Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Don’t Share STRs or STR Data

Recently the Compliance Officer from a small reporting entity reached out to me to ask an uncomfortable question: should they provide copies of the Suspicious Transaction Reports (STRs) that they had filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to their financial services providers such as a credit union or bank?

This was a difficult situation for the reporting entity’s Compliance Officer because they were afraid of pushing back too much with the financial services provider. Like most non-bank reporting entities, they rely heavily on the services provided by the bank in order to be able to operate their business. Financial service providers, such as banks and credit unions, have the ability to close the accounts of businesses in Canada (often called de-risking), and it can be difficult for some types of reporting entities to establish new banking or payments relationships. The financial services provider in this situation has significantly more power than the reporting entity that is dependent on them.

My gut reaction was that the reporting entity should not disclose the contents of their STR reports, or provide copies. In Canadian legislation, disclosing the fact that an STR was made, or disclosing the contents of such a report, with the intent to “prejudice a criminal investigation” can be punishable as a criminal offence, with penalties of up to 2 years imprisonment (this is also known as “tipping off”). While there did not appear to be any intent to prejudice a criminal investigation in this case, it still seemed like a bad idea. I did a quick check-in with fellow AML geeks on LinkedIn. There are some great comments here, and I had a number of conversations in DMs and by phone. No one seemed to think that the reporting entity should be providing copies of STRs.

The question then became how to best empower the reporting entity to push back effectively. I submitted the following request to FINTRAC and to the Office of the Privacy Commissioner (OPC), both of which have mechanisms to allow Canadians and Canadian companies to ask the regulators to opine on matters free of charge:

One of our clients, a Canadian Money services business (MSB) has been asked by their financial services provider (bank/credit union) to provide copies of the suspicious transaction reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) that have been filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) on an ongoing basis. This struck us as being an overreach in terms of the information that should be disclosed to a service provider, and we are reaching out for an opinion on the appropriateness of these requests.

The financial service provider appears to be of the opinion that this is a reasonable request, and that they may close the MSB’s bank account if the STRs and ASTRs are not provided by the MSB.

I let both FINTRAC and OPC know that I had submitted requests to both. So far, only FINTRAC has responded. Their response is below in full (TL:DR: reporting entities should not share copies of STRs reported to FINTRAC).

Thank you for contacting the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s independent agency responsible for the receipt, analysis, assessment and disclosure of information in order to assist in the detection, prevention and deterrence of money laundering and the financing of terrorist activities in Canada and abroad.

I am writing further to your email of July 16th, 2020, wherein you requested clarification regarding the sharing of suspicious transaction reports (STRs) submitted to FINTRAC.

As you know, section 8 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) states that no person or entity shall disclose that they have made, are making, or will make a report under section 7, or disclose the contents of such a report, with the intent to prejudice a criminal investigation, whether or not a criminal investigation has begun.

The PCMLTFA sets out a regime in which the information contained in financial transaction reports sent to FINTRAC (including STRs) is protected from disclosure except in very limited circumstances. The Act also includes specific provisions aimed at protecting the personal information under FINTRAC’s control. For example, as you may be aware, the PCMLTFA is founded on a prohibition on disclosure (s. 55(1), PCMLTFA). Any disclosure of information or intelligence by FINTRAC must fall under one of the exceptions to this prohibition. Outside of these exceptions, FINTRAC is prohibited from disclosing the contents of financial transaction reports, or even acknowledging their existence.

While reporting entities (REs) are not subject to the same prohibitions, FINTRAC strongly believes that STRs should be regarded as highly sensitive documents, given the role FINTRAC plays in the fight against money laundering (ML) and terrorist activity financing (TF) in Canada, and the fact that STRs are a key source of FINTRAC’s intelligence holdings. From FINTRAC’s perspective, it is not in the public interest for REs to disclose financial transaction reports and the information contained therein. Even beyond this, the collection or disclosure of financial transaction reports, including STRs, without a valid purpose and authority, may infringe on legislated privacy protection obligations. Almost all information within financial transaction reports is personal information about an identifiable individual and is considered financial intelligence by

FINTRAC, collected for the sole purpose of reporting to FINTRAC. The potential harm that could occur from the disclosure of the information in these financial transactions reports is great, and includes compromising: (1) police and national security investigations that are both ongoing or could be undertaken in the future; (2) sources of the information/intelligence within the reports, placing those sources at risk of retaliation; and (3) FINTRAC’s compliance activities, given that data provided by REs is always provided in confidence and that confidence is expected to be maintained by all parties. FINTRAC relies on the information included within STRs to support disclosure of financial intelligence to police and other law enforcement and national security organizations, in the interest of detecting, preventing and deterring ML and TF.

