The MoneyVal and Deloitte Customer Due Diligence reports.
On June 12th 2013 the Cyprus Ministry of Finance made public some of the reports of the MoneyVal and Deloitte audits carried out as a condition of the EU/IMF bailout of Cyprus.
Unfortunately it turns out the full reports have not been made available publicly. (The Deloitte report is only the nine page Executive Summary).
Still, it is remarkable that these reports have been made available to download given that both state that they are strictly confidential.
The reports audit a sample of banks operating in Cyprus with regard both to their understanding of anti-money-laundering and procedures and the implementation of those procedures with regard to Customer Due Diligence.
The reports have been the subject of much controversy. Cypriot authorities initially declared that they gave the Cypriot banking system a clean bill of health with regard to money laundering.
Perhaps in response to this optimistic interpretation a summary report of the two reports’ findings was ‘made available’ by the troika of the EU/IMF/ECB.
Then in response to that the Central Bank of Cyprus put out on May 23rd a two-page press release that refuted the findings of the ‘summary report’.
Without access to the full Deloitte report it is difficult to make a full assessment of the Troika’s summary report. However, I am of the opinion that that there is enough critical comment in the findings of both reports to suggest, as the troika summary report did, that there are, ‘systemic deficiencies in the implementation of preventive measures by the audited institutions [with regard to Customer Due Diligence]’.
The Central Bank of Cyprus press release
Below I take the original CBC refutation
of 23rd May 2013 (text in red) of the troika Summary Report. I have then gone through both the MoneyVal and Deloitte reports made available by the Cyprus Ministry of Finance and identified where the quotes in the CBC press release come from and what the CBC press release also ignores.
I initially did this to help me organise my thoughts about the two final reports by MoneyVal and Deloitte. I subsequently wrote a blog entry on them here.
I must admit to being annoyed by the CBC press release when it came out.
Rather than presenting a summary of the audit reports and dismantling the troika summary report point-by-point the release presented what even then seemed to be a highly selective interpretation of the detailed work of the reports.
This was wittily summed up by Charles Forelle of the Wall Street Journal in a tweet subsequently reproduced in an FT Brussels blog piece by Peter Spiegel that covered the CBC release.
Forelle tweeted, "Those guys' [ie the troika's] three-page summary was too selective! Here's our [ie CBC] three-page selective summary!"
The CBC selective summary is a travesty of the audit reports and in my view fails to take them seriously.
The release played fantastically well with those who cannot or will not believe that Cyprus needs to do more with regard to money laundering.
But to the 'away' crowd the CBC release just delayed the day of reckoning - although using the troika summary report many had already made up their minds - see for example Der Spiegel's German language edition's cry of 'Betrayal'.
Others smelled a rat thinking the troika report another piece of crafty, mendatious and self-serving spin designed to both to sully the name of Cypriot banking and justify the harshness of the bailout.
But I have to say if there is a 'spin champion' in this particular episode the CBC wins hands down in its selective quotations.
There are substantive points in the troika summary that cannot be given the sniff test of fairness because the Deloitte report is a summary in itself and does not allow us (thankfully, probably) to get into the bilge-water below-decks of the Customer Due Diligence apparatus.
Throughout this whole grim unravelling one wished that someone might have come clean, broken ranks and said,
'You know what. The jig's up. The system is not fit for purpose. We are running an offshore banking system characterised by massive flows of money through accounts that are set up by 'introducers' and that operate through complex company structures where ultimate beneficial owners are very hard to identify.
Yes, we have made efforts to improve, to comply and at least on paper and in procedure (if not in implementation) we have really tried to get ahead of the game.
But we have to do more and these audits and their detailed findings (which are not so dissimlar from previous Moneyval reports) are a wake-up call and a signal that we need to look at the banking model we run and the hunger for risk that we as professionals and institutions are willing to countenance.'
But that hasn't happened and instead the denial and blame-shifting and selective revelations have gone on.
And meanwhile the credibility of the Cypriot authorities has been damaged further and the palpable European disquiet about the conditions and delivery of the bailout are have been buried beneath the indignant headlines of the 'international media'.
Many have also said, 'Who are the Brits or the Germans or the Dutch to tick us off about banking practices?' And as the Tyrie commission in the UK makes clear public anger with bankers and their acolytes shows little sign of abating.
