
Enhanced Due Diligence: Something new or just a buzzword? (2003)

In this conference paper, presented in Singapore on 31 July 2003, Nigel Morris-Cotterill looked at the then novel concept of Enhanced Due Diligence.

There is absolutely nothing new about so-called Enhanced Due Diligence. It is just a TLA (three letter acronym) for that which properly advised and well managed businesses have been doing for years.

The problem is that most financial services businesses are neither well advised nor, when it comes to compliance, well managed.

I'll set out the argument from the perspective of the banks:

1) compliance is expensive

2) compliance is a diversion from our core activities

3) compliance gets in the way of doing business

4) compliance will cost us x per annum but if we don't do any, the fines will only be half x every three years or so. Therefore doing no compliance actively strengthens our balance sheet.

5) If we decide that doing no compliance is too risky, then we can comply to the least extent possible and get ticks in boxes. Then at least we have an argument that we tried but were not very good at it.

That is the sort of argument you get when you put accountants in charge of compliance. And right across the world, accounting firms have used experience in forensic examination as grounds for claiming expertise in relation to money laundering detection, prevention and compliance. They have seen the word "audit" and they like it.

The problem is that this cost-averse approach is counter-productive. In 1996, in the first edition of my book "How not to be a money launderer", I wrote that audit of compliance systems should be a legal function, not an accounting function.

At that time, the concept of monitoring and auditing compliance systems was unheard of.

Compliance was a dirty little department hidden at the end of a corridor sandwiched between the toilets and the smoking room. When the door opened with a squeak, bats came out.

And all over the world the problem remained the same.

Don't imagine for one moment that the position was any different in New York or London: the Wall Street scandals of failed Chinese Walls mean, at their root, one thing: no one paid enough attention to compliance.

The fact that the Royal Bank of Scotland was fined GBP750,000 because their compliance systems were not good enough was, at its root, due to one thing: no one paid enough attention to compliance.

There are those who don't listen carefully enough to what I say and think I mean something different so I will make one or two bald observations that will set the scene here:

1) the point upon which I am most often misrepresented is in relation to cash transaction reporting. I think that, at a government level, cash transaction reporting does not meet any risk/reward or cost/benefit analysis in countries with large numbers of reporting institutions. I think it is too expensive to submit, too expensive to collect and too expensive to analyse in a timely manner. It defeats the focus of current anti-money laundering laws, which is to get information in as close to real time as possible and to provide the opportunity for that money to be traced or frozen.

However, internally within organisations, I believe that cash transactions are a very valuable measure as to the norms on or applicable to an account and therefore identify what transactions are abnormal and, as a consequence, provide an indicator as to possible suspicion.

For this reason, I do not like automated cash transaction deposits of substantial amounts. I want the counter-clerk to see the whites of the eyes of the depositor when he hands over that money.

2) I do believe that compliance personnel and those that devise, monitor and audit compliance systems should come from a legal background. Compliance is a legal issue. The current trend to convert it to a quasi-audit function acts to reduce compliance, not to enhance it. This is not a sales pitch for lawyers, nor a way of discrediting accountants. It is a simple truth taken from examining the compliance function: compliance is not a forensic issue - it is a question of taking law and regulation and applying them to the way the financial services business does its business. This is a legal or quasi-legal function.

Let's look at how to identify suspicion: it is a function of creative thought. The identification of suspicion does not come from rigid rules: "Mr X deposits 5,000 every month but last month he deposited 10,000, therefore I am suspicious." It comes from knowing your customer, knowing what is reasonable for a person in his position and knowing your own business. If you want people to apply prescriptive rules to suspicion, then you can set true/false flags at various stages of account processing to see if any of them are triggered. But this is not enough to identify suspicion. You need your people to have a degree of understanding, to know when something doesn't feel right, and to know what to do about it. And that means creative thought.

Criminals do not think in straight lines. But to reduce compliance to, in effect, a series of check boxes makes staff, managers and compliance officers think in straight lines. To be able to detect and deter money laundering, those staff need to think around corners.

As soon as compliance is reduced to a series of tick boxes and forms, then the creative thought that permits thinking around corners is stifled.

3) For regulators: we need less not more prescription if we are to detect and deter money laundering. But there is an inherent conflict between this view and the view of the bankers.

Bankers want certainty and we can understand why:

first, they don't have to think too hard,

secondly, they can tick those boxes and say "I did enough" and

third, they don't have to worry too much about the quality of the training they deliver - again, a tick in a box will do.

Those are the cynical reasons. But there are more valid reasons: the fact is that compliance without boundaries means a bottomless pit for costs. It doesn't matter if you are Citibank with its huge compliance resources or Ah Ping's coffee shop and money transfer business - you still need to know the limits of your compliance.

But there is a difference between setting boundaries and providing prescription. And it all comes back to that creative thought: if the regulator says "do the following and then you are safe," the money launderer knows that all he has to do is to satisfy the banker that the banker has met the required steps. And that merely requires the banker to be in a receptive state of mind. Which he is because he has put himself in that receptive state of mind because he wants to win that business.

4) Legislatures need to realise that people in banks are not there to be law enforcement agencies. Increasingly, to borrow from the old Western films, bankers are being deputised. And they are being deputised against their will. And it is right that they should object.

Law makers forget several things about banking:

1. It is historically a people business, although it is right to say that over the past five years or so trends are towards the commoditisation of customers. Customers still like to imagine that they have a relationship with managers, however that is defined.

2. The vast majority of banking is a high volume, low margin business. Therefore increasing the customer acquisition and monitoring costs only serves to make small accounts less profitable or to push them into loss. The cost of running those accounts must be passed on to the account holder. The cost of maintaining an inactive account is a fixed cost; activity on that account increases the cost depending on use. So a bank which sets a monthly charge for providing an account and then a per item charge is actually operating a regressive pricing policy.

But such a pricing policy is the most appropriate way of funding the provision of a basic account. Increasingly, there is a demand for interest to be paid on current accounts, and increasingly there is a demand for "free" services such as ATM withdrawals.

If ever greater due diligence is required, and ever greater monitoring of accounts, then that has to be funded by either an up-front fee or an increased account charge. Someone has to pay for it and, whilst there is a common misconception that banks are rich, we all know that banks are not rich - if they were, no one would be worried about the implementation of Basle II.

3. Whatever laws and regulations one country makes, it is a fraction of the total compliance burden that a bank has to consider.

Let's look at the local banks: if they have an overseas office, that overseas office must maintain a compliance system which meets the highest of the host regime or the Singapore regime. So immediately head office has to examine laws and regulation in two countries (that is fine - they should expect that) but then they have to reconcile the two, decide which is the most stringent and then apply it to that branch, provided that, if the Singapore position is the most stringent, that it does not stray into breaking laws in the host country.

Now extrapolate that to banks with branches in 200 countries. How can any bank be expected to monitor and maintain 200 up to date systems when there are substantial changes on an almost weekly basis? We need regulators and legislators to stop making law: not so that compliance is weaker but so that compliance officers and those that work on systems can get a fix on what they have to do and to do it effectively.

Put simply, compliance officers, especially in the past two years, have been expected to hit a moving target - one which moves fast and does not even go in predictable lines and, worse, to hit not just one but several targets simultaneously, not just in relation to money laundering but also in relation to terrorist financing and a raft of compliance and structural management issues.

The truth is that bankers now spend more time in managing the business than in being bankers. And that has many effects. For our purposes today, that means that things do get skimped and there is cost cutting because costs are rising in other parts of the compliance business.

And that means that the standards and effectiveness of compliance fall.

So, when evangelists like me say "we should be aiming at higher levels of compliance than meet a tick box mentality," the bankers say "and where do the resources come from?"

So here is the final misunderstanding of my position.

My knowledge, experience and skill tell me that compliance falls away dramatically as we go away from the centre and in time from implementation.

So compliance systems must permit compliance monitoring and enforcement from the centre.

Even so, the ripples get smaller as we reach the edges of the organisation. And that means that the biggest risks are at the outer edges.

So, if you put in place a head office system that is just good enough, by the time that system has been in place a few months, especially out along the more distant lines of communication, then there will be weakness in your systems.

So, whilst I urge regulators to take a more hands off approach to prescription, I urge banks to take the strongest view they can of regulation and to apply it, knowing that over time and distance its effectiveness will fall away.

That is why, to me and my clients, all the fuss about Enhanced Due Diligence is nothing new: we have been doing it for years.

It is those who have set out to tick boxes demonstrating bare compliance that have lots of work to do now, to improve their systems, to revise their manuals, to re-do their training from a completely different perspective and to change the mindset of their organisation.

That is going to be difficult and it is going to be expensive.

But some of the measures suggested for Enhanced Due Diligence are expensive, complex and will not add significantly to protecting the business.

So what is all the fuss about?

One presentation given to a conference in the USA, where most of this is new as due diligence was historically exceptionally weak, says

"basic enhanced due diligence requirements are

- verify the true identity of the customer

- verify beneficial owners of trusts

- determine source of funds

- monitor transactions for unusual activity which the presenter defined as transfers to and from high risk countries and transfers to non-customers or omnibus or clearing accounts

- confirm legal status and business activities which the presenters defined as obtaining financial statements, credit reports, customer visit and references."

Those recommendations come from Merrill Lynch and Prudential Securities.

Note that they describe them as "Basic Enhanced Due Diligence."

It is the juxtaposition of basic and enhanced that gives me cause for concern. There is nothing enhanced about this - it is the absolute minimum that businesses should have been doing all along.

That in the USA, this is regarded as rocket science is an indication of how retarded USA procedures were.

The problem we all face now is that, as a result of the USA's knee-jerk reaction to 11 September, no one knows where the boundaries are.

So people are guessing. Again, the Merrill approach as set out by the paper presented to the Securities and Investment Authority gives us some idea of how basic supposed Enhanced Due Diligence is.

- Create and apply trigger criteria (they suggest wire transfers of USD1 million as an example)

- Create and apply customer parameters (that is, set norms for an account of that type)

- Obtain and apply information from third party providers before acting on an account

- Compare actual transaction reviews in real time against a series of post transaction reviews

- Identify transactions that appear to be structured to avoid reporting requirements

- Identify transfers to or from countries designated as "money laundering havens."

Again, these are, so far as I am concerned, the basics that all accounts should be subjected to.

The difficult area here is that there is a presumption of a white list of countries that do not cause concern - I am very sceptical of this because different countries have very different approaches to their implementation of, for example, the FATF 40 Recommendations.
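The "basics" listed above (a wire trigger, account norms, structuring, risk-country and non-customer transfers) are exactly the true/false flags that can be automated; what they produce is a prompt for a human to look harder, not a finding of suspicion. The following is an added example written for this page, not code from the paper or from the firms it quotes. The USD 1 million wire trigger is the paper's figure; the cash reporting threshold, the placeholder country codes, the norm multiplier and the seven-day window are assumptions, and the transactions are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# The USD 1 million wire trigger is the paper's example; the other three values
# are assumptions for this example (placeholder codes, not a real designation).
WIRE_TRIGGER = 1_000_000
CASH_REPORT_THRESHOLD = 10_000
RISK_COUNTRIES = {"XX", "YY"}
NORM_MULTIPLIER = 2.0   # "5,000 every month, then 10,000" from the paper

@dataclass
class Tx:
    txid: str
    account: str
    when: date
    amount: float
    kind: str            # "cash" or "wire"
    country: str         # counterparty country code
    counterparty: str    # "customer", "non-customer", "omnibus" or "clearing"

# Customer parameters: the norm set for each account (constructed).
ACCOUNT_NORMS = {"A1": 5_000.0, "A2": 50_000.0}

def screen(txs, norms=ACCOUNT_NORMS):
    """Return {txid: [reasons]} for items that merit a human second look."""
    alerts = defaultdict(list)
    for t in txs:
        if t.kind == "wire" and t.amount >= WIRE_TRIGGER:
            alerts[t.txid].append("wire at or above trigger")
        norm = norms.get(t.account)
        if norm and t.amount >= NORM_MULTIPLIER * norm:
            alerts[t.txid].append("outside account norm")
        if t.country in RISK_COUNTRIES:
            alerts[t.txid].append("risk-country transfer")
        if t.counterparty != "customer":
            alerts[t.txid].append(f"transfer to {t.counterparty}")
    # Structuring: three or more cash items just under the threshold, one account, 7 days.
    by_account = defaultdict(list)
    for t in txs:
        if t.kind == "cash" and 0.8 * CASH_REPORT_THRESHOLD <= t.amount < CASH_REPORT_THRESHOLD:
            by_account[t.account].append(t)
    for items in by_account.values():
        items.sort(key=lambda t: t.when)
        for t in items:
            window = [u for u in items if 0 <= (u.when - t.when).days <= 7]
            if len(window) >= 3:
                for u in window:
                    if "possible structuring" not in alerts[u.txid]:
                        alerts[u.txid].append("possible structuring")
    return dict(alerts)

# Constructed sample transactions, not real data.
SAMPLE = [
    Tx("t1", "A1", date(2003, 7, 1), 5_000, "cash", "SG", "customer"),
    Tx("t2", "A1", date(2003, 7, 2), 9_500, "cash", "SG", "customer"),
    Tx("t3", "A1", date(2003, 7, 3), 9_800, "cash", "SG", "customer"),
    Tx("t4", "A1", date(2003, 7, 5), 9_900, "cash", "SG", "customer"),
    Tx("t5", "A2", date(2003, 7, 6), 1_200_000, "wire", "XX", "omnibus"),
]
```

Running `screen(SAMPLE)` leaves the regular 5,000 deposit alone, marks the three just-under-threshold deposits as possible structuring, and stacks four reasons on the large omnibus wire; each reason is a reviewer's starting point, and the risk-country list is a list of places to look harder at, not a white list of places to ignore.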

So, if these are the basics, as I contend, of any due diligence programme,

- how far can you go,

- how far should you go in pursuing your enquiries?

The question of identification is relatively easy in the USA and in the UK and in other internet-savvy environments.

The starting point for any checking is that most obvious of resources, Google.Com.

Many people have been using the internet for a long time. They have built up a profile on the internet and they had no idea, when they began using it, that they were creating the information that would allow them to be tracked for years afterwards.

Try putting my name into Google.Com. At last count, there were more than 350 entries including postings to newsgroups from several years ago.

Try putting the name of Silkscreen Consulting in. Again, you will find more than 200.

Try our e-learning business: Click to learn more - you will find more than 2600 references to that phrase. Refine it by including the term "money laundering" and you will find more than 750. But this search shows the downside of the technique: the phrase "click to learn more" is widely used on websites and so the results contain a lot of noise. Refine it further by adding "e-learning" and there are 39 results.

The next port of call is www.archive.org. This is one of the web's dirty little secrets. Archive.org calls itself the Internet Time Machine. Over the past five years or so, it has built a library of internet sites and keeps them in an archive. It's not perfect but it does provide snapshots of what a particular website was doing at a particular time. Is that consistent with the information that the customer has given you?

A very telling point is to look at www.allwhois.com - although this resource has become slightly restricted as some domain registrars have denied access to their records, it will nevertheless give information on the vast majority of currently registered domains. The information this provides is often telling: the person setting up the site will often hide behind a business centre or PO Box address and give hotmail or some such as an e-mail address. It will also tell you where the account is hosted. If this is in a secrecy jurisdiction, then you may have problems getting access to records if you need them in the future.

The domain name will itself give you some indication of how much information is available: for example, the .co.uk domains do not reveal full information due to the UK's data protection laws.

Next there are a range of news services: www.rocketinfo.com is excellent for current news but its archives are not readily accessible. Google.com's news service is also good but relatively new. But there are, of course, newspapers: the leading newspapers in most countries have websites and when you are looking at the background of the rich and famous, you will find acres of coverage about them. You may have to register and, in some cases, pay a fee for access to the archives.

These are all things you can do in a minute or two from your desktop. Next there are checking services. But this is where there is another problem.

The USA PATRIOT Act requires checking of politically exposed persons - and their immediate families and associates. This is where the ripple effect becomes greatest. Newspaper articles will give you information as to families and associates.

Can you identify all those named in UN, OFAC and other names and sanctions lists? Can you check all new applicants against such lists? Can you check new names added to the lists against all your current customers? In the past two days, the UN and the USA have both indicated that they expect these lists to be significantly expanded in the months to come. This means spending money on data collection and on technology.
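Both directions of the screening asked about above (new applicants against the lists, and newly listed names back over the existing customer base) depend on the same name-matching step, and that step has to cope with case, accents, titles and word order before any comparison is worth making. The following is an added example for this page, not code from the paper; the watch-list entries and customer names are invented, and the 0.66 overlap threshold is an assumed setting that trades false positives against misses.

```python
import re
import unicodedata

def normalise(name):
    """Fold case, strip accents and punctuation, drop common titles, sort tokens."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    drop = {"mr", "mrs", "dr", "ltd", "limited", "inc", "co", "the"}
    return tuple(sorted(t for t in tokens if t not in drop))

def similarity(a, b):
    """Jaccard overlap of two normalised token tuples (1.0 = identical)."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def matches(name, entry, threshold=0.66):
    """An entry matches if its name or any listed alias meets the threshold."""
    key = normalise(name)
    candidates = [entry["name"]] + entry.get("aliases", [])
    best = max(similarity(key, normalise(c)) for c in candidates)
    return best >= threshold, best

def screen_applicant(name, watchlist, threshold=0.66):
    """New applicant against the current list: [(entry id, score), ...]."""
    hits = []
    for entry in watchlist:
        ok, score = matches(name, entry, threshold)
        if ok:
            hits.append((entry["id"], round(score, 2)))
    return hits

def screen_list_update(new_entries, customers, threshold=0.66):
    """When the list grows, run the new names back over the existing customers."""
    hits = {}
    for entry in new_entries:
        for cust_id, cust_name in customers.items():
            ok, score = matches(cust_name, entry, threshold)
            if ok:
                hits.setdefault(entry["id"], []).append((cust_id, round(score, 2)))
    return hits

# Constructed watch-list entries and customer records; the names are invented.
WATCHLIST = [
    {"id": "WL-001", "name": "Ana María Ejemplo", "aliases": ["A. M. Ejemplo"]},
    {"id": "WL-002", "name": "Specimen Holdings Limited", "aliases": []},
]
CUSTOMERS = {"C1": "Specimen Holdings Ltd", "C2": "Ana Ejemplo", "C3": "Paul Control"}
```

A partial name such as "Ana Ejemplo" scores 0.67 against the first entry and is therefore surfaced for review rather than silently passed, which is the behaviour wanted for families and associates whose names will rarely be an exact match.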

Do you have to identify the participators in businesses associated with the politically exposed person? I think the answer to this should be yes.

Company registries differ greatly from country to country. We can take the UK and Jersey as examples: basic company information is available free from UK Companies House but, for a small fee, much more information is available - and it includes doing a name search on directors. You can discover not only who the directors and shareholders are (or at least who they are declared to be) but you can also see how many other companies the directors are involved in. Are any of those companies that you should be worried about? However, the information in Jersey is less comprehensive. Jersey is currently debating whether that information should be available. Guernsey says that such a register is useful - but only up to a point. It admits that it does not have, nor does it compel the disclosure of, that information in relation to its international business corporations.

Should you use some form of due diligence enquiry agent? We work with companies that provide this service but it is simply not cost effective for personal and small business accounts.

Can the costs be contained?

Can you contain the costs of all these checking procedures?

This is an impossible question.

The UK's Financial Services Authority indicated that it intended to make all financial services businesses undertake KYC on all of their customers before April 1994. In the past week it has said that the cost benefit analysis of this step means that it is no longer to be FSA policy.

But saying that did not help much because the FSA also said that if a financial institution did not...
