Mark Pieth and Gemma Aiolfi

‘There is a tide in the affairs of men Which, taken at the flood, leads on to fortune; Omitted, all the voyage of their life Is bound in shallows and in miseries . . . And we must take the current when it serves, Or lose our ventures.’[^1]

INTRODUCTION

This paper examines how the Wolfsberg Anti-Money Laundering Principles[^2] came into being; it charts their subsequent development and also looks at what the Wolfsberg Group of banks may tackle in the future.

The first part of the paper deals with the placing of this industry-led initiative into its recent historical context. The background to these developments is outlined, as well as the interaction that has emerged between the various legislative and ‘soft-law’ initiatives that continue to contribute to the growing body of anti-money laundering rules. The prospects for expansion of the Group itself are also addressed, as are some of the possible implications that this might have on its workings.

WHY THE PRIVATE SECTOR BECAME ACTIVE

One point that the critical discourse on multinational enterprises has long maintained is that conglomerates, major industrial groupings and the financial services industry may have larger turnovers than the GDP of many a small state and wield even greater power, not only within the countries where they operate but also on the world stage. At the national level, the power of multinational enterprises has traditionally been channelled through lobbyists with the aim of influencing legislative initiatives that impact their businesses. But, given the dynamism of globalisation, it would be logical for the private sector to take a more proactive approach in influencing regulations and defining their own rules, particularly at the international level. In the context of the development of anti-money laundering initiatives this subject is even more acute. Why have companies only become active since the end of the 1990s and why, for more than a decade, did they leave the definition of the rules against money laundering entirely to regulators?

In 1988 the banks requested the influential G7 countries and others to clamp down on illegal drug markets. US banks in particular had already learned to live with routine cash reporting (Cash Transaction Reporting),[^3] which dated back to the provisions of the Bank Secrecy Act of 1970 and were regarded as the acceptable price to pay for being involved in the fight against organised crime. Although ‘know your customer’ (KYC) policies were not unknown to US securities firms as a result of the New York Stock Exchange Rules, banks were not, however, prepared to engage in serious KYC policies and customer due diligence (CDD). These concepts were regarded as intrusive, costly and over-burdensome, and they were seen as European notions that did not fit the American banking tradition. It is appropriate to recall in this context that the original US delegation to the Financial Action Task Force (FATF) in the autumn of 1989 had no desire to promote KYC policies or the reporting of suspicious transactions. At that time their primary interest was to create worldwide control mechanisms over money flows, both cash and — insofar as it was possible — over electronically transferred funds. There is nothing to suggest that banks themselves held different opinions to their regulators at that time. By focusing on the transfer of cash the emphasis was placed on the so-called placement stage of money laundering, namely the initial depositing of currency into the financial system. The complexities of the subsequent layering and integration stages were thus not tackled directly. This approach may have been adopted for various reasons — perhaps because measures to counter money laundering in the latter stages were regarded as too costly, or because the tracking of cash would, theoretically at least, solve the problem at source, thereby rendering any further controls at later stages redundant.

The developments in the late 1980s appear to have caught the banking world unawares, not least because the supervisors of the UK, France and Switzerland teamed up and managed to strike a deal with the US regulators in the context of developing the FATF 40 Recommendations[^4] into which the Europeans introduced their own concepts, which included attaching to the process one of the most rigorous enforcement mechanisms known thus far in international law. The CDD rules in the FATF 40 Recommendations were created by taking a combination of national strategies and an early international recommendation of the Basel Committee (the Basel Statement of Principles (BSP) of 1988.)[^5] The KYC provisions in the Recommendations drew on Swiss law and the BSP’s increased diligence in unusual circumstances; reporting obligations had their roots in UK guidance notes. In return, the USA essentially obtained in the FATF recommendations the endorsement of what had been achieved in the Vienna Convention of 1988,[^6] namely the commitment of the international community to criminalise money laundering, to forfeit ill-gotten gains and to share information, even though at that time it was still restricted to the topic of drugs.

