Enforcement and AML – our approach and priorities - Seana Cunningham, Director of Enforcement and Anti Money Laundering

13 September 2018 Speech

Good afternoon, my thanks to the ACOI for the invitation to speak today about the work of the Enforcement and Anti-Money Laundering Directorate of the Central Bank of Ireland, and our priorities over the next few years[1].

I am delighted to have the opportunity to address this audience of compliance professionals.  The role you play in your firms and across the industry is a critical one in promoting and supporting the drive towards a culture of effective and ethical compliance.  

This morning I would like to set out our approach to our AML/CFT and enforcement work and tell you a little of our priorities for the future.  I trust that the context and insights I provide will assist you in performing your respective roles, and help your organisation understand our expectations better.

Let me begin by describing briefly the cross-sectoral work of the Directorate. It has two distinct functions of great relevance to your own areas of responsibility: first, risk-based supervision in AML / CFT; and second, enforcement investigations and actions against firms and individuals. Both of these functions serve to support our overarching strategic goal: a financial system that is well-managed, well-regulated, and sustainably serves the needs of the economy and consumers over the long term.

We are committed to setting and requiring adherence to a clear regulatory framework within which firms and individuals hold themselves to the highest standards of compliance, and where risks are actively anticipated, identified, managed and mitigated in a timely and transparent manner. That said, we do hold a stick as well as a carrot: the Central Bank will use its powers, and has done so, where firms or individuals fail to comply.      


So, turning first to our AML/CFT mandate.  The Central Bank plays a key role in protecting the integrity of the financial system through the effective risk based supervision of AML/CFT compliance in credit and financial institutions. 

We have a dedicated division of AML/CFT supervisors and policy specialists, working to improve standards in AML/CFT compliance and regulatory policy. Our approach to AML/CFT supervision has evolved over time. We have implemented a graduated risk based approach to supervision based on the formal assessment and identification of existing and emerging risks. This is supported by the application of different levels of supervisory intensity depending on the level of risk identified in each of the different sectors and firms. Our supervisory resources have increased to support the implementation of our AML / CFT supervisory engagement model, which includes inspections, review meetings and risk evaluation questionnaires (REQs). The focus in this area is reflected in the level of supervisory engagement activity in 2017, when we conducted 77 on-site inspections, issued 309 REQs and held 83 review meetings with firms across banking, insurance, credit unions and other sectors.

Our outreach and communications engagement has also increased as we seek to provide firms and the industry as a whole with up-to-date guidance on their requirements and on our compliance expectations. Last year, we presented at 20 speaking events across the country, published guidance on our website and issued a number of thematic bulletins on topics such as customer due diligence, suspicious transaction reporting and investment firms.

Based on the last few years of our supervisory engagements, we would make some observations. The understanding of ML/TF risks and AML/CFT obligations by firms has moved a long way since the issuing of our ‘Dear CEO’ letter in 2012.  In recent times there has been a marked shift in the nature and scale of deficiencies being identified in firms. We have observed a move away from the more egregious deficiencies seen in the past, where controls may have been absent, to findings now that relate more to the depth, quality and sophistication of the actual controls in place. This is not to say that there is not further work to be done, but we have certainly seen improvements.    

I wish to underline the importance of cooperation and collaboration in combatting money laundering and terrorist financing.  It is a unique area in the financial services framework and entails a shared effort by public agencies such as regulators, law enforcement authorities and the private sector. Three areas of collaboration are of paramount importance to us: international, domestic, and with industry. As to the international angle, in today’s globalised economy, those engaged in criminal activities do not respect borders; in order to be effective in combatting ML/TF there must be a co-ordinated approach at international level; our voice is growing and recognised in European and international fora. In addition to this ongoing engagement outside of our borders, in Ireland we work closely with Garda National Economic Crime Bureau, government agencies and departments and other supervisors.

Finally, we have seen an increase in suspicious transaction reports (STRs) year on year, having doubled over the past 5 years up to 24,000 last year. While the increase in the number of STRs could be viewed negatively by some, and while it is important to guard against any “defensive reporting”, we believe that the increased number represents an increased awareness in firms of their obligations. We have also seen an increase in the number of criminal prosecutions being brought for money laundering. For me, this further highlights the increased understanding by firms of the risks posed and the importance of providing financial intelligence to law enforcement agencies. And, importantly, it supports the Directorate’s efforts to achieve our desired strategic outcome with firms taking responsibility for assessment, management and reporting of their existing and emerging risks.


