Last year saw an unwelcome re-emergence of the so-called ‘laundromat’ scandal; the term, which harks back to the dry-cleaning establishments into which Al Capone and the Chicago mob funnelled their ill-gotten gains, was popularly attributed to a large-scale criminal money laundering scheme (uncovered in 2014) in which $20.8bn was laundered out of Russia through 96 countries and, more recently, to the rapidly developing scandal involving Danske Bank and its Estonian subsidiaries.
In the former, a team of journalists and investigators from the Organised Crime and Corruption Reporting Project (OCCRP) trawled through thousands of transactions from Moldindconbank in Moldova and Trasta Komercbanka in Latvia, before announcing the discovery of an incredibly complex money laundering scheme involving complex ownership structures, entity types and Russian Politically Exposed Persons (PEPs) whilst, in the latter, the accusation is that the Estonian branch of Danske Bank A/S failed to fully take into account the risks posed by their customers and, as a result, upwards of €200bn of potentially suspicious non-resident funds flowed into (and out of) the bank between 2007 and 2015.
The Azerbaijani laundromat (again uncovered due to involvement by the OCCRP) was a complex money-laundering operation that handled $2.9bn over a two-year period through shell companies registered in the UK and is particularly notable insofar as it involved several very prominent Azeri PEPs, including the family of the incumbent First Deputy Prime Minister.
Screening of prospective customers
The clear and enduring lesson which financial institutions and obliged entities must learn from the above is the importance of implementing appropriate internal policies, procedures, systems and controls to mitigate the risks posed by certain specific customers and situations.
Where attempting to mitigate the risks posed by political exposure, then, a firm should first put in place an appropriate screening tool to identify PEPs in relation to prospective customers (including the significant controllers and/or the ultimate beneficial owners of a corporate customers) and an ongoing monitoring function to identify where an existing customer or connected person becomes a PEP at some point during the customer lifecycle.
Mitigating risks posed by sanctions
Similarly, the above rings true as regards to the method by which financial institutions and obliged entities can effectively manage and mitigate the risks posed by exposure to domestic and international financial sanctions regimes; as with PEP screening, a firm should put in place an appropriate tool to identify sanctioned persons in relation to prospective customers (including the significant controllers and/or the ultimate beneficial owners of a corporate customer, as well as the entity name itself) and a means for screening existing customers against new additions to applicable sanctions lists. Firms must also implement transaction screening where this is relevant to the firm’s business model.
Importance of effective sanctions screening
In 2015, Commerzbank AG paid $1.5bn to settle US Department of Justice charges alleging that, from 2002-2008, the German bank cleared transactions worth $253bn for Iranian and Sudanese companies that were sanctioned by the US. In 2014 and, perhaps most notably, BNP Paribas SA were fined $8.9bn for breaking US sanctions against trade with Sudan, Iran and Cuba. HM Treasury’s Office of Financial Sanctions Implementation (OFSI) operate a zero-tolerance approach to serious financial sanctions breaches and the penalties incurred can be up to £1m or 50% of the breach, whichever happens to be higher; as such, the importance of effective sanctions screening simply cannot be understated.
Dealing with PEPs and Sanctions
It is important to note, however, that the mere integration of a screening tool is only one component of an effective control framework. Firms must first consider their exposure to potential PEP and Sanctions risks before tailoring a pragmatic approach to risk mitigation and, once a system has been put in place, define requirements as part of documented policies and procedures, ensure staff are fully trained and responsible and conduct testing to validate that the control itself is fit-for-purpose.
There is no single approach or guaranteed right way for firms to mitigate the inherent risks facing them; the manner in which effective mitigation is achieved should be grounded in the ideals of a risk-based approach.