FCPA Compliance and Ethics Blog

May 28, 2013

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First, he was a comedian, and second, he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in her continuing series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy, are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm,” for the following thought on therapy: “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions applied “inappropriately low risk weightings for high-risk factors, ‘sometimes overtly’”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, ‘such as links to certain business activities commonly associated with higher levels of corruption.’”

Fortunately, Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and see where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets out five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves difficult, critical questions.” This is largely because, while there are certainly known risks to a business, there are also risks you and your company may not be aware of. It is therefore important to define what you know but leave the definition flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

August 30, 2012

Will the UK Let the Light of Day Shine Into Its Regulatory Process?

Should the regulatory process be shrouded in mystery or should there be disclosure into the light of day? That is a question currently before authorities in London. As reported in the Financial Times (FT) column Inside Business, in a piece entitled “UK regulators must judge the right time to go public”, Brooke Masters reported that the UK Financial Services Authority (FSA) cannot provide the public with details about a matter under investigation “until its internal decision maker, the Regulatory Decisions Committee, has heard the allegations and the defence of the accused and come down in favour of enforcement action.” There is currently legislation in front of Parliament which would allow a newly constituted financial regulatory agency, the Financial Conduct Authority, to go public with “warning notices” before a case gets to the Regulatory Decisions Committee. Masters cites advocates of this legislation who “say this would make the UK more like the US, where the Securities and Exchange Commission [SEC] can make public charges it has filed with a judge or administrative proceeding.” Apparently representatives of British banking interests are desperately fighting to keep such proceedings secret.

The Con

Masters presents several arguments why regulatory investigations should remain secret. She quoted Lord Flight, who claims that “allegations can blacken reputations and harm innocent investors.” He even pointed an accusatory finger at the head of the State of New York’s Department of Financial Services (DFS), Benjamin Lawsky, who made allegations that Standard Chartered “hid $250 billion of transactions with Iran in breach of US sanctions, a charge that caused a one-day 16 per cent fall in the bank’s share price.” The bank insisted that they were “blindsided” by the allegations and indeed there were only $14 million in transactions which violated either US or New York state law. Of course we all now know that Standard Chartered also settled with the DFS for $340 million within days of these accusations being made public.

The Pro

Masters cites unnamed British Ministers who argue that “the public deserves to know when government regulators believe a major institution or prominent figure has committed wrongdoing.” Further, timely announcements by the FSA or other appropriate regulators would “allow investors to move their money or protect themselves from similar misdeeds.” She poses the question: “Wouldn’t you want to know that a broker was facing charges of selling unsuitable investments before you – or even more pointedly, an elderly relative – gave him money?” Next she notes that “Quick enforcement also helps restore faith in the financial system. It is quite frankly a joke that nearly four years after HBOS failed, we still don’t know whether the FSA thinks anyone there did anything improper.”

Masters concludes her piece with a look at the SEC “Wells Notice” procedure, which is a private warning by the SEC to companies and individuals that the SEC wants to bring a case against them; the notice invites the company or individual to respond directly to the SEC. This process allows the party or parties in question to respond or to work out a settlement. Masters believes that “the practice has worked well, especially for investors, who often get an early heads up about potential problems because most public companies disclose when they have received such a notice.” She believes that this interim step would be useful to give companies “a private right of reply before throwing open the doors.” But Masters makes clear her final position by concluding that she does not believe the UK government should “give in to the City’s efforts to keep the disciplinary process shrouded in mystery.” In other words, the light of day should shine into these dark crevices of nefarious activity.

© Thomas R. Fox, 2012

April 2, 2012

Earl Scruggs: Banjo, Bluegrass and the Fight against Corruption and Bribery

Last Thursday, Earl Scruggs died. He was one of the musicians most responsible for my development in learning about, and appreciating, different styles of music. For musicians, he basically invented and then popularized the three-finger picking style on the five-string banjo. For popular culture, he is probably best known for his work with guitarist Lester Flatt, including the timeless hit “Foggy Mountain Breakdown”, the theme song from the movie Bonnie and Clyde, and for “Ballad of Jed Clampett” from the 1960s television show, The Beverly Hillbillies. However, for me, it was after he split with Lester Flatt and started the Earl Scruggs Revue, with his sons and several other musicians. In the Revue, he fused rock, country, blues, folk and jazz with bluegrass in a way that I still find fresh and powerful today.

