Showing posts with label Money laundering. Show all posts
Showing posts with label Money laundering. Show all posts

Sunday, 30 May 2021

Lithuania: Supervisory Challenges on (Non Bank) PI & EMI Payment Activity in Centrolink

Hang On, Speedy

As highlighted in the previous post, following explosive growth, in 2020 non bank PI & EMI accounted for
  • 86% of the number of transactions in Centrolink

  • 69% of the total value of all transactions, and

  • represented 87% of Centrolink participants.

What are the specific risk characteristics of PI & EMI business that pose challenges for the authorities?

  1. Explosive growth in number and aggregate value of transactions

  2. Non bank entities predominate

  3. Centrolink transactions are now primarily “offshore” business in two senses:

    • In the majority of cases, both sides of the payment are “outside” Lithuania, e.g., the by-order party and the beneficiary

    • Up to 70% of PI & EMI clients are from offshore centers

  1. Customer vetting may be inadequate given “remote” CDD (customer due diligence)

  2. Centrolink is an attractive gateway to 36 countries in Europe.

  3. Risk issues thus transcend Lithuania’s borders.

I don’t need to say much about the issue of explosive growth.

The more trees in the forest, the harder to find Robin or any other hoods.

As regards non bank FI’s perceived greater risk, some general comments.

The failure of a large bank or group of banks poses a systemic risk to the financial system and economy.

In contrast the failure of a money exchange firm or a payments processor (think PI or EMI) is likely to have much less of an impact.

As a result, banks are more strictly regulated and more strictly monitored than other FIs.

Non-bank FI policies and procedures, internal control systems, etc. are often less rigorous and less rigorously implemented.

Part of this is due to less developed and onerous regulations on them. No need to have as elaborate structures as banks.

Economics and size also have an impact.

The fact that monitoring is often “lighter” can also play a role: no one is watching.

We can use the 2020 Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing (NRA) to assess the risks outlined above.

Page numbers below refer to the NRA unless another document is cited.

Let’s start by looking at potential weaknesses in PI/EMI policies and procedures and implementation thereof.

Weakness in PI and EMI Licensees AML/CFT Risk Assessments and Monitoring

According to the NRA (page 38)

Due to the fact that many of the clients are non-resident or from offshore countries, the companies have difficulties to identify the clients in reliable and independent sources. The due diligence and transaction monitoring systems are less effective than the ones used in the banking sector, as most of the businesses are new and focus on increasing clients’ portfolio instead of AML/CFT regulatory compliance. Most institutions have not yet performed organization-wide risks assessments to identify the risks based on five factors (geographies, customers, products or services, delivery channels, other qualitative risks). Next to that, not all institutions perform the retrospective transaction monitoring.


Wide ranging deficiencies across a critical set of control areas.

Suspiciously” Low Volumes of Suspicious Transaction Reports (STRs)

The data in the annual reports of the Ministry of Interior’s Financial Crimes Investigate Service Money Laundering and Terrorist Financing Prevention Board (ML&TFPB) is more detailed and current than that in the NRA. So I’ll use that information.

Here is a link to the 2018 Annual Report. Here is the 2019 Annual Report.

And here is the 2020 Annual Report.

The tables below are based on data from these three reports.

If you know anything about STRs, you’ve probably heard that FI’s prepare these primarily for CYA purposes and generate excessive numbers that overwhelm the authorities’ ability to make use of them.

These statements are often correct.

So why am I focused on the number of STRs?

I’m not.

Rather I want to compare 

  • STRs from the PI & EMI sector to that from banks and  
  • STRs of each sector as percentage of transactions processed by that sector.

When a particular segment of FI’s has a relatively low number of STRs or scores low on the above two metrics, it’s not unreasonable to assume that that segment’s transaction monitoring procedures are less than robust.

If a particular institution scores low on all three measures, that’s also a red flag in most cases.

These metrics are not conclusive. There may be very good reasons for differences.

At first blush the data seems to show definite progress. The PI & EMI sector is filing more reports. Fantastic growth! 2020 is more than 18x 2018.




Their percentage of total STRs is increasing smartly.




But as a percent of the number of transactions not so good.



As a percentage of transaction made, in 2020 banks submitted 3.5x the number of STRs that the PI & EMI institutions did!

As outlined above, the PI & EMI sector certainly appears to be conducting more risky business than the banks.

It’s, therefore, not unreasonable to expect that would have a higher percent than they do.