And so to enforcement, which comprises two divisions made up of multi-disciplinary teams, engaged in the conduct of enforcement investigations and enforcement policy development. Where there are serious or significant breaches of regulatory requirements and standards, the Central Bank takes enforcement action against firms and individuals in order to deter misconduct and promote compliance.  

Today, there are three areas of enforcement’s work that I would like to speak about: the Administrative Sanctions Procedure, the Fitness and Probity Regime and Protected Disclosures.

The Administrative Sanctions Procedure, or ASP, has been and continues to be the primary means by which we take action against firms that commit breaches of regulatory requirements and senior individuals who participate in these breaches.

We have been proactive in our deployment of the ASP. Since 2006, 122 enforcement actions have been concluded, resulting in the sum of over €64m being imposed by way of monetary sanctions.  Statements on these settlements are published.  These public statements serve important functions, in facilitating transparency and communicating expectations to all firms and individuals working in financial services. I would strongly encourage you all to read and pay attention to what is set out in our public statements, which outline what occurred, and increasingly how and why it happened, in an attempt to assist future compliance within firms and across the industry. Indeed, we have been pleased to note good examples of firms using learnings from enforcement outcomes to focus on areas for improvement and better outcomes in their own business. 

Whilst our ASP outcomes to date have largely been arrived at through settlement by firms and individuals following acceptance of failings, this is not and will not always be the case. We may refer certain cases to Inquiry.  In recent years the Central Bank has successfully defended the Inquiry process itself through the courts. Several significant legal challenges were brought following the referral of a number of cases to Inquiry in 2015. One of these cases challenged the constitutionality of our legislation. In the High Court, Mr Justice Hedigan found for the Central Bank. Critically, he confirmed the constitutionality of the legislation. The Court of Appeal also found in favour of the Central Bank in April of this year. Importantly, Mr Justice Hedigan noted “the overwhelming public interest in maintaining the integrity of the financial sector of society [which] is something that requires… effective forms of regulation and enforcement. The Oireachtas has provided that those functions should be carried out by the Central Bank … and have established complex and sophisticated administrative machinery for doing so.” 

The Central Bank’s Fitness and Probity Regime is a further key tool which we employ to hold firms and individuals to account, and a means by which we seek to ensure that individuals working in financial services are fit and proper. While firms have first line responsibility for ensuring people subject to this regime are fit and proper, the Central Bank has key powers to prevent individuals from taking up senior positions in firms if their fitness or probity is in question (known as the ‘gatekeeper’ function), and to remove individuals from the industry if we have similar concerns. The public expects that people looking after their financial affairs can be trusted to do so, and as Matthew Elderfield, former Deputy Governor of the Central Bank, pointed out when he launched the Fitness and Probity framework “the requirement to act honestly, ethically and with integrity needs little explanation”[2]. We are serious about using our powers to this effect.

Our gatekeeper role is critical to the protection of the public interest and to ensuring that there is public trust and confidence in the financial system. This is an area where we have been robust and quietly effective. Individuals who expect to take up a senior role in the financial services industry can expect to be challenged, because senior roles in regulated firms come with serious responsibilities. As we all know, there can be dire consequences for consumers and the wider economy if such individuals do not behave responsibly. Our approach is intrusive and assertive: where it is necessary, we interview people to explain any apparent shortcomings or gaps in their application. Refusal is not the only outcome. It has been our experience to date, which is consistent with international regulators, that where the prospect of refusal is raised, proposed appointees are in most cases withdrawn. Since the commencement of the regime, 57 applications have been withdrawn where the prospect of refusal by the Central Bank was raised, and this number continues to grow.

