September 21, 2018
In the UK, HM Revenue & Customs regulations stipulate that “businesses that are regulated by the Money Laundering Regulations must appoint what is known as a ‘nominated officer’. The nominated officer must be someone in the business.”
This requirement makes good sense: every organization needs a ‘fall guy’; a person who will personally feel the pain if the institution is not compliant. That person should have enough ‘skin in the game’ to be able to credibly drive the organizational effort and ensure the FI is operationally compliant on a day-to-day basis, and that breaches are limited and do not go undetected.
The recent news about several large European banks’ AML failings makes us realize yet again that reality is not working this way, so let me share two observations:
- In many countries this requirement to appoint a ‘nominated officer’ is not as clearly stipulated as in the UK. As a result, organizations interpret the requirement to be compliant in different ways and take different and often inadequate measures. Quite often this also implies that there is not one function or person responsible, but that the tasks and responsibilities are spread throughout the organization. As we have seen in the case of ING, such fragmentation significantly impacts the ability to hold any single person accountable.
- Some FIs allocate the role of ‘nominated officer’ to the Compliance function – the 2nd line-of-defense. This ‘solution’ is a mistake for several reasons.
  - Firstly, and most importantly, this violates a fundamental premise of the ‘three lines of defense’ doctrine, namely that it is the first line-of-defense, the business, who ultimately takes responsibility and accepts accountability for AML compliance.
This suggested ‘solution’ also has significant operational pitfalls:
- size – the Compliance team is often (too) small relative to the entire organization and hence it’s difficult to know and monitor everything that’s going on in an organization;
- reach – even if the Compliance team is staffed adequately it’s challenging to reach every corner of any organization;
- seniority – the Chief Compliance Officer is often not positioned at a senior enough level to have the necessary impact on the business;
- responsibility – the Compliance function itself often defines its responsibility in a narrow sense and doesn’t take ownership of achieving operational compliance;
- knowledge – a Compliance team often lacks the required (detailed) knowledge of the day-to-day operations to know what’s going on and understand if risks are managed properly.
In other words, the impact of the Compliance team on the 1st LoD is limited. As all core activities in an organization are executed in the 1st LoD, the 2nd LoD has very limited control, oversight and responsibility over these activities. It makes much more sense for the nominated officer to be the spider in the web of the business.