A proliferation of lists?

For some years, the FATF has published various lists of countries with “strategic AML/CFT deficiencies”. These have become known in the trade as the ‘black’ list (jurisdictions subject to a call for counter-measures – Iran and North Korea feature on this list), the ‘dark grey’ list (jurisdictions that have not made sufficient progress or not committed to an action plan) and the ‘light grey’ list (those who have developed an action plan). The lists are drawn up by the FATF’s International Cooperation Review Group (ICRG) and approved by the FATF plenary meetings. The content of the lists are often used as part of country-risk assessments, although the correlation between a weak AML/CFT regime, in FATF terms, and actual ML/TF risk is a topic for another day. The AML/CFT authorities in other jurisdictions often re-publish these FATF announcements, and in some cases they are specifically mentioned in laws or regulations.

The Caribbean FATF (CFATF), the FATF-style regional body (FSRB), has been meeting in plenary session in Nicaragua this week. Yesterday (30 May 2013), they published their own lists, which use very similar language to the FATF public statements. Belize and Guyana appear on the ‘dark grey’ equivalent and Dominica on the ‘light grey’ version. There are key differences, though – the CFATF public statement suggests that if further progress is not made, the next step will be to refer countries on the ‘dark grey’ list to the FATF ICRG, for consideration of listing by the FATF.

Do we need any more lists? On the one hand, it is perhaps a useful thing for the FSRBs to use their greater knowledge and understanding of the situation in their region to identify those countries that are not making sufficient progress. On the other hand, the CFATF statement (which was immediately re-published without further comment by the FATF) appears to establish a hierarchy of such lists, which goes against the ethos that the FATF Standards should be applied equally across all jurisdictions. There are CFATF countries already on the FATF lists that are not included in the CFATF statement – are the strategic deficiencies in those countries to be taken to be more serious than those listed only by the CFATF? Should only countries and institutions in the CFATF region be expected to take account of the CFATF lists, or should they be taken acocunt of globally, but allocated a lower risk rating than those listed by the FATF? That would seem a high risk strategy for institutions to take, but we shall watch with interest to see what regulators make of this new listing.


A preview of the FATF approach to risk

At the time of writing, the FATF has not published its paper on national risk assessments, one of the most eagerly awaited outcomes of the plenary in Paris last week, certainly for  FATF Watchers.  The FATF has published its revised paper on financial inclusion and interestingly enough that quotes from the as yet unpublished paper – referenced as ‘FATF(2013) National Money Laundering/Terrorist Financing Risk Assessment, FATF, Paris’. It also includes references to two other papers with the same date, ‘FATF (2013a) Guidance on PEPs, FATF, Paris, forthcoming’ and FATF (2013b), Guidance on New Payment Products and Services, FATF, Paris, forthcoming’. Oddly, these two papers are not mentioned in the published outcomes from the February plenary.

So what can we glean from the references in the financial inclusion paper, which start at paragraph 42 on page 19? Well, the FATF is taking a standard approach of defining risk as a function of three factors: threat, vulnerability and consequence. This was implicit in the 2007 FATF paper on the risk-based approach, but it appears to be explicitly spelled out in the forthcoming guidance. There is also a three-stage approach to risk assessment: identification, analysis and evaluation. It is suggested in the paper that the UNODC’s Guidance on the preparation and use of Serious and Organised Crime Threat Assessments (SOCTA) might act as a precursor to the AML/CFT threat assessment (it is worthwhile noting in the context of FATF evaluations being due to start later this year that the UNODC suggest a good SOCTA will take six months to produce).

One of the few tools available to help with AML/CFT national risk assessment until now has been template in the Strategic Implementation Planning (SIP) Framework, developed by the Asia-Pacific Group (APG) and the World Bank. According to the Financial Inclusion paper, the SIP is in the process of being updated to reflect the revised FATF Recommendations – an outline of the SIP Framework can be found in Annex 6, along with some other examples of risk assessment tools. The template, a fairly simple spreadsheet-based tool, will no doubt be useful for lower capacity countries in particular.

Much of the Financial Inclusion paper is concerned with differentiating between ‘low’ and ‘lower’ risk, which is a subtle distinction drawn from the wording of the FATF standards, but does appear somewhat confusing. As the paper states, in a footnote:

«Low risk » situations refer to cases that may qualify for an exemption from the FATF Recommendations, while a simplified AML/CFT regime may apply to “lower risks” cases.

It is not clear from the extracts published if the forthcoming paper on risk assessment will provide guidance on measuring risk, particularly if there is to be this distinction between ordering risks (higher and lower risks) and categorising them (proven low risk). The risk analysis process is broadly described as gaining an understanding of risks “to work toward assigning some sort of relative value or importance” (our emphasis). We shall have to wait for the publication of the paper for more details.

Who’s next to join the club?

One of the unheralded outcomes of the recent Financial Action Task Force (FATF) plenary in Paris was this:

The FATF established a process for considering the case for/whether to undertake a limited expansion of its membership with the aim of ensuring it has an optimal membership in the fight against money laundering and terrorist financing.