Their actual performance confirms NRA’s assessment of weakness in the PI/EMI AML/CFT.

Let’s turn to a feature in regulations that poses a risk.

Remote KYC/CDD Allowed for PI and EMI Licensees (page 38)

PI and EMI licensees are allowed to conduct “remote” know your customer/customer due diligence.

That is, the client need not be present in Lithuania. Approval is by review of documents submitted.

This is an even greater KYC issue because PI and EMI entities’ clients are primarily non residents.

And up to 70% of them are from offshore centers. (page 38).

That is a rather large red flag.

Adding to the risk is the fact that 97% of the value of all EMI and PI transactions in 2019 was conducted for legal entities not natural persons. (page 6 of the 2019 PI and EMI Activity Review).

Positively identifying the UBOs of private companies is a difficult endeavour, even more so for those formed in offshore jurisdictions.

In contrast, Lithuanian banks have been de-risking their exposure to foreign clients by reducing foreign client relationships and deposits.

As of 2020, Lithuanian banks had the lowest percentage of foreign corporate and natural person customers’ deposits in the Baltic region at 2.5% compared to Latvia (20,3%) and Estonia (7.3%). (Page 7 and 8).

Risks Associated with SEPA

Based on the average amount of 2020 Centrolink transactions (banks Euros 3,841 and the PI & EMI institutions Euros 1,423) and the ACH/BACS-like nature of Centrolink, you might well wonder if there is a real risk of significant illicit transactions.

To the first point, these are arithmetic averages. There could quite well be some fairly large value transactions among the 95.2 million total transactions processed in 2020.

To the second, while Centrolink processes Direct Debits and Direct Credits—that are likely to be small “ticket” items—it also processes payments similar to typical bank transfers.

There are two types of these transfers:

  1. A SEPA Instant Credit Transfer subject to a SEPA system limit of Euros 100,000 for each separate transaction. With promised completion (delivery to the beneficiary’s bank) 10 seconds after release! Note this timing doesn’t apply in all 36 of SEPA countries.

  2. A SEPA Credit Transfer subject to a SEPA system limit of Euros 999,999,999,99. These transactions are completed at the earliest next business day after receipt.

Each bank sets its own SICT and SCT limit for each customer both for individual as well as aggregate transactions. That would include Centrolink DP’s for IDP’s they accepted as clients.

SCT limits of Euros 1 billion are likely to be rare indeed. And not just in Lithuania.

SCIT and SCT “straight” payments and likely transactions limits make it possible to move significant amounts through Centrolink into the SEPA.

Monitoring systems to detect suspicious transactions would therefore be in competition with the creativity of illicit actors to disguise them. 

The offshore nature of Lithuania payment activity makes this a harder “race”.

Friday, 7 May 2021

Great Money Laundering "Deep Dive" by Matthew Collin into Leaked Data from An isle of Man Bank


 

Matthew Collins of Brookings has performed a "deep dive" analysis of client information "hacked" from Cayman National Bank and Trust, Isle of Man, a subsidiary of the Cayman Island-based Cayman National Corporation.

Here's a link to the teaser article which outlines his key findings.

And a link to the longer 55 page article

Lots of (great) detailed analysis:  the leaked data spans the period 2008 to 2019.

Even though CNB&T Isle of Man is a relatively small institution in the Isle of Man, the article is well worth the read.

Thursday, 16 July 2020

BIS Updates its Guidelines for the Management of AML/CFT



This month the BIS released an update to its January 2014 publication “Guidelines: Sound management of risks related to money laundering and financing of terrorism.“

The updates focus on the need for increased communication/interaction and co-operation between a nation’s financial institution supervisory agency (prudential supervision) and other domestic national agencies charged with anti-money laundering and countering the financing of terrorism.

As well the BIS advocates similar cross-border interaction and cooperation.

It’s important to note once again that the BIS does not have the authority to force countries to accept its guidelines. It does not legislate, it recommends.

Individual countries may accept or reject BIS guidance in full or in part. And are free to set the details of how a principle they accept will be applied. 

That being said, it is rare that countries reject BIS suggestions in toto.

What are the changes?

The addition of paragraph 96 to the main body of the guidelines and a new Annex 5 outlining best practices.

Paragraph 96 sums up the BIS’s intent.
“Prudential and AML/CFT supervisors should establish an effective cooperation mechanism regardless of the institutional setting, as set out in Annex 5, to ensure that ML/FT risks are adequately supervised in the domestic and cross-jurisdictional context for the benefit of the two functions.“


Annex 5 contains what I’d consider some rather self-evident points. But many regulations do state what is obvious. And that’s done for good reasons.