So what is the lesson of Earl Scruggs for the compliance practitioner? It is this: even if you develop a completely new style that makes you one of the foremost experts in an area, you can still evolve. Further, the style you use may have significant effects on other styles, even in the fight against bribery and corruption. For the compliance practitioner, this comes to mind with some news out of the world of anti-money laundering. We began the week with the notice from the UK Financial Services Authority of the agreed-upon penalty with Coutts, a UK private banking entity. As reported in The Telegraph, in an article entitled “Coutts agrees to settle FSA fine for reduced fee”, Coutts was fined £8.75m (just over $14MM) “and severely censured by the UK’s Financial Services Authority (FSA) for failing to undertake sufficient anti-money laundering checks on their customers.” The Telegraph reporter Mike Goldman, quoting from the FSA report, wrote “The failings at Coutts were serious, systemic and were allowed to persist for almost three years,…Coutts was expanding its customer base during the Relevant Period and staff were incentivised in part to increase the number of customers taken on. As such, it was important that there were appropriate systems and controls in place, including with respect to the risk of money laundering. The weaknesses in Coutts’ controls resulted in an unacceptable risk of handling the proceeds of crime.”

On the heels of this enforcement action, the FSA followed last Thursday with the release of a report that included a review of 15 British banks that lacked sufficient anti-corruption and bribery checks. In an article in the New York Times (NYT), entitled “British Banks Called Weak In Checking Corruption”, Julie Werdigier reported on an FSA report which reviewed certain British banks during the second half of 2011. The review is a part of the FSA’s ongoing efforts “to improve the controls of ethical business behavior among financial institutions with offices in London.” The selection of the banks for review was based upon the high-risk nature of the countries in which they were operating.

The FSA Director was quoted in a statement as saying, “Despite the high profile of the issue, the investment banking sector has been too slow and too reactive in managing bribery and corruption risk.” Further, the FSA found that policies and procedures for gifts and entertainment were lacking, as was the capacity for checking the backgrounds of prospective employees. The FSA also noted that gifts were not always correctly recorded and that it found instances of inappropriate hospitality.

The importance of having a robust anti-money laundering program was once again made clear last week when the Milan Branch of JPMorgan Chase closed a Vatican-held bank account based upon the suspicion of money laundering. In an article in The Daily Beast, entitled “JPMorgan Chase Closes Vatican Bank Account”, reporter Barbie Latza Nadeau discusses Chase’s decision to close the account “on speculation that the account is being used for less-than-immaculate financial deeds…after Vatican bankers were ‘unable to respond to a series of requests about questionable money transfers.’” This was a continuation of bad news for Vatican banking, as earlier this month the US Department of State listed the Vatican as a “jurisdiction of concern for its money-laundering practices.”

Lastly, we take note of a French effort in the fight against global corruption. As reported in the Wall Street Journal (WSJ), in an article entitled “French Seize Assets of African Official”, France’s “top court allowed Transparency International to proceed” with a lawsuit against the son of the President of Equatorial Guinea. The son, while employed as the Minister of Agriculture of the country with an annual salary of $100,000, had the following items seized, “valuable paintings, vintage wines and multimillion dollar cars.” When his home was raided earlier in the year, the French officials found “a sauna, a movie theater, a nightclub, a beauty parlor, a spacious bathroom with gold-plated faucets, a wine cellar, and several other rooms decorated with marble statues and Fabergé eggs, according to court documents. Investigators seized all of the furniture that could be carried out, added a person familiar with the matter.” Ominously, the government of Equatorial Guinea warned the group’s lawsuit would “rupture relations” and that French companies would pay the price “from this situation.”

Just as Earl Scruggs led a musical revolution, first in bluegrass with his new picking style, then in expanding the boundaries of the genre, the fight against bribery and corruption is widening. If you are a compliance practitioner, you should take note of these international developments and have your company ready to respond.

© Thomas R. Fox, 2012

March 1, 2010

RISK-BASED COMPLIANCE

A recent benchmarking survey of Third Party Codes of Conduct was conducted by the Society of Corporate Compliance and Ethics (SCCE) and reported on by Rebecca Walker. The findings indicated that a majority of companies with an otherwise robust compliance program do not extend this to third parties with which they conduct business. The findings revealed the following: 53% of companies do not disseminate their internal codes of conduct to third parties; only 26% require third parties to certify to their own codes; and just 17% of the respondents have any third party codes of conduct.

For those companies which now desire to evaluate their third party business partners for Foreign Corrupt Practices Act (FCPA) compliance, how, and perhaps where, do they begin? The approach that appears to be gaining the most traction both with regulators and learned commentators is to develop a risk based approach to FCPA compliance. There is no specific Department of Justice (DOJ) guidance on any one specific process for a risk based compliance system. However, there is sufficient guidance in other FCPA and analogous compliance areas, such that direction can be provided to US and foreign companies in this area.

