AML & CFT Myth busting with Fiona Hall – AML/CFT Compliance Lawyer


We interviewed Fiona Hall, a lawyer who specialises in AML & CFT regulatory compliance, about the biggest misconceptions she hears from clients around anti-money laundering and countering financing of terrorism processes, and asked her to bust the myths so you don’t make these common mistakes!

The "it isn’t relevant to us" myths

  • "It doesn’t happen here" – Business owners don’t like to think that money laundering or even potentially worse, terrorist financing, could be happening right under their nose, but the truth is anyone offering services or products that can be used to launder funds or support terrorist activity is susceptible to exploitation. It is incredibly important that reporting entities accept that it isn’t a case of it being everyone else in the sector except them. Your sector has been identified because there are genuine inherent risks associated with it. You need to understand those risks and consider them in the context of your business, before any measures you take to mitigate the risks.

  • "It’s all about drugs or gangs" - A lot of reporting entities link money laundering with obvious criminal activities, especially drug dealing, and overlook white collar crime such as embezzlement or tax evasion. However, in most cases, it isn’t individuals carrying bags of cash from a carpark drug deal and dumping it down in front of you. Money laundering and terrorism financing are often sophisticated operations and are commonly managed through businesses that pose as legitimate. Laundering proceeds from criminal offending of all kinds means placing and layering the money – and that generally happens through everyday activities.

  • "We’ve known our customer for 10 years, we know them" – Just because you’ve built a loyal relationship with a customer for years, doesn’t mean you know everything about them or even enough about them to really know what risks they present. People undertaking illegal activity don’t generally advertise it. And more significantly, 10 years ago you likely didn’t turn your mind to the sort of questions you need to ask now to actually consider and assess customer risk from a money laundering and terrorism financing perspective.

  • "We are a low-risk reporting entity" – Often I find that reporting entities are desperate to assess their risk as low, I think because they believe acknowledging any significant risk is in some way a negative reflection on their business. Higher risk reporting entities are simply sectors that are more attractive to money launderers or terrorist financiers and offer services that can be used to hide the origin of money and mingle it with legitimate funds making it hard to trace. It is why the legal profession is rated medium-high risk, because they can provide an air of legitimacy to a transaction and when settling transactions through a trust account can – entirely unwittingly – facilitate anonymity and help obscure the origin of funds. It isn’t because a law firm is reckless in any way, it is simply that the services they offer have room for exploitation.

The Customer Due Diligence Myths

  • "Electronic identity verification is difficult and expensive" – Clients, especially smaller businesses, will often disregard electronic identity verification as cost prohibitive, but there are many instances where electronic identity verification is both cost efficient and the most effective way to complete identity verification for a business and its customers. Using a system that can be API integrated into standard operating systems can reduce some of the leg work and ensure that you apply consistent standards. Reporting entities need to really understand and explore options to find a best fit and factor in the value and cost of their time as part of that process.

  • "Our identity verification provider does it all for us" – Electronic identity verification is a tool within a compliance programme. It provides reporting entities with access to databases through which they can verify the identity of individuals. The good providers can also help with assessing the parties who need to be verified and assist with setting rules, but ultimately, it is up to each reporting entity to assess the reliability and independence of the databases they rely upon and the rules that will result in a pass. This has always been the case but the updated guidance to the Identity Verification Code of Practice really highlights that the ultimate responsibility rests with the reporting entity – so you need to work with your provider to understand the verification process and make sure it works to your risk appetite and expectations. It is also really important to cover off the all-important nature and purpose part of CDD as well, as that isn’t something you will find in a database.

  • "On-going CDD means I have to redo the identity verification" -  The AML CFT Act really hasn’t provided very much guidance on ongoing customer due diligence, but what it does make clear is that it is intended to ensure that the information you have about your customers is consistent with the business relationship and transactions, the purpose being that you will be able to identify when something unusual happens. It means knowing if there is a change in effective control of the customer for example, or if their place of business has changed, if their type of business has changed. You don’t need to re-verify identities – sure, get updated identification documentation if you see it has expired. However, ongoing customer due diligence is linked with transaction monitoring because it is about ensuring that you have sufficient information to identify and report suspicious activity. It is not about running the verification process all over again.

  • "Another reporting entity has already verified them, so we shouldn’t have to as well" – You are always required to verify a new customer’s identity before establishing a business relationship with them, as well as any existing customer where there has been material change in the business relationship. This is regardless of whether they’ve already been verified by another reporting entity. And neither should you, in my view, just ask to rely on another reporting entity to provide you with their customer due diligence without some robust enquiry into their verification procedures and agreed protocols. For starters, the relevant sections in the AML / CFT Act on reliance have quite prescriptive requirements, including that the other reporting entity agrees to carry out the customer due diligence on your behalf – suggesting a prior arrangement. When reporting entities say it’s just a duplication, I say think of it as a jigsaw puzzle – every entity is likely to collect slightly different information and it all goes to help build a bigger picture ultimately if it is needed.

The Suspicious Activity Reporting myths

  • "You have to report suspicious behaviour straight away" – If you identify any customer activity, including any transactions or behaviour, that appears unusual, you need to investigate it in a timely manner and once you determine it meets the threshold of suspicious you have to report it within three days. However, that doesn’t mean you have to report within three days of identifying the alert or the potential suspicion – you are allowed to properly investigate. The test is that you report within three days of when an objective person would have formed a suspicion. Sometimes you can form a suspicion on the spot but other times, you may genuinely need weeks to cover off proper lines of enquiry, before you can do so.

  • "If I file a SAR, my client will find out and know it was me" - Creating a SAR doesn’t mean a S.W.A.T team will turn up at your client’s property the next day. Nine times out of ten, the information is just stored – I compare it to a library. You will likely never know whether your SAR has triggered an investigation or is ever used as part of one – and neither will your customer.

Myths about Record Keeping

  • "I just need to keep what I am using, and information and records about transactions and customer ID" – The courts have held that record keeping is a cornerstone of the Act. Reporting entities really need to think about this, what they keep and how it can be accessed – including updates to processes and why changes to risk assessments and programmes were made, training and vetting records. These are common areas where I see reporting entities slipping. Similarly, you need to have records of investigations into potentially suspicious behaviour, even where it didn’t result in a SAR.