License Authorization

  1. Prudential Supervisors should consult with AML/CFT supervisors to identify any AML/CFT risks posed by the bank’s proposed business model for a new bank or such risks for an existing foreign bank seeking a license in its jurisdiction.
  2. They should also consider the bank’s AML/CFT policies and procedures, risk management structure and risk mitigation systems.

Assessment of Major Shareholders, Acquisitions, and Major Holdings
  1. Similar to the above with a focus on how these affect the proposed licensee’s AML/CFT risk as well as cases when new shareholders are proposed.
  2. Part of this assessment is a review of the history of the proposed major shareholders, acquisitions, and major holdings for evidence of AML/CFT risks, vulnerabilities or transgressions.
  3. This assessment requires cross border interchange and co-operation to obtain information from other national regulatory agencies.
International Co-Operation
  1. This can be established via bi-lateral agreements (MoUs) for exchange or “prudential colleges” where a group of supervisory or regulatory agencies agree to exchange information. Link to information on EU “prudential college”.
  2. The FATF has published guidelines on the exchange of AML/CFT information both domestically and internationally. Last update in 2017.PP

Sunday, 16 February 2020

Anti Money Laundering Some Inconvenient "Facts"

Not a Red Arrow in the Quiver

Last month Matthew Collin published a blog entitled “Angola and the money laundering paradox” in which he noted that the dos Santos case highlighted certain paradoxes about money laundering.

His key points were that contrary to what many believe a large volume of money laundering takes place in jurisdictions that score well on Transparency International’s Corruption Perceptions Index, have good ratings (mutual evaluations) on their anti money laundering regulations and system from the FATF or similar bodies, score high on transparency,, etc.

Be sure and read his article it is full of worthwhile insight and information.

None of this is surprising to those involved in international finance nor to those who follow money laundering.  

There are more inconvenient "truths" or at least observations about money laundering. 

As usual, AA is not shy about highlighting them.

First, the "developed and well-regulated" markets are where the bulk of large value money laundering takes place over all three stages of the process: placement, layering, and integration. 

As the chap in the picture above (Robin Hood or Robin Gud) will tell you, the best place for a “hood” to hide out is where there are lots of trees.

It’s much easier to get lost among the trillions of dollars of daily transactions in the major "developed and well-regulated" markets.

These are places that you’d like to hold financial or other assets (properly disguised of course) for a variety of reasons:  greater liquidity, potential for appreciation, systems that protect your rights from arbitrary actions.

Those with assets to sell or banking services to provide in those markets are keenly interested in maximizing sale proceeds or service revenues. And perhaps not of the sort to get overly "fussed" about the source of funds.

A booming property market and vibrant stock market are every government's dream.

This is no secret. There are reliable official estimates of money laundering that cut through imaginary "halos", including those of their own jurisdictions. 

Here are two examples.

Each year the US Department of State publishes the International Narcotics Control Strategy Report pursuant to a statutory requirement. Usually in late March covering the prior year. The INCSR is based on input from various US governmental agencies.

As you'd expect with any national source, it is not free from political considerations. 

Within Volume II of the INSCR is a list of “Major Money Laundering Jurisdictions”. 

You’ll find the list of such countries for 2018 in the INCSR 2019 Volume II pages 14 -15. 

Tucked in among the usual suspects of Afghanistan, Uzbekistan, the UAE, you’ll find the United Kingdom, the United States, etc. 

In past years, the DoS would rank countries as being of “primary concern”, “concern”, and “other countries monitored.”

In the “primary concern” list, the United States, the UK and several European countries were routinely included.  

Here’s an archived version from the 2017 INSCR. 

The UK’s National Crime Agency notes that “Although there are no exact figures there is a realistic possibility that the scale of money laundering impacting the UK annually is in the hundreds of billions of pounds.” 

If you think about a country like Angola, any serious money laundering through the financial system there would be noticeable because of the lower volume of transactions. Not enough trees. In some cases countries only have “bushes". 

Here's an example of how "lack of trees" can aid in identifying unusual, perhaps even suspicious transactions.

Back in 2016 SWIFTs August RMB Tracker noted further imaginary progress in the development of the RMB as an "international currency" citing a spike in RMB transactions in "South Africa".