Throughout the following decade bank supervisors at the national level struggled with their banking communities (and later the non-banks) to implement these regulations. The outcome was the creation of a patchwork of rather diverse rules which had the effect of immediately increasing regulatory competition and regulatory arbitrage, thus enabling the money launderer to profit from these discrepancies between the various financial centres. The 1990s saw the progressive extension of anti-money laundering legislation to cover the transfer of proceeds of other serious crimes, but in relation to CDD at the international level things quietened down and nothing happened for nearly a decade (until around 1999). This was particularly disquieting for internationally active banks because they had to apply all of these standards concurrently — and at the same time they constantly risked losing clients to competitors who were operating under a more flexible regulatory framework elsewhere.

The need for greater harmonisation became ever more apparent, yet banks waited for regulators to make the next move. However, eventually the banks realised that this move would probably not be made for the foreseeable future, not least because between 1996 and 2000 the FATF had developed other priorities and was focusing on offshore centres and specifically on the so-called non-cooperative countries and territories (NCCTs) rather than further refining its own standards and performance.

The Basel Committee of Banking Supervisors (BCBS) and also to some extent the Working Group on Bribery of the Organisation for Economic Cooperation and Development (OECD) each, independently of the other, started to take the view that more work on CDD should be done. Supervisors and central bankers worldwide had become increasingly concerned about the risks that offshore havens posed to global financial stability, although concrete evidence for these concerns is difficult to ascertain let alone quantify. The issues were addressed on a macro level by a specialised group in the Financial Stability Forum (FSF).[^7] The BCBS picked up the direction given by the FSF but pursued its analysis on a micro level in that they looked at the need for the regulated banking area to fend off risky clients. In a sense this initiative mirrors the efforts of the FATF in relation to NCCTs, but it gives it a different thrust — cleaning up one’s own house and controlling the entry points rather than picking on the non-compliant with the aim of getting them to conform.

The OECD’s Working Group on Bribery — which had just concluded a far-reaching Convention on combating bribery in business transactions[^8] — had started to expand its scope of work by looking at the abuse of financial centres by way of bribery. This development proved to be important because in the same context Transparency International, the non-governmental organisation specialising in combating corruption, launched an initiative with some of the key private banks to help prevent the misuse of financial centres for the creation of slush funds, bribe payments and bribe money laundering. The timing seemed particularly apposite as US banks had just experienced serious problems with key Russian clients and at the same time Swiss, British, Luxembourg and US banks had demonstrated a singular lack of compliance with anti-money laundering concepts in the case of the Nigerian ruler General Abacha and his family. The damage to the reputations of the banks involved was serious and further exposure was contained in the report by the US sub-committee on private banking,[^9] which levied criticism by pointing to specific failings and weaknesses not only with respect to the banks involved but also with regard to the nature of global private banking. These developments contributed to the creation of a climate of change — with the notable difference that this time the affected banks themselves decided to grapple with the issues.

DEVELOPING THE INDUSTRY STANDARD

At an early stage in the Wolfsberg process, facilitators talked to key US and European banks to convince them that getting together and defining a common anti-money laundering (AML) standard could be beneficial for the banks as well as wider society. It was also clear that such a development could help to create a level playing field for banks in terms of competition. If picked up by regulators, a common standard could also help reduce the diversity and uncertainties — a net effect of which would be to cut risk-management costs. From the perspective of combating corruption and profits obtained through the abuse of power as practised by potentates in particular, the banks’ effort to review their procedures and internal rules could make it harder for clients to circumvent the then new anti-corruption laws by engaging in offshore transactions.

The participating banks were very cautious in the early days of the initiative as it was a novel process the outcome of which was not certain. The criteria for extending invitations to banks to join the group were based on the significance of their private banking activities and aimed at ensuring a geographic spread as far as it was possible. Some banks needed a lot of convincing, especially by their peers, to join the process. The initiative really took off after the first meeting in October 1999, when the two leading banks decided that as a first step they would exchange their internal corporate AML compliance rules. The Group subsequently decided to extract a common denominator on which to build a standard. The original Wolfsberg Principles were the result of these early efforts. The first revision of the Principles was published in May 2002 and came about partly as a result of the usual internal updating that Group members had undertaken in the intervening period, as well as in response to new developments at the international level such as the Basel Committee’s ‘Customer Due Diligence for Banks’.[^10] This process indicates that the development of the Principles was clearly not an end in itself, and that further evolutions in the Principles are to be expected. The working dynamics of the Group have similarly progressed as the expeditious drafting of the Wolfsberg Statement on the Suppression of the Financing of Terrorism showed; the Statement was published in early 2002.