Therefore, while your client (MSB) is not prohibited from sharing the STRs it has submitted to FINTRAC with its service provider (Bank/CU), unless it is with the intent to prejudice a criminal investigation, strong consideration should be given to the above.

If you would like a PDF copy of the complete question and policy position for your due diligence files, or to provide to an external party that is requesting copies of your STRs, or information about their content, you can download it here.

Response from FINTRAC – Re_ Sharing Copies of STRs_ASTRs

A version of this Q&A is also now posted on FINTRAC’s website (PI-10662).

The response from OPC, in contrast, was underwhelming. In essence, they will investigate specific complaints, but they will not issue advanced rulings. That said, if any service provider is insisting that copies of STRs must be shared with them, a complaint to the OPC may be an option.

Response from the Office of the Privacy Commissioner of Canada – INFO-084075

Need a hand?

If you have AML or privacy-related questions, we can help. You can get in touch using our online form, by emailing info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.

Why rich people don’t just open a bank…

 

It can be tough to open and maintain a bank account as a crypto-business. A policy of “derisking” (when banks avoid conducting business with customers perceived as being higher risk) leaves many crypto-businesses (and other MSBs) ill-served by the existing banking system.

A not-uncommon response to this reality (i.e. we’ve had this conversation enough times to deem it worthy of a blog post) is some variation of: “I’m a rich person! Why don’t I just open a bank?”

No doubt, this impulse comes from the admirably entrepreneurial spirit of our community. There’s a problem (lack of access to banking services), so let’s solve it.

But if you don’t have a background in compliance or banking and think that you’re “just” going to magically open your dream-crypto-paradise-bank… We’re here to advise you to slow your roll. We’re not saying you can’t do it… but here are some things you should consider. Knowledge is power.

Sidenote: We’re Canadian and these notes refer to Canadian processes. There are likely to be some differences in other countries, but we won’t know what they are. If you want to know, do the research. Let us know what you find if it’s interesting.

Opening a bank is expensive.

While you may think you have the cash to spare, opening a bank is expensive, and probably more expensive than you expect, both in terms of what you need to have in reserve, and what you’ll spend initially. We’ve heard the figure of $50m buy-in—which, by the way, does not guarantee you a charter.

You will spend money for years before you serve customers.

If you’re curious about where all those millions could possibly go, you’re going to get friendly* with an army of consultants, lawyers, and accountants over the next few years. (*And by friendly, we mean pay a lot of money to).

The process of getting issued a charter is lengthy (if you don’t believe us, you may enjoy perusing the 27-page long PDF guide from OFSI on the subject) and getting this process right means your investment will be whittled away by hiring people who can help navigate you through this labyrinth. You’ll also be spending money on employees, by the way, for years before you’ll ever have the privilege of serving a customer. Years. Plural.

Your team will spend a long time pleasing regulators before you’re operational.

Yes, even though you won’t be permitted to have customers for a long time, you will still need to assemble a team that can put together all of the elements of a bank into place. Your team will spend all of their time implementing processes, demonstrating to the regulator(s) that they’ve done so, and then tweaking these processes as the regulators require or request (in these instances, a request is really a politely stated requirement). If it’s any comfort, your employees will certainly be kept busy, even without customers.

You’re probably not going to be the CEO…

Despite making the decision to open a bank, you will likely not become the bank’s CEO, or even its COO. Senior management positions at banks require regulatory approval. Regulators are looking for you to have had a long history, at a senior level, in a bank or other federally regulated financial institution

… or even on the Board of Directors.

As with senior management positions, seats on the Board of Directors require regulatory approval. Even if you successfully jump through all the hoops required to start your bank, you will likely end up with little to no say in how it is ultimately run.

Well That’s Awkward!

