Going Dutch

Risk-based approach – a work in progress

The Dutch were systematic in planning their capital – house-fronts onto the main canals were originally restricted to 30 feet in width; only the gables allowed for flourishes though somehow each property manages to achieve individual expression even without craning the neck. So much was apparent during a recent visit last month to cover the Association of Certified Anti-Money Laundering Specialists (ACAMS) European Money Laundering Conference and Exhibition and there is an analogy here with the Third EU Directive in the opportunity it offers regulated businesses to develop a unique form of risk based approach (RBA) to money laundering and terrorist financing (ML/TF) within a defined set of parameters, which include the need to conduct due diligence and identify beneficial owners, for ongoing monitoring, record keeping and training. Architectural refinement never stops and the same applies to the RBA, which is very much a work in progress. “It’s a good approach,” Jane Ogden, Head of Corporate Financial Crime Prevention at HBOS plc, told delegates, but there are plenty of points in the Directive where uncertainty about the final design persists. There are suggestions of inconsistency, she noted, for example in the approach to politically exposed persons (PEPs). On the one hand, Article 13 says that a risk based approach may be used to identify if an individual is a PEP but if it turns out that they are, it is mandatory to have senior management approval to establish a business relationship with them and to conduct “enhanced ongoing monitoring”. The debate continues on whether it is sensible to draw a distinction between domestic PEPs and those “residing in another member state or in a third country”, which is the definition contained in the Directive. “We regard domestic PEPs and PEPs,” said Ogden Article 13 gives rise to other questions: how high should the sign-off be to agree to the relationship, ie, how senior is the senior manager? What are the “adequate measures” that must be taken to determine the source of funds? but the Directive only requires enhanced due diligence (EDD) on PEPs “residing in another member state or in a third country”. Another problem area is reliance on third parties, possible and extended under the Third Directive but still a “fundamental conundrum” in practice, Ogden noted. Is it possible to rely on another organisation to carry out customer due diligence to a level that fits with the relying institution’s RBA? “How do we know they meet our standards? Some institutions have only two risk categories – high and low – while others have as many as nine.” Even if there is notional equivalence in terminology, it is hard to be sure that there is the same thinking about risk. Cross-border reliance may prove even more fraught: what is the position if the originating institution fails to identify a PEP on the ground that they are ‘domestic’ and this is not picked up by the relying firm in another jurisdiction for which he or she is a foreign PEP? Even if reliance is placed on the originator to conduct the CDD there is no option to delegate ongoing monitoring to them. The other side of reliance, acting as the originator who carries out the CDD is not a decision to be taken lightly either. It means retaining documents for a period of at least five years after the end of the business relationship or completion of transactions. “Will you need to give details of your organisation’s record-keeping and RBA?” are also points to consider, said Ogden.