I recently had the chance to visit with Koby Bambilia, Managing Director at K2 Integrity. We looked at some key anti-money laundering (AML) trends in 2021 and how they might impact AML investigations, prevention and enforcement going forward into 2022. We considered the impact to date from the passage of the AML Law of 2020, then moved to some of the key questions on AML going into 2022. Have COVID and the global crises created shifts which allowed bad actors to take advantage of the financial system? Finally, what are some of the key ways to mitigate these risks and get ahead of the rulemaking as we head into 2022?
We began by considering the focus of the Department of the Treasury (Treasury) and its regulators. Here there are several topics that were given priority as part of the national Strategy for Countering Corruption, terrorism and other illicit activities. These priorities include cybercrime, virtual foreign currency, domestic terror financing, criminal organizations, human trafficking, smuggling, drug trafficking, corruption, fraud and proliferation financing. Bambilia related, “we can easily see that the list is quite extensive, yet there is something in common for all these priorities. If you look at the priorities, they include predicate crimes that generate illicit funds through assets, which allows criminal actors to launder through the financial system.” As money laundering is linked to all these priorities, it remains a priority.
Bambilia believes financial institutions need to incorporate these AML priorities into their risk-based Bank Secrecy Act (BSA) compliance programs by assessing the potential risk associated with the client base and the products and services they offer, in conjunction with their geographic areas and countries of operations. Bambilia believes that government examiners will soon ask to see and review what steps banks and financial institutions have taken with regard to these priorities. In other words, whatever steps you take, Document, Document, and Document so you can show the regulators when they come knocking.
As Treasury continues to issue regulations stemming from the AML Law of 2020, banks and financial institutions should be prepared to face new and revised beneficial ownerships and obligations in 2022. Bambilia believes, “December’s proposed rule to implement the Corporate Transparency Act gave us all the preview into the Treasury Department’s mind and approach to developing a national registry of beneficial ownership information.” Moreover, this should also act as a reminder to meticulously follow the Beneficial Ownership Rule, which requires covered financial institutions to identify beneficial owners of each customer at the time a new account is being opened and to determine the true and official owners based on both the control and ownership prongs. Bambilia also noted, “looking ahead into 2022, beyond the immediate implications, the proposed rule will also require changes to existing customer due diligence obligations for financial institutions.” Finally, they will most probably be the subject of a future FinCEN rulemaking.
It is clear that COVID-19 had an immense impact on everything relating to illegal activities and bad actors. Ransomware is the tool most bad actors are using, even with financial institutions. Bambilia related, “those nefarious actors are probing to obtain both customer and commercial credentials, as well as proprietary information to defraud financial institutions and to disrupt business functions.” Interestingly, Bambilia and colleagues observed a significant increase in criminal attempts to exploit the pandemic through phishing campaigns and business extortions, email compromise and traditional fraud schemes.
Tying all this back to our initial discussion, the proceeds of these activities are being channeled and funneled through the regular banking and financial systems. This puts a higher burden on financial institutions, as they are uniquely positioned to observe and detect the suspicious activity that results from cybercrime. Now they are required to report it through the normal channel of Suspicious Activity Reports. This has led to an increased need for financial institutions to process, review and monitor transactions that go through their systems and to evaluate those transactions with a sufficient and comprehensive set of skills required to identify illegal activities and properly report them to authorities.
Just as ransomware attacks have become more ubiquitous, so have ransomware payments. In September 2021, OFAC issued an updated advisory on potential sanctions risks for facilitating ransomware payments, which is specifically designed to disrupt criminal networks and virtual currency exchanges responsible for laundering these ransom payments and to encourage improved cybersecurity across all sectors, including the banking industry. Bambilia said this “emphasized the need to properly report ransomware incidents and related sanctions to US government agencies, including both Treasury and law enforcement.” It also re-emphasized the need to properly monitor bank transactions for potential illegal activities.
We turned to a discussion of what businesses and financial institutions need to do to prepare for the upcoming regulations and increased enforcement. Bambilia emphasized that a strong compliance program for AML, BSA and sanctions is the best place to start and build upon going forward. Bambilia laid out the steps as follows:
- First, make sure that your policies and procedures adequately address the new regulations, then update and validate your BSA risk assessment accordingly. Your risk assessment should consider factors like banks, products and services, customer entities and geographic locations and operating jurisdictions.
- Second, designate an individual who is responsible for day-to-day compliance, who is familiar with the new requirements and who has the full support of both senior management and the Board of Directors to manage these changes.
- Third, update your current system of internal controls to reflect the change in regulation, then monitor and update as appropriate. Your controls testing should help you determine if your internal controls can effectively detect and identify possible breaches of your policies and procedures.
- Fourth, work together with your internal audit function to ensure their yearly audits assess the effectiveness of the updated compliance program.
- Fifth, training. Here Bambilia re-emphasized the importance of training via properly tailored and targeted trainings. They constitute a key element in the ability to successfully implement any new policies, procedures and controls for any new regulations.
We ended by recognizing that it is up to all employees, not simply the compliance function, to be a part of these new efforts. Employees need to understand their role on the first line of defense and how to report violations up the chain or raise their collective hands to ask for information as AML regulations continue to evolve. COVID-19 has impacted compliance functions in many ways, so compliance will have to re-double its efforts as well. Banks and financial institutions must also commit the requisite resources to upgrading their compliance programs to meet these new regulatory requirements.
Bambilia concluded, “I will end by saying that the world of financial crimes continues to evolve. And our thinking must be as always one step ahead of those looking to take advantage of our financial systems. It is not just about identifying it, understanding today’s threats, but also being prepared for the threats of tomorrow.”
Check out the K2 Integrity website here. Check out my full interview of Koby Bambilia here.