It would be difficult to write about money laundering controls in Asia without mentioning 1MDB, a Malaysian sovereign wealth fund embroiled in an ongoing international money laundering scandal. Yet, when Risk.net contacted six of the banks penalised for the wrongdoing to talk about lessons learned, our enquiries were greeted with either radio silence or a flat ‘no’.
One reason for this reticence could be a reluctance to show their hand to money launderers. But another is likely to be a fear of publicising anti-money laundering (AML) breaches – a sometimes bigger worry than the risk of regulatory fines.
Banks in Asia-Pacific are having to work harder to avoid such fallout, as the region’s regulators adopt increasingly rigorous standards and conduct more aggressive investigations. “We’re seeing more of an enforcement approach coming to the major financial centres in Asia,” says David Howes, Singapore-based deputy head of financial crime compliance at Standard Chartered, one of the banks unwilling to talk about their 1MDB experience.
According to a Thomson Reuters survey released in October, financial companies put their average customer due diligence costs in Australia, Hong Kong and Singapore at $50 million a year – a touch above the global average spend on this central part of AML controls. The average cost for the three countries has changed little since last year’s survey, whereas the global figure fell to $48 million from $60 million.
Local regulators’ actions are partly driven by the Financial Action Task Force, an intergovernmental body whose 37 members represent most major financial centres around the world. In 2012, FATF set out landmark standards for national measures against money laundering and the financing of terrorism and weapons of mass destruction, billing them as a “stepping up” of the fight against those crimes. Since then, it has updated the recommendations every year apart from 2014. FATF also regularly visits its member states to gauge their implementation of the international standards and lays out the findings in detailed public reports.
FATF inspections in Malaysia in late 2014 and Singapore in late 2015 prompted “significant amendments” to AML regulation in the two countries, says Stephanie Magnus, head of the financial services and regulatory practice in Singapore at law firm Baker McKenzie.
Singapore, for example, issued revised AML regulations for financial institutions in April 2015. Key changes included requiring company-wide assessments of money laundering risks, in addition to evaluations of individual customers; introducing a new customer category for people entrusted with prominent public functions in an international organisation and corresponding stricter rules for business relationships with such people; and additional requirements for cross-border wire transfers exceeding S$1,500 ($1,112).
Since the FATF inspections, regulators in both countries have also been more proactive in enforcing the rules, adds Magnus.
In Asia’s highest-profile recent case, allegations in 2015 of massive illegal flows from 1MDB to the accounts of Malaysian prime minister Najib Razak have prompted money-laundering investigations in at least six countries, including Singapore, the US and Switzerland.
Citing mainly AML breaches in 1MDB-related transactions, last year the Monetary Authority of Singapore shut down the local branch of Switzerland’s BSI Bank – the first time it has closed a merchant bank since 1984. Less than six months later, it shut down another merchant bank, Switzerland’s Falcon Bank, due to 1MDB-related failures and improper conduct by senior management in Switzerland and Singapore.
The closures were “a shock to the system” and made “everyone quite scared”, according to the head of risk management for the region at an asset management firm.
Singapore also took aim at individuals implicated in the scandal. In March, the city-state barred Tim Leissner, former chairman of Goldman Sachs for South-east Asia, from its financial industry for 10 years. Seven other people, including BSI Bank and Falcon Bank executives, have either been served similar prohibition orders, jailed or fined, or punished with a combination of those measures.
“1MDB is one of many cases in the region highlighting the increased regulatory focus on senior management responsibility for AML and financial crime,” says Phil Rodd, chief adviser on financial crime risks for Asia-Pacific at EY.
Lastly, Singapore’s central bank fined both Swiss firms, as well as Coutts, Credit Suisse, DBS, Standard Chartered, UBS and UOB, as a result of its investigation of 1MDB. Risk.net contacted the latter six banks.
Those fines were relatively small – the biggest set BSI Bank back the equivalent of $9.9 million – but financial penalties do come in much larger sizes, especially if a bank has a branch in the US. Over the past five years, foreign regulators, mostly in the US, have imposed $1.75 billion in fines on banks headquartered in Asia-Pacific for AML and sanctions violations, according to Corlytics, provider of regulatory enforcement data. In contrast, regulators in Hong Kong, Singapore and Australia – the most active enforcers in the region – extracted just $40 million in fines over the same period.
A $225 million penalty against Pakistan’s largest bank is a case in point. In September, the New York Department of Financial Services fined Habib Bank and closed down its New York branch. The regulator said that, among other things, the bank used its New York branch to facilitate “without adequate anti-money laundering and counter-terrorist financing controls” billions of dollars of transactions by a Saudi private bank with reported links to Al-Qaeda.
It is such “mega-fines” that inflict real financial pain on firms, says Dominic Mac, global head of know-your-customer (KYC) services at Thomson Reuters. But even without them, simply being singled out for failing to prevent money laundering can be damaging, he adds. “AML failures have a massive downstream reputational impact. It’s the bad banks that get fined because they’ve got bad processes.”
Another, less-publicised but often no less onerous consequence of control slip-ups – be they intentional or not – is pressure on the bank by supervisors to put its house in order.