Now as outcomes go, it’s not the most definite – a process for considering a possible case for perhaps doing something. But many observers thought that, once India and China had joined, the FATF was effectively closed. There is an existing policy on membership, which (this being the FATF) has ‘Fundamental’ and ‘Technical and other’ criteria.  The candidate jurisdiction should be strategically important (measured in economic and AML/CFT terms), should enhance the geographical coverage of the FATF and should be committed to, and doing well in, implementing the FATF Recommendations.

So why has the FATF decided to look at its membership again – or more accurately, establish a process for doing so, although it seems unlikely that given the existing policy it would not then use the process. Of course, we are not allowed to know – the FATF is famously secretive when it comes to releasing details of its deliberations, so the one sentence outcome above is all we are told. Can we infer that some members want some other folk to join? If so, who might the new candidates be?

Well, let’s look at the criteria. The FATF was established by the G7 in 1989, but since the global financial crisis the real economic and regulatory powerhouse is the G20. This Group has a relationship with the FATF, calling on it to do various things and receiving FATF progress reports, even though the FATF is actually responsible to the Ministers of its members. Taking membership as a proxy for strategic importance, there are two countries in the G20 that are not FATF members – Indonesia and Saudi Arabia (although Saudi Arabia is a member of the Gulf Cooperation Council (GCC), itself an FATF full member). Both countries would also satisfy the geographic criteria, the FATF being light on members from the Middle East (Qatar reportedly applied to join in 2009), South-East Asia and Africa. If one were to look for a strategically important jurisdiction in Africa, it would be difficult to overlook Nigeria, of course.

There is one problem with this line of reasoning, though. Looking at the technical criteria, Indonesia and Nigeria are on the FATF ‘dark grey’ list of countries with strategic deficiencies. But then so is Turkey, which narrowly avoided suspension of its FATF membership by passing a terrorist finance law the week before the plenary. On balance, though, maybe Saudi Arabia, a key US ally, which receives good ratings on compliance with the Recommendations, should be our favourite?

In short we don’t know, but we can speculate. Perhaps the answer may be for another economic union, from one of the under-represented areas to join, in the same way as the European Union (represented by the Commission) and GCC. One thing is for sure, as this photo of a plenary session borrowed from the FATF website shows – they are going to need a bigger room if too many new members join the club!

Plenary in Session


Not just a Methodology, more a way of life

The Financial Action Task Force (FATF) plenary, which concluded on Friday last week, produced several interesting outcomes – updates on jurisdictions which allegedly pose a risk to the international financial system, revised guidance on financial inclusion, guidance on a national risk assessment (which has not yet been published) and establishing a process for a possible further expansion of the FATF membership. But by far the most interesting outcome was the adoption of the new Methodology for Assessing Technical Compliance with the FATF Recommendations and the Effectiveness of AML/CFT Systems.

The significance of this document should not be underestimated. Previous Methodologies have been very much for those involved in the process or FATF geeks like us here at FATF Watch. For those jurisdictions wishing to ‘game’ the system, they have provided clues as to how the FATF would like to see its Recommendations implemented , but the useful detail of the various criteria tended to be lost in very dense Mutual Evaluation Reports (MERs).

The new Methodology goes further, as it attempts for the first time to measure effectiveness of implementation. Yes, the first part (technical compliance) is very much like the previous version, but the second part (effectiveness) adopts a radical new approach. For pretty much the first time, a clear and unambiguous overriding objective in implementing AML/CFT measures has been spelled out:

“Financial systems and the broader economy are protected from the threats of money laundering and the financing of terrorism and proliferation, thereby strengthening financial sector integrity and contributing to safety and security”

The FATF has then identified three Intermediate Outcomes (major thematic goals; broadly policy, preventative and investigative) and 11 Immediate Outcomes, which feed the Intermediate Outcomes and are the key goals against which effectiveness will be measured. For each of the Immediate Outcomes, the FATF has published Characteristics of an Effective System, Core Issues to be considered and Examples of Information and Specific Factors that could support the conclusions the assessors will reach. There are four possible ratings for each Immediate Outcome: High level of effectiveness; Substantial level of effectiveness; Moderate level of effectiveness; and Low level of effectiveness.

Got that? The obvious issue is how these ratings will be measured. The Methodology is very clear that the various characteristics, examples of information and specific factors are NOT a check list, just guidance for the assessors. Clearly there is going to be a great deal of training required for the assessors, who generally do a very small number of evaluations (they all have other jobs, tending to be public sector officials from other jurisdictions) and the small FATF/FSRB Secretariats will have a key role in ensuring consistency across evaluations – we wonder if the staff of the IMF/World Bank may have a greater role to play. No doubt there will be a handbook to help assessors – according to the Methodology they have to answer very subjective questions, such as “How useful…”, “How well…” Evaluations under this new Methodology are due to start this year – time is very short to train the assessors.

