The regulatory compliance landscape of the post-9/11 epoch is a far cry from the relatively unregulated context that preceded this major terrorist attack. The following article provides an overview of the major regulatory compliance laws implemented in its aftermath, and explores the KYC/AML and CFT compliance challenges faced by regulated financial service providers worldwide.

Why the need for regulatory compliance?

A succession of corporate scandals and terrorist attacks at the turn of the millennium revealed that criminals were exploiting numerous system loopholes to commit a broad range of financial crimes, including embezzlement, money laundering and fraud. Of much concern was the fact that the proceeds of these crimes were being used shadowy extremist figures to finance terrorism on an unprecedented scale.

Global political stability was being threatened by elusive forces, and the need to curb financial crime and the funding of terrorism became an international priority overnight.

Essentially, financial criminals’ ability to create bank accounts and transact under a false identities had to be curtailed, which called for a level of transactional monitoring and client due diligence unlike any required prior to 9/11. 

Regulatory compliance laws: the “Usual Suspects”

The USA PATRIOT Act of 2001 – the legislative benchmark informing all current regulatory compliance legislation in the USA, UK and further afield – included extensive regulatory requirements for banks, accountants, asset management houses, legal practitioners and other financial service providers in terms of client identity verification and Enhanced Due Diligence (EDD) procedures.

Some other well-known pieces of regulatory legislation informed by the USA Patriot Act include the Sarbaines-Oxley Act (SOX Act), the Health Insurance Portability and Accountability Act (HIPAA) and the Bank Secrecy Act (BSA), to name only a few.

Amendments to Know Your Customer (KYC) compliance legislation, and especially those pertaining to AML and ATF considerations, saw pre-2001 guidelines being turned into mandatory obligations. The introduction of the risk-based approach to due diligence, the enforcement of ongoing client and transactional filtering requirements and the increased scrutiny of Politically Exposed Persons (PEPs) were all hallmark features of this new compliance era.

Given impetus by laws such as the USA PATRIOT Act, the resulting class of cross-border regulation made Anti Money Laundering (AML), Know Your Customer (KYC), Advanced Due Diligence and Anti Funding of Terrorism (ATF) compliance mandatory, and extended the regulatory scope to include conveyancers, law firms, hedge fund companies and a host of formerly unregulated financial service providers.

This, for all its positive effects, has had far-reaching operational implications for regulated companies.

The costs associated with meeting compliance mandates using in-house infrastructure is staggering, and generally places a huge administrative burden on key resources within an organisation. These challenges would all contribute to the market demand for a one-stop compliance solution and a centralised risk intelligence database that would consistently outpace emerging regulatory requirements.

Regulatory compliance in the UK

The European Union Second Money Laundering Directive, also known as 2 MLD, was concerned with preventing the proceeds of crime from being laundered, the impending Third Money Laundering Directive focuses on the processing of funds before a crime or act of terror has been committed.  

In essence, the broader financial community’s compliance mandate now includes the mitigation of operational risks, while the advent of cost-effective global communication networks and regulatory infrastructure has made enforcement a reality. Other significant pieces of UK regulatory legislation include the Proceeds of Crime Act of 2002 (PoCA), and the Financial Services and Markets Act of 2000.

The JMLSG (Joint Money Laundering Steering Group), comprising several trade associations in the UK financial sector, supports enforcement agencies and publishes best practice guidelines for regulated companies. It also provides information that aids interpretation of UK AML legislation, and compliance to their guidelines has been made mandatory by HM Treasury. In practice, the ongoing expansion of regulatory requirements will see UK authorities implementing an even more rigorous enforcement regime to persecute non-compliant law firms, for example.

Businesses that have never made a disclosure regarding suspect activities are already being targeted, as the parameters of what constitutes money laundering are drawn so wide that not unearthing something suspicious is virtually impossible. As such, failure to notify the Serious Organised Crime Agency (SOCA) of suspicious activities or transactions is treated as a sign of non-compliance.

It is worthwhile noting that much of the UK’s regulatory compliance legislation is informed by European compliance legislation.

European Union (EU) AML legislation

The impending EU Third Money Laundering Directive, which builds on the stipulations of the Second Money Laundering Directive, expands the scope of industries being regulated, and requires companies not only to implement a Client Identification Programme (CIP), but also to keep electronic records of ongoing due diligence and transactional filtering. Adopted in 2005, this directive afforded companies a grace period of two years to fulfil their compliance responsibilities.

As such, regulated companies will need to prioritise the implementation of effective compliance processes as a matter of urgency during 2007. 

Regulatory compliance in the USA

THE USA PATRIOT Act (2001) included the Financial Anti-Terrorism Act, a bill aimed at increasing the US Federal Government’s ability to control and monitor financial criminals internationally. Significantly, it made the implementation of an Anti Money Laundering programme compulsory for all financial institutions. 

Entities such as the Financial Crimes Enforcement Network (FinCEN), an initiative by the US Department of the Treasury, is one numerous big agencies fighting money laundering in the United States and further afield.

Leveraging the enforcement provisions of the USA PATRIOT Act in implementing US-specific legislation such as the Bank Secrecy Act (also known as the Currency and Foreign Transactions Reporting Act or BSA), FinCEN ensures that financial institutions in the USA assist government agencies in the detection and prevention of fraud and money laundering.

Although the BSA has been effective since 1970, subsequent amendments have significantly increased regulatory agencies’ enforcement powers. Title III of the USA PATRIOT Act – the International Money Laundering Abatement and Anti-Terrorist Financing Active of 2001 – for example, is a case in point. It expanded the BSA’s requirements, and made detailed record-keeping and reporting of underlying transactions and beneficial ownership of accounts mandatory.

Other benchmark regulatory compliance laws included Federal Information Security Management Act of 2002 (FISMA), Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA ).

AML and CTF Compliance: Implications for banks and financial institutions

The above-mentioned laws have formed the foundation for the regulation of banks, asset management houses, lending companies and related financial services providers. Non-compliant institutions face severe financial penalties. Yet as the Riggs case had shown, the dangers of non-compliance doesn’t stop at financial penalties: the reputation damage resulting from the financial scandal this US bank had been embroiled in sent its share price plummeting, and effectively caused the demise of one of America’s top banks.