Do Anti-Money Laundering (AML) requirements solve the Common Reporting Standard’s “fake residency” concerns for automatic exchange of banking information?
Short answer: we wish…
Here’s a longer answer:
In response to our recent blog about the use of fake residencies to avoid the OECD’s Common Reporting Standard on automatic exchange of banking information – where we proposed extra questions by the bank, whenever someone declares to be resident in a tax haven offering residency or citizenship in exchange for money – we were questioned a about whether the bank’s own AML requirements would make these extra questions become unnecessary.
It is true that the CRS constantly states that banks should use information obtained pursuant to AML to check for consistency with the information declared by account holders. However, if the CRS were that confident about the AML processes in banks, why even bother to ask for an extra self-certification (where the account holder declares their residence) whenever a new account is opened or when some old accounts have conflicting information? Why not simply say: for all accounts, old or new, just trust whatever information was obtained pursuant to AML? Otherwise why would the OECD say it is putting “citizenship-for-sale schemes” in its sights when referring to schemes that avoid the CRS?
While we cannot know what’s in the OECD’s mind (after all, we weren’t invited to design the CRS, however much we tried to make it accessible for developing countries and loophole-free), we have our guesses. AML provisions try to ensure, among other, that the origin of the funds is legal – the residency of the account holder is part, but certainly not the main focus of AML.
As for how trustworthy banks’ AML processes are, here are a few examples about “effective” measures by major banks, relating to the core issue of preventing money laundering:
[In 2013] HSBC was accused of failing to monitor more than $670 billion in wire transfers and more than $9.4 billion in purchases of U.S. currency from HSBC Mexico, allowing for money laundering, prosecutors said. The bank also violated U.S. economic sanctions against Iran, Libya, Sudan, Burma and Cuba, according to a criminal information filed in the case.
You’d think that HSBC might have learned their lesson and now they’re “super” compliant:
[In 2017] The Financial Conduct Authority (FCA) commissioned a skilled person review – a so-called “166 report” […] The investigation was launched after the monitor installed by US authorities to oversee improvements in HSBC’s financial crime measures flagged worries about its progress.
Banamex USA, a subsidiary of the US banking conglomerate Citigroup, accepted responsibility for “criminal violations by willfully failing to maintain an effective anti-money laundering (AML) compliance program … and willfully failing to file Suspicious Activity Reports,” according to a May 22 press release from the US Department of Justice.
Between 2010 and 2014, at least $20.8 billion was laundered out of Russia, funneled into banks in Moldova and Latvia, and spread from there into 96 countries across the world… a lot—an awful lot—of international banks ended up as hosts for the money, despite their anti-money-laundering controls… This cash then ended up in accounts at 732 banks, including giants like HSBC, Bank of China, Credit Suisse, Deutsche Bank, Citibank, and Royal Bank of Scotland.
This doesn’t just involve major banks – just look at Andorra’s Banca Privada d’Andorra:
In 2015, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) said BPA had helped organized crime groups from Venezuela to China launder billions of dollars.
And sadly, this isn’t just a problem of banks either. The CRS requires many other financial institutions to identify account holders and their residencies, including investment entities, insurance companies and some trusts – all of these likely have even less stringent AML requirements overall, than banks. So, do we feel any more confident because financial institutions collect residencies pursuant to AML requirement? Not really.
Now let’s look at how countries are doing in terms of their compliance with FATF Recommendations on AML, especially regarding old Recommendation 5/new Recommendation 10 about customer due diligence (basically, the information financial institutions must obtain from their clients, which is supposedly relevant to identify fake residencies, even though this is not their main focus):
In fact, Switzerland and the U.S., at the top of TJN’s Financial Secrecy Index and two indisputable major financial centres and global players for holding bank accounts, had their FATF Mutual Evaluations published in December of 2016. What did they find? For both:
- Recommendation 10 on customer due diligence: “only partially compliant”.
- Recommendation IO4 (Immediate Outcome 4: Financial institutions and DNFBPs adequately apply AML/CFT preventive measures commensurate with their risks, and report suspicious transactions): “only Moderate Effectiveness” (which is the same as “only partially”, since better options include “Substantial Effectiveness” and “High Effectiveness”).
In addition, as this PWC 2014 AML Guide shows (see question 9: “What are the high level requirements for verification of customer identification information”), even for banks and countries fully compliant with AML recommendation, the residence of the account holder is usually determined asking for a government-ID, e.g. a passport (available for wealthy people acquiring citizenship in exchange for money) and a utility bill, which is exactly what the CRS requires.
However, while determining the address is just one of the many issues covered by AML, in the case of the CRS it is the key issue (to make sure that the relevant country will receive the information) – even in that case, we are simply asking to strengthen requirements not always, but only whenever someone declares to be resident in a tax haven offering residency or citizenship in exchange for money. Notably, if a financial institution already has this extra data (pursuant to their AML processes), they wouldn’t need to ask for anything else – only those that never asked for it would have to do it. (How crazy are we to even suggest this?).
In any case, even if all financial institutions and all countries were fully compliant with 2012 FATF Recommendations on Anti-Money Laundering, only new accounts would be properly covered. But how about pre-existing customers that already had accounts before AML Recommendations were in place?
Here’s the complacent answer in the Handbook for CRS Implementation:
“where accounts were opened prior to AML/KYC requirements being in place and Documentary Evidence has not been obtained at the time of or since the opening of the account, provided the Financial Institution’s policies and procedures provide sufficient comfort that the address on file is current, as set out in the Standard, then the Documentary Evidence condition can still be satisfied” (page 53; emphasis added)
Could it get any worse? Yes. For some accounts, if you don’t even have an address for the beneficial owner, you can pretend they don’t exist – just look at the Handbook’s FAQ 4:
Reliance on AML/KYC procedures for identifying Controlling Persons
With respect to Pre-existing Entity Accounts with an aggregate account balance or value that does not excess USD 1,000,000, what is the due diligence and reporting requirement in cases where the Financial Institution holds information on the names of Controlling Persons and no other information as it was not required to collect such information pursuant to applicable AML/KYC procedures?
The Standard provides that for accounts with a balance or value below USD 1 million (after applying the aggregation rules), the Financial Institution may rely on information collected and maintained for regulatory or customer relationship purposes, including AML/KYC procedures to determine whether a Controlling Person is a Reportable Person (Section V, D, (2), c)). Since, in the example given, the Financial Institution does not have and is not required to have any such information on file that indicates the Controlling Person may be a Reportable Person, it cannot document the residence of the Controlling Persons and does not need to report that person as a Controlling Person. (page 104, emphasis added)