We also have an oversight function, and we regularly investigate individuals when we have concerns as to either their fitness or their probity. Such an investigation can give rise to a suspension, or to a prohibition for a specified period or indefinitely. We have issued a number of prohibition notices following such investigations and published statements about the outcomes. You are probably aware of the statement we published at the end of August. It was issued against the former Director of Citybus Employees Credit Union, and prohibits him from carrying out any controlled functions in any regulated firm for an indefinite period. The prohibition follows an investigation which revealed that the Director was responsible for the misappropriation of a significant sum of money from the credit union.

A final area I would like to reference today in the context of our approach to enforcement is Protected Disclosures. The Protected Disclosures regime allows members of the public or staff of regulated firms to provide information on suspected regulatory wrongdoing in a confidential form to the Central Bank. As you are aware, senior individuals are under an obligation to report wrongdoing to us.

Protected Disclosure reports are an important supervisory tool to assist the Central Bank in discharging its supervision and enforcement mandate. These reports provide information that might otherwise be unavailable to us, and indeed they have triggered action such as on-site inspections, the issue of risk mitigation plans, firms being placed on a watch list and enforcement action. The numbers of protected disclosures are increasing year on year. 113 protected disclosures were received in the twelve months to June 2018, compared to 79 in the year before that.

We encourage individuals to come forward to our dedicated Protected Disclosures team where they have concerns or information relating to suspected regulatory wrongdoing in financial services. We understand that this can be a difficult and indeed stressful step to take. However, we truly value people coming forward and we have a team of people answering your call or receiving your email, listening carefully to you and dealing with your information professionally and sensitively.

So what of the priorities for the Directorate moving forward?


Recent significant AML issues arising in some European banks highlight the need for constant vigilance by firms and regulators.  We have a number of ongoing priorities in the area of AML and CFT, including the enhancement of our own supervisory approach in light of regulatory and external environmental changes. We shall continue to allocate our resources and use the appropriate supervisory tools to respond to the changing environment and meet challenges. Our active engagement at a national and international level will continue in order to influence AML/CFT policy development so that it is fit for purpose. I shall speak briefly about four priority areas in the AML/CFT sphere.

Upcoming legislative changes

As you are doubtless aware, there is a bill before the Oireachtas to transpose the Fourth EU AML Directive. We intend publishing AML/CFT guidelines in line with the new law and hope to go to public consultation before year-end to get industry input. These AML/CFT changes are not a fundamental shift in approach for firms and we will expect firms to reflect these changes in their risk management frameworks. I would emphasise, in particular, the importance of firms bringing their risk assessment and policies and procedures in line with the Fourth EU AML Directive.  

Making Suspicious Transactions Reports promptly

Suspicious Transaction Reports are high on our list of priorities. The prompt filing of STRs can be critical, particularly where there may be an ongoing investigation into criminal offences, which would not typically be known to the reporting firm. A well-functioning reporting regime in a national system can deter criminals from using banks and other institutions for laundering the proceeds of crime, thereby protecting the integrity of the financial system. An area where we would like to see further importance placed by firms is to recognise the ongoing need to file STRs promptly to An Garda Síochána and the Revenue Commissioners. Reporting suspicious transactions is the central component of an effective AML/CFT regime, as the reports provide law enforcement with intelligence that may lead to the detection, investigation and prosecution of money launderers and terrorist financiers.

Technology and Innovation

With Ireland rapidly becoming an international hub for companies operating in FinTech, this innovation presents challenges to AML/CFT compliance. One such challenge facing firms is the implications for customer identification and know-your-customer requirements arising from technological innovation.

We are keen to engage with industry on AML/CFT related technological innovations. There is a considerable focus on FinTech with the rise of cryptoassets, blockchain and artificial intelligence. Recognising the need to listen to innovators and experts in this field, the Central Bank has established an Innovation Hub for firms to share information and ideas, and to engage directly with us[3]. This new unit focuses on “engagement, sharing and listening”[4] and is a contact point for new and existing FinTech firms to engage with the Central Bank on a less formal basis. For our part, it will help ensure that our AML supervisory programme continues to remain fit for purpose as the pace of change in financial services continues to gather momentum.

While AML/CFT legislation is technology neutral, the Central Bank would like to remind firms who do wish to utilise FinTech solutions that they continue to remain responsible for compliance with their AML / CFT and regulatory obligations; the responsibility cannot be outsourced. Outsourcing is not a defence for regulatory failings.  

