What EU Nations Got Wrong in AML Oversight
In a report published last month, the European Banking Authority (EBA) outlined its recent assessments of how EU nations are supervising and enforcing their anti-money laundering (AML) and counterterrorism financing (CTF) rules. Unsurprisingly, the results weren’t pretty.
The authority slammed seven AML regulators from five, unnamed EU member-states for adopting a so-called “tick-box” approach to supervision. The EBA also concluded that the national regulators were struggling to translate their theoretical knowledge of ML/TF risks into effective supervisory practices and risk-based supervisory strategies.
National regulators separately failed to implement sufficiently proportional and dissuasive sanctions on the discovery of banks failings, according to the EBA. Some did not effectively cooperate with domestic and international stakeholders, resulting in failures to draw on synergies and to position AML/CTF in the wider national and international supervisory framework. Overall, the EBA concluded regulators’ approaches to the AML/CTF supervision of banks “were not always effective.”
On a more positive note, the EBA acknowledged that many regulators have strengthened their approach to AML/CTF supervision. Supervisory staff demonstrated a good knowledge of international and EU standards and were committed to fighting financial crime. Several regulators have made the fight against ML/TF as a priority and many have significantly increased the size of their supervisory teams.
Whilst all regulators had considered the EU’s supranational risk assessment (SNRA) when developing their supervisory approach, some regulators adopted the SNRA’s findings without considering the extent to which the findings were relevant to their sector. Consequently, some risks relevant to individual Member States were not considered. In one example, a regulator considered the risks of electronic money as per the SNRA, but its staff told the EBA that electronic money was not available in their country.
Where national risk assessments (NRAs) had been published, not all regulators had incorporated them into their risk assessments of the banking industry. Where NRAs were not published or did not focus on banks, regulators failed to assess the risk presents by banks. As a result, regulators’ understanding of the ML/TF risks local banks faced was suboptimal, the authority concluded.
The EBA also found that regulators failed to assess the ML/TF risks of local banks or failed to assess them comprehensively. Nor did they adequately consider the differing types of ML/TF risks presented by differing types of banks. For example, some regulators did not distinguish between the risks presented by a private bank with wealthy clients compared to a small savings bank with a mainly local customer base. As a result of this particular weakness, regulators often failed to focus on the banking sub-sectors with the greatest risk.
Risk assessment of individual banks
The EBA found that regulators were at different stages of development when assessing the risks of individual banks, and some of those assessments were not conducted appropriately.
While regulators sought information directly from banks to consider their risk assessment, they often failed to seek relevant information from other domestic authorities or even from different departments within their own organisations, such as prudential supervisors or Financial Intelligence Units. In some Member States, AML/CTF regulation for individual banks was shared between two organisations, each of whom developed their own risk methodologies. However, neither organisation had requested nor seen the risk assessment prepared by their counterpart.
Some risk assessments were extremely complex, using sophisticated mathematical formulae, a large number of data points and multiple assessment layers. Often regulatory staff were unable to explain how individual risk factors were meaningful. In many cases, where the risk assessment of individual banks did not match the view of AML experts, the evaluations were adjusted manually. In one case, a regulator collected 400 pieces of data but only used 100 of them in their risk assessments as the remainder cancelled each other out.
Although regulators used different weightings to individual risk factors, they were often unable to explain the rationale behind each weighting. In some cases, prudential risk factors were given a significant weight, which meant that smaller banks were often classified as having a low risk irrespective of their business model or customer base.
Most national supervisors based their assessments of individual banks on a combination of the inherent risks the institution faced and the adequacy of its mitigating controls. However, regulators were often unable to explain whether a bank’s high-risk assessment, for example, was a result of high inherent risks or inadequate controls. Consequently, regulators were hampered in their ability to target effective supervisory action.
Moreover, most national regulators relied on an individual bank’s own assessment of its systems and controls. Less consideration was given to whether such conclusions were reliable and most regulators who adopted such an approach failed to address cases where their assessments of an individual bank’s risk differed from the the bank’s assessment of its own risk.
Supervision of banks
The EBA review team found a number of common failings by bank supervisors. In some Member States, the overall supervisory strategy for the banking industry was not informed by the risk assessments by regulators of individual banks. As a result, some banks had not been supervised for ML/TF purposes in line with their risk profile or at all. Small cooperative banks were often not supervised for ML/TF risks, even though some of these institutions had a higher TF risk due to having asylum seekers from high-risk countries amongst their customer base.
