At the front lines of the fight against money-laundering in Germany: Financial institutions are asked to do the detail work

In 2016, Germany received 40 percent more reports of suspected money laundering than the year before, the highest increase in 15 years, according to officials. The newly established Financial Intelligence Unit (FIU), which is now handling investigations of suspected money laundering, received a total of 40,690 reports in 2016, most of them from financial institutions and most of them related to fraud.

Starting in late June 2017, when the EU’s new anti-money laundering (AML) mandate went into effect, financial institutions had to revise strategies, processes and control mechanisms to ensure that transactions are monitored and risks are properly assessed. In Germany, financial institutions also faced hasty implementation: The German parliament only adopted the rules in February.

In the past, fines to financial institutions for errors or non-compliance related to money laundering were usually far under 100,000 euros; now, since money laundering prevention is seen as a key way to fight terrorism financing, fines can be in the millions. In addition, if authorities determine a financial institution has failed to comply, it will be named and shamed by being listed as non-compliant on the home page of the financial regulator (BaFin), and it’s possible that company money laundering officers will be held personally liable for non-compliance.

From my perspective as an auditor, I see that financial institutions struggle with the complexity of the new mandate and with finding talent to implement new systems and processes. That’s why I think it’s important to understand the three areas of financial institutions that will be strongly impacted by Germany’s new AML law. They are: know-your-customer (KYC) risk management, due diligence processes, and IT. I believe making targeted changes in these areas will help financial institutions keep their compliance costs down.

Know-your-customer risk management

In the past, financial institutions had to analyze the possible risk of money laundering with a technique called risk analysis (Gefährdungsanalyse), but audits found that many had trouble doing so correctly and completely.

Now, under Germany’s new AML law, financial institutions are required to expand use of the principle of risk-based analysis of money laundering and fraud. Specifically, this means institutions must assess their overall risk, plus they must individually assess the risk of money laundering and terrorism financing for every single business relationship and transaction.

They must know which of their customers and which of their own products may be susceptible to money laundering. Factors to be included in the analyses are overall customer risk and geographic risk, as well as risk from the products, services, transactions or sales channels used in the businesses of their customers. To help in the analyses, Germany and Europe have a new tool – a publicly available register of companies and their ownership, the so-called “transparency register”.

My experience shows that it will take two to three years, with audits, before something useful comes out of the new AML processes. Besides the complexities I’ve mentioned, there’s also a risk of bias – e.g. believing your own analyses could not be wrong, or oversimplifying during the analysis phase. In addition, the analyses must be understandable for third parties, which is difficult given their complex nature. I have heard about banks that hired new teams for compliance, only for people to struggle to make the jump from “this is my product and this is my customer” to “this is my risk, and this is what I’m doing about it.” All in all, expect the process to take time before it is refined.

AML due diligence

Similarly, the customer due diligence related to AML got more complex with the introduction of the new law. Before, risks were classified by law, and now, financial institutions must prepare a rating, an explanation of that rating, and a statement on why it has changed or not.

Then there are Politically Exposed Persons, so-called PEPs. They have always been people of interest to officials fighting money laundering, due to their power or proximity to power. Now, under the new law, German financial institutions must also make assessments of domestic PEPs, not just foreign ones. PEP lists can be purchased from outside providers and integrated into IT systems to generate alerts, but sometimes that’s easier said than done with custom-designed IT systems, which is what many smaller financial institutions use.

IT matters

That leads me to the point of IT. Generally speaking, there is a technical component to the new law that gives financial institutions more options for identifying customers. They include video ID and smartphone legitimation processes. Financial institutions are free to choose whichever process they want, as long as they are able to prove that their chosen process is reliable. What’s new is that financial institutions in Germany must take a copy of their customers’ government IDs, which will not present a large compliance burden.

What can lead to compliance costs are adaptations to IT to meet the more detailed requirements. Typically, as financial institutions narrow filter terms to catch more potential cases of money laundering, or to review additional or new PEP lists, they may receive more false-positive alerts (e.g. indications) that need to be investigated manually. This can raise the costs of compliance and may require IT adaptations.

In addition, financial institutions could assess their own risks as too high and over-correct by adding new layers of process, or they may second-guess the criteria and measures already implemented, thereby incurring costs to double-check them. This is all possible because the requirement is risk-oriented. Often, only a handful of people in an organization know the details of AML matters so intricately that they can have an opinion on whether processes have worked as intended.

For these reasons, I believe it will take a couple of years before financial institutions have processes that will bring value to the business - and satisfy regulators.