But the spotlight has been, and is on, Cyprus. At least for now.
CBC Press Release (in red)
In response to the press coverage of the three page summary paper dated 10 May 2013, prepared on behalf of the "Troika" and intended to provide a resumé of the Moneyval and the Deloitte reports on the anti-money laundering (AML) audit recently carried out in Cyprus (the “Reports”), the Central Bank of Cyprus wishes to make the following comments:
The summary paper does not provide a synopsis of the main findings of the Reports but rather a description of the perceived weaknesses of the system, drawing inferences where none exist in the original Reports. The lack of consultation with the authors of the Reports and the failure to refer to any of the positive aspects mentioned therein, has resulted in erroneous and distorted conclusions in the media, especially the international press.
[SummRep does have some positives as in ‘while identifying no regulatory weaknesses.’ Note also that the CBC press release itself provides nothing like a synopsis of either report.]
A summary of the Reports cannot be considered balanced if it omits to mention that they reveal a number of strengths both in the Cypriot AML framework and in the effective implementation of customer due diligence by Cypriot banks. The authorities are in the process of providing a detailed response to the Troika as well as to the Eurogroup.
The main positive findings of the Reports are listed below.
a) A solid level of compliance on Customer Due Diligence (CDD) across the sector. “Most importantly... the “All” column appears to indicate a generally solid level of compliance across the six bankswith the following (4 out of 27) areas requiring further attention...”
[This quote is not in the report made public by the MOF which is in fact only the Executive Summary. The nearest quote to it occurs on page 6:
Most importantly, and again bearing in mind the limitations of the sample and further of using an un-weighted average, aggregating the results across the Covered Institutions appears to indicate a generally solid level of compliance across the six banks with the following areas requiring further attention: (1) Client Acceptance (certain key aspects such as Customer Business/Economic Profile and others), (2) Ongoing Monitoring, and (3) Reliance on Third Parties. Within this context we noted as a credit sector level general trend that more recently established client relationship appeared to have more complete due diligence files than accounts opened a number of years prior and especially before 2008.
This goes on
Also at the sector level, the adequacy of the rationale for the small number of suspicious activity reports submitted within the retrospective scope of this review is self-evident. Lastly, although the framework requirements appear to be sufficiently implemented, the identification of unusual transactions and the reporting of suspicious activity to MOKAS appear to be lower than could be expected under the Cyprus Legal Framework, whether applying CBC typologies or as compared to practices in other jurisdictions [My emphasis].
The Deloitte Exec Summ then details the areas of concern with regard to 1-3 above.
These are excerpts (Emphases added).
220.127.116.11. Client Acceptance
The banks sampled ‘do not seem to have a suitable degree of accuracy in gathering and documenting relevant information from customers in order to understand the purpose of the account, to define the customer’s business economic profile and to evaluate the expected pattern and level of transactions.’
‘This missing or insufficiently detailed documentation is primarily evident in accounts, which represent a large part of the sample, that have been established for passive investments and apparent tax minimization purposes as distinct from operating entities.’
‘The timing of customer identification was at times inadequate as there seemed to be a practice of collecting information and documentation after the business relationship was established, reportedly because of perceived familiarity with the customer’.
‘Covered Institutions were generally not considering as a higher risk factor the nature of offshore exposure, as well as multi-layered and less transparent ownership and control structures for their legal person customers.’
Ongoing Due Diligence updates: ‘even where there were summary forms or customer transaction statement showing updates, there has been observed a general lack of traceability of controls performed.’
Controls for high-risk customers: ‘Those controls were generally not consistently/programmatically performed during the course of the business relationship, on a risk based approach, according to each institution’s specific internal policy.’
Banks are, ‘overly reliant on third persons in providing such [ongoing CDD] information in the absence of risk based verification of the underlying information provided, in particular in multi-layered and less transparent ownership and control structures involving foreign jurisdictions, which are generally considered to be of higher money laundering risk.’
