In case you missed it, Global Initiative has published a challenging article about FinCEN documents leaked to BuzzFeed. Gabriel Moberg suggests that money laundering is going on with the knowledge both of banks and regulators.
Gabriel's article is here. He makes a persuasive case, though I'm slightly worried by the vagueness of some of the statements: "Of the $2 trillion worth of transactions accounted for in the files, billions of dollars' worth of transactions have been identified as illegal." smacks uncomfortably of tabloid journalism. Identified by whom? Just how much is "billions?. While I don't accuse him of sensationalism, I'd like to see a little more provenance before we draw conclusions.
But let's take Gabriel's conclusions as correct; it's a fine article, and I have no wish - or indeed right - to criticise it. There are other facts in the story that bear closer scrutiny and comment. The sheer volume of SARs being submitted is almost certainly moving beyond policeable thresholds. Regulators and law enforcement agencies are being drowned in reams of virtual paper. In 2018, 433,000 suspicious activity reports were filed, leading to just 46 prosecutions. The penalties, though, have been far more than a slap on the wrist. In 2019, non-compliance fines totalled around $10 billion, with UBS being fined more than $5 billion.
Such penalties have two almost inevitable consequences:
Giving the banks, regulators and law enforcement agencies the benefit of the (considerable) doubt that they're willingly supporting money-laundering, it's easy to see that the former of these two consequences creates an environment in which money-launderers can hide in plain sight. If just over 0.01% of cases in 2018 led to prosecution and, as is suggested, the volume of SARs has increased, how can already overloaded authorities hope to give proper attention to every case? As anyone who's attended a fraud court case will attest, financial fraud is complex and deliberately obscure. Detecting where the bodies are buried can take months.
As a conscientious and vocal objector to bank derisking, I find it hard to criticise those organisations who choose to be more diligent, rather than the baby-and-bathwater solution of simply avoiding entire regions. The human cost of derisking is vast and has be halted. But increased diligence that makes laws unenforceable is no answer.
I'll return to this in a moment, but now let's turn to the length of time banks take to submit their reports.
When a suspicious activity is detected, banks have 60 days to submit an SAR, yet the top five banks took an average time of between 136 days (Deutsche Bank) and 1,205 days (Barclays). That's more than three years to submit a report that should have been tendered within two months. Gabriel attributes this delay to a wilful decision to cover up illegal activity by reporting it only when it's too late. I suspect a less nefarious cause. SARs are assembled from information gathered from a variety of sources, usually based around KYC information gathered at onboarding (which is often out of date), and transaction records (which are often incomplete). This diverse material has to be gathered together from multiple storage repositories, gaps filled, stock movements and shipping records found and collated, and a great deal more. All of this while an MLRO tries to stay abreast of the everyday business that pays their wages. Is it altogether surprising that it keeps sinking to the bottom of the too-hard pile?
Once the SAR is filed, the responsible authority now has to make sense of it. But it's not an orderly, chronological record, presented in a coherent order; it's a mish-mash of scanned documents from a lot of different sources. If money-laundering has been going on, it's a fair bet that every opportunity for creating confusion has been taken.
So is there a way out of this stalemate? Derisking has provided no answer; tightened compliance regulation hasn't worked, and increased suspicious activity reporting simply shifts the problem further along the food-chain.
At the risk of executing a shameless plug, this is exactly the problem we've set out to resolve with biz.Clarency. Sixteen years of supporting and evolving the due diligence of an international payments organisation has taught us a lot of lessons about what's required for due diligence to do what it's intended for: to prevent financial crime, not simply to shift blame. To do that it must fulfil a list of criteria:
It can be seen from the above that the system becomes essentially self-policing. Its primary purpose is to aid transparency by reducing workload - and hence costs - for everyone concerned, but its unbreakable imposition of process and flow control gives any bad actor in the chain very few places to hide. I believe Gabriel is wrong about systemic insitutional support for money-laundering but it's quite possible he's dead right. If he is, it's not just important that we rethink our approach to compliance, it's urgent and vital.
We inhabit a world in which labels and "best practice" obfuscate the goal we're aiming for. It started when religion took the place of believing in God. Now we think racism is about changing "blackboard" to "chalkboard"; that sexism is combatted by calling someone a Chairperson. Human Resources began as a means of protecting the employee, now it's a multi-million industry to protect the employer and make no one rich but consultants. We've all stood by and watched financial compliance become Health and Safety for banks. Instead of fighting the underlying problem, we turn our energies to being blameless.
And that's where the real crime lies.