There’s a noble sentiment behind the desire to “just open a bank” and solve the problems you see in the current banking system. But, the risks, effort, and returns are seldom well understood. In essence, opening a bank means making a substantial investment (in both time and money) in something that may one day become an asset (but may not). You can own the bank, but will likely not run it, despite the multi-year multi-million commitment you make. Even if you’re a wealthy investor with patient money, we’d suggest that you ought to be really passionate about setting up a bank if you want to embark upon this kind of endeavour.

What can you do instead?

So, if you’re not going to start a bank but are still frustrated by the banking system as it currently stands—what can you do instead?

Frankly, we need grassroots pressure to change the system we have. It’s important for us to have discussions with the gatekeepers (regulators, traditional banking institutions) for crypto business to get access to banking services. Part of the burden of being in this space is taking the time to educate those who control access to the resources we need. We’ve found that often even people with responsibility for developing policy related to bitcoin and other virtual currencies or tokens don’t fully understand it (and therefore its risk implications). While it may be frustrating to explain that it is possible to buy a fraction of a bitcoin to someone who we really think ought to understand this already, the more we can normalize crypto within the system, the more access we can hope to gain.

And while it can be difficult to speak out if you are a business who has been refused a bank account (or had your account shut down), we’d encourage you to share your experiences of trying to find banking services. Make a complaint to the institution. Share your story with the media (even if you don’t name the FI) or contact your political representatives. You can also, at the moment, contribute your feedback on the draft legislation on AML Regulations for “Virtual Currencies.” (See this blog post for more on how to do that). Exert pressure on the existing players.

But, of course… if you’ve decided you are passionate enough (and deep-pocketed enough) to start a truly crypto-friendly bank: more power to you and definitely let us know how you get on.

We’re Here To Help

If you have questions about virtual currency and regulation in Canada, or regulation in Canada in general, please contact us.

The Secret Project: 2017

Thank you to the Canadian MSB Association for allowing us to present our research findings at the 2017 Fall Conference.

Money Services Business (MSB) and bitcoin business banking in Canada is the most significant barrier to entry. We set out to prove that the derisking crisis is real. In a first world country, this is absurd. We hope that this research facilitates an open and honest dialogue, that includes those with the power to improve the situation.

For those that have asked, here are our slides:

The Secret Project- MSB Banking (PDF)

The Secret Project- MSB Banking (PowerPoint)

Raw data: use it as you see fit. Seriously. We believe in open source. Information wants to be free.

Google Drive Access

A video of the presentation will follow.

 

Breach of Security Safeguards Regulations

Back in June of 2015, the Digital Privacy Act received royal assent, resulting in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most amendments came into force at that time, except for the much-anticipated requirements related to breach notification. These requirements will come into force once regulations have been developed and put into place, and will affect any organization that collects, uses or discloses personal information in the course of commercial activities.

On September 2, 2017, a draft of those regulations was published in the Canada Gazette. The draft regulations will require organizations to report, to the privacy commissioner, any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm. The draft regulations state that such a report would have to contain the following:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day or the period in which the breach occurred;
  • a description of the personal information that was involved in the breach;
  • an estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;
  • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • the steps that the organization has taken or will take to notify impacted individuals; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Privacy Commissioner’s questions about the breach.

Organizations that experience such a breach will also have to do the  following:

  • Determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach by conducting a risk assessment;
  • Notify affected individuals if it is determined that there is a real risk of significant harm. How the notification will take place depends on serval factors such as if contact information of the impacted individuals is known, cost, and if the method chosen to deliver such a notification will cause further harm;
  • Issue notification that contains:
    • a description of the circumstances of the breach;
    • the day or period during which the breach occurred;
    • a description of the personal information that was involved in the breach;
    • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
    • the steps that the impacted individuals could take to reduce the risk of harm resulting from the breach;
    • a toll-free number or email address that the impacted individuals can use to obtain further information about the breach; and
    • information about the organization’s internal complaint process and about the individual’s rights under PIPEDA, and that they can make a complaint with the privacy commissioner;
  • Notify other organizations or government institutions if they believe they may be able to reduce the risk of harm to the impacted individuals (i.e. law enforcement agencies). If this is the case, consent of individuals is not required for such disclosures; and
  • Keep records of any data breach for a minimum of 24 months.

