How to keep your organisation free of dirty money

In-house lawyers need to make sure they know what their organisations are doing to prevent money laundering, and keep senior management informed about it, as Jonathan Watson explains.

Flemming Pristed, the former Group General Counsel at Danske Bank, resigned from his position at the bank in October 2018. After five and a half years at the company, he said, he wanted to try ‘something new’.

Who can blame him? His time at the bank coincided with ‘almost certainly the biggest money laundering scandal in European history, if not of all time, involving a total some 250 times bigger than that moved by HSBC on behalf of Latin American drugs cartels,’ according to the author Oliver Bullough.

Danske is being investigated in several countries, including Denmark, Estonia, the United Kingdom and the United States, over suspicious payments worth about €200bn moved through its Estonian branch.

‘To put that into further perspective: with 200 billion euros, you could buy HSBC outright, with enough left over to buy Danske Bank too,’ Bullough says in Moneyland, an analysis of the world of tax havens and shell companies.

Danish prosecutors have filed preliminary charges against a number of former Danske Bank executives, including Pristed.

In a statement, Danske says it has ‘taken a number of initiatives aimed at strengthening and improving our controls and systems for combating [sic] money laundering and other types of financial crime.’

The whole episode has left regulators and financial services firms in a bit of a panic. What can in-house lawyers do to ensure their firm is never caught up in a similar situation?

Know your organisation – and your customer

The first obvious point to make is that in-house lawyers need to be on top of how the anti-money laundering (AML) process works at their organisation. Due to the complexity of AML regulatory frameworks around the world, large organisations can end up with multi-faceted and very complex regimes, which as a result are delegated to specialists.

‘In many organisations, there is a money laundering reporting officer (MLRO) and staff around that person who specialise in AML rules,’ says Jan Putnis, Head of the Financial Regulation Group at Slaughter & May. ‘The general counsel (GC) may not be a specialist in AML matters, even in organisations where you might expect them to be.’

In the UK, the Money Laundering Regulations 2007 say that all businesses within the regulated financial services sector must have an MLRO. The MLRO provides oversight for the firm’s AML systems and act as a focal point for related inquiries. Their role is defined by the regulator, the Financial Conduct Authority (FCA), and is outlined in the FCA handbook.

The risk here is that if the GC does not drive AML compliance, it can end up being a bit of a blind spot, says Putnis. ‘The legal department can become beholden to the qualities of this group of specialists and effectively lose control of an area which they definitely should be on top of. It’s fine to delegate the implementation of money laundering policies, but GCs do need to understand what’s going on, the standards expected and the consequences of getting it wrong.’

AML compliance should be high on the agenda of financial institutions in the UK in particular as it is one of the FCA’s cross-sector priorities in 2019. That’s according to Claire Lipworth, a partner at Hogan Lovells who previously led the criminal prosecution function at the FCA as its Chief Criminal Counsel.

‘The FCA has around 70 open investigations into AML systems and controls breaches,’ she says. ‘Enforcement action can take the form of a regulatory or criminal investigation and some investigations are dual track. To date there have been no prosecutions by the FCA under the UK’s Money Laundering Regulations 2007 or 2017 but this may be coming down the line.’

Most enforcement cases simply relate to people not keeping proper records or not conducting thorough due diligence on their clients. ‘If you look at most of the big FCA fines in the last few years, they’ve been in that category, rather than involving evidence of actual money laundering,’ says Putnis. Most regulatory action is preventative and designed to penalise those who are not complying with basic administrative requirements.

Trouble in Europe

EU regulators have been trying to strengthen the 28-member bloc’s regulatory framework for AML for years. The first AML Directive was adopted in 1990, obliging organisations to apply customer due diligence requirements when entering into a business relationship (identifying and verifying the identity of clients, monitoring transactions and reporting suspicious activity).

We are now on the fifth AML Directive, which was adopted in 2018. It includes, among other things, amendments designed to enhance transparency by setting up publicly available registers for companies, trusts and other legal arrangements. It also seeks to strengthen the powers of EU financial intelligence units – such as the National Crime Agency in the UK or Portugal’s Financial Information Unit – and provide them with access to a range of information that helps them combat money laundering.