‘Briefly, whereas UBOs [Ultimate Beneficial Owners] identities were almost always verified through certified true copies by an independent source (e.g., a Passport) the intermediate and ultimate beneficial owners in an ownership structure [that is, in company structures – my emphasis] were typically not verified via original documents from independent sources (e.g., certificates of official registry from a foreign country such as of incorporation or incumbency).
b) A very low level of suspicious activity that may be undetected. Deloitte’s forensic analysis covered over 570,000 transactions, with only 29 circumstances in which a transaction or pattern of activity was recommended for further investigation by the bank to establish reasonable explanation or a need to report. The data, therefore, provides an indication that any potentially suspicious transactions that may not be detected are not necessarily significant or systemic.
This appears to be based on para 2 of 3.3.3. which says,
The Deloitte transaction monitoring rules adopted were selected on the basis of their alignment with the specific requirements of the agreed upon procedures and were programmatically run against the electronic data gathered. This generated 10,173 alerts to be investigated, from a sample of 570.000 transactions. Said alerts as well as other potentially unusual activity stemming from the manual review were investigated by the project teams and either cleared as not representing unusual activity or warranting further investigation. Deloitte identified 536 instances of potentially suspicious activity that required further investigation, out of which 29 appeared to be potentially suspicious. Said potentially suspicious activity is contained in the main body of this report [which has not been made public] and has been referred to the CBC to determine if reporting to MOKAS is warranted.
See also the last para in 3.3.3 on transaction monitoring and suspicious activity reporting which concludes,
‘A general finding nevertheless can be made that at the sector level the identification of unusual transactions and the reporting of suspicious activity to MOKAS appears to be lower than could be expected under the Cyprus Legal Framework and specifically in applying the CBC typologies, as well as compared to practices in other jurisdictions.’
Furthermore the report explicitly states that ‘caution should be taken in relying on these numeric findings’ due to the limited time frame of two weeks to carry out the research for the report. (see 3.3.3.)
c) A stricter legal framework beyond normal EU standards. “In the audit for compliance with the CDD requirements of the Cyprus legal framework, it is worthy of note that these requirements are more detailed, and to a certain extent prescriptive, than in many other jurisdictions, including other EU Member States that similarly have implemented the requirements of the Third Money Laundering Directive.”[This is from 3.1.]
d) An enhanced due diligence conducted by Cypriot banks in obtaining passports and verifying addresses of ultimate beneficial owners, including in cases involving PEPs when exceeding a 10% ownership level. This is more thorough than the EU standard of 25% ownership.
[This is from 3.1 and followed by ‘This seems to be a recognition of the unique risks in the jurisdiction, and thus an effort to tailor requirements to mitigate those risks’.]
e) A proactive approach taken by the Cypriot authorities to reduce the risk of AML. “A recognition by the Cypriot authorities of the unique risks in the jurisdiction, and efforts to tailor requirements to mitigate those risks...”
[This is from 3.3.1]
Other points from the Deloitte Exec Summ.
25 per cent of the top 100 depositors give their country of residence as the British Virgin Islands
The sector level findings with respect to deposits show that with respect to the “Top 100” depositors, 90% are legal persons, having Cyprus as the country of residence in 40% of cases, followed by the British Virgin Islands in 25% of cases, Russia at close to 10%, followed by Belize and the Seychelles.
In comparison, for the ultimate beneficial owners of these legal entities, the country of origin is Russia in 35% of the cases, Cyprus in 25%, followed by Greece, the Ukraine, the British Virgin Islands and others. Again, this trend seems to be generally true if measured by the count of borrowers or the value of the loans.
The findings of our manual review indicate that for deposits, overall the instances of incorrect information are not insignificant and relatively more relevant to customers than to ultimate beneficial owners [my emphasis].
Activity that is rather common in Cyprus as witnessed through the customer sample àin terms of a combination of high-risk factors including foreign investors, introducing third persons, and cross-border transactions, would in many other jurisdictions be quite rare and thus such a customer profile at any given financial institution might be the focus of compliance attention as a high-risk outlier. [My emphasis] This was not the case with respect to the sampled files.
This appears to say that what would be considered a high-risk account in other jurisdictions is considered common in Cyprus and not given the ‘focus of compliance attention’ it would merit in other jurisdictions.
a) Strong implementation of CDD measures. [In fact the MoneyVal report talks about ‘knowledge/experience’ and ‘broad commitments’ but does not mention ‘strong implementation’. Rather its says that implementation of CDD ‘as described by the banks appeared strong’. NB The report is prefaced by the comment at A/1 that the assessment ‘has not been verified by access to customer data or files in the bank’’.] “In general, the banks interviewed demonstrated high standards of knowledge and experience of AML/CFT issues, an intelligent awareness of the reputational risks they face and a broad commitment to implementing the CDD requirements set out in the law and in subsidiary regulations issued by the Central Bank of Cyprus (CBC). Implementation of CDD measures, as described by the banks, appeared strong under most headings.”