An integral part of the process has also been the Group’s efforts to make the Principles accessible and practical to other financial institutions who may want to apply them. To assist these institutions, the Group has tackled some of the details of the Principles in the ‘frequently asked questions’ section of its website. These guidance texts and commentaries are formulated by sub-working groups composed of experienced and senior personnel drawn from the participating banks.

To round off the initial process, the Wolfsberg Group held a media conference in October 2000 to publish and publicise the Principles. The international press was intrigued and many journalists as well as regulators asked, ‘So what’s new?’ and, ‘Will these Principles defeat money laundering?’ The conference also raised — and continues to raise — questions about the message this Group is sending to regulators: in taking the initiative, are the banks reacting against further regulation in an already highly regulated industry, or is it a move by the private sector to complement the regulatory framework?[^11]

WHAT IS THE REASONING BEHIND THIS INITIATIVE?

As a voluntary code of conduct that focuses on private banking, the Principles are specific to this business segment. At the same time, however, they are also broadly drawn and in certain areas downright vague. It is also correct that the first version of the standards does not revolutionise CDD, it builds on some advanced but well-established concepts of identification and increased diligence in unusual cases. It addresses the issue of how to identify beneficial owners, but remains unspecific on the matter of delegating CDD to third parties, be it to agents or other financial institutions (especially correspondent banks).

Whilst they are not a panacea for combating money laundering, the Principles do have the potential to bridge the ‘transatlantic gap’, bearing in mind that up until quite recently the USA had a hard time toughening up its AML laws: proposals by President Clinton to tighten the regulatory regime were rebuffed by the Republican-dominated Congress, which was opposed to meaningful change at the time.[^12]

The real strength of the Wolfsberg Principles, however, lies in the fact that the participant banks commit to apply the rules to all their operations at home and abroad, including in offshore centres. If it may be assumed that the Group members make up more than 60 per cent of the world market in private banking, with perhaps 50 per cent of the market share in each key offshore destination, in practical terms these rules have great potential for becoming the leading principles throughout the industry.

Although it is difficult to second guess the motivation of the individual participants to join this initiative, there can be little doubt that the various risk elements (that are actually described in the Basel CDD paper)[^13] must have been uppermost in the minds of the bankers invited to attend the initial sessions. Moreover, it should be remembered that the requirements set out in the Basel CDD paper and the FATF recommendations are aimed at national supervisors and are guidelines for minimum regulatory standards. But the implementation of rules and any subsequent amendments takes time. This time lag was perhaps one factor that prompted the banks to get active on their own behalf: the need to counter risk in a comprehensive manner had become a paramount question of credibility for some banks, and they could not wait for piecemeal legislation. It is also the case that although the aforementioned guidelines are essentially aimed at regulators, the banks also recognise that influence can be exerted at the national level, because governments will always look at what has been going on in terms of self-regulation. Given that the private sector has adopted best practice whilst drawing on a variety of traditions, the Principles will almost certainly impact any proposed legislation at national level in this area.

It has also been correctly observed by critics that these Principles lack a specific enforcement mechanism. However, monitoring is indirectly provided by supervisory institutions, with whom the Wolfsberg Group meet on a regular basis. The standards have provoked regulators to be substantially more specific than they were in the 1990s.

