FATF requirement to produce a National Money Laundering and Terrorist Financing Assessment:
In February 2012 FATF published its revised International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation where Recommendation 1 and its Interpretative Notes referred to the need for countries to conduct and produce an assessment of the risks, to update that assessment and to make it available.
One year later in February 2013 FATF produced Guidance on National Money Laundering and Terrorist Financing Risk Assessment in the expectation that countries will now be at the stage of researching, compiling, and assessing their risks in order to better protect themselves and to demonstrate compliance at their coming evaluations.
I am pleased to see this overdue progress towards a strategic understanding, however the prospect of producing a National Risk Assessment (NRA) is worrying many, probably most, countries to a standstill.
The most frequent concerns run something like this: ‘we don’t have the information ….without data how can we quantify how much is laundered….if we can’t do that then how can we calculate the risk…if we can’t do that then …etc etc..’ until nothing is done. Some are justifying their inaction by waiting for others to make the first move – to see if a template or a benchmark standard emerges.
My position is this:
- Every jurisdiction already has the knowledge to produce an NRA;
- Every jurisdiction’s NRA will be unique;
- Every jurisdiction’s NRA will be a poor reflection of the real (unknown) extent of money laundering;
- Every jurisdiction with an NRA will be better informed – if only by the certainty that they now know what previously they only feared they didn’t know.
I am being deliberately provocative in that last statement but not pessimistic. There is nothing to fear and everything to gain by the process of an NRA, particularly if we remember to keep the complex simple.
The FATF Guidelines try their best to keep the complex simple even though I have some comments below on how the process can be made simpler still. I cannot say the same about the accompanying annexes in the guidance from the IMF and the World Bank. It is clear to me that FATF is being inclusive by directing readers to the guidance of two other influential international organisations, however I feel that the reader will only be confused as a result of reading three different approaches.
To overcome widespread reluctance to start the process we must begin with restrained ambition, and remain realistic and pragmatic. The NRA is not expected to be a ‘grand work’ – the ultimate unravelling, dissection and analysis of all forms of actual and potential money laundering, together with a comprehensive fool-proof plan of action to prevent and otherwise control its heinous consequences. In time the NRA will become more focused, more insightful, more bold, but it is unlikely that the first iteration will be more than a broad qualitative description of the obvious. So be it. Its creation will be a significant step forward from not having one.
In case there is hesitation because of fears of exposing significant weaknesses thereby requiring sweeping, costly changes, we should remember that the NRA may lead a country to conclude that it can scale down its AML resources and focus. Such a prospect is rarely spoken about but remains a realistic outcome. The results of understanding the threats, degree of risks and subsequent consequences are more multi-dimensional than simply forever increasing regulation, resourcing and implementation.
Let me turn to the written guidance itself – I like it and am pleased that it has been produced however I do have some observations that are my personal preferences.
First, a note about the dangers of taking the words in the FATF guidance too literally. I know that those embarking on the task of creating their first NRA will study the FATF guidance and follow it closely paragraph by paragraph, word by word. They will find parts that are encouraging and others that appear to contradict.
As former chair of a FATF Project Team I know how these documents are compiled. They are the product of a range of experts from many different countries and continents – the advantages of such an approach are obvious. However, once the substance of the document is compiled, itself the result of the perspective and preferences of several authors or authoring teams, each paragraph will then be subjected to group editing. This generally means that the final content is agreed by the consensus of the project team but no single member agrees with all of it. And so it is true to say that if each project member were responsible for conducting their own jurisdiction’s NRA they would draw on the parts of the guidance that they liked and they would ignore the rest – thereby producing very different, but appropriate, risk assessments.
This is what I recommend to everybody who has or will have a role in the compilation of their NRA.
In Paragraphs 10 and 45 of the guidance we see the continuing definition of vulnerabilities as ‘weaknesses’. This word association shapes thinking towards a relative weakness against a benchmark or standard, principally FATF standards. Evaluations talk of legislative or regulatory shortcomings, procedural loop-holes etc. The country’s response is then directed towards ‘strengthening’ them but irrespective of whether or not, or to what extent, criminals are abusing them. That approach is a ‘potential-risk based approach’ but not an ‘actual-risk based approach’ and real criminal activity may not be adversely affected by such strengthening.