Effective compliance

There needs to be continued engagement and cognisance across firms, including at senior management level, of ML/TF risks and the role played by AML/CFT compliance and embedding it as a cultural norm that influences behaviour across organisations. Compliance culture and behaviours are set from the top, and it is the responsibility at board level to ensure it is cascaded and embedded across all business lines to ensure that compliance measures are in place to protect businesses from being abused by criminals and to protect the integrity of the financial system. This is not an unnecessary nuisance or hindrance to doing business. It is part of efforts not only to protect the financial system and the wider economy but also to keep all of us safe from criminality and terrorist acts.

So what does good AML/CFT culture and behaviour look like in firms? We have seen that the type of attitude and culture embedded within a firm is of critical importance in the fight against money laundering and terrorist financing. We have seen positive AML/CFT compliance cultures within certain firms. Such cultures recognise the important public interest aspect of their role in the fight against ML/TF. This means having an approach to AML/CFT compliance that considers the legislative obligations as only the starting point. Such firms have a commitment to investing in resourcing the AML/CFT framework, in terms of both personnel and systems, and senior leadership participate actively in instilling the right culture. Further, firms with a good AML/CFT compliance culture engage with us in a positive, transparent way and are proactive in bringing matters to our attention. This is what we expect to see across the board.

The findings and actions that we issue to firms seek not only to correct weaknesses in systems and controls, but also to influence and foster a corporate culture that contributes to effective risk management and compliance with national laws.  These findings will often require some action by the boards of firms, by way of a specific finding to be addressed by it, or action to address the finding requires board approval.  This is to ensure that firms take both top down and bottom up approaches to AML/CFT compliance and that good practices are embedded into their ethos and culture. 


Turning then to emerging and future priorities for our enforcement work.  We shall continue to take action that holds firms and individuals accountable and serves to deter misconduct and promote compliance and high standards. 

Transparency and outreach is a key part of our enforcement strategy. We believe that the public dissemination of enforcement action outcomes provides transparency and engenders trust and confidence in the effectiveness of regulatory regimes.  It is important that we continue to get our messages out to the industry about the standards of behaviour we expect, and also to the public about our role. Public statements on concluded enforcement actions will continue to focus on clearly communicating the standards we expect, and are available on our website and in our Annual Performance Statement.

We work closely with our supervisory colleagues across all sectors and as part of this engagement we seek to identify the cases where enforcement action may be needed.  We have a number of significant and complex enforcement investigations ongoing. 

In our enforcement investigations, all possible angles will be explored, including potential individual culpability. It is worth pausing for a second to address a criticism we sometimes hear with regard to some of our enforcement taking too long. Some of you will have experience in regulatory or other types of investigations, in which case you will know that it is necessarily a meticulous process. When done correctly, it is painstaking. Our investigators, forensic accountants and lawyers act with appropriate haste to bring actions. But they provide the due process that firms expect and the rigour that the public deserves. It should also be said that sometimes we face legal strategies designed to slow and frustrate our investigations[5], and we must tackle these head-on. Bear in mind that cooperation is one of the factors that we weigh in deciding on the appropriate sanction. Where there has been unnecessary obstruction, firms and individuals may see enhanced monetary sanctions, and reputational damage where their lack of cooperation is noted in public statements.

To my mind, the Central Bank has established the credible threat of enforcement that it set out to achieve with the establishment of the separate enforcement function.  My message for firms, their boards and their senior management, is that the Central Bank has and will continue to take robust enforcement action where serious or significant regulatory failings arise.  We will also continue to focus on firms’ compliance with requirements under the Fitness and Probity regime, and to challenge senior individuals seeking appointment to senior positions in financial services where concerns arise in respect of their fitness and probity. 

I cannot stress enough how important it is for firms and senior individuals in them to be open and frank in their engagements with the Central Bank, and I would remind all PCF role holders that cooperation with the Central Bank is key to acting in accordance with the Fitness and Probity standards. It is also a requirement in the context of those holding the most senior positions in financial services, who are under a legal obligation to bring serious issues to the attention of the Central Bank pursuant to section 48 of the Central Bank Reform Act 2010.   