ESTABLISHING A RISK-BASED APPROACH

Even if the CDD rules prepared by the Basel Committee were already well advanced in their preparation when the Wolfsberg Principles were published, and even though the CDD paper makes only brief mention of Wolfsberg in terms of it being a voluntary code of conduct that may underpin regulatory guidance but is no substitute for it, it is nevertheless virtually certain that these papers mutually influence each other.[^14] The Wolfsberg Group is continuing the self-critical process in the light of the Basel Committee text and will make further amendments to the Principles in due course. This reciprocal process could also be ascertained in subsequent meetings between the banks and regulators in the years following the publication of the Principles. This ‘dialogue’ is perhaps most apparent in the final paragraph of the Wolfsberg Statement on the Financing of Terrorism. The list of areas for further discussion with governmental agencies is not only a response by the banks indicating what they consider as feasible to assist in the fight against terrorism; it also takes the offensive by highlighting areas where regulators themselves should be active and taking responsibility — a role that would normally be associated with rule makers themselves. One example is the request that regulators ensure that national legislation be in place to permit financial institutions to play their part in the fight against terrorism. There is no question that the banking community is committed to fighting terrorism, although this open ‘lobbyist’ approach may in part also have been a reaction against the apportioning of responsibility in the aftermath of 11th September, 2001, and it reveals the level of confidence the Group has developed when it comes to interacting with regulators.

In some areas the views of regulators and bankers conflict: for example the banks are increasingly uneasy about the extension of rules which, whilst they may make sense in private banking, may not be appropriate to retail banking or other sectors of the industry. To counter this tendency to generalise, the banks are trying to indicate to Basel what is realistic and where a more flexible risk-management approach would be more effective. It could be said that one of the main achievements of the banking industry between 2000 and 2002 has been to win the regulators over to follow a ‘risk-based approach’ when developing their norms, as opposed to one that is rule based.[^15]

But what are the differences between these ‘risk’ and ‘rule’ approaches? The latter is the preserve of the state acting autonomously at national level, be it in response to international obligations or in self-interest. The risk-management concept also involves the making of rules and procedures but at the micro level of the individual company, although this may also be in response to legislation or international recommendations — so thus far there appears to be common ground between the two approaches. However, the rule-based approach deploys abstract, prescriptive norms and is reactive in the sense that it takes account of past failures in the system. Risk management, on the other hand, tends to be practice-based and is rooted in both past and ongoing business experience. Thus one of the characteristics of risk management is its flexibility: whilst there are internal compliance procedures to be followed, there are also systems that enable the risk parameters to be altered by the individual company — and this can manifest itself in clashes between those at the business front line and those responsible for the management of risk, particularly in highly competitive markets. This sort of tension may be the downside of the risk-based approach, but at the same time it seems that those companies that actively promote and develop their risk-management systems are also typically in the top quartile in performance terms and exhibit the best in class governance and control capabilities.[^16] Perhaps the traditional view of compliance as a costly burden may gradually be revised.

Other characteristics of risk management in this context take into account the components of business risk and certain aspects of operational risks in an interlinking strategic and policy network. This means that the management of risk has fully evolved from a back office function into a CEO concern. The strategy aims to ensure that risk management is embedded in the organisation through a framework that is specifically designed and implemented, in which risk is identified, quantified, controlled and reported.[^17]

In terms of outcome there are also differences between the two approaches. Following the rules may still leave the onus of the outcome on the state, because those that comply with the law cannot be held responsible for shortcomings that were not envisaged by the regulations. This, though, is not particularly constructive in the changing environment in which private banking operates. Traditionally risk management has focused on controlling large losses which have historically been associated with credit and market risks, whereas it is increasingly the case that large losses come from business and operational failures (and private banking is particularly exposed to certain types of operational risk).[^18] Thus it is not an adequate response for banks merely to comply with legal obligations; strategies that address the risks have to be adopted — and here the banks take the responsibility upon themselves to meet this challenge.

In practical terms the banks have been given the green light to start monitoring customers via simple (and relatively cheap) means, unless risk indicators are detected. Once risks manifest themselves the financial institutions can activate a highly differentiated and graded approval of further investigation — a system that is far more efficient than the standardised ticking of boxes of the early days of AML compliance. The new procedures applied in cases of so-called ‘PEPs’ (politically exposed persons) are an illustration of this risk-based approach (ie identifying officials, legislators, members of the government, high-ranking military and their entourages, and establishing bona fides/legitimacy of the acquisition of their funds).