Criminals have no interest in exploiting loop-holes just because they exist, they are not like teenage computer hackers whose motivation is solely to show that they can by-pass systems. Criminals are customers that have their own requirements – that is why I keep on saying that successful AML measures depend on understanding the criminal mind. I will take this opportunity to refer to my earlier papers on ‘Understanding the Psychology of Money Launderers’.
It is just as important to consider a strength as a vulnerability – I can assure you that organised crime groups and their money launderers are attracted to strong, well regulated, FATF-compliant jurisdictions and their financial institutions. The latter are vulnerable precisely because of those strengths. Countries and businesses should not only be thinking about procedural gaps but also what it is about the strengths of their organisations, their products, their services that attracts criminals.
Paragraph 22 raises an interesting point – that of political and other national sensitivities. The guidance says that such concerns should be put aside so as not to influence the NRA’s findings – that is an ideal but probably not realistic. I recommend two NRA versions – one for public/FATF consumption and another at a confidential level for authorised government officials. I realise such a suggestion will draws gasps of shock from some FATF delegates but I am not recommending a true assessment and a bogus assessment.
The two will be similar but one will include sensitive factors that influence policy and implementation. This approach does not undermine the ‘FATF’ NRA and only reflects normal practice – every government’s public position on every issue is only ever part of the story and there are necessarily confidential and secret assessments and reports with added critical detail. It is real life and sensible. The purpose of the NRA is not to satisfy the FATF machine but to enable the country to understand its risks and to decide what, if anything, to do about them.
Paragraph 43 offers a reasonable and welcome systematic approach to producing an NRA (identification, analysis, evaluation) – but I become a little concerned when I read recommendations to start by listing vulnerabilities of ‘primary methods & payment mechanisms’. Care is needed to avoid being too introspective and technical and to maintain awareness of the external threat, the likelihood of that threat happening, and if it does materialise then the relative harm caused (some money laundering can be judged to be less serious/harmful than others). There is a likelihood that much effort will be expended analysing the systems (payment mechanisms) and then great difficulty encountered deciding whether or not they are in any way being abused, and if so whether it presents a strategic threat.
I personally favour an approach that is almost the reverse order of the one in the guidance.
The guidance describes the final Stage III as ‘evaluation’ to establish the priorities, but I recommend starting with the priorities and working backwards. Technical experts are not needed to identify the country’s social, economic, political problems – the average citizen could list them accurately enough: increasing drug misuse leading to a wasted generation; increasing presence of criminal influence in communities, businesses, politics; poor international reputation damaging trade and investment; diaspora collections of funding for suspected terrorist groups etc.
Of course these problems will not be the direct and sole consequence of money laundering – there will be many more factors and many more mitigating/controlling measures to take other than AML. But, oddly, the only international Action Task Force is focused on money laundering and so that is the prism through which we must look.
Most, if not all, countries already have a good sense of their priorities – they may not have a quantitative justification for them but they are nevertheless real and valid. This starting process can be described more formally as ‘qualitative judgements by those experts with the width and depth of appropriate experience’ or less formally as ‘gut feeling’. The end result is often the same – there is no need to over-complicate this.
The next stage should be ’analysis’, which can be more focused and simpler now that the priorities are already known. The results of the analysis will most likely support those priorities but if not then they must be adjusted accordingly – remember that an adjustment can just as easily mean a downgrading of priority and its counter-measures.
The only point of having priorities is to do something about them: prevent, avoid, reduce, mitigate etc. In order to know where to apply the measures that will be most effective it is now necessary to work backwards to understand the various factors that enable such a situation to arise. This involves understanding the relevant systems (ie not all the financial systems); those institutions/businesses/people that have a role in those systems; and understanding who it is that is likely to abuse those systems.
In conclusion; my advice to most jurisdictions is in three parts: start now, start small, grow in to a continuously improving National Risk Assessment.
The top priority of those is to start now.