“Once you have a fine, you have to be able to demonstrate to the regulator the route to solving that inefficiency in your processes, which leads to banks engaging costly consultants, usually hiring more people, coming up with a band-aid solution. The incremental costs are much more impactful than the [average] fine,” says Mac.
At the same time, staying above board can be a tricky balancing act for firms.
Banks active in more than one jurisdiction in Asia-Pacific must contend with differences between national regulations. For instance, the Hong Kong Monetary Authority currently requires banks to identify any ultimate beneficiary of a company or trust – the so-called ‘beneficial owner’ – that holds at least 10% of the entity, while in other jurisdictions the threshold is 25%.
Not only do such differences make it difficult to standardise operations across the region, but they also create problems when banks try to cater to customers with accounts in more than one country.
“If you’ve successfully onboarded a customer in Hong Kong, asking them for extra documents or more information when they then onboard in Singapore, or vice versa, tends to result in a negative customer experience,” says Chee Kin Lam, the head of legal and regulatory risk management at Singaporean bank DBS.
The consequences can be as severe as losing customers. According to the Thomson Reuters poll on the impact of KYC regulations on financial companies and their corporate clients, the two main complaints of bank customers – both globally and in Asia-Pacific – were a lack of common KYC requirements across banks and having to deal with many different people at the bank during onboarding.
“Many are voting with their feet: 12% [globally] report that they have changed banks as a result of KYC issues,” the survey said.
There are signs regulators are aware of the need for common standards: the authorities in Hong Kong have proposed relaxing the beneficial owner identification threshold to “more than 25%”, citing “the prevailing FATF standard and international practice”, and requiring banks to record basic information about the recipients of wire transfers, again to fall in line with FATF recommendations. Subject to legislative approval, the amendments will come into force in March.
One commonality between national AML regimes is a risk-based approach, recommended by FATF, which allows financial institutions a certain amount of discretion in applying the rules.
Speaking at a financial crime seminar in July, Chua Kim Leng, then assistant managing director at Singapore’s central bank, described the regulator’s approach to financial crime prevention this way: “Our inspections go beyond rules-based compliance and focus on an institution’s risk understanding and risk management.” Among other things, the Monetary Authority of Singapore evaluates whether senior managers are “setting the right tone from the top” and whether there is “sound risk culture” at the firm, he added.
A lack of explicit rules can complicate compliance. A local financial crime consultant gives an example of onboarding a very complex client, with a number of beneficial owners and trust structures involved: “Where do you stop? How deep do you drill down? How many directors do you verify? Where do you draw the line? Regulations don’t stipulate how far you should go.”
So, given the difficulties, what’s a bank to do? Part of the solution lies in using smarter technology and shared databases.
Current customer due diligence processes, based on applying pre-set rules, thresholds and scenarios to financial activity, tend to generate high numbers of ‘false positives’, which usually require human intervention to assess, at high cost.
“Throwing more bodies at the problem is not a sustainable solution,” Singapore’s Chua said at the seminar. He noted the potential of machine-learning techniques, saying they can help identify unusual patterns of transactions across a network of entities and across time. “These systems show promise and could succeed in picking out suspicious activities that are impossible for the human eye today.”
Howes at Standard Chartered is equally optimistic about the role new technology can play in fighting money laundering. He cites as examples better use of data analytics to identify true and false positives, greater automation of certain processes using robotics and – something Standard Chartered is experimenting with – machine learning.
But more low-tech solutions, such as databases, can also help. Howes singles out India’s requirement that bank accounts be linked to the customer’s Aadhaar national ID number, based in part on biometric information, as a major measure against money laundering.
Earlier this year Singapore’s government gave locally registered businesses access to its MyInfo database of residents’ personal data, after a successful pilot with four banks that allowed individuals to auto-populate application forms for new bank accounts or credit cards.
And last year, the Indonesian government allowed financial institutions to access the country’s ID card database for KYC purposes.
Private companies, including Swift, Thomson Reuters and IHS Markit, are developing similar shared KYC databases. “To the extent that banks are onboarding the same customers, if that can be done in a KYC utility, using digital data, it can be done in a much more efficient manner,” says Rodd at EY.
Another vital weapon against money launderers is greater information sharing between banks and law enforcement agencies, say financial crime experts in the region.
On that front, there are signs of progress. In May, Hong Kong’s police, central bank, the Hong Kong Association of Banks and 10 retail banks, including Citibank, DBS, HSBC and Standard Chartered, started a 12-month pilot project aimed at sharing information and resources to fight fraud and money laundering.
Similarly, in April, the Monetary Authority of Singapore and the city-state’s police force launched the Anti-Money Laundering and Countering the Financing of Terrorism Industry Partnership. Eight local and foreign banks as well as the Association of Banks in Singapore are involved in the initiative.
“These [two] taskforces represent the two parties coming together to focus on a common goal: catching the bad guys,” says Lam at DBS. “We are very, very supportive.”
Such innovative practices are welcome, but much more is needed to combat a truly formidable and constantly evolving threat. The total amount of money laundered globally may be around $1.5 trillion a year, according to estimates by the United Nations and the International Monetary Fund.
“It’s an old quote in the industry that identifying and preventing money laundering is like looking for a needle in a haystack. It still rings true,” says Howes at Standard Chartered.