On the other hand, banks need to be ready to do more to identify the beneficial owners, which would include understanding the structures related to corporate entities that may be used by natural persons to open anonymous accounts.[^19] To date, banks did enquire and take note of the information they received. However, rarely did they require documentary evidence for the beneficial ownership. As part of the risk-based approach the Basel CDD paper encourages the banks to go beyond their current standard. Here Wolfsberg needs to be adapted to the Basel recommendation which states that a banking relationship should only be established once the customer’s identity has been satisfactorily verified.[^20] Of course, as mentioned above, the contents of the Basel paper are not automatically law; they are recommendations to supervisors of member states and may still be watered down at a national level. Therefore what the Group defines as best practice is crucial.

The convergence by regulators and bankers on the risk-based approach has resulted in the empowerment of financial institutions to develop far-reaching new concepts in areas such as correspondent banking and agents, and these are briefly previewed later in the paper.

RECENT DEVELOPMENTS

The Wolfsberg Group has not been left untouched by the events of 11th September, 2001. It was impressive to realise how quickly the senior compliance and risk officers of the key banks grasped what impact the terrible events could have on their institutions. On the evening of the fateful day their systems were already in a position to start hunting for names. Although searching on the basis of lists of names and organisations is part of the pattern of preventing and tracing the finances of terror, it is not an area that would typically come within the domain of private banking. The focus on terrorists has not usually been comparable to that on large-scale economic crimes and far smaller sums are involved. Such amounts typically fall in the sphere of retail banking rather than private banking. This has implications for the standards of awareness that banks should maintain. By necessity the standards have to be lower in routine business — the example of payments to ‘students’ who perpetrated the attacks in the USA is one of the most striking illustrations of the difficulty. Therefore, expectations that banks may autonomously be in a position to detect funds primarily destined to finance terrorist activities should not be high. This problem is accentuated by the unwillingness of many national regulators to define ‘terrorism’, leaving banks without abstract guidance, rendering it difficult for them to translate such concepts into risk-management mechanisms. As has already been mentioned, this problem clearly has influenced the Wolfsberg Statement on terrorist financing, and whilst the banks have unequivocally pledged cooperation, they have also requested information.

FUTURE MOVES

Wolfsberg as a key partner in developing the new FATF recommendations

The most significant current text (apart from the Basel paper) is undoubtedly the Consultation Paper of the FATF.[^21] Much of what has already been addressed has been picked up by the FATF review, and the FATF is once again ready to discuss the range of entities covered by its CDD rules. It is also interesting that for the first time it concentrates on actual CDD procedures including such issues as the reliance on third parties to perform identification and verification obligations.

It is to be expected that the Wolfsberg Group will be a valuable contributor in the consultation process since it can credibly argue which measures are practicable. On top of this the Wolfsberg sub-working groups have developed some very original concepts in specific areas, especially on ‘correspondent banking’ and on ‘agents and introducers’. The major contribution lies in its concrete elaboration of what risk-based due diligence means in these areas, namely what questions need to be asked about respondent banks in relation to the status of their supervision which may differ greatly according to company domiciles.

Will Wolfsberg grow?

The Wolfsberg Group currently comprises 12 banks, all of which have a significant private banking business segment. There are obvious advantages and attractions of being part of a small group including:

(a) the way the decision-making processes function; (b) the practicalities of drafting; (c) the development of trust amongst the participants; and (d) ensuring active participation in the meetings.

The downside of remaining a small group is that accusations of elitism and exclusivity may be levied — although a place in the Group is not a prerequisite for an institution to adopt the Principles and to implement them within its own organisation. Also, if the scope of topics that the Group examines in the future overlaps into other areas of business that its banks are engaged in, then this may also have implications both for existing and potential members.

The role of facilitators and consultants who played a pivotal role in the early part of the process in getting the initiative up and running will continue to be important, not least to counter anti-competition regulations. Moreover, in a situation where there is no formal monitoring mechanism the presence of civil society does at least provide an external presence that increases the Group’s credibility in the wider world.