Individual Accountability

It will not surprise you to hear that a particular area of focus is individual accountability. There was an understandable outcry following the financial crisis at the lack of action by regulators against individuals. Our focus in this area has been sharpened. We consider the appropriate regulatory response for individuals, and, as I noted earlier, actions have been taken against individuals under the fitness and probity regime. We have also pursued individuals as participants in regulatory breaches by firms under the ASP, as evidenced by our referral of cases to Inquiry in respect of persons formerly concerned in the management of Irish Nationwide Building Society and Quinn Insurance Limited.

Notwithstanding this evolution and increased focus on individuals, we believe that more can and should be done. That is why we recommended strongly in our submission to the Law Reform Commission in January of 2018[6], and again in our July 2018 report to the Minister for Finance on Behaviour and Culture of the Irish Retail Banks[7] that reforms assigning responsibility to senior personnel be adopted in this jurisdiction. The primary purpose of our reform proposals is to act as a driver for positive behaviours and the recognition of responsibilities by individuals.

A key element of the proposals recommends the introduction of a Senior Executive Accountability Regime, or “SEAR”, to ensure clearer responsibility and accountability by placing obligations on firms and senior individuals within them to set out clearly where responsibility and decision-making lie for their business. This would permit the Central Bank to require every senior manager to present a statement of responsibilities that clearly states the matters for which they are responsible and accountable. For their part, firms should be obliged to provide maps setting out the responsibilities and accountabilities at an individual and an organisational level. These requirements will assist us in assigning responsibility to individuals. There will be no doubt as to where responsibilities lie. The ability for individuals to avoid liability for regulatory wrongdoing will be constrained. 


Poor, lacking or corrosive organisational culture in financial services is widely accepted as a key root cause of the major conduct failings that have occurred within the industry in recent history. These cultural failings have had severe consequences, both for customers and shareholders and also, in the case of the crisis, for the stability of the financial system as a whole.

The embedding of an effective and ethical culture in financial services is essential given the central role that the financial sector plays in our everyday lives and the modern economy, supporting growth, employment and future prosperity. It is also essential to the sustainability of financial services firms themselves, with growing evidence that the lack of a consumer-focused culture in firms erodes competitiveness and damages their long-term prospects. What we want to see is an effective and ethical culture within and owned by our regulated firms. This will only be achieved when it is set right from the top and cascaded throughout the entire organisation, from the boardroom through the back office to client-facing services.

The Central Bank expects that compliance professionals and employees across all levels of a firm should be empowered to provide senior management with an honest appraisal of both the risks that are inherent and the effectiveness of a firm’s systems and controls. Employees should also feel empowered to raise questions of ethics and have the necessary communication channels in place to facilitate this. The correct culture needs to live and breathe in every part of the firm. While roles might differ, there should be a shared sense among staff across a firm of the importance of protecting the firm and, more generally, maintaining the integrity of the financial system. When firms get this right, the rest should flow into everything from strategy, to decision-making, and down to simple everyday tasks. 

Christine Lagarde, Managing Director of the IMF, said that “The goal of the financial sector must be not only to maximise the wealth of its shareholders, but to enrich society by supporting economic activity and creating value and jobs – to ultimately improve the well-being of people.”

I agree.

And I hope you do too.


[1] With thanks to John Lynch and Tony Cahalan for their assistance in preparing my remarks.

[2] Elderfield, Matthew. 2011. Raising Standards in Banking. Speech. Foresight Business Group, Trinity College Dublin.

[3] Central Bank of Ireland Innovation Hub.

[4] Rowland, Derville. 2018. Innovation and technology in financial services: a regulatory perspective. Speech. University College Cork Financial Services Innovation Centre.

[5] Moloney, Martin. 2018. Transforming Culture in Regulated Financial Services in Ireland. Speech. Alvarez & Marsal / Byrne Wallace Solicitors Seminar on Transforming Culture in Regulated Financial Services in Ireland.

[6] Central Bank of Ireland Response to the Law Reform Commission Issues Paper “Regulatory Enforcement and Corporate Offences”.

[7] Central Bank of Ireland. 2018. Behaviour and Culture of the Irish Retail Banks.