A fairly cursory examination of publicly available material disclosed that the spike wasn't only in transactions for South African customers.

More importantly that analysis disclosed the spike was primarily due to a single RMB 2.7 billion transaction in Mauritius.

Second, fines give a fairly good idea of where money laundering is taking place and how serious it is.

By amount the bulk of money laundering fines are levied by regulators in the USA and Europe on banks operating within their jurisdictions. The size of these fines indicates the volume and seriousness of the infractions.

According to AccountancyDaily, there were 58 AML penalties worldwide in 2019 totaling USD 8.14 billion nearly double the amount of the 29 penalties in 2018.

US regulators were the most active with 25 penalties totaling USD 2.3 billion, the UK with 12 penalties totaling USD 388 million.

(Fines like the UK's aren’t going to do much to combat money laundering. They’re unlikely to silence the laughter in board rooms.) 

France took the record that year for the largest penalty USD 5.1 billion levied against UBS who are appealing the fine. 

In terms of money laundering and sanctions violations penalties (the latter a particular preserve of the USA) there have been some USD 36 billion since the 2008 financial crisis according to a recent report by Ferengo who publish this data annually. 

Again the countries whose banks were “tagged” with the fines come from “developed and well-regulated” markets. You won’t find Angola or Iran among them.

Third, despite apparent precision attempts to quantify money laundering, corruption, and other illicit activity results in crude estimates at best and often in semi-educated guesses. Sometimes they measure less than we think they do.

Here are some examples from previous posts.

Sometimes they don't model everything we think they do.

For example, Transparency International’s Corruptions Perceptions Index is based on perceptionsThere are no public statistics on corrupt transactions, except those arising from legal cases.

More importantly TI considers only governmental corruption as clearly outlined on TI's website.

A fuller discussion here

The latest TI CPI rated Denmark as the least corrupt country in the world tied with New Zealand.  In 2018 Denmark stood atop the CPI alone.

Yet, Den Danske Bank’s branch in Estonia was involved in a Euro 200 billion money laundering scandal over more than a few years.

According to reports, the Central Bank of Russia informed both Danish and Estonian regulators in 2007 and 2013 that Danske's Estonian branch was being used for money laundering.

It would appear that warning was not acted upon, presuming that these reports are correct.  

Denmark and several other TI highly rated countries are victims in a multi billion euro tax fraud based on “dividend stripping” or a “cum/ex” operation. Denmark Euro 2 billion, Germany 5 billion. 

Major European banks colluded with clients to implement the scheme. Not one Angolan bank in the mix.

So, if you’re relying on TI to frame your money laundering risk profiles, think again. It's only a partial source and has its own limitations. 

Most money laundering takes place through private sector not public sector banks. And be aware that other rankings of financial crimes risk use the CPI as input. 

Fourth, assessments (mutual evaluation reviews) of anti-money laundering regulations and systems miss key factors.

Much of these are based on whether there are laws on the books that cover the key elements in a good AML regime (based on FATF recommendations) and how strict they are.

Geography plays in important role in this process because "zip code" is used to risk exposures.

MENA countries are likely to be scrutinized more for terrorist finance than Latin American ones. Deficiencies found in MENA will be treated as more serious than those in Latin America.

Checking the robustness of legal regimes is certainly important. 

But, if laws are robust but ignored, they are of little use.  If they provide less than perfect solutions as all legal systems do, then reliance on them should be tempered by this knowledge.   

The same with individual financial institutions procedures for enforcing the national AML regime.

Fifth, compliance with AML regulations involves a lot of "box ticking".

Financial institutions are required to perform two key AML tasks:  (a) conduct CDD (customer due diligence) prior to accepting a customer and (b) monitor a customer's transactions and conduct of its relationship to detect suspicious activity. The bank should investigate suspicious activity and where warranted file a report with its financial regulator.

CDD consists of "proving" a customer's identity, financial condition, etc. and assessing whether the potential customer is not engaged in illegal or terrorist activity. 

This involves obtaining various documents depending on whether the potential customer is a legal entity or a natural person, e.g. passports, commercial registrations, financial statements, etc. 

As a general rule, one can say that individuals and businesses that need their money laundered have rather high gross margins. Thus, they have ample budgets to pay intermediary fees and make facilitating payments.

They have the money to pay for the creation of documents to comply with AML requirements and to set up complex structures to hide realities. 

Here it's important to note banks are not required to “verify” documents but can accept them on their face as valid unless the documents are clearly forgeries or inconsistent. This is similar to their obligations regarding the authenticity of documents presented under letters of credit. 

