AML – How a Small Financial Institution Can Be as Compliant as a Bank
Managing partner and attorney at law of ACG International in the Netherlands, Edith N Nordmann tackles a problem faced by small financial institutions around the world.
Edith N Nordmann
During a legal conference in Dubai in May 2023, professionals from all over the world gathered to discuss the ever-changing and increasingly strict AML regulations. I had the privilege of being one of the speakers on AML compliance during a session titled: “Global Risk Mapping: Leveraging Your Due Diligence to Mitigate Multi-jurisdictional Risks”.
“Surely it is not reasonable that small financial institutions must meet the same KYC and Due Diligence (DD) requirements?”
One of the questions from the audience was: "How can a small financial institution be as compliant as a bank, while having fewer resources at its disposal?"
The question went even further: "Surely it is not reasonable that small financial institutions must meet the same KYC and Due Diligence (DD) requirements – can’t something be arranged with the Regulator?"
Excellent question – that’s how I started my answer – but the answer is not so simple.
The compliance legislation seems unambiguous – but that is not quite right. The purpose of the rules is clear – but the nuances make the correct application of the rules challenging in practice.
Money Laundering Plan Bill
In 2020 the Dutch Ministry of Finance submitted a “money laundering plan” bill (Wetsvoorstel plan van aanpak witwassen) to the Council of State or “Council” (Raad van State) amending the Prevention of Money Laundering and Financing of Terrorism Act and the Supervision of Trust Offices Act 2018.
The bill includes the obligation for an institution to make enquiries with other institutions when investigating a high-risk (potential) client. The institution being asked is then obliged to share data. The Council subjected the proposal to thorough scrutiny and came to the conclusion that two of the proposed measures would lead to far-reaching infringements of the fundamental rights of citizens and businesses, preventing the protection of confidential data and privacy.
“The Council... came to the conclusion that two of the proposed measures would lead to far-reaching infringements of the fundamental rights of citizens and businesses...”
The Council stressed that however important the fight against money laundering and terrorist financing is, the question with these measures is whether the end justifies the means. It ruled that these means (information exchange in joint monitoring of banking transactions and customer DD) go too far in the design of the bill. This data sharing violates the protection of confidential business and personal data.
The proposal is also at odds with the professional secrecy required of notaries and lawyers. Under the bill, they are not bound by their duty of confidentiality if they share the data. Therefore, the Council recommended better justification of the necessity and proportionality of this measure and that the bill should not be submitted to the House of Representatives (Tweede Kamer) until it had been amended.
“However important the fight against money laundering and terrorist financing is, the question with these measures is whether the end justifies the means.”
Currently, the bill is being further amended, after which the House of Representatives will debate the proposal. In short: there is still a lot of work to be done.
Recent Developments to Ease the Burden on Banks in AML Compliance
The Dutch Central Bank (De Nederlandsche Bank or DNB) has just recently reached a compromise with other banks not to subject all their customers to intensive KYC and DD, but to focus only on their high-risk customers. This is because, much as the government and regulators want to track down criminals and terrorists –- and banks and (small) financial institutions want to comply – it is a complicated and, above all, time-consuming and very costly affair.
“[The DNB] has just recently reached a compromise with other banks not to subject all their customers to intensive KYC and DD, but to focus only on their high-risk customers.”
A bank may be able to bear these costs, but a (much) smaller financial institution struggles to follow the AML rules because it is a time-consuming and expensive process. In addition, even though they have far more resources to get their affairs in order, the banks have been able to negotiate less rigid compliance checks, whereas it is still uncertain if this will also apply to small(er) financial institutions.
The Unbearable Burden for Smaller Financial Institutions
When teaching AML courses to non-banking financial institutions, it is noticeable that the required culture shift in the organisation, in particular, takes a lot of time and effort.
On top of that, the control of the ultimate beneficiaries is often underestimated – it can be quite a puzzle, but it is strictly necessary, even without being able to use the Ultimate Beneficial Owner (UBO) registry!
"‘Give us a roadmap we can stick to,’ is the understandable wish of financiers and advisers.”
There are of course roadmaps, but they are of limited help and only provide direction, not certainty, because the assessment and control must be risk based and therefore require case-by-case assessment of the overall situation. In short, the assessment is subjective and highly casuistic – which brings not only a lot of uncertainty, but also a huge administrative workload and high compliance costs.
So – given the huge costs and workload – does it make sense at all, and is there still a future for small financial institutions? Certainly, but only for those financial institutions that are smart about it.
The Solution
It starts with KYC – make sure you really get to know your customer. Don’t just ask the obvious, ask for a CV, be seriously interested in who your customer really is and what they are up to, not just within your jurisdiction, but also worldwide. Do the world check, the news check, etc!
This is not only a means to meet KYC and AML obligations, but also gives you a holistic picture of your customer and can at the same time make it clearer which (other) services might be of interest to this customer.
“Good KYC can lead to a better proposition and, therefore, also to a better customer relationship.”
This is then actually “reverse engineering” – use the KYC/AML check as the basis for the commercial proposition! At the same time, the meticulous detective work becomes more exciting for the employees engaged in KYC research within the organisation, with or without the help of (new) technical tools.
To answer the original question of the delegate in Dubai: compliance laws and regulations cannot be adapted for smaller financial institutions, but the way smaller institutions deal with them can.
The application of AI, if done correctly, is also among the possibilities, and good KYC can lead to a better proposition and, therefore, also to a better customer relationship.