Tracking down dirty cash

FST. The Third AML Directive should now be fully transposed across Europe. What do you think is the biggest challenge facing the European financial services industry in dealing with AML?

MS. The Third AML Directive is not a directive that is implemented exactly the same way in each country. The directive says countries should follow this directive and implement it in local laws and regulations. It’s not only a European regulation, but one that gets translated into local laws and regulations. That leaves you with a challenge that some countries have slightly different interpretation of the directive, and the fact that some go a little further than others. If you are a European financial institution, where do you stand? You think about one implementation of the AML directive, but you end up with an effort with multiple implementations across the countries because there are some small variations here and there. But please don’t get me wrong – it’s not that one country says left and the other country says right based on the same directive.

However, if you are a European institution you still need to look into country-by-country specifics, and ask yourself whether your European-wide approach is actually tackling all local regulations and implementations? But probably the biggest challenge right now, which runs across multiple regulations, is data privacy. And if the banks want to be successful at AML, data privacy laws and regulations need to change so that banks and institutions can start sharing information more broadly and widely. It’s a common thread that runs through most discussions on AML.

FST. Is there a tension between setting global bank policies and the requirements of individual laws in individual countries/territories?

MS. The simple answer is yes – and this issue is a huge challenge. If you look at AML regulations and their maturity levels, what you find is that new regulations are implemented first in the western hemisphere. So quite often it starts in the US or the UK, moves into mainland Europe, and then slowly into Asia, and then on the way back come into Latin America. Africa is usually somewhere in between Asia and Latin America, but sometimes it is right at the end of the chain.

So if you are a global institution, this means that you are facing jurisdictions with different maturity levels of AML regulations, and the key question you have to answer as a global institution is are you going for the highest denominator or the lowest denominator? Are you looking for the country with the highest AML standard and scrutiny and applying that across the all of the countries and jurisdictions? Does this make you competitive in those markets and what is your competitor doing? Are they implementing the same, or are they going country-by-country? So it is a huge challenge indeed.

Maybe you globally adopt the KYC (Know Your Customer) approach UK, or you like the pragmatic approach of the Honk Kong regulations for transaction monitoring, and you adopt that globally as a minimum standard. What I mean by the minimum standard is that you enforce it around your network; you go around the network and agree that no matter what you have to do locally, these is the checklist or minimum standard that you have to adhere to. For example, up until last year Kazakhstan still didn’t have a formal AML regulation in place. Also, if you detect a suspicious email in your monitoring system your global standard may mean that you have to report it to the regulator within 30 days even if the regulator gives you 60 days in that particular country. There are countries that give you 24 hours or maybe a week so obviously the local standard would prevail because it is stricter.

FST. In terms of bank’s internal systems, KYC and due diligence place quite a demand on individual institutions. What are the best ways for a bank to tackle these? Is it co-operation between banks and/or outsourcing to a third party?

MS. When you are building or developing new systems outsourcing is definitely an opportunity to reduce costs. When it comes to KYC, I don’t believe it is an option to outsource because at the end of the day when you talk about KYC you are talking about the heart and soul of the bank – do you really want to outsource customer data? I think every institution can answer the question for themselves if they want to. But data privacy becomes a hotter topic each day. You need to think about competitive advantage that you may have through the client information that you keep on your systems and your records.

Then there are the costs associated with the KYC. We had a desperate need to have the system to meet and to support the needs that the new regulation has put on banks. But I’ve seen, right across the industry, that most of the KYC systems are standalone systems and then you have the challenge of reconciliation – how do you reconcile your KYC records, to your core banking system, to your CRM system, to your accounting system, and so on. You have all this information, and then another system that keeps client records. What has happened to information management or to one single client file? I only know one institution that has managed this extremely well with one global central infrastructure, although it is a smaller bank.

So the answer to your KYC question is in going upstream and including it in your core banking system, not as a standalone or add-on system that lies around and no one feels ownership for. If systems change and you forget to tell the KYC system then all of a sudden lines are broken and you have to spend a lot of money to get things fixed – an absolute nightmare.

FST. Given the global threat of terrorism, does there need to be better co-operation between the industry and regulators across geographies or are the demands on the banks already too much?

MS. That’s an interesting question. The industry is aligning and co-ordinating pretty well across the globe. There are various fora where industry comes together, the banks in particular, to debate the latest regulations, exchange thoughts, and set the standards for the leading banks in the world. And there are other fora where the industry comes together to exchange, and talk, and define practices to basically address a global issue. The regulators, unfortunately, only see slow movement. What is really is required is that the regulators globally come together and deploy global regulations and standards and put them into the local regulation, but agree on global standards that help to address that global threat. So we need cross- jurisdiction efforts, because perhaps the scrutiny is already too high in some countries, but can it be too high when we are talking about global terrorism? Perhaps not, but yes, it is higher in some countries than in others.

The role of the industry is to give law enforcement and the governments financial intelligence they can use in their efforts to combat terrorism. It’s not the job of the industry, and banks in particular, to combat terrorism. It’s our job not to support the enforcement agency with the information available to us wherever we can. We are not proxy policemen on behalf of regulation in one country by trying to enforce it globally through the backdoor.

FST. Now the third directive is transposed, do you think we’ll see a period of consolidation in regulations, or do you think 2008 will see more refinements and activity in this space?

MS. If you look at some of the regulations in the last few years, such as MiFID and the EU AML Directive, these have hit European and international banks really hard on the regulatory side. To me, it appears that one of the key challenges seems to be the timing of the regulations. Therefore, will there be more? Yes, I think there will be more individually, and there will be little consolidated ones, unfortunately. I have still the hope that 2009 and 2010, that there’s a better chance to align those regulations better upfront and see where are the common elements and then make those into common regulations with some add-ons that are very specific. But right now, you have very independent dialogue running next to each other, which makes it tricky, to say the least, for international banks. And of course, when we say tricky, we mean always a lot of effort, and of course those efforts result in higher costs and so on.

FST. Finally, can you tell me about your new job and what it entails?

MS. Sure. By the time that you read this I will be working for a global insurance company based in Switzerland – Zurich Financial Services as the global AML and trade sanctions lead looking into financial crime. After being at the forefront of AML development at ABN Amro I felt that it was time to take that knowledge into the world of insurance. Within the insurance industry there are US$3 trillion premiums generated every single year. The regulators want to avoid non-legitimate and terrorist funds from moving around, so they have cracked down on the banks as they look into who is moving the largest amounts of money. They have also been looking into money service businesses because, as I said, we have US$3 trillion of premiums moving backwards and forwards every year. So the insurance firms are clearly in the focus of the regulators. I have been asked to help this company be ahead of the curve and learn from the banking world, which has been through a very rough ride. There is a feeling that part of this rough ride will reach out to the insurance companies. So it’s always an advantage to be ahead of the pack.