That makes sense.

Unless it’s a rank amateur forgery how will a bank in Country A, verify your Country B passport?  Or your financial statement?  Or a letter from a lawyer confirming you inherited USD 100 million from your Uncle Abdullah?

Money launders are also able to hire “name” professional advisors and intermediaries. 

The sort of “names” that would add a “halo” to the client.

"If XYZ is dealing with Ms. X, she must be “clean” because they are an international firm and must have done proper 'due diligence'.

Most national AML laws and regulations are based upon the recommendation of the FATF an international body that develops AML standards. FATF Recommendation 17 allows a national regulator to permit its banks to rely on a third party to perform some of the key steps in CDD or customer vetting.  

This can also be a convenient excuse for a bank not to look too closely for fear of finding out something it doesn't want to know or aggravating a potentially lucrative customer.. 

What's hopefully clear from all of this is that there is a great deal of "box ticking" in the CDD process. 

As an internationally mobile individual, I have had to open accounts in a variety of foreign jurisdictions.

In most cases I have been called on to sign a letter that states I won’t use the account for illegal purposes or to fund terrorist activities.

I also have been asked to self-report my income and net worth. Provide proof of my address, e.g., a letter addressed to that address, a utility bill, a driver's license, etc.

But not in every case!

And that's not just overseas, in one case when I lived overseas and wanted to open an account with one of the largest banks in the USA, my Social Security number, a deposit, and a smile were all I needed to open an account.  I wasn't asked to "show" my passport or driver's license! 

Luckily for the banks I deal with, I’m an honest person. But not every client is.

This concept of self-certifying oneself as “not a crook” is an interesting one.

Once while opening an account with a foreign bank, I asked its representative if he thought that a person who wanted to use an account for illegal purposes or terrorism would have his or her conscience troubled by lying in such a letter. 

His retort was “If you don’t sign the letter, no account”. 

Letter signed, box ticked, financial integrity protected, we moved on.

To be fair, how would a bank determine if a potential customer were a terrorist or criminal?

Are banks smarter than law enforcement and certain organs of state security?

Do banks have access to information that these official bodies do not?

Bank financial performance seems to suggest that as a group they are less "smart" and have less access to information about their clients than is commonly imagined. 

Once a customer is accepted then the bank must monitor the account relationship for transactions that don't seem to be compatible with the information provided on financial capacity or contain money laundering patterns. The FATF publishes a list of these, if you're interested.

In general this is "easier" than the CDD step.  A lot of this can be automated fairly simply primarily where the account is being used for many transactions.  

However,if the account is being used for a one off or infrequent transactions, this becomes a harder task.  

Six, The phrase "pecunia non olet" explains why money laundering occurs.


In fact the more you have the sweeter the smell, particularly when fees for advising and handling that money are based on amount.

Ms. dos Santos was clearly a “PEP” (politically exposed person). 

Standard practice AML procedures would require that she be subject to enhanced due diligence at the inception of a relationship and thereafter by ongoing enhanced monitoring by banks, professional service providers, and intermediaries.

She must have had quite a convincing story about how she legally accumulated her wealth and then kept on legally accumulating more. 

Plus a trove of very credible looking documents.

Or maybe it was the “sweet smell” of success?

Or the fear that too intrusive an approach would take her to finding another bank, advisor or professional service provider? 

The rich are different than you or me.  Not only do they have more money than we do.  But their bankers are more deferential.  

Perhaps, a even more compelling story is that of Rabobank NA, the US subsidiary bank of Rabobank in the Netherlands.

According to the US Department of Justice, two of the bank's rural branches in California--Tecate and Calexico cities right on the border with Mexico--had a "lot" of US dollar deposits.

So much that the bank had to send at least one armoured car per week to collect the cash. Depositors then typically wired or otherwise transferred the money out of the accounts shortly after making the deposits.

Now one (at least AA) would think that large cash deposits well beyond economic activity in the area--at least legitimate activity--might be a "red" flag of potential money laundering, warranting at least an investigation.

The immediate transfers would typically also be considered a "suspicious" transaction.

Well Rabo did investigate and apparently decided it was.

So they did what any "responsible" financial institution might do.

They devised a "verified customer scheme" to facilitate continued acceptance of the deposits in an ultimately unsuccessful attempt to hide the transactions from USA authorities. A seemingly high risk strategy.  What were they thinking?.