Designed to fail? Banking, compliance and the FinCEN Files leak

Francesco Fulcoli


5 April 2021

A former US government Treasury official – Natalie Mayflower Sours Edwards – has been convicted for leaking these confidential documents, although the ICIJ has escaped official opprobrium entirely.

These SARs are significant because they reveal that the world's major banks probably allowed more than US$2 trillion in illicit transactions to slip through their fingers.

The scandal rightly raises questions to do with ethical banking practices and the role of compliance officers in offsetting the risks involved. Now that the hue and cry has died down a little, it is of great value for compliance officers to peruse it and understand the industry's AML blind spots.

The FinCEN leak highlights numerous problems in the compliance set-up at major global banks and private institutions – not only ones with headquarters in the US but others around the world – that bankers have often swept under the rug. It lays bare the consequences of underinvestment in technology and resources, the problems that financial firms can face when their compliance departments are structured incorrectly and slotted into larger teams and the pressure that compliance men and women can face to shy away from 'blowing the whistle' about malpractice.

A lack of standardisation in role and function

Firstly, let us examine how the structures of compliance departments at major banks and financial institutions could have allowed illicit transactions to pass through otherwise legitimate financial networks. The issue stems from the fact that there is little standardisation in the way in which firms approach compliance. This can significantly affect the function’s ability to do its job.

For instance, at many an organisation it is not unusual for compliance to be merged with risk, legal or security, feeding into other departments as opposed to being a stand-alone service. Compliance should, as much as possible, be separate from other divisions. Only then can it counsel the business independently and do its regulatory duties.

However, as the compliance function is not always consulted about or introduced to new strategies or products during the development phase when it should be, it often works behind a ‘Chinese Wall’ and is therefore unable to guide the designers of new products and the experiences of new customers from the start. The result is that it is often an afterthought and a tick-box exercise, which limits its efficacy. In modern-day financial services, compliance has the potential to be omnipresent in a business, helping to offset risks related to Know-Your-Customer (KYC) or Anti-Money-Laundering (AML) controls, affecting the performance of services and the whole direction of every business in a good way.

How did we get to this stage?

In many ways, today's situation is a symptom of the way in which our traditional financial institutions have protected themselves and their customers. Over the last 50 years, we’ve seen economies go through both prosperity and slumps, but it is the latter which leads major banks to rethink the way in which they evaluate risk. Over time, crashes like the one of 2008 have led to compliance people having to grapple with set projects, protecting their "verticals and different client solutions" against further risk. This has caused them to rely too much on technology and infrastructure for specific tasks. It often aligns these efforts to specific regulations and this can be bad for the necessary renewal of investment in compliance.

Long-term underinvestment breeds mistakes

Without a standard approach to the use of compliance people in businesses, those businesses can suffer from underinvestment in the compliance function and fail to appreciate the need for modern technology and compliance tools. Compared with the software that FinTechs and neo-banks use today, compliance infrastructure at traditional banks can be viewed as monolithic and/or unstable. This is in part due to pressure to cut costs but is also due to questionable budget allocation. For instance, according to a McKinsey report, 79% of compliance expenditure at traditional financial institutions is on upkeep of staff, not on its technology or tools. As a result, many departments are using technology that is built to run specific scripts that are at least twenty years out of date.

This pattern of tech underinvestment prevents compliance people from realising how best to protect their clients and companies from adversity. As a form of best practice, compliance departments should be evolving their technologies and processes in tandem with changing threats and the regulatory landscape. To work with archaic screening measures or security tools to combat modern risk is similar to fitting a square peg into a round hole and makes the work of compliance people much harder. As the case of the FinCEN leak proves, this can leave them badly resourced and unable to run accurate KYC and AML checks.

It is not surprising to note that major banks and other financial institutions have been vulnerable to criminals who use them because they thoroughly misunderstand the nature of their HNW customers and the provenance of their money. Indeed, it is surprising that these out-of-date processes have only just come to light. Now that these mistakes have been placed under the public spotlight, it is crucial for financial leaders to recognise the need for further investment and to refocus their attention on the central role that compliance plays in secure and efficient operations.

The art of 'blowing the whistle' in compliance

It is important to note that a firm that knows how best to use its compliance function and give it the regular investment in technology and resources that it needs will, among other things, allow that function to investigate, support and do something about the claims of informants. Without the necessary regulations or set processes, employees can come under pressure to overlook suspicious activity, particularly if it pertains to a prized client or earns the company lots of revenue. In fact, the latest report from Protect, the so-called "whistleblowing" charity, found that 31% of telltales were victimised by managers, 22% were dismissed and 12% buckled under pressure and resigned, all of which shows that informants face powerful deterrents.

Tipping-off is, and will continue to be, an important part of the checks and balances that keep any industry, but most importantly financial services, healthy and free from corruption. It should always be championed and not discouraged. Every firm must stamp out this silent ‘culture of fear’ with support from a well-funded and robust compliance function.

It is encouraging to note that recent data from the UK's Financial Conduct Authority suggests that people in financial services are becoming more comfortable with the idea of coming forward and raising awareness about misconduct. It shows that the number of ‘tip offs’ has risen 35% since 2015, and therefore that the taboo against and fear of tipping-off is breaking down. We must therefore capitalise on this trend and prevent recent public transgressions like the Wirecard scandal or the FinCEN files from happening again. Business leaders must actively encourage an environment where compliance professionals, and those from other departments, feel safe and empowered to report illicit activity.

The next 180 days

So, what does this tell us? It suggests that now, more than ever, the FinCEN files have demonstrated the extent to which banks and financial institutions need to revamp their compliance process completely from both a technical and a cultural standpoint. They must realise that compliance is not a limited operation but can be a ubiquitous function that ought to influence technology teams and product managers alike. Much like modern cyber-security practices, compliance cannot be an afterthought; it must have a seat at the main table and be entrenched in all areas of the business.

As part of this, firms must give their compliance departments appropriate resources and backing to keep KYC and AML measures current and robust, while also feeling empowered to act on malpractice should they, or a fellow employee, notice illicit behaviour. In this regard, traditional financial institutions could learn a lesson or two from their younger, challenger counterparts.

Free from the chains of legacy infrastructure and an entrenched culture, neobanks or fintechs such as TransferGo have been able to reinvent the compliance model, focusing on flexibility and utility, allowing them to move fast to deliver product, corporate and customer updates. For example, we’ve found that compliance actually speeds up innovation and delivery as opposed to suppressing it - the latter being an out-of-date stigma which senior leadership teams at big banks still hold on to.

Over the next six months, in my view, there will be a steady change in the position and integration of compliance in financial businesses. Public scandals such as Wirecard and the FinCEN files have been a wake-up call for financial leaders and, one hopes, the catalyst for change.

On the cusp of change

The FinCEN file leak has provided us with an opportunity to reflect and revise the traditional approach to compliance at major banks and financial institutions; indeed, the persistence of the status quo has no doubt caused major failures. With cumbersome, outdated systems and unfit structures and processes, institutions have inevitably been unable to implement KYC or AML processes effectively; nor have they been able to protect themselves against the modern landscape of threats. What is more, with the industry haunted by a ‘culture of fear’ and unsupportive of genuine tipping-off measures, it is no wonder that more scandals and evidence of malpractice have not emerged.

It is clear that the way in which the industry views compliance is on the cusp of real change, so firms are going to do something to try to offset the kind of misconduct highlighted by the FinCEN files. Challenger banks and FinTech firms must continue to lead the way by achieving "best practice for compliance integration and consultation." The coming transformation of attitudes to compliance will be exciting.

* Francesco Fulcoli can be reached at