AsiaRi s k

DERIVATIVES

Dirty Derivatives
Regulatory interest has been rising in the use of derivatives for money laundering for the past decade. New regulations in the US and Australia underscore the importance of traditional know-your-customer, knowyour-employee and anti-fraud measures, says Rohan Bedi

audit trail. And with banks tightening their erivatives are an attractive product for controls, launderers are now turning to other sectors. money laundering and, with the retailisation of Rogue traders covered up trading losses markets, also potentially for terrorist financing. in the 1990s using derivatives, which attracted Over-the-counter derivatives markets are regulatory attention. The tragic events of particularly vulnerable to fraud and market September 11 heightened the AML/CFT focus. manipulation. Many factors make derivatives The revised Financial Action Task Force (FATF) attractive to criminals: the liquidity of the 40 principles of 2003, which bring in stricter markets; profit potential (even if the risks are AML/CFT and know-your-customer (KYC) high); ability to transfer funds globally; the lack standards, also specify 20 offences for money of historical oversight for the purposes of antilaundering, including terrorist financing, money laundering/combating the financing of corruption and bribery, fraud, insider trading and terrorism (AML/CFT); and the ability to blur the market manipulation. A derivatives broker-dealer with poor controls in any of the above areas Typical AML/ CFT program failures could potentially find itself in violation of The author has witnessed various reasons for the failure of anti-moneythe AML laws of the country. laundering programmes, such as the folllowing: Most common deficiency is in independent testing reflecting the Oppenheimer & Co in New York, for development need of internal audit staff Not looking at the whole business ie, branch-offices, outsourcing, example, paid a penalty of $2.8 million in M&A, automated systems aggregation of customer information December for a lax AML programme. Implicitly adopting an STR filing standard of knowledge whereas the law requires reasonable grounds to suspect Indeed, the US Securities and Exchange Lack of communication between introducing and clearing firms Commission (SEC) states that 58% of the Poor training and awareness program not customised to business model/risks and not useful to employees result is a weak culture AML compliance examinations Firms lacking in automation failed to fully screen clients against sanctions lists/ law enforcement requests conducted on securities firms in 2005 Lack of a qualified and empowered compliance officer revealed deficient programmes. Silos where for example, back-office staff talk to no-one Quality issues, such as reports being filed late, incomplete and failing to Laundering in the derivatives provide relevant detail. markets is often a violation of both the 1

June 2006

AsiaRi s k
DERIVATIVES securities and AML laws. And supervisors are now demanding more transparency and better controls at derivative broker-dealers. Perception of legitimacy The whole concept of laundering is about bringing more legitimacy to the perception of monies held by the launderer/nominees. Cheques from well reputed derivatives broker dealers enhance legitimacy, particularly if the launderer can show that the cheques are the proceeds from investments carried out over a period of time. The three stages of international money laundering are: the placement stage that puts cash from crime for example, drug trafficking into the financial system; the layering stage, which consists of numerous transactions designed to distance the money from its criminal origins; and the integration stage, where the money finally gets invested in, say, property or securities. If cash is not accepted by derivatives broker-dealers, the basic risks are in the layering and integration stages. Types of industry risk We will first review the specific industry risks companies are exposed to from money laundering before discussing firm-level risk management issues. Futures market wash trading: Blurring the audit trail in the exchange-traded futures market is quite easy with the help of a complicit broker. There is no need to even make a false entry or accept any false documentation. The broker holds two contracts in offsetting positions and assigns the trading loss to the dirty-money account and the trading gain to the clean-money account this is know as wash trading. The difference is the cost of laundering money. The dirty-money account is typically held on paper by a seemingly unlinked party. This
June 2006

Rohan, Bedi: changing company culture is a huge challenge

structure is sometimes used to bribe politicians through accounts of a politicians friends and relatives that is, accounts of politically exposed persons. Capcom Commodities, the BCCI commodity trading affiliate, exploited the futures market to launder money in the 1980s. Forward market offsetting positions: This method is used in layering once the money is placed into the system to add a layer of legitimacy, or at the placement stage if the broker-dealer accepts cash. The launderer buys spot and sells forward, or vice versa. In a market rally, one transaction records a capital gain for example, spot when the launderer liquidates the transaction. The other in this case, forward transaction has a notional capital loss that the launderer avoids by cancelling the trade and paying the broker the loss amount. The complicit broker then destroys the record of the losing transaction and the launderer exits with a capital gain. The laundering cost is the double commission plus any extra money

