while there are certainly known risks to a business, there are also risks you and your company may not be aware of, so it is important to define what you know but leave the definition flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

July 22, 2011

The FSA Bares its Teeth: Be Aware of International Enforcement Regimes

While many companies here in the US complain about the enforcement of the Foreign Corrupt Practices Act (FCPA), and are actively seeking to soften its enforcement by lobbying Congress to amend the FCPA, just imagine how they might feel about paying a multi-million dollar fine for a situation in which no bribery was proven. That is the situation that UK insurance broker Willis Ltd. found itself in yesterday, in what reporter Sam Rubenfeld termed “the largest fine by the FSA (the UK Financial Services Authority) … ever imposed for failure to implement controls to prevent financial crimes”. The FSA announced on July 21 that it had assessed a penalty of £6.9MM against the insurance broker Willis Ltd. for failing to ensure payments it made to third parties were not used for corrupt purposes.

In an article in the Wall Street Journal’s Corruption Currents blog, entitled “FSA Fines Willis GBP6.9 Million For Anti-Corruption Failures”, Rubenfeld detailed that Willis had, from January 2005 through December 2009, made payments of over £27MM to foreign third party agents to assist in obtaining business of £60MM. Of this £27MM there were $227,000 (yes the FSA switched from GBP to USD in mid-Final Notice) identified in suspicious payments to counterparties in Egypt and Russia, which the FSA said were referred to the UK Serious Organized Crime Agency for further investigation.

Rubenfeld noted that the fine could have been significantly higher as the FSA recognized that Willis had “taken significant steps” to address failings identified by the FSA. These steps, together with Willis’ cooperation and willingness to settle, qualified the company for a 30% discount on its fine. He reported that without the discount, Willis would have had to pay £9.85 million. So for those of you keeping score at home, that is £60MM ($97MM) in business, generating £27MM ($44MM) in commissions, for which a ‘suspicious $227K’ was found. All of this resulted in a fine of £6.9MM ($11.2MM).

The FSA Final Notice detailed several clear guidelines which the UK Bribery Act or FCPA practitioner may find useful in establishing an adequate procedures or best practices compliance program. The FSA identified the following failings at Willis:

  • Willis failed to make and document a business case for the payments to overseas third parties;
  • No formal training was provided to Willis’ staff in analyzing requests for payments or third party billings;
  • There was no risk assessment of the third parties;
  • There was inadequate monitoring of the third parties;
  • There was inadequate due diligence performed on the third parties, particularly their relationships to foreign governmental officials; and
  • Willis ignored clear Red Flags that the third parties would make improper payments.

All of these factors led to an overall “weak control environment” regarding payments to foreign third parties. This gave rise to an unacceptable risk that the payments made to these third parties could be used for the payment of bribes. The FSA noted that although Willis had introduced improved policies and guidance, aimed at reducing and better managing its compliance risks, the company failed to ensure that these new policies were followed. Additionally, although the Willis Board was involved in the new policy development, the Board did not receive adequate information from senior management to assess whether the risks of bribery and corruption “were effectively mitigated.”

So while your company is complaining about the US enforcement regime, perhaps it might reflect on actual violations of the FCPA, or as our colleagues from thebriberyact.com, Barry Vitou and Richard Kovalevsky, QC, put it yesterday, “If your business is regulated by the FSA take note. This warning is directed to your business.”


© Thomas R. Fox, 2011
