What should a money-laundering reporting officer do if Hunter Biden is an applicant for business? What are the 'red flags' associated with the beneficial ownership of corporations by a HNW customer? How might the Senior Managers & Certification Regime make MLROs' annual reports more honest? In this article Rachel Woolley (pictured) of Fenergo answers these and other questions.

Rachel Woolley is the global director of financial crime at Fenergo, an AML software vendor. She has more than ten years’ experience in the financial sector, having worked primarily in funds and retail banking. Compliance Matters asked her some questions about recent trends and her answers are to be found here.

Q: What does the MLRO do when he goes onto Google or World-Check and notices that the PEP/applicant for business has some very expensive properties or luxury goods? Does he ban him from business until he’s seen all the receipts and the old bank statements that show where the money came from? Or does he place him on the high-risk list but take the business anyway without seeing all the receipts? Does he give him a free pass because he doesn’t actually own the yachts and aeroplanes because it’s owned by an opaque couple of Cayman-island SPVs? Please take us through the right steps.

A: There are a couple of angles to this. In the UK, you have the unexplained wealth order (UWO). If there's no explanation of someone's wealth, there is a tool for the state to deal with it. In terms of onboarding, there's a lot of focus around politically-exposed persons or PEPs, close family members and close associates. You may be subject to bribery as well as corruption. The MLRO trying to ascertain the level of risk seems to be a shift to an industry consideration because if you don't accept him, the likelihhood is that someone else will. There is a massive focus on your network risk [which is present] the length and breadth of your organisation. That's the thing that Fenergo helps firms with and manual processes struggle to catch it. So you have to get the source of funds. Once you've done that, you must find the source of wealth. That's slightly trickier to find and verify. You might be onboarding lots of customers at the same time, which might cause problems. It's also difficult if the HNW person you're onboarding has new money, perhaps if he has 'won big' at a casino. He is innocent until proven guilty, although most companies have a level of professional scepticism.

Q: What if you're onboarding, say, Hunter Biden? He might raise a few red flags, having obtained that well-paid job on the board of a Ukrainian gas company with no command of Ukrainian and no experience in the energy sector at a time when his father was US vice president.

A: With a case like that, you have to sift through all the noise. There is a lot of information in the public domain that might not be fair. There are dark arts on the opposition side. I'd be looking at public registries. One red flag is a large corporation where the board has been changing quite frequently. You also have to look at how he attained a seat on the board.

Q: What have recent studies by Fenergo found?

A: A report that Fenergo released this year (which draws its data from up to the end of last year) found that the world's regulators have levied more than US$36 billion in AML/KYC and sanctions-related fines since the financial crisis began in 2008-9. This staggering number shows that the financial institutions in question had inadequate policy, processes, procedures, systems, governance and, in many cases, oversight. Interestingly, a similar report from 2018 found that the vast majority of these regulatory costs were associated with an AML/KYC-specific labour force.

Q: A financial firm must understand the ownership and control-structure of every firm that it 'onboards' but corporations do not go to private banks for business. Instead, the applicant for business is often an HNW who has stakes in lots of companies and/or draws his wealth and funds from them, so the compliance officer or MLRO has to check out the beneficial ownership of those corporations, is that not so?

A: Yes, or it relies on a financial advisor. And it has to check to see if a PEP owns majority stakes in those companies, or if the applicant for business is a PEP himself. It has to see what he's controlling – it's not just looking into shareholdings any more, it's also about ascertaining control. Most jurisdictions have rules saying who's acting on the account. It'll want to know the corporations that he owns when it's trying to identify the source of his wealth, then it wants to know it for the purposes of transaction monitoring.

So it might not have to verify the identities of individuals (although it will for direct customers and anybody acting on their behalf) but it does have to know who owns the entities that the HNW customer is receiving money from. If the money's coming from listed companies, that's reliable. It is also looking for online presence and it wants to see if the business is established. The big thing to check on that is if there’s been a recent change of shareholders or directors, or when the company in question ceased to be dormant. Fenergo is plugged into Companies House, so we do that.

Q: In your opinion, does good compliance require the hiring of more than one software vendor to screen the same things, e.g. worldwide reputation? Or is reliance on just one firm all right?

A: It depends. Some vendors have better data in different jurisdictions. You may want to have more than one if you're global.

Q: What else should the MLRO look for?

A: Relationship patterns are also significant, as the same service providers are often used, as was the case with Mossack Fonseca in the Panama Papers scandal.

Q: Are we talking about links to dodgy law firms? If so, does Factiva/Fenergo software tell you whether such firms are involved?

A: We are and it can. You could have the same singatories on the HNW's accounts. If you have a single viewpoint of that, you can see if that law firm has been indicted. If it has, you then ought to check each account. It comes down to your screening.

Q: Let us talk about the vague rules (known as 'Principles for Business') that the UK's regulator enforces. For example, it recently punished Commerzbank for not fulfilling principle 3, which tells firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. How can one trust the regulator not to abuse its power, when it can punish anyone for being unable to live up to these lofty and nebulous ideals?

A: It's a difficult one. The vast majority of fines are issued for vague reasons. The regulator has a relationship with the firm, so at least its expectations are clear. Part of the big issue in the European Union is that the Money Laundering Directive is applied inconsistently. In some jurisdictions, what generally happens is that the regulators will do an investigation if something bad happens but also they do thematic inspections. Then they might punish the firm with the assertion that "we've seen enough to form an opinion that money laundering will occur." Commerzbank, incidentally, were pinged on accounts that were overdue for checking. They were probably building up because the job of checking is a relatively manual thing still.

Q: What jobs do you think that banks fail to do the worst when spotting and dealing with risks associated with PEPs?

A: Overdue customer checks. They typically ought to review the risks associated with customers every 2-3 years. Failure to do so is common.

Q: At Commerzbank, certain business areas did not always stick to internal bank rules. This ‘internal policy’ thing is a big thing for regulators, isn’t it? Even if the policy isn’t in line with a particular rule.

A: Absolutely right – even if it's not expressing a rule. The regulator wants to say: "If you can't stick to this rule, what else are you not doing? Your word is questionable."

Q: As we know, the FCA often tells this-or-that firm that its compliance headcount ought to be higher. Have you ever evolved a rule of thumb to work out how many compliance people a department should have?

A: It comes down to the environment and the complexity of the environment. Some firms use manual checkers and rely on subject-matter experts, others automate the process. If we look at the Financial Action Task Force's mutual evaluation reports on countries, Iceland and Germany were called out by their own financial intelligence units which told the inspectors that they didn't have enough people. Then there is the worry that the MLRO might avoid disclosing the fact that he is under-resourced in his annual report for fear of offending his employers - this might be alleviated by certain accountability regimes such as the Senior Managers & Certification Regime in the UK. Now, because of this reform, the board itself is facing hefty fines. If the MLRO's annual report is not followed on, to some extent the MLRO could use it as a defence.

Q: What are the latest developments in AML/CTF RegTech that strike you?

A: Geo-tagging and geolocation. That's coming out from a Covid perspective. Also, advances are being made with software that takes a holistic view of risk with integrated systems. Fenergo and Smart KYC, for instance, sit on top of many systems. So we're talking about orchestration and an end-to-end view. Both of those trends are accelerating.

Q: How is AML RegTech different from CFT RegTech?

A: Although the intent and purpose behind money laundering is clearly different from that of terrorist finance, the methods that people use to disguise the funds are often the same. This is why laws refer to both subjects. Financial institutions' compliance processes are designed to detect suspicious activity, whether it relates to money laundering or terrorist financing. The software that exists is therefore typically applicable to the detection of both types of crime, rather than distinct offerings.