The determination if there is a real risk of significant harm to an individual, and reporting “as soon as feasible” requirements, are likely to be the most challenging for organizations.

In determining if there is a “real risk of significant harm”, the assessment of risk conducted must consider factors such as the sensitivity of the personal information involved, whether or not the data was data encrypted, whether the personal information could be misused, if the information has been recovered, etc. The true risk of such factors may not always be known at the time that the risk assessment is first conducted. If not known, it may be best to use a worst case scenario in the assessment.

In reporting “as soon as feasible” after an organization determines that the breach has occurred, to both the Privacy Commissioner and impacted individuals, organizations may be hesitant to provide specific information. Reasons why organizations may be hesitant may include, details and information may change as further investigating of the breach is conducted, or for fear of litigation risk down the road. Additionally, there is reputational risk that organizations will be concerned about. When notifying the Privacy Commissioner, organizations may want to state that the investigation is ongoing and that updates will be provided in a timely manner. When notifying impacted individuals, organizations should ensure that all required information is contained in the notification. It is best to be transparent and truthful in such notifications, as not doing so may cause even greater litigation and reputational risk.

Regulatory Impact Analysis and Regulations

The draft regulations are open for a comment period, to read full details of the draft and the accompanying regulatory impact analysis statement please visit the Canada Gazette.

We’re Here To Help

If you have questions regarding this or any questions related to privacy legislation in general, please contact us.

Sanctions This Week: July 25th – 29th, 2016

 

OSFISanctions Pic

There were no updates released from OSFI this week.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released four updates last week.  One update was related to the publication of Cuba-related Frequently Asked Questions (FAQ), covering some of the recent changes made to the sanctions that had previously been placed on Cuba.  Other updates included the removal of 12 individuals from the Counter Terrorism Designations List, the issuance of a Finding of Violation and the publication of Iran General License J.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.

The update to the Cuba-related FAQs was for the issuance of a new FAQ (#38) and a revision of an existing FAQ (#39), relating to certain information collection and recordkeeping requirements for persons subject to U.S. jurisdiction who provide authorized carrier or travel services to or from Cuba for specifically licensed travelers.

The update to the Counter Terrorism Designations List included the removal of 12 individuals of Libyan origin who are currently residing in the UK.

The Finding of Violation was issued to Compass Bank, which uses the trade name BBVA Compass, for violations of the Foreign Narcotics Kingpin Sanctions Regulations. From June 12, 2013 to June 3, 2014, Compass maintained accounts on behalf of two individuals on OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”).

The final update of the week was related to OFAC issuing “General License J”, authorizing the re-exportation of certain civil aircraft to Iran on temporary sojourn and related transactions.

See the Cuba-related FAQ update on OFAC’s website.

See the Counter Terrorism Designations List update on OFAC’s website.

See the issuance of a Finding of Violation to Compass Bank on OFAC’s website.

See the Iran General License J details on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Sanctions This Week: July 18th – 22nd, 2016

OSFIOutlier3_032

On July 18th and 22nd, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the United Nations Security Council’s (UNSC’s) Al’Qaida and Taliban regulations updates to the sanctions list, deleting one individual and amending another.

The individuals are subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations.

The review of the individual who was deleted from the list was triggered by regularly scheduled updates.  However, no additional information was available regarding the justification.

The amendment of one individual’s information included the following:

  • A physical description;
  • The confirmation of the most recent position held within the Taliban, as of April 2015; and
  • That they are currently involved in drug trafficking and operate a heroin laboratory in Afghanistan.

See the July 18th update on the United Nations (UN) website.

See the July 22nd update on the United Nations (UN) website.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released three updates last week.  One update was related to the addition of three individuals to the Counter Terrorism Designations list.  The second update was related to the addition of multiple individuals and entities to the Syria and Non-proliferation Designations lists.  The final update last week was to the Kingpin Act and Panama-related Frequently Asked Questions (FAQs) regarding General Licenses.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.

The changes to the Counter Terrorism Designations list included three individuals of different nationalities, Saudi Arabia, Egypt and Algeria, though all have been linked to Al Qa’ida.

