Guard against crime – inside and out


11 November 2012


Recent headlines about big banks that have failed in their anti-money laundering efforts have concentrated the industry’s minds on the threat of financial crime, but very often there is a focus on one type of risk. Heidi Suila of Nordea Bank is not alone in thinking that banks and regulators are on their way to taking a broader view of the various angles of financial crime risks, as Jim Banks reports.


Since the global financial crisis struck, there has been intense scrutiny on banks and their practices, and they have often been cast in the role of villain. As a result, the industry has been on the back foot and it has been trying hard to rebuild its image as a force for good. In order to regain its moral authority, it is imperative that the banking sector is seen to be rigorous in its fight against the external risk of financial crime and internal risk of dubious practices.

Combatting financial crime requires an ongoing effort and the allocation of significant resources to identify and neutralise risks that are evolving over time.

"The financial sector has historically had a narrow focus due to regulatory pressure, mainly on money laundering."

"In terms of financial crime, the risks change all the time," says Heidi Suila, group financial crime compliance officer at Nordea Bank. "For example, 20 years ago, there was no cybercrime, or at least it wasn't visible. The scope of financial crime is evolving, but
the financial sector has historically had a narrow focus due to regulatory pressure, mainly on money laundering. There should be a more holistic view of everything, from tax evasion to bribery."

It is understandable that the eyes of the regulators are falling on money laundering. Stories that have hit the front pages of the newspapers recently about lapses in anti-money laundering (AML) safeguards have done the industry's reputation more harm at a time when it is trying to rebuild trust.

The headlines stem from a concerted effort by regulators across the world to clamp down on banks that may have - knowingly or unknowingly - laundered money from suspect sources, whether they are terrorist organisations or drug cartels. Their intention is to force the industry to clean up its act or face severe penalties.

Anti-money laundering investigations

New rules covering issues such as bribery, tax evasion and money laundering are being introduced that require banks to monitor the clients' money movements more closely and report suspicious transactions. They make it clear that it is unacceptable to turn a blind eye to crime and corruption.

Currently, there are over a dozen investigations underway by the US authorities into illicit money flows, and the names in the spotlight could not be bigger; for example, UK-based HSBC is in the frame regarding movements of money from countries such as Iran, Mexico, Saudi Arabia and Syria. The compliance standards of the bank, which has set aside $700m to cover possible fines from the regulators, are under the microscope.

"There are over a dozen investigations underway by the US authorities into illicit money flows."

Standard Chartered is also under investigation for transactions allegedly linked to Iran, against which financial sanctions are in place because of its nuclear programme, while Bank of America is being probed for accounts allegedly operated by a criminal organisation in Mexico. Such cases follow last year's fines levied on JP Morgan for violations of sanctions programmes.

"Despite the recent stories that have emerged about some large international financial institutions, AML is a big challenge that demands attention and resources, and therefore any large international bank gives a significant amount of attention to it," says Suila.

"How difficult is it to prevent money laundering completely? Very difficult indeed. It is the same with any kind of crime; it is hard to eliminate it 100%. You need to have the right kind of risk awareness and a clear understanding of roles and responsibilities among skilled employees, with robust routines, systems and controls in place to identify behaviour and transactions that are not in line with your customer profiles."

Financial crime

In such a climate, it is tempting to think that AML should be the main focus for regulators, but Suila is among many in the banking sector who think that there must be a wider scope in efforts to combat financial crime. Focusing too intently on one may only lead to other aspects of financial crime being missed.

Fighting financial crime effectively relies on basic principles that must be rigorously applied in the context of an understanding of all the different risks. Targeting one kind of risk, like money laundering, may result in the industry not being able to see the wood for the trees.

"At Nordea, cybercrime is prevented with software. IT security comes through software and training, both of which are very important."

"To get a holistic view, you need to start with each individual financial institution taking a strategic view of what the risks are to its organisation," says Suila. "The risk-based approach is what is expected from us. Each financial institution will approach those risks in its own way.

"At Nordea, for example, cybercrime is prevented with software. IT security comes through software and training, both of which are very important. We are not the world police, so we have to focus on our own internal security policy, which also involves an awareness programme for our employees. IT security comes through software and training, both of which are very important."

On the technology front, the move to service-oriented architecture under initiatives like the Banking Industry Architecture Network (BIAN) provides an opportunity to examine the strengths and weaknesses of existing IT infrastructure and the processes that surround it.

"It gives us a chance to look again at the controls that are in place - for example, if there are gaps, then we can make corrections in the approach; if the change in IT creates more risk and whether we need more quality assurance in place," says Suila. "Streamlining processes is not necessarily negative in terms of risk management. You must identify the trigger points within the organisation, which requires training and specialist resources. So, that needs to
be prioritised."

Know your customer processes

Training is as important as technology in the fight against financial crime, as is proven by the value of know your customer (KYC) processes in mitigating risks. KYC is not only key to the identification of possible money-laundering activity, it also plays a significant part in recognising and acting against other types of financial crime.

For a bank, security and compliance are as much about how it manages the relationship it has with its customers as they are about technology.

"Solid KYC routines cannot be replaced by a system," says Suila. "It needs the people working with the customers to be aware and vigilant. You can't replace the human eye.

"Banking is all about risk management, but risk is a moving target that demands constant vigilance."

"The recent news stories about money laundering have publicly aired the issue and made it clear that there are big fines for banks that have failures in their AML controls. I would think that most large international banks analyse these big incidents and try to become better in our own risk management processes."

For Nordea and other financial institutions, the ongoing effort to keep up with the constantly evolving methods of financial crime is characterised by a close review of internal controls and policy, as well as investment in new technology and processes like KYC. A successful approach is one built on two strands:

  1. looking inside the organisation to ensure compliance with policy and provide training to ensure staff understand all the relevant processes
  2. mitigating the risks posed by forces outside a bank.

Banking is all about risk management, but risk is a moving target that demands constant vigilance. The news stories that are so damaging to the industry's reputation have a silver lining in as much as they provide valuable lessons for financial institutions.

"Banks cannot close their eyes and ears to what is happening elsewhere," says Suila. "If we did, we would not be good risk managers. There is no status quo. Banking changes fast, as do the risks posed by criminals, so risk management has to change as well."

Banks and regulators are taking a broader view of financial crime risks. The banking sector needs to be seen as being rigorous in its fight against the external risk of financial crime and internal risk of dubious practices.
Heidi Suila is group financial crime compliance officer of Nordea Group. She has held numerous positions within the company and was appointed group AML compliance officer in 2005. Since then, Suila’s responsibility has increased to cover other areas in financial crime risk management.