AML is Everybody's Problem and Nobody's -And that's a problem

Measures designed to combat money laundering dominate the global regulatory environment. The Financial Action Task Force comprehensively monitors the AML activities of virtually every nation in the world; jurisdictions continually issue new regulations; and institutions spend billions of dollars on technology and manpower to know their customers, monitor transactions, and file reports for investigation by regulators and law enforcement.

And yet it is a war we are nowhere close to winning–or even fighting to a draw, as evidenced by a steady stream of high-profile news stories. As the most recent Basel AML Index put it, “Clearly, still too little is being done to effectively counter ML/TF risks.”

Of course, a great deal is being done to counter money laundering and terrorist financing risks. The key word, however, is effectively. Why is it that so much effort by so many entities seems to yield less than the sum of its parts? It’s a question that deserves serious consideration.

Complex Networks of Conflicting Incentives

The key to understanding the limits of the current approach to AML is to recognize that while money laundering, terrorist financing, and sanctions evasion are commonly described as a “global problem”–implying that there is an overarching global solution–it’s more accurate to say that they are a collective problem, with responsibility split across the complex networks of the global financial system, which includes multiple intergovernmental organizations, governments, and regulators in each sovereign state and the financial institutions themselves. Each node in those networks has its own focus and objectives, which can conflict with one another. This structure is ripe for producing exactly the gaps and vulnerabilities that money launderers seek to exploit. So it is that when asked how the global AML framework could be most improved, respondents tended to focus not on larger budgets or better frontline execution, but on improved coordination between and within jurisdictions (see Figure 4).

Consider the frameworks that emanate from organizations like the FATF or the EU. Each jurisdiction that adopts them does so in the context of its own existing regulations on, say, data privacy, bank secrecy, and structural frameworks. This can lead to significant variation in the depth and sophistication of regulatory and enforcement infrastructure from jurisdiction to jurisdiction. Additionally, different countries will assign different priority levels to AML/CFT based on their own assessments of the inherent risk and of the availability and appetite for allocating resources. A country with weak institutional frameworks might sign whatever international agreements are required to stay off the Gray List but may be unable or unwilling to support those agreements with effective enforcement.

But even in a country with a strong rule of law and a sufficient regulatory and enforcement infrastructure, AML/CFT measures have to be balanced with the need to foster international trade in a global economy. Indeed, a country might consciously decide, as a matter of policy, to create an environment favorable to non-resident banking in an effort to establish itself as a regional hub in the global financial system. Doing so may incur significant inherent risk, but the benefits may be perceived to outweigh those risks.

In whatever way each jurisdiction comes to its AML/CFT regime, the implementation of that regime unfolds through a smaller network within each country of regulatory bodies, financial investigation units, law enforcement agencies, and central banks. Just as with each jurisdiction, how each entity within a jurisdiction fulfills its AML/ CFT mandate can vary for a number of reasons. Law enforcement agencies, for example, are likely to devote the most resources to fighting crimes that involve their citizens or take place within their jurisdiction. However, money laundering today frequently involves multiple jurisdictions, making it difficult to establish a link to a predicate offense in a given jurisdiction.

Regulatory agencies, for their part, have a great deal of potentially useful information, gleaned from examinations, filings, and other sources, but that information is often limited by its focus on policies and procedures rather than on-site examination of actual activity. Furthermore, those insights are usually shared with other governmental bodies only when they are specifically requested through formal channels. The process of conducting a true forensic investigation across borders is thus often slow and cumbersome, and further hampered by resource constraints that limit the extensive intelligence gathering required to connect the dots across the many layers of entities, ownership interests, and transactions.

At the level of individual institutions, more inefficiencies unfold. Like countries and their agencies, most financial services institutions are comprised of multiple business units and functions connected by varying degrees of collaboration. Many institutions also need to balance AML/CFT compliance requirements with the imperatives to minimize costs and to generate shareholder returns; in jurisdictions with relatively lax AML/CFT enforcement, an institution that takes a hard line may well find itself at a competitive disadvantage.

The increasingly aggressive position taken by regulatory and enforcement agencies regarding AML/CFT compliance programs has, unintentionally, created another inefficiency: Financial institutions are disincentivized from rigorously screening out “false positives” when reporting suspicious transactions to FIUs, making it difficult for FIUs and law enforcement agencies to discern the signal through the noise.

In the end, AML/CFT compliance too often is seen as an exercise in demonstrating adherence to and documentation of procedures, rather than genuine risk reduction through intelligence gathering. It is easy for sophisticated financial criminals to outmaneuver this mindset. Even the most blatant money laundering operation can have a surface layer of pristine paperwork.

AML/CFT compliance too often is seen as an exercise in demonstrating adherence to and documentation of procedures, rather than genuine risk reduction through intelligence gathering.

Improving the System on Its Own Terms

The number of disconnects that occur through these interlocking networks make it tempting to conclude that the system is fundamentally flawed. But this would be a mistake. The mere fact that there is a structure that is recognized by such a wide range of countries and institutions is a substantial achievement. At the same time, it is shortsighted to think that merely doing more of the same will produce markedly better results. Instead, efforts should be made to strengthen the system on its own terms, after considering the tradeoffs involved in various potential initiatives.

More work needs to be done, for example, in reaching global standards for data handling that balance the rights of individuals with the need for transparency. Today’s AML/CFT regimes have their roots in an analog era, when there were significant practical limitations on the sharing and analysis of information. But aggregated information–whether shared between agencies within a country or between countries–is the key to effective understanding, analysis, and remediation of AM L/CFT risks. Data rather than procedure needs to be at the center of how both regulators and the financial community approach AML/ CFT, the promulgation of frameworks and regulations, and the evaluation of regimes. To be sure, there are proportionality issues to be addressed and evolving data privacy regulations to be respected. But this should not preclude a needed fundamental shift in how AML/CFT risks are approached.

In addition, the emphasis on reporting should be on quality rather than quantity. (That relatively few respondents in our survey chose this as a top concern simply demonstrates that more information sharing and better coordination is a prerequisite for any other improvements to take hold.) Regulations should be written to incentivize firms to report a smaller number of incidents but to do so in greater depth. In the short term, this may mean that some activity that warrants scrutiny goes unexamined. But in the long term, such an approach will elevate the sophistication of the monitoring process at both the institutional and jurisdictional level. As organizations become more experienced (and perhaps better funded), they can expand their reach. Simply producing a higher volume of reports of varying levels of usefulness will do little to improve the competencies of the system.

Finally, law enforcement agencies and other bodies at the jurisdictional level need to think more holistically about their mandate. Money laundering, like so much in the digital age, has no respect for national boundaries. Countries need to rethink the scope of the charge they give to their regulatory and enforcement bodies so that those agencies can pursue those who engage in money laundering to the fullest extent possible.

The battle against money laundering is built on networks–and networks always generate a certain amount of friction and inefficiency. This makes it all the more important to understand the mechanics at work and ensure that they are aligned with the goal at hand. AML/CFT efforts can and will benefit from such a realignment, bringing them into a data-centric, borderless age while still respecting the sovereignty of the entities comprising those networks.