The situation at Danske, along with others in Europe such as ABLV in Latvia, seem to suggest the EU framework still is not working. ‘Where these measures fall down is at the enforcement level or the monitoring level,’ says Neil Swift, a partner at Peters & Peters.

‘It’s all very well having a robust set of rules, but then you as a person who’s subject to the rules, are you ensuring compliance?’ he says. ‘What are the carrots and sticks, as it were, in each of the jurisdictions in which you operate that make you do that? What sort of level of ongoing regulation or review is there from the financial regulators in these jurisdictions? And how quickly do they react when something of concern comes up?’

The EU is currently exploring the creation of a central authority to crack down on money laundering activity. The bloc’s finance ministers are expected to formally mandate the European Commission to make recommendations on a new ‘independent’ enforcement body with ‘direct powers’ when they meet in December 2019. Its mission would be to police financial institutions’ compliance with EU rules on customer due diligence and other safeguards.

The Danske case has strong implications for in-house counsel in financial institutions, says one lawyer who asked not to be named. ‘As I understand it, the management information going to the board was insufficient,’ the lawyer says. ‘The board didn’t fully appreciate the level of risk involved in the Estonian branch nor the extent to which AML issues were arising. To the extent that issues were flagged to the board, it was generally just to tell them that everything was being taken care of.’

Danske Bank appointed law firm Bruun & Hjejle to compile an internal investigative report on the affair. Published in 2018, it contains numerous references to the role of the Group Legal Department and the Group Compliance and AML Department.

In 2012, Danske Bank’s GC (Pristed’s predecessor) had his reporting line redirected from the chief executive officer to the chief financial officer, and in 2014, Danske’s in-house lawyers urged an internal investigation prompted by whistleblowing allegations. Other senior executives overruled a decision to investigate, so a full inquiry never took place.

Perhaps the scandal could have been avoided. ‘The thwarted investigation alone demonstrates why putting roadblocks between the GC and the CEO is a bad idea,’ says Veta Richardson, president and CEO of the Association of Corporate Counsel.

‘Every in-house counsel in a financial institution needs to be aware that information going to the board has to be sufficiently detailed,’ says Imelda Higgins, a senior associate at Irish law firm McCann Fitzgerald. Higgins works closely with Louise Delahunty, a member of the IBA Anti-Money Laundering Forum and a consultant in McCann Fitzgerald’s cross-departmental Investigations Group. ‘Board members themselves have to be aware that they should be watching for any efforts to whitewash information coming towards them,’ says Higgins.

One worrying sign is that external lawyers, whom in-house counsel may need to rely on for AML advice, do not seem to be getting the message. In March, the UK’s Solicitors Regulation Authority (SRA) wrote to 400 firms asking them to demonstrate compliance with the UK Money Laundering Regulations 2017 by filing risk assessments. Of the responses, 83 were found not to be compliant. Firms either did not address all the risk areas required or they sent over something other than a concrete risk assessment.

The majority of firms (64 per cent) used templates, many of which were of low quality. The SRA complained that too many firms seemed to take a ‘copy and paste’ approach without thinking through the specific risks and issues they face individually.

As the use of technology in AML processes increases, it seems even more likely that firms in all sectors will opt for a ‘copy and paste’ or ‘box ticking’ approach. ‘The temptation is for people to start investing in machine learning and other sophisticated platforms that claim to be able to detect suspicious activity before humans can,’ says Putnis. ‘Those platforms are of course based on data, so they’re taught based on very large volumes of data from the past. While these systems can provide really valuable insights, they can also make incorrect inferences and mistakes.’

Every effective automated system needs to have mandatory human intervention points embedded in it at appropriate points. Specific individuals need to be given the responsibility of making sure that happens. ‘At the moment, with people buying off-the-shelf machine learning products, I don’t think enough thought is going into that, because these products risk being sold as a one-stop shop solution to identifying suspicious activity,’ says Putnis.

Watch out for tougher AML regimes – and weaker ones

US law enforcement authorities have a reputation for being more alert than their European counterparts. They were the ones who uncovered institutionalised money laundering in 2018 at the now defunct Latvian bank ABLV.

Following the Panama Papers leak that included evidence of money laundering, US regulators have also accelerated their attempts to secure greater transparency. In May 2016, for example, the US Department of the Treasury’s Financial Crimes Enforcement Network issued the final version of its customer due diligence (CDD) rule under the Bank Secrecy Act 1970. This rule imposes a new requirement on financial institutions to identify the beneficial owners that control certain legal entity customers when a new account is opened.

