What should a money-laundering reporting officer do if Hunter Biden is an applicant for business? What are the 'red flags' associated with the beneficial ownership of corporations by a HNW customer? How might the Senior Managers & Certification Regime make MLROs' annual reports more honest? In this article Rachel Woolley (pictured) of Fenergo answers these and other questions.

So it might not have to verify the identities of individuals (although it will for direct customers and anybody acting on their behalf) but it does have to know who owns the entities that the HNW customer is receiving money from. If the money's coming from listed companies, that's reliable. It is also looking for online presence and it wants to see if the business is established. The big thing to check on that is if there’s been a recent change of shareholders or directors, or when the company in question ceased to be dormant. Fenergo is plugged into Companies House, so we do that.

Q: In your opinion, does good compliance require the hiring of more than one software vendor to screen the same things, e.g. worldwide reputation? Or is reliance on just one firm all right?

A: It depends. Some vendors have better data in different jurisdictions. You may want to have more than one if you're global.

Q: What else should the MLRO look for?

A: Relationship patterns are also significant, as the same service providers are often used, as was the case with Mossack Fonseca in the Panama Papers scandal.

Q: Are we talking about links to dodgy law firms? If so, does Factiva/Fenergo software tell you whether such firms are involved?

A: We are and it can. You could have the same singatories on the HNW's accounts. If you have a single viewpoint of that, you can see if that law firm has been indicted. If it has, you then ought to check each account. It comes down to your screening.

Q: Let us talk about the vague rules (known as 'Principles for Business') that the UK's regulator enforces. For example, it recently punished Commerzbank for not fulfilling principle 3, which tells firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. How can one trust the regulator not to abuse its power, when it can punish anyone for being unable to live up to these lofty and nebulous ideals?

A: It's a difficult one. The vast majority of fines are issued for vague reasons. The regulator has a relationship with the firm, so at least its expectations are clear. Part of the big issue in the European Union is that the Money Laundering Directive is applied inconsistently. In some jurisdictions, what generally happens is that the regulators will do an investigation if something bad happens but also they do thematic inspections. Then they might punish the firm with the assertion that "we've seen enough to form an opinion that money laundering will occur." Commerzbank, incidentally, were pinged on accounts that were overdue for checking. They were probably building up because the job of checking is a relatively manual thing still.

Q: What jobs do you think that banks fail to do the worst when spotting and dealing with risks associated with PEPs?

A: Overdue customer checks. They typically ought to review the risks associated with customers every 2-3 years. Failure to do so is common.

Q: At Commerzbank, certain business areas did not always stick to internal bank rules. This ‘internal policy’ thing is a big thing for regulators, isn’t it? Even if the policy isn’t in line with a particular rule.

A: Absolutely right – even if it's not expressing a rule. The regulator wants to say: "If you can't stick to this rule, what else are you not doing? Your word is questionable."

Q: As we know, the FCA often tells this-or-that firm that its compliance headcount ought to be higher. Have you ever evolved a rule of thumb to work out how many compliance people a department should have?

A: It comes down to the environment and the complexity of the environment. Some firms use manual checkers and rely on subject-matter experts, others automate the process. If we look at the Financial Action Task Force's mutual evaluation reports on countries, Iceland and Germany were called out by their own financial intelligence units which told the inspectors that they didn't have enough people. Then there is the worry that the MLRO might avoid disclosing the fact that he is under-resourced in his annual report for fear of offending his employers - this might be alleviated by certain accountability regimes such as the Senior Managers & Certification Regime in the UK. Now, because of this reform, the board itself is facing hefty fines. If the MLRO's annual report is not followed on, to some extent the MLRO could use it as a defence.

Q: What are the latest developments in AML/CTF RegTech that strike you?

A: Geo-tagging and geolocation. That's coming out from a Covid perspective. Also, advances are being made with software that takes a holistic view of risk with integrated systems. Fenergo and Smart KYC, for instance, sit on top of many systems. So we're talking about orchestration and an end-to-end view. Both of those trends are accelerating.

Q: How is AML RegTech different from CFT RegTech?

A: Although the intent and purpose behind money laundering is clearly different from that of terrorist finance, the methods that people use to disguise the funds are often the same. This is why laws refer to both subjects. Financial institutions' compliance processes are designed to detect suspicious activity, whether it relates to money laundering or terrorist financing. The software that exists is therefore typically applicable to the detection of both types of crime, rather than distinct offerings.