The update to the Syria Sanctions list included eight individuals, all of whom are Syrian.  The seven entities, which range from construction, to finance to manufacturing industries and vary in location, which include:

  • Syria;
  • Saint Kitts and Nevis;
  • Cyprus;
  • UAE; and

The update to the Kingpin Act and Panama-related FAQs are specific General License 5B and 6B

See the Counter Terrorism Designations list update on OFAC’s website.

See the Syrian and Non-proliferation Designations lists update on OFAC’s website.

See the Kingpin Act and Panama-related General License FAQs update on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Sanctions This Week: April 18th-24th, 2016

Outlier3_036

OSFI

On April 20th, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the United Nations Security Council’s (UNSC’s) Al-Qaida and Taliban regulations update to the sanctions list, adding five individuals.

The individuals are subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations.  He individuals listed hold the following titles:

  • Head of religious compliance police and a recruiter of foreign terrorist fighters for Islamic State in Iraq and the Levant (ISIL);
  • lead oil and gas division official of Islamic State in Iraq and the Levant (ISIL);
  • Leader of an Indonesia-based organization that has publicly sworn allegiance to Islamic State in Iraq and the Levant (ISIL);
  • Leader and armed groups in Gaza using money to build an ISIL presence in Gaza; and
  • Served as the acting emir of Jemmah Anshorut Tauhid (JAT) since 2014 and has supported Islamic State in Iraq and the Levant (ISIL).

All of these individuals are of different nationalities, but all have connections to ISIL and have been designated as such.

See the update on the United Nations (UN) website.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released two updates last week.  One update was related to the addition of an individual to the Libya Sanctions list.  The second update was the publication of new Cuba-related Frequently Asked Questions (FAQ), related to the recent changes made to the sanctions that had previously been placed on Cuba.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.  The changes to the Libya sanctions list included the addition of the Prime Minister and Defense Minister of the National Salvation Government, who has been added due to contributions to the situation in Libya.

See the Cuba-related FAQ update on OFAC’s website.

See the Libya sanction list update on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Sanctions This Week: March 28th-April 3rd, 2016

 

OSFI

On March 29th, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the United Nations Security Council’s (UNSC) ISIL (Da’esh) and Al-Qaida sanctions update to the sanctions list, adding a single individual.

The individual is subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations.  The individual added is Saudi Arabian and holds a Qatari passport.  He is currently residing in Afghanistan and has led an Al-Qaida battalion in Afghanistan since at least mid-2010.Rodney_Money_Clothesline4

See the update on the United Nations (UN) website.

Go to the OSFI lists page.

 

 

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released two updates last week.  One was related to the removal of the Highly Enriched Uranium (HEU) Agreement Assets Control Regulations, and the second, was adding three individuals and two entities to the Counter Terrorism Designations Lists.  OFAC also released the 3rd Quarter FY2014 Report for licensing activities undertaken pursuant to the Trade Sanctions Reform and Export Enhancement Act of 2000 (TSRA).

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.  The additions mentioned above, related to the Counter Terrorism Designations update, were included due to the fact both the individuals and entities are linked to Al-Qaida and the Taliban.  They are all Pakistani nationals, with Saudi Arabian ID, and are reported to be currently residing in the UK.

See the Counter-Terrorism update on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Above And Beyond What?

It seems that every time I’m at a conference or event related to compliance, I hear people talking about going “above and beyond” the requirements. Something about this statement has always seemed wrong to me. It wasn’t until recently that I understood why: most of us aren’t getting the basics right.

FINTRAC Examination Data

 

Most Of Us Are Failing At The Basics

This is not an indictment of Compliance Officers and the tremendous effort that goes into compliance. It’s a simple statistical fact.

We crunched some numbers by industry for anti-money laundering (AML) compliance in Canada based on information obtained from the regulator through an access to information request in 2014. The rate of examinations for which there were no deficiencies (across all reporting entity types) was 17 percent. While we congratulate the savvy few that met this bar, that leaves 83 percent of reporting entities that failed to meet the basic requirements in some way.

While these results are specific to examinations conducted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), it’s not unreasonable to assume that the results can be generalized to compliance more broadly.

