Experience from the front line

Welcome to ‘Beyond Exclusive’, the interview series that asks world-class banking leaders and executives to reflect on success and key challenges within the client onboarding, client lifecycle management and anti-financial crime space.

Matt Beattie, Managing Director at Beyond, recently met with Nick Taylor – a senior banking leader and anti-financial crime visionary with over 35 years’ experience gained at a major global bank. Together they discussed Nick’s role in leading one of the most significant anti-financial crime transformations in recent times, and his thoughts on how financial crime measures will continue to evolve. 



Major financial crime investigation

You were one of the senior managers at a global bank during a major financial crime investigation. What is it like to be the person in that position?

I was the First Line Accountable Executive for the resultant global transformation of one of its largest businesses (Global Banking & Markets) and a member of the Group Executive Committee overseeing the global programme. It was a shock to be honest. A cathartic experience for those like me, directly in the eye of the storm, shock mixed with a sense of nervousness. Nervousness for the bank, my business, my career and as the extent of the regulatory challenges became clear, our collective ability to get the job done. Employees and many clients were shocked that the group had got into such a public mess and as the details became apparent, surprised that regulatory pressure had been building behind the scenes for quite a while. There was certainly a sense of panic and pressure because control order delivery timescales can be very tight. But more than anything, there was a strong motivation to do what we needed to.

The situation was clearly very serious. I understand you were effectively ‘in the dock’ at the start of the process?

Well, it wasn’t an actual “dock” but we were certainly nervous about real legal liability. But yes, a few of us were the subject of fairly intense regulatory attention. Based in the US at the time, I was of interest due to my first line leadership role and needed to address their concerns on how payments were flowing through our US business from other parts of the group (from affiliated banks) and our correspondent banking network and what level of diligence was typically applied.

Initially the interviews were very uncomfortable because regretfully, I didn’t know all the answers. It wasn’t just me, I don’t think anyone internally had all the answers they were looking for. That was the problem.

The regulator’s early questions focused on how we identified and managed financial crime risk across our business and whether we were comfortable with the risks and the controls we had in place. And why we were comfortable. That’s a fairly open question that you could ask any bank and I’m not sure at the time many could answer the question particularly eloquently or appropriately. Even now, after all the billions of dollars we’ve spent on financial crime collectively as an industry, many bankers, at all levels, will struggle to answer that question.

Senior leaders within financial organisations have a huge amount of responsibility for many different aspects of the bank. How realistic do you think it is that they have a detailed understanding of all regulatory responsibilities and how they should be applied across their institution?

I think it’s really important for every business leader to understand the regulatory framework they’re operating in, but that doesn’t mean to say that they have to be the compliance expert. Whether you’re the Group CEO or the Head of the Investment Bank, the Retail Bank, a wealth business, commercial banking business, or the payments and cash management business, you should understand the risks in your business – whether that’s operational risks, credit risk, or financial crime risk. And with an understanding of risk, you also need an appreciation of how you are managing them.

So yes, you need a headline understanding of the regulations and know whether your controls are appropriate. If they’re not, then what are you doing about it? If the controls don’t suffice for the level of risk in the business, then you’re ultimately taking a significant business and personal risk. And how the bank’s executives get comfortable with some of the answers to those basic questions is really at the heart of first, second and third line accountability and cooperation.

Evolution of crime regulation

The amount of anti-financial crime regulation continues to grow. How do you think this is impacting both the front office and the wider market?

They are very different questions. I’ll start with the front office, and I would say at board level, for those banks that have been subject to regulatory intervention, we have seen quite a lot of blood spilt at very senior levels, some very large fines and some massive remediation spending. In some cases, we’ve also seen some quite consequential changes in risk appetite.

As a result, there has been a change in general understanding of fin crime risk and how it affects banking and particular roles. I don’t necessarily think though this has led to universal changes in behaviours. Culture change. That’s a challenging issue.

But those largely big Western banks that have been through one if not two phases of regulatory remediation, now understand the risks and have spent a lot of money in trying to implement a system of controls to manage it. And now perhaps they are in a phase 3 and realising that all that money hasn’t necessarily been well spent. A lot of the systems don’t actually provide good intel or controls, they might still be getting into trouble with their regulators and they are wondering if there is a better way of doing things?