EU nations also struggled to implement a risk-based supervisory approach to individual banks, which undermined the efficacy of supervision overall, the EBA said. In most countries, the number of actively supervised banks was very low.
Whilst most regulators had a supervisory manual, staff appeared to adopt a “tick-box” approach to supervision and hence failed to identify or to record systemic weaknesses within a bank. Examples included regulators checking that a bank had undertaken a risk assessment, but not assessing whether its analysis was credible and reasonable. What’s more, regulatory officials did not consider whether repeated lapses by a bank signaled underlying systemic problems such as poor corporate governance.
Bank compliance staff, in many cases, were not sufficiently skilled or experienced, yet national regulators did not account for such shortcomings in their review of an institution’s risk-based approach, the EBA said.
Often staff from prudential supervision teams were relied upon to alert AML/CTF experts of cases of higher ML/TF risks without having been trained to recognise such higher risks. In some cases, this weakness lead to a granting of authorisation despite significant questions about potential ML/TF risks.
The EBA also noted that, in many cases, the flow of information between prudential and AML/CTF supervision teams was based on close personal relationships between staff rather than being based on a formal structure. This informality could bring problems where staff turnover increased or where a regulator grew in size.
Whilst all regulators had a variety of means of communicating with banks, many firms reported to the EBA that they did not have a clear understanding of what their regulator expected from them. Some banks felt that regulatory guidance was too proscriptive and failed to recognise their adoption of the risk-based approach.
In many cases, the EBA found that regulators used the Third EU Money Laundering Directive, adopted in 2005, as the basis of their enforcement policy, which often resulted in small fines. Banks advised the EBA that they regarded such fines as a cost of doing business and that, on occasion, a breach did not result in a fine as the regulator’s sanctioning tool did not recognise such a breach. In several instances, the breaches had persisted for many years after a fine was first imposed without any subsequent challenge from a regulator.
This comparative lack of effective enforcement action was compounded by the failure by many regulatory officials to follow up and review the remedial action taken by banks once breaches had been discovered.
Whilst all regulators professed a willingness to cooperate with domestic and international counterparts, they did not follow through in practice. Although national supervisors often participated in domestic meetings with other regulators, law enforcement, FIU’s and government departments, specific concerns about individual banks were rarely discussed by participants, the EBA noted.
When there was cooperation between public sector bodies, it was often based on personal relationships between staff. On occasion, it was noted that the breakdown in such relationships negatively affected the level or effectiveness of cooperation.
International cooperation, by contrast, tended to be on an ad hoc basis rather than as part of a deliberate planned strategy. Frequently, information that could be useful to foreign regulators was not shared nor did many regulators seek information from their counterparts that could have informed their own efforts, the authority said.
Whilst most regulators were aware that colleges of prudential supervisors sometimes discussed AML/CTF issues, they had not been invited to contribute or to participate in such colleges.
With the adoption of the risk-based approach to ML/TF in 2005 by the EU Third Money Laundering Directive and its endorsement by the Financial Action Task Force (FATF) in its 2012 Recommendations, it is disappointing that, on the basis of the EBA review, many regulators appear to have considerable difficulty in applying the method domestically.
The EBA particularly highlighted a tick-box approach to compliance with AML/CTF requirements, a failure to consider the effectiveness of individual banks’ systems and controls, the absence of dissuasive and proportionate sanctions and a lack of adequate engagement with domestic and international stakeholders.
The EBA’s findings are consistent with those of FATF, which has stated that 75% of countries reviewed needed to make fundamental or major improvements to supervising banks and other regulated businesses, and that every reviewed country needed to make fundamental or major improvements to the implementation of effective preventative measures by banks and other regulated businesses.
The widely reported and significant AML/CTF failings at Danske Bank, Swedbank, ABLV, Pilatus Bank, ING and Deutsche Bank may now be assessed against a less-than-effective supervisory framework in a number of EU Member States.
It can only be hoped that the regulators reviewed by the EBA have benefited from the process, whilst their EU counterparts are much better prepared should they be invited to participate in the 2020 EBA review. It’s in the interest of all that the EU’s bank supervision substantially improve.
Article by Denis O’Connor, published on KYC360, March 16, 2020