Towards the end of May 2020, private and business customers of a Nordic bank received a special notice: as of October 1st, 2020, it read, their bank will no longer provide payment solutions to or from a list of countries countries where they believe the risk of financial crime to be extremely high. Additionally, the bank will also cease operations in locations made unprofitable by the very limited traffic volume. The warning further explained that “banks are made responsible by the authorities to prevent and hinder money laundering, terrorist financing, tax avoidance, corruption, fraud or other crime” and that “these measures are a step towards delivering on this responsibility.”
Source: https://fsi.taxjustice.net/en/introduction/fsi-results. The World’s Most secretive jurisdictions, according to Tax Justice Network. Highlighted in yellow, the jurisdictions where the bank in question will no longer provide payment services.
This sort of strict response may seem like overkill, but it is not a shocking one in the aftermath of the 6th Anti Money Laundering Directive of the EU, which defines all too loosely which prevention measures are to be considered adequate, as well as apparently implying that under EU jurisdiction legal entities (not only financial institutions) could be held accountable also for the actions of rogue employees. Member States have started implementation as of December 2020, and as a consequence, financial institutions in particular have been experiencing a higher level of scrutiny by the national Financial Intelligence Units. In Norway, the largest Norwegian bank, DNB, might end up being indicted in the first landmark case, thus defining the new industry standards in this respect.
While waiting for the legal precedents, it can be very tempting for businesses to grab the low hanging fruit and turn down customers based on lists as in the example above. Generalised lists like this, however, do not seem to be having the intended effect, especially with respect to the aim of stopping “fraud or other crime.” If we take as an example the jurisdictions involved in the PPE procurement fraud the UK recently fell victim to we see how such a scheme could still happen: in the case mentioned, the NHS ordered GBP 45 million worth of medical-grade respirators from Hertfordshire-based Purple Surgical, which sourced those through California from a company based in the BVI, which in turn purchased them from South Korea via its chief executive in Hong Kong. The passing through the BVI, the only blacklisted jurisdiction in this transaction path, would not be discovered, as the payment would be hidden by going through other whitelisted ones. The same thinking applies in the case of the North Korean forced labour exploited by Chinese PPE manufacturers, where the payments would go from the UK, Italy, the US, Germany, South Korea, or Japan, to China. Clearing or banning entire jurisdictions is the easy way out. We beg to disagree however with the idea that this may be an efficient way of addressing the problem: the increase in the use of “mules” and cryptocurrencies in developed countries for the purpose of money laundering is just the most recent piece of evidence against this approach. No less important is the growing demand for banking services by foreign natural and legal citizens: dismissing algorithmically a potentially profitable group of good customers would not be wise either.
A more effective approach requires going beyond compliance programmes and keeping an open mind for anything that deviates from what would be considered “normal” in any given context. Going through KYC (“Know-Your-Customer”) questionnaires and really asking all those questions can become a guide to finding and weeding out potential anomalies or red flags that could reveal a hidden motive behind the establishment of a customer relationship, something which would turn to be better than a box-ticking exercise. The same diligence should be employed during periodic reviews of suppliers and customers, keeping in mind that any insignificant change on paper may be very relevant in practice: if the ownership of a business is passed on to someone else, if the share capital changes significantly, if the core business shifts to another classification, these are all events that should trigger some follow-up questions. Knowing who we are dealing with is a must and to do that it is necessary to thoroughly analyse and go to the bottom of company structures, finding real footprints and beneficial owners.
Take also the time to get to know your people, since now your own corporate fate will be tied to their actions. Keep also in mind that, were a legal person to be deemed accountable, this would not exonerate the natural persons involved from culpability. The criteria for accountability will be known through the transposition into Member State legislation, and, most importantly, through legal precedents. At the end of the day, investing in your people and improving your onboarding routines locally is more effective than buying expensive AI systems that for the time being use lists as their learning set. The difference between the two is that the former is a proactive or preventative defense, which works ex-ante. The latter acts ex-post, and we all know how helpful it is to close the barn after the horse has bolted.