On the question of expansion, the non-governmental organisations (NGOs) that chart the developments of the Group would like to see the Principles adopted as widely as possible and would perhaps therefore prefer to see some sort of expansion plan. On the other hand, these NGOs may take the view that now that the banks have shown their willingness to confront the risks of money laundering, they should address other areas of concern as well — and thus NGOs may then regard expanded membership as less of an issue than the fact of having established an entrée into the senior echelons of some of the largest banks.

REFERENCES [^1]: William Shakespeare, Julius Caesar IV.iii.216. [^2]: See www.Wolfsberg-Principles.com for the full text of the Wolfsberg Principles and the Wolfsberg Statement on the Financing of Terrorism. The original Principles were made public on 30th October, 2000 in Zurich, Switzerland. [^3]: In the period 1987–96 US banks filed 77 million CTRs leading to 3,000 money laundering cases; 7,300 people were charged, of which 2,875 were found guilty. [^4]: www1.oecd.org/fatf/ [^5]: Bank for International Settlements: Basel Committee on Banking Supervision, Prevention of Criminal Use of the Banking System for the Purpose of Money Laundering, Statement of Principles, December 1988. [^6]: UN Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances, 1988, concluded in Vienna on 20th December, 1988. [^7]: Financial Stability Forum, Working Group on Offshore Financial Centres Report, April 2000. [^8]: Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, 21st November, 1997, signed on 19th December, 1997, in force since 15th February, 1999. [^9]: Minority Staff Report for Permanent Subcommittee on Investigations; Hearings on Private Banking and Money Laundering: A Case Study of Opportunities and Vulnerabilities www.senate.gov/gov_affairs/110999_report.htm. [^10]: Bank for International Settlements (2001) Customer Due Diligence for Banks, Basel Committee on Banking Supervision Working Group on Cross-border Banking, October. [^11]: For examples of press comment see The New York Times, editorial 11th June, 2000; American Banker, 11th June, 2000; Financial Times, 23rd October, 2000; The Banker, 1st October, 2001. For further references see also the press comments section of the Wolfsberg Principles website. [^12]: See International Counter-Money Laundering and Foreign Anti-Corruption Act 2000, House of Representatives Report 106/2728, Committee on Banking and Financial Services, Chairman Sen. Leach. [^13]: See ref. 10 above, paras 8–17. [^14]: Ibid., p. 5, n. 4. [^15]: Ibid., para. 20. [^16]: PA Consulting Global ‘IRM’ Survey 2001. [^17]: Ibid. [^18]: Shepheard-Walwyn, T. (2002) ‘Operational Risk Management in Private Banking’, Association of Foreign Banks in Switzerland, Zurich, 21st June, 2002. [^19]: Basel Committee on Banking Supervision, ref. 10 above, paras 32–33. [^20]: Ibid., paras 21–23. [^21]: Financial Action Task Force on Money Laundering (2002) Review of the FATF 40 Recommendations Consultation Paper, 30th May.

Mark Pieth, Professor of Criminal Law and Criminology, Basel University; Gemma Aiolfi, Programme Manager OECD.

© City & Financial Publishing. The above paper is taken from ‘A Practitioner’s Guide to International Money Laundering Law and Regulation’, publishing in May 2003, and is reproduced by permission of City & Financial Publishing Ltd, Surrey, UK (www.cityandfinancial.com).

---

Law Society to run research into Euro arrest warrant

A research project on the ways countries will implement the Euro arrest warrant and how a Euro bail system could be run alongside it is to be run by the Law Society. Under the planned Euro system an arrest warrant issued in one EU country can be quickly enforced in another country provided it is approved by a judge. The warrant is scheduled to come into effect across Europe on 1st January, 2004, along with a system of bail. In the UK, the Extradition Bill currently before Parliament legislates for the introduction of a Euro arrest warrant.

The research project, which has been given a £70,000 grant by the European Commission, is being run in conjunction with the Spanish and Czech Republic Bars. It will culminate in an autumn conference in London attended by representatives of all 25 EU members and applicants.

The Commission will be looking at related criminal law issues this year, such as sentencing policy, seizure of assets and common standards in procedural safeguards.