Another key issue will be reporting. The results of effectiveness evaluations should be very useful for those managing country risk, but there is a great deal of detail in the Methodology, which could result in even longer and denser MERs (see this previous post for some of our thoughts on that issue). Annex II of the Methodology is supposed to be an MER template, but is blank and “to be finalised” in the published version.

Of course, this new focus by the FATF on effectiveness is welcome and probably overdue. We know that it is the result of a huge amount of work by both a Working Group and the FATF Secretariat, who should be commended for getting this far. However, the new Methodology should not just be seen as a manual for assessors – it is, de facto, the technical guide to effective implementation of a national AML/CFT system, and perhaps it would have been better to position it as such, with a separate guide for evaluation (including a toolkit for answering the difficult questions the Methodology poses). At the very least, it seems a little strange that the objective and outcomes of an AML/CFT system should be buried in an evaluation methodology – they are fundamental to identifying risks and also to understanding how effective the FATF Recommendation themselves are in achieving those goals.

We will post further thoughts in the days ahead – the treatment of risk is particularly interesting and important. Watch this space!

I like an MER, but I couldn’t manage a whole one.

As the great and the good of the AML/CFT world continue to debate improvements to the regime at the Financial Action Task Force (FATF) plenary in Paris, MONEYVAL (the Council of Europe’s FATF Style Regional Body) has published its latest report on Moldova. And it highlights some issues that we hope the FATF will have addressed by the time the white smoke rises above the OECD building and the report of the plenary’s outcomes is issued.

The Moldovan report is part of MONEYVAL’s 4th round of evaluations, which were designed to look at key and core “and some other important” FATF Recommendations, as well as those Recommendations where the country concerned had been marked poorly (Non or Partially Compliant) in the previous round. As MONEYVAL was ahead of the FATF and the other FSRBs in finishing the previous round, they undertook this round of evaluations instead of waiting for the revised Recommendations and Methodology (here at FATF Watch we call it the 3.5 Round). All very sensible, especially since they decided to have a go at measuring effectiveness, which will be taking up a great deal of time in Paris this week.

But the report does highlight some issues with the evaluation process (and some with the Moldovan AML/CFT regime, obviously, but that’s not the point of this post). The report was published this week, after being adopted at the MONEYVAL meeting in early December last year. But the on-site visit for the report, when the team of assessors spend time in country and gather the information used for the evaluation, was in November 2011. So anyone using the report to inform their country risk assessment of doing business with Moldovan entities or processing transactions from that country, is relying on information that is at least 15 months old. This is not uncommon or atypical of all Mutual Evaluation Reports (MERs); we are not picking on MONEYVAL or their Secretariat. MERs have similar gestation times  to large whales. Risk assessments should be timely and accurate, but the information supplied under the FATF/FSRB system is neither – it is noticeable how often a poor MER triggers significant legislative or institutional change (a Good Outcome), rendering out of date and therefore pointless large chunks of the MER. Is your quantitative risk assessment relying on ratings in an outdated, qualitative report?

Of course, the FATF and FSRBs have follow-up procedures, where countries have to submit information on progress. These reports, whilst not a substitute for a full evaluation, can be used to update your knowledge of a country and come to a better assessment of the risk. If you can find them, that is, as the FATF and FSRBs do not appear to have a common publication policy, although all MERs have to be published. Take Russia, for example – a member of the FATF, MONEYVAL and the Eurasian Group (EAG). On the FATF and EAG websites you will find the Russian MER from 2008. Only on the MONEYVAL website will you also find two progress reports from 2009 and 2011. Does the provider of your risk ratings dig that deep?

Another issue, which was alluded to in the FATF’s Public Consultation on the revision of the standards, is the length of MERs. Having taken as long to be born as a whale, they are frequently as indigestible. The report on Moldova only concentrates on a subset of the Recommendations, yet it runs to over 300 pages, with 600 pages of Annexes, consisting of codes, laws, regulations and orders. Fortunately, there is an Executive Summary of about 30 pages and the one screen press release does a pretty good job of identifying the main points. Again, these are fairly typical numbers. Of course, some, if not most, of that information is not designed for the private sector. It is for the Moldovan authorities to understand in detail what they need to fix and to justify the ratings the assessors have given. But a tailored package, designed to identify risk for the private sector, would surely be of great value and in the spirit of the revised FATF Mandate?

The FATF this week is considering its revised Methodology or, probably, Methodologies, one for technical compliance and one for effectiveness of implementation. Those are not easy issues to define and measure, and will put even greater strain on the evaluation system and particularly the FATF/FSRB Secretariats. Hopefully, they will find time to consider the reporting too and will have listened to the private sector. The premise of the original FATF Watch was that much valuable data was lost to the private sector because of the way the FATF and FSRBs reported and published their work. They have made great strides in presentation (for which we like to take some credit!), such as improving their websites to include country profiles, and they have recognised the not always useful nature of MERs in their consultation. Now is the time for more change. Consistent, timely and accurate reports can only benefit the private sector and strengthen the AML/CFT regime.