Should it be remarkable that the world's leading financial institutions are still failing to meet their regulatory and compliance obligations? In this report in the Financial Times you could substitute the name of any major financial institution for Deutsche Bank and not be surprised.

How big a problem is money laundering?  The United Nations Office on Drugs and Crime estimates that illegal activity accounts for 3.6% of global GDP with 27% ($1.6 trillion) being laundered. The European Commission calculates the damage caused by corruption in the EU alone at some €120bn a year, equivalent to 1.1% of EU GDP. Member States lose over 2% of their GDP annually to tax crimes. In Ireland estimates for the size of the problem range from €3.1bn to €7.8bn.

Where do the costs arise? There are several elements: loss of government revenue; the cost of enforcement; the cost of compliance; and damage to the integrity of financial markets.

Knowing the extent of the problem and the Regulator's motivation to deal with it, what should be surprising is that these breaches still happen particularly so where the consequences for financial institutions can be severe. In Ireland a breach of the AML compliance rules is an offence for which an individual or corporation can be fined €5,000 or go to prison for 12 months or both. However, there have been no criminal convictions in Ireland under the AML regime. Compliance offences are generally not subject to prosecution. Instead the administrative sanctions regime under Central Bank legislation is generally applied to a breach of AML compliance rules.

What are the specific issues identified by the Regulator in Ireland for example? The Central Bank has been engaged in ongoing AML Themed Inspections. It has found:

  • undue delay in implementing measures 
  • where day-to-day responsibility for compliance had been delegated by the board, the necessary oversight at the appropriate level was absent
  • firms did not document or demonstrate how they had evaluated specific risks or produce a rationale for such mitigation plans
  • material gaps in anti-money laundering and counter terrorist financing (AML/CTF) procedures
  • varying types of failures to conduct CDD 
  • focus on board engagement

Why should we not be surprised at this report? Why is compliance so difficult? Pre-crisis regulation was just one of many considerations for the financial services sector. Capital was plentiful. Misconduct issues were thought to be rare. Now the rules are much more complex. Regulators are increasing levels of scrutiny and are increasingly penalty-minded. They are more suspicious and less flexible about compliance, reporting, and the underlying business processes and data. Banks have become both information hubs and potential targets as governments ensure the proper payment of taxes and compliance with AML and anti-terrorist financing measures. 

In response Banks have built a labyrinth of compliance processes: a new regulation; a new process bolted on. This creates high cost and inefficiency. Initiatives introduced are being led by different groups within the business. They lack effective coordination so there is inconsistent understanding of regulatory implications. Inefficient and duplicate processes exist in different arms of the same organisation.

The biggest obstacle to getting it right is the financial investment required and the technology restraints. The IT systems used in the major banks would be unrecognisable to the Facebook generation. Cyber security is central to compliance planning as new technologies expose customer data to greater risks. 

So what can Banks and other financial institutions do in the face of this regulatory onslaught? First they need to understand that it's a board issue not a compliance officer issue. Second, they need to reverse their thinking: don't react to the Regulator: predict the Regulator. How do we do that? We understand what it is that motivates the Regulator. If we understand what the Regulator is trying to do we can design adaptable compliance processes. Banks currently design individual processes piecemeal in response to specific legislation and not in anticipation of it. 

So how do we anticipate what the Regulator wants? That requires an answer in depth beyond the scope of this note. But at the heart of that answer is consumer protection. And once you understand that you can begin to create products and build processes from the ground up that are inherently compliant. In the words of one sage, start with the consumer and go backwards.