AML: the regulatory landscape

Financial institutions may have their minds on other matters post-US election, mid-pandemic and pre-Brexit. But the ever-present issue of AML compliance only looks set to get more complex in coming months. As a tranche of new measures approaches, Risk Universe dissects some of the key regulation updates on the horizon, plus sheds light on the context in which these changes have been made.

Financial institutions may have their minds on other matters post-US election, mid-pandemic and pre-Brexit. But the ever-present issue of AML compliance only looks set to get more complex in coming months. As a tranche of new measures approaches, Risk Universe dissects some of the key regulation updates on the horizon, plus sheds light on the context in which these changes have been made.


In September 2020, the International Consortium of Investigative Journalists (ICIJ) - the same group responsible for the Panama Papers investigation - released a dossier of more than 2,500 classified banking documents to the world’s press. The files contained thousands of Suspicious Activity Reports (SARs) submitted by banks to the US regulator, FinCEN (Financial Crimes Enforcement Network.) The leak exposed the extent to which banks and authorities are aware of trillions of dollars of illicit funds flowing through the global banking system. Approximately US$2tn worth of questionable transactions were documented in the files - including more than US$1bn transferred via an account at JPMorgan, which was later revealed as belonging to someone on the FBI’s 10 Most Wanted list.

Perhaps one of the most shocking revelations from the FinCEN Files was the UK’s part in all of this. 3,282 of the shell companies recorded in the documents were registered at addresses in the UK - more than any other country in the world. An office address in Potters Bar (a small town 13 miles outside of London) has hundreds of companies registered to it, but lies empty - as do thousands of other properties used in the same way. As a result, FinCEN and the US Treasury have classified the UK as a “higher risk jurisdiction.”

Worryingly, this is likely to be just a snapshot of a much wider problem. “Though a vast amount, the $2tn in suspicious transactions identified within this set of documents is just a drop in a far larger flood of dirty money gushing through banks around the world,” said the ICIJ. “The FinCEN Files represent less than 0.02% of the more than 12 million suspicious activity reports that financial institutions filed with FinCEN between 2011 and 2017.”

Off the back of the FinCEN Files leak, the UK government has announced reforms to Companies House to clamp down on fraudulent activity and FinCEN itself is consulting on amendments to the Bank Secrecy Act. The EU is also updating its AML directive, just six months after the last update. Despite many banks being considered “too big to jail”, the regulators are closing in on institutions that don’t demonstrate due diligence in their AML procedures and recent scandals will only serve to tighten regulatory oversight, leading to even more time-consuming and costly security measures. Penalties issued to financial institutions for AML violations are increasing. In 2019, the total amount of AML-related penalties was nearly double what it was in 2018, rising from US$4.27bn to US$8.14bn globally.





The ILLICIT CASH Act (Improving Laundering Laws and Increasing Comprehensive Information Tracking of Criminal Activity in Shell Holdings Act) provides a much-needed update to the US Bank Secrecy Act (BSA) of 1970. The BSA has mostly been enforced via financial institutions issuing Suspicious Activity Reports to the US financial crimes authority, FinCEN. The recent leak of more than 2,500 of these documents to the global media exposed the extent to which reports of suspicious activity go unaddressed by authorities and highlighted huge issues with communication between relevant parties. A key initiative of the ILLICIT CASH Act is to address this problem, by formalising reporting processes, loosening data sharing restrictions and improving innovation through technology.



Coordinated communication between financial institutions, regulators and law enforcement

In the US, there is currently no mandate for banks, law enforcement and the regulators to converse about reported suspicious activity and to share information about whether it is significant to criminal investigations. This means, once a bank has reported a suspicious transaction to the authorities, many simply continue doing business with the client until they are told otherwise. But banks are legally required to identify the source of funds they transfer and should freeze accounts that they deem suspicious. The FinCEN Files leak revealed that some of the world’s largest banks were guilty of continuing to do business with clients who had SARs against them, including JPMorgan, Barclays, HSBC, Deutsche Bank, Bank of New York Mellon and Standard Chartered. The ILLICIT CASH Act calls for a “critical feedback loop” whereby all parties are informed about priorities, collection methods and investigative outcomes so that the status of individuals is always clear and financial institutions can stop profiting from the activities of unscrupulous clients.

Improved provision for data sharing

The BSA system does not currently allow for easy transferral of data between financial institutions, making it very difficult to share important information about potential suspicious activity with other banks. It even sometimes prevents financial institutions from sharing vital AML details with their affiliate organisations. One way the bill hopes to get around this is to allow banks to de-identify some SARs and share this information with other banks in certain circumstances. Data is also often separated out into different repositories, making it difficult to compare and monitor client activity, even within the same organisation. Banks will be expected to address the way they utilise data to improve the efficacy of monitoring systems.

Improved innovation through technology

The ILLICIT CASH Act provides a clear mandate for innovation within financial institutions in the context of AML technology. With the new rules, banks will be encouraged to explore new methods of tracking suspicious activity, including the use of artificial intelligence. The new rules will include a regulatory framework for testing new technologies and automated AML programmes that help identify priority risks.

Increased corporate transparency: reporting beneficial ownership

The US has been slow to move when it comes to tackling corporate transparency, specifically in the context of declaring beneficial ownership. The first public register for beneficial ownership of companies was launched in the UK in 2016. In the US, there is still no such registry and even law enforcement agencies do not collect this information in a central repository. Corporations are registered on an individual state level, and there is no country-wide system that collates this data. The US has been flagged many times as one of the easiest jurisdictions in which to register a shell company. Under the new rules, companies would be required to register all beneficial owners centrally via FinCEN.