[This is taken from A/3. The MoneyVal report continues in the next sentence:
‘However, a range of shortcomings with the potential to undermine the effectiveness of CDD was identified in many of the banks interviewed. In one bank the assessors had particular concerns about the overall effectiveness of their CDD procedures. (MoneyVal 2013 A/3)
This seems to me a particularly egregious case of selective quoting of the report by the CBC.
The CBC press release then ignores the next points A4 -11 in the MoneyVal Executive Summary.
These show (excerpts):
Point 4 ‘Given the significant role played by introducers in attracting international business to Cyprus, it was noted with concern that one of the categories of introducers (ASPs- Administrative Service Providers) although made subject to regulation is not yet supervised in practice for compliance with AML/CFT requirements and the supervision of the other categories of introducers (lawyers and accountants) needs to be strengthened further.’
See also Point 17
‘The assessors are of the view that Cypriot banks’ reliance on introducers represents one of the largest areas of vulnerability for them.’
The absence of a bank-wide risk assessment and lack of consultation with the banks’ compliance functions in the acceptance of high-risk customers, ‘in combination, constitute material deficiencies in light of the level of high risk international business being conducted in the banking sector.’
Later at Point 20,
Indeed, it appeared to the team that some banks mechanically address the points listed in the CBC Directive rather than conducting their own risk analysis, as required.
The measures being applied to PEPs [politically exposed persons – that is people with an official government etc position] are not yet fully effective in some of the banks interviewed in respect of measures to determine the source of wealth of PEPs, identifying family members and close associates of PEPs and identifying a customer who subsequently becomes or is found to be a PEP.
Various banks appear not to obtain sufficient information to create a meaningful economic and business profile of the customer and beneficial owner at the inception of a business relationship. This may undermine the effectiveness of ongoing monitoring carried out in the course of the relationship.
And at Point 21
However, it was concluded by the assessors that, despite the documentation provided by the business introducers, banks remain in many cases one or more step(s) removed from the beneficial owner.
And at Point 23
With regard to individual components of CDD, weaknesses in the establishment of the business and economic profile of the customer have been identified. Banks should ensure that the customer business and economic profiles – particularly for high risk customers – are detailed, meaningful, accurate and regularly updated in order not to undermine the proper application of ongoing monitoring and that the purpose of the business relationship is identified and recorded in all cases.
The management of alerts regarding high risk accounts is under-resourced. ‘As a consequence, insufficient consideration may be given to these alerts before being cleared.’
And at Point 24
Indeed, on the basis of information provided, not many cases of ML/FT suspicion are identified through ongoing monitoring.
And Point 25 with regard to Politically Exposed Persons,
‘measures to determine the source of wealth of PEPs were not always convincing.’
And Point 26 where
‘a large backlog of amendments to registration documents at the Company Registry and a lack of follow up of a significant number of unsubmitted annual returns and financial statements’ [is noted]. ‘This raises questions about the ability of banks to fully apply CDD measures with respect to legal persons registered in Cyprus.’
Notwithstanding the fact that, as a result of a recent amendment, certain tax crimes (including tax evasion) are now predicate offences for ML, many banks interviewed are either unaware or unclear about the full implications of such changes.
Overall, therefore, the assessors are concerned that the combination of a number of features associated with international banking business (e.g., introduced business plus complex structures plus use of nominees) may in higher-risk cases bring the cumulative level of inherent risk beyond a level that is capable of being effectively mitigated by the CDD measures currently being applied.
That is, the risks of Money Laundering are not being effectively countered by the CDD measures.