Shift The Focus

Before anyone can go “above and beyond” the fundamentals should be solid. One of the most painful reviews (like an audit for compliance) that I’ve conducted was a classic case of going above and beyond while completely missing the mark on baseline compliance. The reporting entity had great technology and related risk ranking metrics. The methods that they used to understand customer behavior involved machine learning and geo-location data at each login, analyzed over time. It was a great risk management strategy, except that they hadn’t identified a single customer in accordance with the law. Not a single one…

Ironically, in working to design measures that went beyond the basic compliance requirements, they found themselves so far outside of what was allowable under the law that had an examination been conducted by a regulator at the time, they could have been facing a very hefty penalty (as was the case for Ripple Labs in the USA).

Rework

Consequently, they spent a good deal of time and money updating their systems and identifying customers. In some cases, customers were lost. The (re)identification process was frustrating for people that believed that they had already completed everything that was needful in order to transact freely. There were updates to process documents and IT systems that took place over the course of months, and a good deal of frustration at the rework involved.

A competent third party or in house expert can be useful in assisting with system and process design, provided that they are able to understand your business model, basic compliance requirements and how to achieve these in the most elegant way possible.

Keep It Simple (Seriously)

At a recent conference, I was listening to a speaker whom I consider a model for what not to do, both functionally and ethically. As he sweepingly gestured towards an overly complex chart, he stared into the blank faces of his audience and proclaimed “It’s ok if you don’t get it. That’s not the point. The point is that I should look impressive. Are you impressed?” I was not.

Which model fits your needs?

Which model fits your needs?

Remember that the people that are usually fulfilling your compliance requirements are your frontline staff. Would they be able to use the model to the left to risk rank your customers?

While it can be tempting to create complex rating systems, it’s important to understand that your compliance program should be functional. If the system that you’ve created is too complex for your staff to understand and adhere to, it will fail. Whether you’re hiring someone external or creating your program in-house, remember to keep it as simple and easy to follow as possible.

Ask, Check, Test

One of the many arguments that I’ve heard for going above and beyond is that this is helpful when dealing with regulators and banking service providers. While I agree that this can certainly be the case, it’s a moot point if the basic requirements are not met.

In my experience, both regulators and bankers are candid – when asked – about where their expectations are set. There is no real appetite on the part of either to create a set of secret standards related to going above and beyond. From a practical perspective, this means that reporting entities should be focused on understanding the basic requirements, and seeking clarification as needed.

Effectiveness reviews can also be a useful tool in this regard, provided that the reviewer or auditor is well versed in local compliance requirements. Similarly, internal testing should be geared towards baseline requirements to ensure that these are being met.

Opportunities & Innovation

Going above and beyond for its own sake (in terms of compliance) is neither required, nor particularly good business.

This is not to say that reporting entities should avoid innovation. Rather, these efforts should be focused and prioritized on finding the most cost-effective and efficient ways to meet baseline compliance requirements, and mitigating risk.

Changing compliance legislation can also provide opportunities for innovation, in particular where there are public consultations. This type of dialogue with lawmakers allows stakeholders to suggest alternatives that may mitigate risk in new and innovative ways. It provides an opportunity to showcase new technologies and processes that solve common compliance problems with greater efficiency (although they may not fit into the current regulatory paradigm).

Need A Hand?

We believe that good compliance is good business. If you have questions, please feel free to contact us.

Who Wins The De-Risking Shell Game?

BankRisk_2The volume of evidence, both empirical and anecdotal, grows every day. The story on the surface is simple enough: banks are making the decision to “de-risk” (a polite way to say close the account of) certain types of businesses including money service businesses (MSBs) and digital currency businesses that are considered “too risky” by traditional financial services providers. The unintended consequences have included strained remittance corridors and frustration for businesses struggling to get by without reliable banking services. While these consequences are well documented, there are other unintended consequences of the de-risking phenomenon that have been less widely discussed. These include a growing lack of transparency between some industries and their banking service providers and directly threatens our ability to effectively manage money laundering and terrorist financing risk at both the financial institution and national levels.

It’s a shell game of “hide the risk” – and we’re all losing.

Businesses Are Losing

By now, if you haven’t heard about businesses struggling to survive without access to banking facilities, you would have had to ignore financial media for the past two years. The global effects of de-risking have attracted the attention of the G-20, the Financial Action Task Force (FATF), Financial Crimes Enforcement Network (FinCEN), the World Bank, and many more. While it’s clear that there are issues in terms of access to banking, let’s be honest with one another: while some businesses will close up shop, many others will take a different track.