AsiaRi s k
DERIVATIVES paid for the brokers silence. Such a scheme might typically take place in a smaller firm. Options trading: Frequent transactions with modest capital gains say, through options trading in currencies, commodities or stocks would not attract as much attention as, for instance, a large real-estate gain. Launderers can also use off-market derivatives trades non-standard direct contracts between bilateral parties to show capital gains. By structuring these transactions with offshore companies that they owned/control, launderers can show some losses (to appear legitimate), but with larger profits. Client-originated insider trading: The World Bank states: Derivatives that replicate insider-trading opportunities (for example, a synthetic version of a company stock subject to merger or takeover) can be used to avoid detection of an unusual change in a listed stock price. Hence, significant trading positions taken on a specific stocks options could highlight client-originated insider trading. In securities fraud, it is common for insider trading to be done through offshore entities, with the perpetrators hiding behind nominees. Swaps smoke screen: More broadly, derivative products such as swaps (interest rate, foreign exchange) add a layer of legitimacy to company funds, giving the perception that regular business is under way for which risks are being managed. OTC swaps have been used by large companies such as Enron to take profits from schemes manipulating the natural gas sales market. New derivatives-trading platforms auto trade: Trading platforms have also evolved, and auto-trading on options/futures enewsletter recommendations is now available with reliable broker-dealers and access to an online account. This creates a new channel for layering/ investing monies, as the launderer no longer needs to rely on a private banker or any other adviser in face-to-face interactions. With retailisation of the derivatives markets, low-value trades say, $5,000 or less can be done, and this creates terrorist-financing vulnerabilities. Terrorist profiles include individuals with petty criminal records who are self-financing. Client pressure: The launderer allows an open position to become under-margined. The broker-dealer would be keen to reduce its credit risk and may become vulnerable to accepting monies from unknown sources. The launderer funds the account and closes the position, making a loss but converting the proceeds of crime into a clean cheque from the firm, supported with a record of trading activity.

The three AML risk models The standard AML risk management models employed globally by banks cover the following risk areas: geography and country; business and entity; and product and transaction. The methods used by launderers to enable them to carry out transactions include the use of intermediaries, offshore structures and special-purpose vehicles. Higher-risk scenarios include: The use of complex corporate and accountholding structures for example, layered structures, including offshore trusts, shell companies (including bearer-share companies); nominee shareholders/ authorized signatories/directors (including corporate directors); and professional intermediaries. Launderers exploit the fact that information about the beneficial ownership of legal entities and arrangements in offshore financial centres can be difficult to obtain, other than the basic registration details. Broker-dealers should note that while offshore shell companies can be legitimately used as private investment companies for 3

June 2006

AsiaRi s k
DERIVATIVES holding assets, they are also misused by criminals and terrorists. Shell banks continue to play a role in laundering schemes; the US Treasury s Financial Crimes Enforcement Network (FinCEN) seventh SAR review identifies several east European countries with shell banks and shell companies. The SAR review provides feedback to financial institutions about suspicious activity reported to FinCEN. Customers who are politically exposed persons (PEPs) are a significant laundering risk, especially if they are from a highly corrupt country. PEPs in certain countries may also have a connection with terrorist financing. Introduced business, where a broker-dealer may place undue reliance on the due diligence conducted by an introducer. The US Office of Foreign Assets Control (Ofac) (US sanctions) identifies high-risk areas for Ofac transactions, which include OTC derivatives and online transactions. Wire-transfer activity should be subject to heightened scrutiny. Monitoring of this area should include review of unusual wire transfers, including those that involve an unexpected or extensive number of transfers by a particular account during a particular period and transfers involving certain countries identified as high-risk or non-cooperative. The big risk is of rogue employees. While this risk is not unique to the securities sector, the large sums of money involved, combined with a weak AML culture, may expose a derivatives broker-dealer to greater risk (see also Know your employee). Supervisors worldwide are increasingly targeting corruption associated with PEP accounts. Subscription to a good know-yourcustomer database of PEPs, suspected criminals and terrorists is a must, using good namerecognition technology. Money laundering risks are mitigated to the extent that a derivatives broker-dealer adopts one-account, same-account policies for receipts/payments and does not allow cash

Settlement Arrangements

June 2006

    

Moreover, in developing a detailed listing of unusual activity, a derivatives broker-dealer should take into account local risks and market practices. A transaction may not always appear suspicious if reviewed in isolation, and comparison with history/peers may be necessary. Close attention is needed to any transactions that appear to be linked. Depending on volumes, technology may be required for AML/CFT monitoring, especially for online broker-dealers.

