Money Laundering Regulations 2017 — use of software systems and technology

Money Laundering Software Systems Technology

Speed read: On 11 October 2017, Jonathan Fisher QC delivered a presentation at the BAE Business Defence Forum: The Financial Crime Front Line. Jonathan addressed the topic of recent developments and interesting cases in anti-money laundering and provided an overview of legislative updates. Natasha Reurts draws out the aspects of the presentation helpful to ‘relevant persons’ interested in the use of software systems and technologies in compliance with UK money laundering regulations.

It should come as no surprise that crime, particularly ‘white-collar crime’, has become increasingly harder to detect, police and enforce in the digital world. As such, what role can regulated professionals play in fighting financial crime in the digital age? Arguably, a very important one. Software systems can assist in detecting suspicious activities and aid in the implementation of anti-money laundering policies and procedures. However, how much of this comes down to the use of software systems and technology is up for debate. As much as software systems and technology can assist regulated professionals with compliance, and the fight against financial crime more broadly, much of the daily anti-crime measures will necessarily involve human decision making.  This is, and will always be, important.

Article 8 of the 2015 Fourth EC Directive on Money Laundering discusses the use of ‘model risk management practices’ which can inform anti money laundering policies, controls and procedures. Indeed, it is commonplace to see the use of software and technological assistance in customer identification and verification deployed during the Customer Due Diligence phase of compliance. Most software programmes will now run background checks, return adverse reports, and confirm the veracity or otherwise of what the client has said.  In short, these software programs and technological advancements can assist in triggering or identifying suspicious circumstances.  A classic example would be the identification of a PEP, a sanctioned individual or the flagging of irregular trading activity.

English Courts have been welcoming, yet cautious, of the role that technology and software can play in assisting decisions makers reach conclusions. In Shah v HSBC [2009] EWHC 79, Mr Justice Hamblin stated:

“[a]s to mechanical suspicion, the Claimants contend that if a suspicion was generated automatically by, for example, a computer programme, then it would not be a relevant suspicion. If there was no human held suspicion, then that may well be correct. However, again that is not this case, nor is it realistically ever likely to be the case. Human intervention and decision making is going to be an inevitable part of the disclosure process” (at paragraph 50).

In short, human analysis of the facts and circumstances presented with the assistance of software systems will still form an integral part of rationalising (or confirming) the basis of the suspicion. Without doubt, however, automatically generated suspicions ensure that human error does not mean a suspicion is missed which could, as is known, have liability implications for the firm.

Recently, as Jonathan Fisher QC noted, the need to ensure that the software systems and technology put in place is regularly updated cannot be stressed enough. Firms should ensure that screening software or other automated systems are periodically checked to ensure that they work in the manner proposed and contingency plans are put in place should the systems fail.

Indeed, the Financial Conduct Authority in Financial Crime: A Guide for Firms [1] (April 2015) stresses these very points – and the good practice guidance’s reads as the regulator’s expectation of firms. With respect to automated systems, the regulator expects the following good practice from firms: that the limitations and capabilities of automated systems used to monitor transactions are properly understood; that firms (particularly large retail firms) deploy alternative efforts to spot money laundering by using automated systems to monitor transactions; that firms use ‘monitoring results’ to review whether the Customer Due Diligence documentation is adequate; and that the threshold for automated systems are set lower for higher risk clients (such as PEPs) with an expectation that there are systems in place to escalate to senior management.

Recent examples have demonstrated how important it is to ensure that technology itself remains compliant with the changing nature of the regulatory regime.  In October last year, the Financial Conduct Authority fined Sonali Bank (UK) Limited £3.2million and imposed a restriction the effect of which prevented the bank from accepting deposits from new customers for 186 days.[2] Moreover, Sonali Bank’s money laundering reporting officer was fined £17,900 for a number of identified shortcomings. One such shortcoming was that despite numerous warnings from internal audits it had failed to put in place appropriate anti-money laundering monitoring arrangements which were focussed on the risk faced by the bank and which demonstrated that the anti-money laundering systems of the bank were working effectively. During the relevant period, the MLRO reassured the bank’s board and senior management that the anti-money laundering systems which were in place were working effectively, something he knew to be misinformed. With respect to software systems, Sonali Bank was found to have failed to provide and implement necessary IT upgrades and software in a timely manner. The Financial Conduct Authority acknowledged that such assistance would have helped an overworked and under-resourced anti-money laundering department conduct their duties more efficiently.

Again, in one of the many enforcement cases taken by the Financial Conduct Authority in recent years, Deutsche Bank was fined £163million for failing to maintain an adequate anti-money laundering control framework during the relevant period. This failing was said to have enabled unidentified customers to transfer approximately $6 billion in funds from Russia to bank accounts in overseas jurisdictions. The movements of money could be said to have all the hallmarks suggesting an element of financial crime. Aside from failing to have performed adequate customer due diligence, having deficient anti-money laundering policies and procedures, the Financial Conduct Authority found that Deutsche Bank has an inadequate anti-money laundering IT infrastructure and lacked automated anti-money laundering systems for detecting suspicious trades. The advantages of employing software systems and technological assistance are manifold. They are resource sensitive and can assist in preforming tasks that would otherwise take up time if performed manually. This has positive costs implication for business generation. Moreover, as stated earlier, the wealth of information provided to anti-money laundering teams by anti-money laundering software may reduce the likelihood of suspicions being missed – so long as the systems and monitoring procedures are adequate updated and tested for accuracy. However, the take-away lesson from the enforcement cases is that regulated professionals and relevant persons cannot become relaxed by relying on a mindset that the implementation of a software system is sufficient to achieve complaint status with the money laundering regulations.  Anti-money laundering compliance, with support from software systems, is a constantly evolving process and firms place themselves in peril if they do no more than the bare minimum which the  regulations require.

[1] Financial Conduct Authority, ‘Financial Crime: a Guide for Firms (Part 1: A Firm’s guide to preventing financial crime’ (April 2015) Available at:

[2] Financial Conduct Authority, ‘FCA imposes penalties on Sonali Bank (UK) Limited and its former money laundering reporting office for serious anti-money laundering system failings’ (12 October 2016) available at: