Regulators globally have shown financial institutions that violate tough post-crisis compliance rules no mercy and are now, increasingly, showing a determination to also punish corporates that don’t toe the line when it comes to know your customer, anti-money laundering and sanctions.
A decade on from the collapse of Lehman Brothers, regulators across the United States, Europe, Asia Pacific and the Middle East have levied an eye-watering US$26bn in monetary penalties against institutions for KYC, AML and sanctions violations, according to one of the most comprehensive studies of its kind since the financial crisis.
The research by US-based Fenergo, a provider of regulatory and compliance solutions to banks and corporates, says inadequate customer due diligence procedures and the lack of cohesive, global KYC and AML compliance programmes were the most common charges levelled at penalised institutions. On the sanctions front, penalties were mostly handed out for screening processes that intentionally ignored the status of sanctioned entities.
Published in October, the Fenergo study draws on analyses of ten years of AML and KYC fines and found that at the regional level, the US accounted for over 90% or US$23.5bn of all global AML, KYC and sanctions-related fines between 2008 and 2018.
Europe followed with US$1.7bn issued in fines over the ten-year period. The current year however has already become a record year for AML fines across the region, with a total of US$903m levied, including the highest European AML fine of the past decade, totalling US$900m and levied by Dutch authorities.
Across APAC, AML-related fines totalling US$609m have been issued in the last ten years. As with Europe, fines across the region this year already amount to a new ten-year record, with US$540m in penalties issued over the first eight months of the year. “There is a notably intensified appetite from Singapore and Hong Kong financial regulators to safeguard their respective financial systems by bolstering AML, KYC efforts,” says the report.
In the Middle East, meanwhile, regulators are starting to find their regulatory bite in an attempt to fix a global perception of a ‘light touch’ regulatory regime within the region. The Dubai Financial Services Authority (DFSA) has been the most active regulator in the area, levying five fines totalling US$9.5m for AML contraventions.
As for sanctions violations, they accounted for 20% of the US$26bn issued in enforcement penalties globally on financial firms.
With the implementation over the past year alone of new regulations, including the EU’s MiFID II and GDPR and the US Treasury’s FinCEN Final Rule relating to customer due diligence (CDD), the expectation across the financial industry is that regulators will continue to flex their enforcement muscles. Accenture’s 2018 Compliance Risk Study found that nearly 90% of 150 compliance officers surveyed across banking, capital markets and insurance are anticipating their organisations will boost investment in compliance over the next two years.
Warning for corporates
While both the Fenergo and Accenture studies are focused very much on financial institutions, their findings are a powerful signal to corporates that as clients of financial services firms they too will, inevitably, come under greater scrutiny under KYC, AML and sanctions rules.
The sanctions space has been especially lively this year thanks to US President Trump’s willingness to slap new rules on not just countries like Iran, Syria, Russia and North Korea but organisations and individuals as well. Data gathered by US law firm Gibson Dunn earlier this year shows that across the full range of US sanctions programmes, nearly 1,000 new entities and individuals were blacklisted during 2017. That represented a near 30% increase over the number added during President Obama’s last year in office, and a nearly three-fold increase over the number added during Obama’s first year in office.
A notable recent instance of a corporate being snared by US sanctions is Chinese telecom equipment maker ZTE, which was charged with “egregious” violations of rules on Iran and North Korea. In May the company was allowed to resume operating in the US but only after paying a US$1.3bn fine. It also had to change its management and board, hire American compliance officers and provide “high-level security guarantees”.
With sanctions rules there is no room for ignorance. Last year PayPal was fined over US$7m for breaking the US Weapons of Mass Destruction Proliferators Sanctions Regulations after unwittingly processing payments for a sanctioned individual. Elsewhere, US medical company Alcon Labs has been fined more than US$7m for selling medical equipment to customers in Iran and Sudan, and the PanAmerican Seed Company had to cough up US$4.3m for selling flower seeds to Iranian distributors.
Parth Desai, founder and CEO of payment compliance platform Pelican, says that, increasingly, executives are being held personally to account and individually fined by regulators following corporate non-compliance. The negative impact on business reputations of being shamed can be even more significant than the direct financial penalties imposed, he says.
“Despite these risks, there is still a reluctance among some companies to onboard proper sanctions screening processes, with many erroneously believing it is enough for their banks to do all screening,” says Desai. “As many companies have learnt the hard way, there is no excuse the regulators will accept for a failure to put in place adequate systems and processes to ensure all relevant sanctions obligations are adhered to.”
Desai says that while many companies around the world are either planning, implementing or already using sanctions screening and fraud prevention solutions, others are facing either compliance disaster or fraud exposure.
How companies handle their data is no longer simply about compliance – it is a competitive differentiator. Firms that fail to have a cohesive strategy and programme in place will struggle to succeed at best, or create a ticking time bomb at worst, Desai warns, adding: “Action is better than inaction – and complacency can lead to disaster.”
The KYC challenge
Corporates face many challenges on the KYC front too. A Thomson Reuters global survey of 1,122 decision makers, including treasurers and finance directors in non-financial corporations, found that banks are looking to alleviate some of the regulatory pressure on them by increasing the volume of KYC information they require from companies. An indication of the much tougher regulatory climate for banks is that, according to Fenergo, between 2009 and 2012 alone, more than 50,000 regulations were published across the G20 group of countries, with almost 50,000 regulatory updates rolled out over 2015. Not surprisingly, major financial institutions are spending between US$900m and US$1.3bn a year on financial crime compliance.
The Thomson Reuters study, which surveyed firms in countries including Singapore, Hong Kong, USA, UK, France and Germany, also found that the KYC burden on companies is being magnified by their high number of banking relationships. On average, each corporate surveyed had ten global banking relationships, with bigger organisations having more banking relationships, as many as 14 in some cases. Such multiple banking relationships make managing the provision of KYC documentation to financial counterparties significantly more time-consuming and complex for corporates.
The research furthermore reveals that banks were taking longer to onboard corporate clients who in turn were not passing on a significant proportion of material changes needed for KYC processing. As a result, senior managers within corporates were spending valuable time responding to multiple requests for compliance-related information.
One of the biggest bugbears for corporates is financial institutions’ lack of common KYC standards. As a result, document requests vary by bank and geography, making it difficult for corporates to predict exactly what will be required. Institutions and regulators have shown they are committed to moving towards standardised KYC requirements but there is still an awfully long way to go.