Unusual Activity Examples

Main risk country by transactions/business or domicile is high-risk/ non-cooperative Complex offshore ownership structures and difficulty in identifying the ultimate beneficial owners Suspected nominee relationships A corporate customer lacks general knowledge of its own industry A customer exhibits an unusual level of concern for secrecy Unknown third party connections in account funding or in account operations Lack of concern regarding investment risks (eg, tax), commissions, transaction costs, or losses. A complete disregard for due diligence / research in connection with the investments Unusual requests not in line with firms products Residential address is a post office box or lawyers office

Transaction Patterns

Matching buys and sells in futures (wash trading) in apparently unrelated accounts Frequent derivative trades resulting in losses raising issues on the clients knowledge A customer engages in extensive, sudden or unexplained wire activity (especially with high-risk/ noncooperative countries) Series of small cash deposits over a few days Transfers between unrelated accounts especially if employee accounts involved A large number of transactions across a number of countries which do not appear justifiable Insider trading - offshore companies doing large derivative stock trades in a specific company Funds held in derivative accounts not being used for trading and requests for payment Monies routed through and account closed

The instructions on the client file does not match the settlement instructions on the transaction Large or unusual settlements of transactions in cash or bearer form Requests for payments to third parties (eg, offshore companies)

After investigation, classify as Suspicious

AsiaRi s k
DERIVATIVES deposits. Derivatives broker-dealers with exposure to the US markets should also be aware of the extra-territorial powers implicit in the US Patriot Act. The US Internal Revenue Service qualifiedintermediary certification also affects the KYC standards adopted. Know-your-customer vulnerabilities These largely depend on how the trading account is set up. A securities account can be opened by the customer or on his behalf, in person or by remote means (such as the internet), by a thirdparty introduction or with indirect relationships through omnibus accounts of institutions. Vulnerabilities arise if, for example, online account opening is not matched by proper verification processes; beneficial owners are not identified for nominee relationships or complex ownership structures; the omnibus account is held by an institution or in a jurisdiction that is not regarded as equivalent (that is, regulated to FATF standards); or reliance is placed on an unsuitable broker or adviser. More generally, market-trading characteristics create a smoke screen. The FATF states: The way derivatives are traded and the number of operators in the market means that there is the potential obscuring of the connection between each new participant and the original trade. Furthermore, no single link in a series of transactions will be likely to know the identity of the person beyond the one with whom he is dealing. KYC profiles The key to recognising suspicions is knowing enough about the customer and the customer s normal activities to recognise when a transaction or instruction, or a series of transactions or instructions, is abnormal. The typical profile of a derivatives customer would cover the nature of
June 2006

the transaction, value, volume and frequency. These profiles will differ depending on whether the derivative products are OTC or exchangebased. Regulators expect the private-banking sector to have more stringent due-diligence standards than other sectors because of the inherently higher risks. The US definition of private-banking operations is where assets under management are $1million or more, and a dedicated relationship manager is allocated to a client. If private-banking AML standards/ definitions apply, a more rigorous KYC process drafted on Wolfsberg guidelines for private banks, covering information such as clients businesses, source of funds, cash assets, source of wealth and so on may be necessary to collect and independently validate the relevant information. In any case, this would be best practice for high-value relationships even if regulations do not specify such an approach. Tone at the top Clients of one bank that lost millions of dollars in derivative transactions thanks to unscrupulous derivatives dealers recently led a lawsuit charging the bank with, among other things, a criminal corporate culture. Changing culture is a huge challenge. The tone at the top has a significant impact on programme quality. It directly determines the investment in technology, the firm-wide approach to information-sharing and the seriousness with which business functions regard AML/CFT requirements. A periodic repetition by senior management of the key message of good-quality business in the context of a bank s role in AML/CFT is essential. Adoption of best practices such as the UK Money Laundering Reporting Officers Annual Report to senior management would also help develop the tone at the top. 5

AsiaRi s k
DERIVATIVES Building culture without silos Compliance officers are in the unenviable position of having to manage investment advisers and brokers who are commissiondriven, over-worked and hyper-competitive. Derivative broker-dealers need an integrated approach to detecting suspicious activity. The front-line staff are central, but they do not see everything. Other parts of the firm such as the back-office staff need to be brought into the AML/CFT loop. As Lori Richards of the US SEC says, firms need to avoid the silo problem that was highlighted by the AmSouth Bank case, in which the AML compliance group did not receive key information to allow it to make informed decisions. An inadequate compliance culture can manifest itself in several ways, such as: An attitude among junior employees that their suspicions and concerns are of no consequence. This is particularly dangerous, as junior employees are exposed to the dayto-day transactional activity that can place a derivatives broker-dealer on notice of suspicious activity. Failure to adequately document KYC information on file. Management pressure to transact. Over-zealousness in the attraction of new business relationships. Unwillingness to subject important clients to an appropriate degree of vigilance.