Changes like this add an extra layer of complexity for GCs. ‘If you are going to be operating in different countries, and particularly if you’re going to be operating in the regulated financial services sector, then you need to have a handle on all of the regulatory requirements in each of those jurisdictions,’ says Swift.

Awareness can vary according to industry sector, says Swift. ‘Those in the regulated sector are under particular obligations,’ he says. ‘If information comes to them in the course of conducting business in the regulated sector, then there are obligations to make reports of that activity. Those who work in financial institutions are going to be very, very aware of all of that.’

But in other sectors, that is not always the case. A company operating in the wholesale sector, for example, might discover that some of their wholesale shipments are not as described. Goods described on the shipping documentation as being of very high value might turn out to be nothing of the sort.

This is trade-based money laundering, where on the face of it, there is a shipment of goods which satisfies the need for money to move from one place to another. In reality, it may be the case that low-value goods are being moved around in order to move large amounts of money between various companies. In circumstances such as these, GCs could easily be caught out.

‘Companies outside the regulated sector still need to think about AML risk, particularly trade-based money laundering, as part of their BAU (business as usual) activities and during any significant transactions,’ says Lipworth. ‘A know your customer (KYC) process which includes customers and counterparties is a good idea.’

In some parts of the world, many in-house lawyers have found themselves dealing with AML issues for the first time in 2019. In the last few years, in many organisations this has moved away from being a purely administrative exercise, with much more involvement now from legal departments, says Putnis. Many high-profile enforcement cases have made people realise that they should be paying more attention. ‘We’ve seen a lot of in-house lawyers who haven’t traditionally known much about this having to up-skill,’ he says.

This can lead to external lawyers becoming more involved. ‘In-house lawyers who are not sure about AML will naturally pick up the phone to their friends in external law firms and ask for their help,’ says Putnis. ‘We are quite often involved in helping in this way.’

In-house lawyers will also lean on external counsel if they find that money laundering has been going on at their organisation. ‘When an issue arises, there’s usually a couple of decisions that have to be made very quickly,’ says Higgins. ‘One of the things I would do immediately is contact external counsel and the reason for that is professional privilege. Putting that privilege structure in place, making sure you maintain it and that you don’t inadvertently waive privilege, is fundamental. You can always waive privilege if you want, but if you haven’t attracted it in the first place, you don’t even have the choice.’

GCs will then need to know what their reporting obligations are. ‘Financial institutions will generally have some sort of specific reporting obligations which may apply to the institution or may apply specifically to certain functions within the financial institution,’ says Higgins. ‘Then there are wider reporting obligations. In Ireland, section 19 of the Criminal Justice Act 2011 requires organisations to report money laundering offences – that includes not only actual money laundering but also certain breaches of anti-money laundering requirements.’

Anecdotal reports suggest that in the aftermath of the financial crisis, some institutions have become less averse to taking money from sources that they wouldn’t have taken money from previously because of the need to satisfy capital requirements.

‘It seems to be a very high-risk strategy if that’s what institutions are doing,’ says Higgins. ‘But there seems to be a lot more activity going on in high-risk jurisdictions. This is perhaps simply down to globalisation, which means that firms are active in areas they would not necessarily have been involved in before.’

The message for in-house lawyers on money laundering is a fundamentally simple one. ‘All senior managers need to own the financial crime, including AML risks, for their area of the business,’ says Lipworth. ‘Compliance and legal are there to assist with the AML control framework but do not own the risks.’

As part of this, GCs need to satisfy themselves that the institutions they work for have appropriate AML systems and controls. ‘You can’t close your eyes to it, delegate it and assume someone else is going to deal with it,’ says Putnis. ‘That’s the BAU element to this. Delegation is fine, but overall oversight from the legal and compliance departments is essential and the legal department’s role is ultimately the responsibility of the GC. Those departments need to work together effectively and to have clearly delineated roles.’

‘Secondly, any institution that is potentially vulnerable to money laundering will get hit by it sooner or later, and you must have arrangements in place to ensure you know what to do if you suspect this has happened,’ adds Putnis.