The Corporate Transparency Act

The Corporate Transparency Act (CTA) is considered the “partner act” of the ILLICIT CASH Act and was passed by the House of Representatives in October 2019. It is focussed specifically on addressing the lack of transparency around beneficial ownership and the use of shell companies. It requires anyone applying to form a corporation or limited liability company to submit a list of beneficial owners to FinCEN - expanding the Customer Due Diligence rule implemented by FinCEN in May 2018. A beneficial owner is defined in the Act as anyone who has at least a 25% stake in the business. Some critics suggest this threshold will allow too many potential criminals to slip through the net. Others argue the CTA will add to already burdensome reporting requirements and overwhelm AML departments. The bill also imposes fines and a prison term of up to three years for providing false or fraudulent beneficial ownership information, or for wilfully providing incomplete or outdated beneficial ownership information.



The EU’s Sixth Anti-Money Laundering Directive: 6AMLD

On December 6th 2020, the EU’s updated AML directive will come into play, with an implementation deadline of June 3rd 2021. Previous iterations of the Directive have established an EU-wide UBO register (a public ‘ultimate beneficial ownership’ register where all EU registered companies must declare who their beneficial owners are) to improve transparency; included the addition of high-risk factors when assessing the need for enhanced due diligence; and established a need for banks to have a better understanding of the ownership and control structure of corporate customers.



A broader definition of money laundering

The latest directive seeks to clarify the definition of money laundering across all EU member states. Discrepancies between the different nations’ definitions of what constitutes money laundering have allowed criminals to exploit loopholes in the law. 6AMLD provides a list of the 22 specific offences that predicate money laundering (i.e. offences from which illicit funds are generated and then laundered through banks) with the aim of closing some of these loopholes. AML teams will now be expected to identify suspicious activity linked to any of the following 22 predicated offenses:


  1. Organised crime and racketeering
  2. Terrorism
  3. Human trafficking and migrant smuggling
  4. Sexual exploitation
  5. Illicit trafficking in narcotic drugs and psychotropic substances
  6. Illicit arms trafficking
  7. Illicit trafficking in stolen and other goods
  8. Corruption
  9. Fraud
  10. Counterfeiting currency
  11. Counterfeiting and pirating products
  12. Environmental crime
  13. Murder
  14. Kidnapping and hostage-taking
  15. Robbery or theft
  16. Smuggling
  17. Tax crimes relating to direct and indirect taxes
  18. Extortion
  19. Forgery
  20. Piracy
  21. Insider trading and market manipulation
  22. Cybercrime


 Wider regulatory reach

Under the previous regulation, only those who profited from money laundering were held accountable for the crime. In the update, aiding and abetting falls into the Directive’s definition of money laundering offences, meaning anyone who is believed to have helped an individual or organisation launder money, will be culpable. The update will also include legal persons such as companies and partnerships, not just individuals. Those in senior management roles may also be held accountable where there is an apparent “lack of supervision or control” by a “directing mind.” Regular reporting and good communication between all lines of defence will be critical to ensure effective oversight.  


Information-sharing requirements

In order to tackle the issue of dual criminality, local jurisdictions will be required to cooperate more efficiently across borders, sharing information more freely with other EU member states. This will allow offences that were committed in several EU countries to be prosecuted in just one state.   



With global tightening of AML regulation, there will be huge pressures on firms to ensure compliance in this area. Going forward, AML teams should prioritise the following areas:

Innovation through technology

Regulators around the globe are encouraging firms to make better use and explore the potential benefits of regulatory technology. Testing and development is vital if these systems are going to meet the growing regulatory challenge. Billions of dollars are wasted each year on investigating false positives generated by automated AML controls. According to a report by Reuters Financial Regulatory Forum, “more than 95% of system-generated alerts are closed as ‘false positives’ in the first phase of review, with approximately 98% of alerts never culminating in a suspicious activity report.” Artificial intelligence and machine learning-based solutions could be vital in addressing these inefficiencies, helping to identify areas of genuine high risk and focus resources more effectively.

Training of AML and compliance personnel

As regulation evolves, so too should your AML and compliance training programmes. Creating alerts for legislation updates and ensuring these are incorporated into staff training programmes is essential.

Impact of COVID-19 on AML

A global pandemic provides a perfect opportunity for criminals to take advantage of unconventional KYC measures. There will inevitably be an AML fallout from this difficult time and risk-based approaches to client onboarding will no doubt have allowed some unscrupulous operators to go unnoticed. The general consensus of advice from all regulators is to carry out regular reviews to ensure all AML and CTF compliance policies and procedures are adequate in the context of remote customer onboarding and due diligence. Firms should also ensure that any potential compliance delays due to COVID-19 measures are documented and the regulator immediately notified.



Westpac bank announced a 66% drop in profits this year as a result of AML penalties and also the impact of COVID-19. The Australian bank was fined AU$1.3bn for breaching the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 more than 23 million times. Westpac failed to report over 19.5 million international funds transfer instructions to AUSTRAC (Australian Transaction Reports and Analysis Centre) over the course of five years, amounting to more than AU$11bn dollars. In settling the charges, Westpac agreed it failed to keep records relating to the origin of some international funds transfers, and to pass on information about the source of funds to other banks in the transfer chain, which those banks needed to manage their own AML/CTF risks. The bank also failed to carry out appropriate customer due diligence. Other failures included not appropriately assessing and monitoring the risks associated with the movement of money into and out of Australia through its correspondent banking relationships, including with known higher risk jurisdictions. The regulator said such a large number of breaches over several years was “unacceptable and could have been avoided with better assurance and oversight processes to identify ongoing reporting failures.”





close [x]
Registered: RiskBusiness Services Limited
Reg. Office: 2 Claremont Way, Halesowen, West Midlands, B63 4UR
Reg No: 07525025