There are many components of an effective awareness programme that emphasise the firm s commitment to AML/CFT regulatory requirements and expectations: The awareness programme must be technology-driven. This would be achieved by having a firm-wide intranet portal to share information, including e-newsletters on case studies and KYC issues. Senior management ownership of the AML/CFT programme can be emphasised through technology channels. Compliance staff must be encouraged to attend business-unit meetings. Other tactical measures include screensavers, morning login messages, posters and desktop items, such as cubes. The message must be driven from the top and must be clear and consistent, to create a culture of compliance. The ultimate objective of any AML/CFT training/awareness programme should be to instil

New US and Australian rules

Under the US Patriot Act, a US AML/CFT compliance programme must provide for certain minimum requirements: the development of internal processes policies, procedures and controls; the designation of a compliance officer; the implementation of an employee training programme; an independent audit function to review and test the implementation of the AML programme; and a customer identification programme to identify the beneficial owners of funds and take reasonable measures to understand the ownership and control structure of customers that are legal entities or arrangements. The programme should be developed based on the boards risk-tolerance levels and should be board-approved. The actual programme will depend on the type of business, the size and complexity of operations, the breadth and scope of the customer base, the number of staff, and the firms resources. On top of following obligations similar to those of the US Patriot Act, securities and derivatives broker-dealers under the Australian 2005 exposure bill would also have to report international funds-transfers whenever reporting obligations are triggered; and include with the funds-transfer instructions the customers name, address and account number (in line with FATF special recommendation 7 for combating the financing of terrorism). These requirements create new information collection, monitoring and reporting responsibilities for regulated entities.
June 2006

AsiaRi s k
DERIVATIVES a strong intuition on AML/CFT issues in both frontline and back-office staff, as well as a riskbased decision-making process. But this is easier said than done. Know your employee Know-your-employee (KYE) programmes are vital for protecting a derivative broker-dealer s money and reputation. This is a particularly sensitive issue for private banks and other large derivatives broker-dealers that have high revenue target numbers to achieve annually. KYE processes must be risk-based. Internal audit plays a key role in any effective KYE programme. There are many signs that could indicate potential laundering/fraud by an employee for example, changes in employee characteristics, such as lavish lifestyles or avoiding taking holidays; changes in employee performance; or new business referred by a new employee in which the ownership structure of the entity is unduly complex. The nine levels of a KYE programme Pre-hiring background screening checks for risk management and to meet regulatory requirements, where applicable. Monitoring by verification with online databases to make sure an employee being promoted does not have a criminal record. A code of conduct specifying employees financial relationships that are not acceptable or other relationships that need to be controlled, such as insider trading, Chinese walls and so on. Regular employee declarations of bank accounts and shareholdings, including conflict-of-interest reports, every three months or so. Monitoring of employee account transactions above a certain threshold this can vary depending on the employee s status. Observing employee lifestyles and social connections to ensure they are a logical fit, given salary levels/status. This should happen in an unobtrusive manner. Employees assigned to service the brokerdealer s higher-risk client relationships and their client accounts should be subject to heightened scrutiny especially for new employees and high-value new accounts. Properly communicated whistle-blowing policies, with a dedicated channel that guards privacy, are necessary in order to highlight unusual activity. Checks and balances to ensure high-risk functions have adequate levels of oversight to avoid risk of employee fraud, particularly by senior executives. Internal audit reviews to test the overall effectiveness of all the above, including specific tests for insider complicity and collusion within the firm.

Anti-fraud vulnerabilities Studies highlight the key role of senior executives in high-value frauds and the fact that perpetrators are most often men. Fraud typically occurs due to internal-control deficiencies, such as inadequate skills and experience; lack of clarity in organizational structure; improper segregation of duties, poor whistle-blowing policies and channels; a weak anti-identity-theft programme that does not exploit technology fully, inadequate internal audit and follow-up action; or inadequate management oversight (where, for example, if an individual generates a significant profit, its reasonableness is not independently validated). Senior management should be explicit about the company s view on fraud through a

June 2006

AsiaRi s k
DERIVATIVES documented policy that is communicated to employees. Conclusion As we have seen, the expectations of regulators from derivatives broker-dealers with regard to AML/CFT has increased significantly, and attention to this issue should be the number-one priority of senior management. Nonetheless, supervisors do not expect zero failure. They expect firms to manage their financial crime risk as they manage other business risks. This means resourcing the activity adequately and putting resources where there is most marginal benefit, against the backdrop of their legal obligations. The priority for senior management has to be building an enterprise-wide AML/CFT culture backed by technology tools. Supervisors will look for documentation of a firm s decisionmaking process. Compliance staff must think laterally and make a creative use of feedback from law enforcement. Internal audit must recognise the importance of its role, and capabilities must be enhanced. Ultimately, it s all about effective implementation.
Rohan Bedi is author of the PricewaterhouseCoopers Singapore publication Money Laundering Controls and Prevention and the senior anti-money laundering implementation manager at an international bank. email: rohanbedi@rohanbedi.com www.rohanbedi.com
Disclaimer: the opinions in this article are the authors own and do not represent the organisations in which he works and is/was associated with.

June 2006