Ignorance is no defence: Boards and CEOs Must Challenge Their Financial Crime Capabilities
Despite the growth in financial crime, many Boards and CEOs are failing to take reasonable steps to test the effectiveness of their financial crime prevention and detection frameworks.
This comes at a time when regulators are ramping up their challenge to firms, pushing the Board and CEO to demonstrate the operating effectiveness of their financial crime framework (including money laundering, terrorist financing, fraud, cybercrime and sanctions) and confirm that known issues have been escalated and actioned.
For firms that don’t meet the mark, value can be destroyed, personal liability incurred for directors, and regulators are imposing restrictions on new business activities, initiating costly investigations and imposing heavy fines.
The trouble comes in defining what is “reasonable,” leaving boards and CEOs in a quandary that, left unchecked, could lead to loss of value and reputation in the marketplace.
Leadership Is Personally Liable, But Don’t Have The Skills
The board and CEO of a regulated firm remain fully accountable — and personally liable — for complying with all regulatory obligations.
Certain legal regimes, including those in the Channel Islands can also impose penalties on both executive and non-executive directors for intentional or reckless contravention of money laundering laws (e.g. the Jersey Financial Services Commission has the power to impose a maximum penalty of £400,000 for intentional or reckless contravention of the Money Laundering (Jersey) Order 2008.
Despite external threats continuing to evolve, and the firm’s own business model undergoing change:
- Banks often lack continued investment in financial crime controls and capacity, including a lack of investment in new technology.
- Wealth managers, stockbrokers, payment firms and e-money firms often lack investment in their risk management and compliance infrastructure, frequently in-sourcing compliance activities from unregulated ‘appointed representatives’ but outsourcing elements of risk management and control to third parties without adequately evidencing the effectiveness of those arrangements.
The root cause is often that boards and CEOs lack the skills and confidence necessary to provide leadership and maintain an effective financial crime culture, capability and capacity, often defaulting to reliance on their compliance officers or waiting until a problem occurs before addressing it.
Regulators Are Becoming More Aggressive
The increased risk of fraud and money laundering has the potential to cause significant negative economic, market and social damage, therefore, regulators are responding by holding Boards and CEOs accountable for ensuring that their firms always meet regulatory requirements and expectations in full.
Regulators are also becoming more targeted, intrusive, assertive and data led in identifying regulated firms with key fraud or money laundering indicators and making increased use of their supervisory tools and powers, including:
- Performing short notice and unannounced visits;
- Requesting the board and senior management to attest to the state of financial crime controls within their organisation;
- Imposing restrictions on new business activities;
- Commissioning expensive investigations and skilled person reporting to diagnose the root causes and recommend necessary remedial actions;
- Taking enforcement actions against firms and senior management, resulting in significant fines, reputational damage and legal costs.
What Boards And CEOs Must Do
Effective governance and risk management starts with the leadership team understanding their level of exposure to financial crime risks, including understanding who their clients are and their expected transaction patterns and corporate structures, then investing the necessary time, energy and capital to manage these risks effectively.
Boards then need to exercise sufficient oversight and challenge their financial crime culture, capability, and capacity. This includes getting comfortable with key assumptions driving monitoring and screening approaches and how financial crime issues, including backlogs, are prioritised. Failure to keep pace with best practice can not only expose individual directors to personal liability and destroy value for the firm but it can erode the confidence of key stakeholders — investors, correspondent banks, regulators, and customers.
Ignorance is no defence. Financial crime prevention and detection is not a tick-the-box compliance exercise, and accountability cannot be outsourced to a third party. Rather, the Board and CEO must take the lead in evidencing that the firm has robust and effective systems and controls in place and ensure that the compliance function and MLRO have the required experience, skills and independence.