This is complimented by the second part of Point 28 which says,
The assessment team therefore considers that the accumulation of high risks emanating from the use of complex structures, combined with introduced business, warrants the application of the highest level of enhanced due diligence, which needs to be fully reflected in the bank-specific risk assessments. Concretely, banks should as part of their overall risk policy:
In effect the report here appears to be saying that the nature of Cyprus’s offshore banking system requires the highest levels of anti-money laundering framework and procedures. This is due to the complexity of the company structures used coupled with the ‘introduced’ nature of many of the account holders who are not ultimately known to the banks and where those ‘introducers’ are not adequately regulated.
b) Awareness of AML risks among managers.“In general, bank managements appear conscious of AML/CFT risks and supportive of strong preventive measures, including, where warranted, the rejection of some high risk business and/or closing of existing accounts.”
This is from Point 19. The rest of this point is far from complimentary. In particular with regard to the involvement of the compliance department in taking on new business,
in a significant number of banks it appeared that compliance is involved in these decisions only where there is a query from the relationship manager. The assessment team considers that banks should review their policies and procedures for accepting higher risk customers and, where not already the case, ensure that ML/FT risk issues are taken fully into account. This process should involve the expertise of the compliance function in an enhanced advisory role. Banks should also ensure that their compliance functions are adequately resourced, in particular to facilitate effective ongoing monitoring. It would also be valuable, for the banks’ own risk management purposes, to record rejected business more systematically, with particular emphasis on reasons for rejection.
c) Strong compliance in the identification of customers. “In line with the CBC Directive, banks confirmed that they identify customers in all cases and do not operate anonymous or numbered accounts. For international business, most customers are corporate entities and supporting documentation is obtained to confirm the identification of the customer, the directors and the owners. Although some of these structures are complex and can involve legal entities in two or more jurisdictions, there was a consistency in the responses of the banks that they are required to, and do in practice, identify all relevant parties through all layers of these structures. The assessors did not come upon any examples to suggest lack of understanding or weak compliance on this aspect.”
[This is taken from Point 84 on page 27 of the report. Point 86 seems to cast some doubt on the statement in Point 84 that ‘banks confirmed that they identify customers in all cases,’ vis
However, a few banks indicated that projects to update verification documentation for customers existing at the time of the material upgrading of the Cypriot AML/CFT requirements in 2007/8 were, to some extent, still in progress. The banks concerned informed the assessors that the outstanding work related to retail business and the omissions were mainly technical in nature (e.g. no copy of utility bill, out-of-date identification document) but may also include incomplete customer profile to provide the base line for ongoing due diligence. In general, most of the customer base, including larger, riskier, and corporate customers appeared to have been addressed at this stage. The assessors are not in a position to confirm the extent of the gaps or determine whether they are sufficiently material to undermine the findings of the current exercise.
d) Nothing unique to Cyprus. “A number of individual features of international banking business conducted in/through Cyprus, none of which are unique to Cyprus and many of which can be found in banking systems worldwide.”
This is taken from Point 118 on page 37 of the report. The general conclusion of this point is that,
‘In general, and based on detailed interviews with the banks rather than direct checking by the assessors, the implementation of CDD measures in relation to these risks was seen to be proportionate to the individual risks, with a possible exception in the case of one bank.’
But Point 119 raises a ‘residual concern’. This again goes back to the accumulation of risks in the offshore, complex structure, and introduced character of many account holders in the Cypriot banking world.
Point 20 states that,
In seeking to mitigate the risks it is best practice for a bank to have determined in advance its risk appetite for such complexity and to have set predefined limits for business acceptance.
Out of a report of 76 pages and 163 Points the CBC press release selects text from only 4 points. Only 2 of these are from the Executive Summary. The other two are from pages 27 and 118 of the report.
Considering the above findings as well as the Reports as a whole, there is no reference to or indication of systemic deficiencies. In contrast to the summary paper, the Reports indicate that the standard building blocks are in place, the AML preventive measures and procedures in banks are generally sound, and, generally, the banks have a high level of compliance with the statutory and regulatory requirements, which in some areas are more demanding than EU and international requirements. Some weaknesses are identified in the Reports, but the general picture portrayed is not negative, something that is not reflected in the summary paper.
AML is a challenge for all the international community. There is no perfect system that can guarantee the complete elimination of money laundering risk, as shown in the evaluations of the AML framework of countries in the relevant Moneyval and FATF reports. In addition, it should be stressed that no benchmarking of the Cyprus AML audit results was carried out, as this was a unique, focused and exceptional evaluation procedure not carried out in other countries.
The Cypriot authorities remain fully committed to strengthening any weak areas identified in the Reports