Toward a new risk paradigm

How financial institutions and corporations need to mitigate risk in a dynamic regulatory environment
Ingo Steinhaeuser

Twenty years after 9/11 and after the passing of the USA Patriot Act, the year 2021 saw the most dramatic changes in the regulatory landscape and in the elevation of corruption to the highest priority.

These changes are likely altering how market participants deal with counterparty risk and corruption.

The Anti-Money Laundering Act of 2020 was passed in January 2021; one month later, countering corruption was declared a national security interest by the current administration. This made the fight against corruption a top priority as it threatens national security, economic equity, global antipoverty and development efforts, and democracy itself. At the same time, the U.S. Congress created a bipartisan Caucus against Foreign Corruption and Kleptocracy, which serves as a congressional incubator for measures and legislation to combat financial crime and corruption. 

It was, however, the release of the Pandora Papers last fall that elevated the debate and showed how funds can be moved around through opaque corporate structures; this exposed a huge weakness in the financial system, particularly in the United States. It is in the United States that setting up an anonymous shell company, let’s say in Nevada, is as easy as shipping a package via UPS. The difference is that the UPS package can be tracked and traced. 

It appears that the release of the Pandora Papers was a turning point, at least for the public and the political class, but lawmakers and industry observers knew this problem all along. 

The global regulatory body, the Financial Action Task Force (FATF), for example, issued a revision to its Recommendation 24 this year in dealing with ultimate beneficiary ownership information (UBO) by requiring countries to hold beneficiary ownership information in the form of a registry or using alternative mechanisms. It is possible for anyone — or, as commonly done, for a lawyer operating on behalf of someone — to set up a shell company in the Virgin Islands that is the secret owner of a shell company in Nevada, which in turn owns real estate in Miami. This matters because the shell game is played globally, and close international coordination is key in combating this problem.

To put the final touch on the most dynamic year in anti-corruption regulation since the USA Patriot Act 20 years ago, the U.S. government launched its first-ever strategy on countering corruption with a set of measures and resources that will have a long-lasting impact and influence on the risk assessments of market participants.

Implications for market participants 

What are the implications for compliance professionals in such a climate? How should financial institutions and corporations implement regulatory changes into current third-party risk management programs? Unlike previous years, where market participants were adapting their compliance programs to certain changes in regulatory frameworks, such as the changes from the 4th to the 5th European Anti-Money Laundering Directive or adaptations in the United States to the Customer Due Diligence (CDD) rule, it is fair to say that this year feels different.

As a result, compliance professionals at banks and corporations need to rethink how they are adapting to this new paradigm. Adding to the new paradigm is the emergence of environmental, social, and governance (ESG) as a risk category. ESG factors are becoming an important component of a risk management framework, which is relevant not only for assessing risk in the supply chains of corporations but also for the risk-based decisions that financial institutions are making about companies.

Second, beneficiary ownership structures need to be fully understood, ideally with the support of adverse media solutions. Third, compliance programs need to be truly global to ensure that there is no difference in assessing risk; this has often been the root cause of compliance shortcomings, resulting in billion-dollar fines for market participants. 

Integrating ESG risk and AML risk 

ESG risk and AML risk have traditionally been managed separately. In corporations, ESG strategy typically falls under the responsibilities of a Chief Sustainability Officer, while third-party risk management typically falls under the responsibilities of a Chief Compliance Officer. In a recent report by Deloitte about the roles and responsibilities of a Chief Sustainability Officer, roughly one third of survey respondents stated that they reported to the CEO directly. 

The new risk paradigm suggests a more integrated evaluation of risk, including both ESG and compliance-related factors, such as AML and human rights-related regulations. 

Understand beneficiary ownership structures of counterparties 

In light of recent regulatory changes, a complete understanding of beneficiary ownership structures may become a more thorough way of managing risk. Having access to beneficiary data not only meets regulatory requirements but also improves the complete understanding of counterparties and provides transparency on something that is very much hidden today and is often a mechanism for conducting illicit activity. According to the compliance officer of a Miami-based bank, “the more complex these structures are, the more we have to assume that there is something strange going on that could expose us to risk.” 

Adverse media solutions should be part of every due diligence program conducting UBO searches, as all relevant data can be enhanced by conducting dynamic searches that cut through any Google-type manipulation of results. As of today, Google ranks as the top service for adverse media screening, but this approach is very time-consuming and inaccurate. In contrast, UBO information can be searched via adverse media, allowing due diligence to be conducted on company structures that may not be visible at first.

Developing a global compliance management program — same data and same processes

To overcome compliance deficits and shortcomings, particularly in global firms, a global third-party risk framework may be considered that standardizes risk management by applying similar workflows and using similar, if not the same, data sources to conduct due diligence. 

This typically includes all available information that can be collected on counterparties, including the screening of mandatory lists like sanctions lists, politically exposed persons (PEP) lists, law enforcement lists, or other high-risk databases that include actors involved in financial crimes. State-of-the-art data-gathering capabilities, in combination with artificial intelligence (AI), allow for further improvement of visibility into counterparties.

Implementing such an approach is particularly challenging when compliance management is not centralized and compliance tools and programs are heterogeneous. Often, purchasing decisions are made locally and vendor preferences may vary depending on the region. In third-party risk management, the risk mitigation process is still highly decentralized, using a variety of data sources and processes, often reaching different conclusions about onboarding clients — driven by very different dynamics.

Financial institutions need to develop a centralized risk management program that follows the same principles as financial risk management guidelines. They must understand clearly what factors would contribute to a risk assessment and use the same data sources so that there is a unified way of assessing risk. 