Whether it’s finding more cost efficient processes, changing the organisation governance structure, evolving their overall risk appetite or changing behaviours and culture. They know they need to do something.

In terms of risk appetite, I’ve seen banks pull out of significant tranches of business that with hindsight they may not have done. They did this because at the time they didn’t really understand the risks, or they realised it was easier to pull out than try to manage the risks properly.

Currently we’re seeing banks pull out of certain markets, sectors, products. Deliberately. And often this is a really good thing. But in some cases, there has been an unintentional consequence that many bankers have become scared of doing business. A culture of fear has been created, people are afraid of saying yes – it’s perhaps easier to say no.

Both of these influences have an impact on a macro level. For example, some bigger banks in some countries have found it difficult to access the global payments market. In some cases this has resulted in firms going to secondary or tertiary providers with weaker risk controls which actually impacts on the efficiency and the safety of the financial payment system.

So there’s a balance to be found. I think in some banks that went too far, not that it was the wrong thing to do at the time as undoubtedly some banks had not been as focussed on this as they should have been. We really need to consider how much risk is being found – what is the cost benefit?

In your experience, have you seen a risk-based framework applied well in institutions?

Good question. I’ve seen frameworks evolve towards better risk management but I think this has been constrained by rules based regulation. So the answer’s probably, no, I haven’t seen any true risk based frameworks – I think it will come but it is some way off yet. I’ve seen one that’s probably as good as it can get in terms of the balance of what is reasonable in the markets that bank is operating in.

I think what we are after is an intelligence based financial crime risk management framework where there is much better relevant information sharing across banks, crime prevention agencies and enforcement.

There are three core axes of anti-financial crime, Anti Money Laundering (AML), Sanctions, and Anti Bribery and Corruption (ABC). Should banks be focusing on one more than the other depending on their particular business? 

Well, that comes back to my point about understanding the risks of your business. Undoubtedly in parts of the business that I was responsible for (large corporates), a key aspect of financial crime risk was sanctions based. Conversely, the most risk by value and volume was AML (through correspondent banking), despite it being only one element of the business.

So within the boundaries of regulation, we aim to develop and weight the control framework to take account of the significant AML risk in correspondent banking and a different sanctions based risk weighting in other parts of the business.

We faced very different types of AML risk concentration across different countries and markets and these took some time to model and to mitigate. We tried to apply fundamentally the same framework (with localised adjustments for specific scenarios) otherwise you end up either missing some important stuff or over engineering the approach entirely.

It’s very easy to disappear down a series of rabbit holes and/or over engineer but I would advise you to focus on understanding your real risks and manage towards mitigating them.

There are new anti-financial crime technologies, particularly around automation, coming out all the time. Are you seeing organisations use these tools well in practice? 

It’s a very mixed bag. Some banks are making big investment in these technologies, and certainly machine learning, robotics, AI and intelligence based financial crime risk management are buzz words. But it is still quite early days and we are still largely working within the confines of old rules based regulatory frameworks and in many cases, woefully inadequate data sources and intelligence sharing capabilities.

I’ve seen cloud-based CDD procedures enabling significant efficiencies and encouraging and effective forensically targeted use of AI data mining, I’m confident it will come.

There have also been encouraging signs from regulatory agencies that more effective risk based methodologies that harness tech will be encouraged. I think all acknowledge that an ability to share risk information dynamically cross border, cross institution, intra institution between FIs and Agencies must be a good thing. But there are years of mistrust and prejudices to overcome.

The value of relationship management

Finally, you’ve been a senior leader in an environment where critical financial crime questions have had to be answered to a Regulator. Is there any advice you would give to other senior leaders who are going through that process?

My advice is to take it very seriously. Be very careful about managing the relationship with the regulator or proxies particularly when you’re in trouble. And when you’re in serious trouble, consider carefully what level of priority you give it versus what level of priority they think you’re giving it. Communication is key. How you manage the dialogue with a regulator is critical because if you get that wrong, it’ll destroy value and probably cost you your job.
