https://rusi.org/explore-our-research/publications/commentary/i-know-it-when-i-see-it-effective-anti-money-laundering-supervision
The Financial Action Task Force has changed the way in which it assesses the effectiveness of anti-money laundering supervision. Will this drive better supervisory outcomes in the UK?
Effectiveness is a word that is flung around by many in the financial crime community, but it remains a somewhat vague and nebulous concept. To paraphrase a quote from the US Supreme Court, do we just know it when we see it?
Notwithstanding questions that have been raised about its Theory of Change, the Financial Action Task Force (FATF), the global standard-setter for anti-money laundering (AML) and countering terrorist financing (CTF), sets out a high-level objective for an effective AML/CTF framework:
‘Financial systems and the broader economy are protected from the threats of money laundering and the financing of terrorism and proliferation, thereby strengthening financial sector integrity and contributing to safety and security.’
In 2012, the FATF added the requirement for countries to be assessed not just on their technical compliance with the FATF’s 40 Recommendations but also on the effectiveness of the measures that they had put in place. In order to assess effectiveness, the FATF defined three intermediate outcomes, reflecting the thematic goals that a country should seek to achieve. These are 1) having a framework in place to mitigate money laundering and terrorist financing; 2) the detection and disruption of threats, including sanctioning criminals and seizing assets; and 3) preventing the proceeds of crime and funds in support of terrorism from entering the financial system. Supporting the three intermediate outcomes, the FATF also defined 11 more granular objectives, referred to as the Immediate Outcomes (IOs).
While all of the IOs are tricky in their own way, the one that has historically tripped up a lot of countries is IO3 – the requirement for countries to demonstrate a risk-based approach to the AML/CTF supervision of regulated entities (including both financial institutions and non-financial institutions, referred to in FATF language as Designated Non-Financial Businesses and Professions (DNFBPs)). The risk-based approach is an essential component of effectiveness – implementing a risk-based approach allows a country to focus resources on areas of higher risk, thereby allowing it to be more effective at meeting the overall objective of preventing the financial system from being exploited by criminal actors.
The FATF’s analysis shows that no country has achieved a ‘high’ level of effectiveness in relation to IO3, and only a handful have achieved a ‘substantial’ level of effectiveness. The UK is not included within that handful. In its 2018 mutual evaluation, the UK was assessed as only having a moderate level of effectiveness. Although the Financial Conduct Authority (FCA) and the Gambling Commission both got a relatively clean bill of health, assessors highlighted the that ‘the level of understanding of ML/TF [money laundering/terrorist financing] risk varies across the legal and accountancy professional body supervisors’ and that this has ‘impacted their ability to apply a risk-based approach to supervision’. So, not really very effective then.
Given the deficiencies identified back in 2018 and the FATF’s focus on what it calls the ‘gatekeepers’ (and what others, less charitably, call professional enablers), it is likely that the application of risk-based supervision of this community, and particularly of lawyers and accountants, is going to feature heavily in the UK’s preparation for its rapidly-approaching next mutual evaluation.
The UK – and indeed every other country that is part of the FATF network – will also need to take heed of the changes to the evaluation methodology. As the new round of evaluations – the fifth to date – kicks off, keen FATF watchers will no doubt have spent their summer holidays deep in all 241 pages of the new methodology. One of the interesting changes is to split the previous IO3 into two IOs. The ‘new’ IO3 will focus exclusively on financial institutions and virtual asset service providers (VASPs), while IO4 has been re-formulated to separate out the assessment of the effectiveness of DNFBP supervision into its own standalone IO.
Without wishing to pre-empt the findings of the UK’s assessors in three years’ time, it seems likely that the UK will perform relatively well when it comes to the supervision of the financial sector. That will probably come as a relief to the FCA, which has generally been on the front foot with it comes to AML supervision and will now see its effectiveness assessed in its own right. However, achieving a good score for supervision of the non-financial sector is likely to require a significant amount of effort; the Gambling Commission, one of the other UK supervisors that fared well in 2018, and which will be assessed under the new IO4, will be unlikely to make up for the deficiencies in the other DNFBP supervisors – particularly the Professional Body Supervisors (PBSs), which are responsible for supervising the legal and accountancy sectors.
On the plus side, there have been a lot of developments in the UK since 2018 – the Office for Professional Body Supervisors (OPBAS) was established to try to bring consistency across the 22 legal and accountancy sector supervisors, although it has had, at best, mixed results; the National Economic Crime Centre, National Crime Agency and OPBAS have released a cross-system strategy on tackling professional enablers; and the UK government has consulted on supervisory reform in the UK, including the prospect of consolidating the fragmented supervisory landscape.
In the absence of big structural changes, hopes will have to rest on incremental improvements to the effectiveness of supervision, which have not been forthcoming to date
Effectiveness is not, however, measured by the number of reports, strategies and consultations that have been issued. For FATF, effectiveness requires there to be outcomes and, ultimately, that criminals are ‘discourage[d]’ from abusing and exploiting the sector(s), thereby reducing the amount of ML/TF activity. The FATF methodology provides examples of the kinds of questions that assessors might consider during their evaluation, including the strength of the controls within the gatekeeper sector; supervisory outcomes and enforcement activities; understanding of risk both by supervisors and industry; and the extent to which there is collaboration and information sharing across the ecosystem. All of these areas have been identified by previous RUSI research as being challenges that the UK faces in improving both the standard of AML/CTF compliance and the quality of risk-based supervision, although it is worth noting that the UK is not alone in its struggles.
With the FATF mutual evaluation in mind, the Treasury has developed an Effectiveness Framework that will gather data to better assess the effectiveness of supervision (and presumably, pre-empt the potential findings of the UK’s mutual evaluation). But, as the Treasury’s latest annual report points out, supervision remains inconsistent across the legal and accountancy sectors. Likewise, OPBAS has concluded that while there have been improvements in PBS supervision, the improvements are ‘not yet where we [OPBAS] want them to be’ and that there was a need for ‘material supervisory system reform’. Frankly, this is not going to happen, at least not in time for the UK’s 2027 evaluation. The aforementioned consultation on AML supervisory reform in the UK closed at the end of September 2023, but there has yet to be a response from the government or a proposed way forward. In the absence of big structural changes, hopes will have to rest on incremental improvements to the effectiveness of supervision, which have not been forthcoming to date. The UK is running out of time. Indeed, it is probably more accurate to say that the UK has run out of time.
Beyond the UK’s success – or otherwise – in its next mutual evaluation, there’s a bigger question here. If a country, whether the UK or another, can demonstrate a high level of effectiveness as per the FATF guidance for an IO, does it then follow that the country is actually effective in preventing and detecting ML/TF? One could, arguably, be effective at the latter without necessarily ticking all of the FATF’s boxes. That would certainly present another challenge to the FATF’s legitimacy; to go back to the US Supreme Court, would we just know effective AML/CTF supervision when we see it, regardless of a country’s level of compliance with the FATF’s Recommendations? At the moment, it does not seem like any country is managing to do either particularly well, so it is far more of a hypothetical problem than anything else. It would be a nice problem to have though, wouldn’t it?