Quotes: ‘Money laundering is for drug dealers and terrorists. We do not have any exposure’; ‘We have never checked against AML lists. Competitors don’t do it. Why would we?’; ‘Lawyers just don’t understand business. That’s just scare tactics’; ‘Yeah, we do have compliance. They don’t generate any revenue’; ‘We here in compliance can preach. But we cannot stop business.’
If these quotes sound familiar, you are in good company. They come from CEOs, legal counsel and CCOs of German companies, very visible corporations as well as hidden champions, big and small alike, and show a noteworthy underappreciation of the pitfalls companies face. But also of the opportunities they have.
The European Commission has recently pledged itself to further tackle money laundering as it feels the Financial Intelligence Unit as well as Europol have not been successful enough in fighting money laundering. That, against the backdrop of 2017’s AMLD4 and 2018’s AMLD5 (that will take full effect in January 2020) which require much from all kinds of companies (including SMEs). Germany has adopted the directives (AMLD5 will be implemented through a new AML Act by the end of 2019).
Money laundering in Germany is a criminal offence that has been around for quite some time now and has hardly been fiercely enforced by investigators. Partly because their ability to uncover money-laundering schemes have been limited by data protection legislation and weakly-recognised reporting obligations. This is changing rapidly, as AMLD4 and 5 have created a tight system of compulsory mechanisms within companies that will make money laundering much more likely to come to light.
When we think money laundering, we most commonly think of organised crime and terrorism. That is what he criminal offence was meant to address in the first place, when it was introduced in 1995. However, nowadays you will have committed money laundering when you at least help concealing proceeds of crimes from trafficking and the like, but also fraud, theft, tax evasion, patent law offences, capital market offences and many others. The nasty part here is: you do not even have to know that something you accept from another person stems from criminal activity, as long as you at least negligently assess its origin. If you could at least have known that your business partner got his money from one of those crimes (think tax evasion eg), and you accept it nevertheless, you could be guilty of money laundering and therefore be charged.
Probably many people will be surprised by the scope of the offence but still think ‘We never had a criminal investigation. Why should it happen to us now?’ (or along those lines). That is, of course, what most of our clients have thought before they were raided by prosecution. And given that the (just the German) Financial Intelligence Unit has multiplied its personnel (by a factor of 20 just within 2019) along with the fact that AML obligations within companies have become much stricter through AMLD 4 and 5, this attitude does not show a proper risk assessment that is fit for the future.
Denominators and trends
Thinking AMLD 4 and 5, almost everyone will know of the €10,000 cash threshold (used to be €15,000). Accepting cash above that line will trigger AML obligations, among which are identification of business partners, documentation, etc. Many will also generally know when they have to file SARs (Suspicious Activity Reports) and what KyC-measures (Know your Customer) have to be taken and when. But did you know that most companies under the new AML laws will have to have a continuous risk assessment? Did you know that there is a risk of personal liability for AML officers but also for board members as well as low-level employees if the company fails to have a proper AML compliance system?
It is not only AML laws that are about to change. One hot topic in Germany right now is the introduction of a proposed corporate criminal liability. The bottom line for AML cases – very different from criminal investigations in the past – is this: German criminal law will widen its extraterritorial reach. Companies will be prosecuted in Germany if their employees and some of their business partners commit a business crime in another country. Even if the company (especially the board) itself did not know of the crime. Also, the principle of legality will be introduced for the prosecution of companies. That means that prosecutors will have to investigate. There is no leeway. They will have no choice but to prosecute.
AML usually comes in three steps. Placement (where you mix clean money with dirty money), layering (when you move money around to disguise its origin), integration (where you spend the money on luxurious, expensive items). AML legislation aims at these three steps. Investigators see trends here: according to a recent Europol AML report, two of the most important issues for AML in the near future will be the use of shell corporations in real estate and the use of crypto currencies (both addressed explicitly in AMLD5). The former gets its claim to fame from the so-called Panama Papers. The well-known scandal showed the use of shell corporations that have been established in, for example the Cayman Islands. Those companies get loaded with money and then buy expensive real estate without having to apply for a loan at a bank. Therefore, they avoid bank scrutiny and the AML mechanism of integration can be effectively handled. The latter is easily explained, too. If you have a piece of code (crypto currency) that is worth a lot of money and can be transferred to anyone in the world without the use of banks, the supervisory and reporting function of the banking system cannot take effect and therefore the ‘layering’ aspect of money laundering becomes very easy.
Good measure and best practice
However, the problem for most companies will not be willing participation in a money laundering scheme. But what if prosecution believes you should have known, and you negligently did not know, that money you accepted resulted from a criminal offence? We need to realise that any company can (unwillingly) be used for money laundering by criminals. And if the company then failed to file an SAR – even negligently – it will have committed an offence (either criminal or administrative, both can be costly). If, for instance, one of the debtors starts paying from an account that belongs to another company – with no known affiliation to the debtor – that will raise a red flag. There are many of those scenarios that have to be flagged in any given company and therefore would call for an SAR.
This is where good compliance management really comes into play. It should be competent enough to reduce the risk of (negligently) falling for an AML scheme. AMLD 4 and 5 present rather specific obligations that the CMS would have to abide by, as does the AML Act 2018.
In this lie opportunities: A company who is demonstratively a ‘good corporate citizen’ will not only be better at preventing AML offences. They will also have a proper edge vis-à-vis business partners who require good compliance, as well as vis-à-vis prosecution who must be able to trust in the company’s sincerity at being compliant. Part of every compliance management must be to know all the risk scenarios a prosecutor would look into and train staff accordingly. It takes a lot of experience to find the right risk scenarios for any given company and also assess their likely impact. But in this day and age, closing one’s eyes to the problem is not an option. You cannot hedge a problem if you do not know exactly what kind of exposure you really have.