Whether it’s using alternative financial service providers, payment processors, personal bank accounts or merely opening accounts at other financial institutions without revealing the true nature of the underlying activity, businesses will find a way to carry on. I’ve spoken personally to businesses that have taken these approaches, and it has never been their first or most ideal choice. These aren’t criminals carrying on some nefarious business! They are entrepreneurs who would rather be able to provide their real business plan to their banks and explain their activity honestly, but they do not believe that this option is open to them.

Banks Are Losing

Consequently, a bank with a policy that prohibits these types of businesses from holding accounts will deal with businesses that have gone to great lengths to conceal the true nature of their activity. The banks are unaware of the true nature of the activity passing through their accounts, and therefore ill equipped to manage the risk related to these activities. The strain on banking resources must be phenomenal, as banks must constantly devise new ways to interpret patterns of customer activity to detect undeclared MSB or digital currency activity. While it isn’t easy to quantify these costs, I can only surmise that the cost of this detective work must be high, despite being ineffective.

To further muddy the waters, businesses who fail to provide transparent information to their banks for fear of de-risking may also conduct completely legal activities in a way that starts to look like criminal activity. For example, if you believe that your business banking relationship is not reliable, you may open many accounts (in some combination of personal and business names) and conduct fractions of your banking through each, transferring funds from one account to another as needed to meet your obligations. On the surface, it can seem much like “layering” or “structuring” activity (techniques used by money launderers to make funds more difficult to trace). This further adds to the banks’ burden by creating more activity that must be monitored and investigated.

Entire Nations Are Losing

It has been widely publicized that in some cases like Somalia, entire nations that are dependent on remittance payments from friends and family living and working abroad are experiencing increased difficulty. Reliable and cost-effective remittance payment providers are a shrinking pool. This seems absurd in a time when technology can facilitate a payment in seconds.

National Security Is Losing

It’s not just far-flung places dependent on remittance payments that are losing. Here at home, we have a national security system that is dependent on our financial intelligence units (FIUs) having access to reliable data. The reliability of that data is undermined at every level by the de-risking shell game:

  • Businesses do not declare the true nature of their activity – and there are no incentives for them to do so;
  • Banks do not understand the nature of their customers’ activities, making it difficult detect potentially criminal activity; and
  • There is likely to be an increase in “false positives”, where activity conducted by businesses that do not believe that they can reveal the true nature of their activity to their banks instead conduct business in a manner that resembles criminal money laundering techniques.

Taken together, this results in the likelihood that key information is not being reported to FIUs correctly. Consequently, it becomes more difficult for law enforcement and other national securities to rely on this data to perform their roles effectively.

Who Is Winning?

There are two potential winners in this game and much like the shell games that you see duping tourists on the streets of large cities, neither is without malevolent intent.

The first are unregistered/unlicensed MSB businesses. These are businesses that have ignored regulatory requirements and carried on business without any FIU reporting. In some cases, these businesses will even minimize their interaction with the local financial system by using foreign bank accounts (and point of sale terminals) to collect customer funds. While the risk of penalty is high, the reward for these businesses (in particular where they are able to complete transactions that pose a challenge for their compliant counterparts) can also be high.

The second is criminal organizations. When legitimate businesses are performing transactions that look like money laundering, detecting true criminal activity becomes exponentially more difficult. I can only assume that the criminals are laughing all the way to the bank.

Shutting Down The Shell Game

De-risking is a complex problem with complex outcomes, but the solution need not be complicated. It does, however, involve the cooperation of all levels of the financial services community: regulators, banking service providers and businesses.

The costs and benefits of de-risking need to be reassessed. Where banking service providers are capable of accepting and managing accounts for businesses considered to be “higher risk”, they should do so, with their regulator’s blessing. Rather than perpetuating the shell game, regulators should encourage banking service providers to manage risk (and provide solid guidance with reference to how this should be done). Finally, there should be open communication between banking service providers, regulators and business banking customers. The lines of communication closed by de-risking must be opened, allowing banks to have honest conversations that will provide real insight into their customers’ business and lead to effective long-term risk management.

Return to Blog Listing


PROCESSING...