A key element in the application of the risk-based approach (RBA) to financial crime is the identification by a firm of those countries with which its customers are closely linked and which are also adjudged to be high risk in financial crime terms.
There are many lists of such high-risk countries produced by both public authorities and private organisations that may assist a firm in the production of its own high-risk list.
The purpose of this article is to consider a few issues around some lists produced by the public sector.
FCA survey of annual financial crime returns
The FCA has required some 2,000 of the largest UK firms to submit an annual Financial Crime Return (FCR).
The purpose of the FCR is to increase the FCA’s understanding of a variety of issues on a firm by firm basis, such as the total number of clients, the number of high risk clients, the number of internal suspicious reports and external suspicious activity reports (SARS) submitted as well as the most common types of fraud.
One element of the FCR deals with high risk countries. Each firm must advise the FCA which countries the firm deems to be high risk. In a recently published analysis of data submitted in FCRs for 2017, the FCA sets out in a list the firm’ collective view of the degree of risk associated with each country.
Iran, Panama and Russia are deemed to be the highest risk whilst the US, Sweden and Norway are believed to represent the lowest risk.
In light of recent events involving Danske, it is likely that Denmark ranked 222 (of 228) and Estonia ranked at 193, will be adjudged to represent much higher risks when the 2018 analysis is published.
Freedom of Information Act requests
The analysis make clear, in bold font, “This ranking does not represent the opinion of the FCA”. The analysis does not state which countries the FCA views as high risk as previously the FCA encountered some embarrassing difficulties when it did publish its views on this matter.
In 2014, in response to a Freedom of Information (FOI) Act request, the FCA published a list of 95 countries that it assessed to be high risk .
Interesting, its list contained three EU Member States (Bulgaria, Latvia, Romania) and twelve Financial Action Task Force (FATF) members (Argentina, Brazil, China, India, Malaysia, Russia, South Africa and Turkey plus four member states of the Gulf Cooperation Council, a FATF member in its own right).
Furthermore, the FCA did not issue a Press Release announcing the publication of its list, which is contrary to its usual policy of giving extensive publicity to financial crime issues.
Within six weeks of publication, the FCA withdrew its list, again without any publicity. On learning of its inclusion in the FCA list, the government of the Caymans Islands, a UK Overseas Territory, protested to the UK Foreign & Commonwealth Office (FCO).
After discussions between the regulator and the FCO, the FCA took down the list from the FOI page on its website.
In the following year, 2015, another FOI request was made in order to obtain a copy of the regulator’s list.
On this occasion, the FCA, whilst acknowledging it held such a list declined to publish it on the grounds that publication may prejudice relations with foreign countries, which is an exemption from publication provided by the FOI Act.
The matter ended up before the Information Commissioner’s Tribunal who adjudicates in cases where public bodies decline to meet FOI requests. The panel upheld the FCA’s view.
EU list of high risk countries
A little discussed element of the Fourth EU Money Laundering Directive (4AMLD) was the obligation, set out in Article 9 of the Directive, on the European Commission to produce a methodology to produce a list of third countries that represent a high money laundering risk to the European Union and then publish such a list.
The Commission quickly published the FATF list of jurisdictions with significant deficiencies in their financial crime systems.
Soon after, the European Parliament expressed its displeasure at the Commission’s actions in that the Commission failed to publish its methodology, the Commission [had taken a] “short cut” in exclusively relying on the FATF list and the omission of any tax havens on the high risk list.
Although 4AMLD was passed in June 2015 with a member state implementation deadline of June 2017, it was not until June 2018 that the Commission produced a Staff Working Paper on the production of a methodology for a high risk list .
The document makes clear that the Commission’s policy is not one of “name and shame”, nor is it to restrict trade with the countries in question.
Rather, the policy objective is to “protect” the EU internal market. Interestingly, the European Economic Area (EEA) countries, i.e. Iceland, Norway and Lichtenstein. are not deemed to be third countries.
Also, in line with EU policy, all member states are assumed to have satisfactory financial crime systems and thus will not appear on the EU’s high risk list.
In the first phase of analysis, the Commission is aiming to produce a list of the highest risk countries by the end of 2018.
The initial assessment is focussing on those countries deemed to be high risk by Europol, those countries that are on the EU list of non-cooperative tax jurisdictions (currently American Samoa, Guam, Samoa, Trinidad & Tobago and the US Virgin Islands), those on the FATF high risk list and those countries subject to a Moneyval evaluation, which are deemed to be a strategic importance to the EU. Other third countries will be assessed at a later date.
The importance of this EU list for firms is highlighted by Article 1 (11) of the Fifth Money Laundering Directive (5AMLD) which requires firms to adopt specified enhanced customer diligence measures for “transactions involving high risk third countries”. Additionally, those EU firms with subsidiaries or branches in such high risk countries are also required to take additional specified governance measures in relation to those foreign units.
Should the UK avoid a “no deal” exit from the European Union and remain with links to the body, the FCA may face a dichotomy.
On the one hand, the regulator refuses to publish its own assessment of high risk jurisdictions on the grounds that it may damage the UK’s foreign relations.
On the other hand, it will have to enforce the 5AMLD mandatory measures against firms with customers based in and transactions involving those countries that appear on the EU’s high risk list. It will be interesting to see how the FCA resolves this quandary.
It can be seen that the question of the production of a high risk list of jurisdictions is fraught with political sensitivities faced by those bodies that produce such lists.
The failure to produce such lists causes a considerable duplication of work across the financial services industry that some may argue is unnecessary.
5AMLD to some extent addresses this issue, but firms may not exclusively rely on it for their own list of high risk jurisdictions.
They will still have to consider which additions they may want to add to the EU list for their own purposes.
It may be worthwhile for the Commission to adopt its model used in terms of the dozen equivalent jurisdictions for data protection purposes.
Firms may assume these dozen countries have data protection legislation that is substantially the same as the EU and therefore, when firms transfer personal data to entities based in those countries, no additional measures are required.
Conversely, firms transferring personal data to non-EU countries who do not appear on the equivalence list are required to take additional measures. Perhaps adopting such a model for financial crime would be easier for both the public and private sectors.
About the author: UK-based Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016. He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.
This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.
Drawing on deep subject matter expertise and our many customer and partner relationships globally we deliver valuable insights through weekly KYC newsletters, white papers, podcasts and events.Explore the Knowledge Hub
Exclusive event with former F1 Head of Race Strategy
Mastering Compliance Process Transformation - Lessons from the frontline