Writing in the FCPABlog, Scott Moritz of Daylight Forensic & Advisory suggested a risk-based approach based upon the regulatory programs in Anti-Money Laundering (AML) governance. In the AML area, the concept is that certain parties, including vendors, represent a higher compliance risk than others. Geography, nexus to government officials, business type, method of payment and dollar volume are all risk indicators.

This risk-based approach was commented upon favorably by the DOJ in Release Opinion 08-02. In this Release Opinion the DOJ reviewed and approved Halliburton’s proposed acquisition of the UK entity Expro. The DOJ spoke directly to a risk-based approach by noting that Halliburton had agreed to provide the following:

. . . a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which will address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. Such work plan will organize the due diligence effort into high risk, medium risk, and lowest risk elements.

This risk-based approach has also been accepted by UK’s Financial Services Authority (FSA) in its settlement of the enforcement action against the insurance giant AON earlier this year. As a part of the settlement AON agreed to the following:

AON…designed and implemented a global anti-corruption policy … limiting the use of third parties … whose only service to AON is assisting it in the obtaining and retaining of business solely through client introductions in countries where the risk of corrupt practices is anything other than low. These jurisdictions are defined by reference to an internationally accepted corruption perceptions index. Any use of third parties not prohibited by the policy must be reviewed and approved in accordance with global anti-corruption protocols.

How does a company implement this guidance? Scott Moritz suggests that key to any risk-based approach is “the strategic use of information technology, tracking and sorting the critical elements — including risk-ranking, as well as enhanced due diligence and ongoing monitoring of high-risk parties proportionate to their risk profiles.”

The uses of a risk based compliance system can be myriad. The Release Opinion 08-02 system was in response to an international acquisition. Such systems can also be used to rank and assist in the evaluation of business partners or supply chain vendors. But, however such a system is used, the clear import from the DOJ, FSA and learned commentators is that some type of rational system should be put in place and followed.

November 24, 2009

RISK-BASED DUE DILIGENCE FOR SUPPLY CHAIN VENDORS UNDER THE FCPA

Quick, as the Compliance Professional within your organization, which department or group of your company spends the most money annually? Did Supply Chain immediately come to mind? Probably not. Now just as quickly, how much of your compliance efforts are focused on the Supply Chain within your organization? Other than perhaps financial due diligence, such as through Dun & Bradstreet or quality control through your QHSE group, the Supply Chain probably does not command your Compliance Department attention as do other types of third party business partners such as agents, distributors and joint venture partners. This may be coming to an end as most Compliance Professionals recognize that third parties which supply goods or services to a company should be scrutinized similarly to other third party business partners.

There are several methods that could be used to assess risk in the area of supply chain and vendors. The approach suggested by the UK’s Financial Services Authority (FSA) in its settlement of the enforcement action against the insurance giant AON would refer “to an internationally accepted corruption perceptions index” such as is available through Transparency International or other recognized authority. The approach suggested by the Department of Justice in Release Opinion 08-02 would provide categories of “High Risk, Medium Risk and Low Risk”. Finally, writing in the FCPABlog, Scott Moritz of Daylight Forensic & Advisory LLC has suggested an approach that incorporates a variety of risk-assessment tools, including “the strategic use of information technology, tracking and sorting the critical elements”.

This commentary proposes an approach which would incorporate all three of the above cited analogous compliance areas into one risk-based assessment program for supply chain vendors. Based upon the assessed risk, an appropriate level of due diligence would then be required. The categories suggested are as follows:

1. High Risk Suppliers;
2. Low Risk Suppliers;
3. Nominal Risk Suppliers; and
4. Suppliers of General Goods and Products.

A. High-Risk Suppliers

A High-Risk Supplier is defined as a supplier which presents a higher level of compliance risk because of the presence of one or more of the following factors:

1. It is based in or supplies goods/services from a high-risk country;
2. It has a reputation in the business community for questionable business practices or ethics; or
3. It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions.

B. Low-Risk Suppliers

A Low-Risk Supplier is defined as an individual or private entity located in a Low-Risk Country which:

1. Supplies goods or services in a Low-Risk Country;
2. Is based in a Low-Risk Country where the goods or services are delivered and has no involvement with any foreign government, government entity, or Government Official; or
3. Is subject to the US FCPA and/or Sarbanes-Oxley compliance.

C. Minimal-Risk Suppliers

A Minimal-Risk Supplier is an individual or entity which provides goods or services that are non-specific to a particular job or assignment and the value of each transaction is USD $10,000 or less. These types of vendors include office and industrial suppliers, equipment leasing companies and such entities which supply such routinely used services.

D. Suppliers of General Goods and Products

A Supplier of General Goods and Products is an individual or entity which provides goods or services that are widely available to the general public and do not fall under the definition of Minimal-Risk Supplier. These types of vendors include transportation, food services and educational services providers.
