Covid-19 is here to stay, and with it a change in the way that we work. Driven by policy decisions by health authorities or employers, or by the preferences of individuals, we need to recognise that the Working From Home ("WFH") revolution promised for so long may well be with us, whether we are ready or not, and that with it has arrived a further layer of complication to the assessment of risk on either side of the corporate or employee divide.
Whether or not this has fully sunk in, the Channel Islands regulators and international standards setters have certainly grasped it. At the international level, bodies such as the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism ("Moneyval") and the Financial Action Task Force ("FATF") are also publishing guidance in light of the increased risks facing business. In particular, on 2 September 2020, Moneyval published a report on money laundering ("ML") and terrorism financing ("TF") trends during the Covid-19 crisis in Moneyval jurisdictions.
WFH staff and the impact on controls
Throughout the communications from the global standard setters runs a theme that relaxation of controls and a distracted workforce are leaving the door open for an increase in crime. They acknowledge that policy-making at the national and international level may also suffer as a consequence of those bodies dealing with Covid-19.
It is clear by now that the increase in the number of staff at all levels who are WFH increases the risks to businesses. These increased risks include:
- Impersonation fraud, exploiting the fact that people may no longer be in the same physical location
- Cyber attacks, in particular those looking to attack weaknesses in WFH systems
- Data risks, including data breaches and loss of confidential information through inadvertent disclosure or employees printing or storing documents at home. There can be particular problems if employees are dismissed or made redundant and have had access to confidential information or personal data when WFH and are able to retain this
- Internal fraud due to pressure on staff to achieve targets and relaxation of controls
- Issues arising from a business's inability to monitor the application of its internal policies and procedures
With Channel Islands regulators themselves expecting to be inspected by Moneyval, regulated businesses should tune into the mood music on financial crime and whether the relaxation of controls to enable WFH, easier client take-on or the facilitation of staff absence and leave is opening that business up to criticism. If the regulator is being inspected, don't expect it to be soft on breaches.
Regulatory Trends & Themes
The themes that are particularly relevant to regulated businesses and which run through the Moneyval report, the Financial Action Task Force Information Notes and the GFSC's and JFSC's guidance are around an uptick in fraud, corruption and cybercrime due to Covid-19.
The FATF had already arrived at the conclusion by May 2020 that the threats and vulnerabilities from Covid-19 "represent emerging ML and TF risks. Such risks could result in: Criminals finding ways to bypass customer due diligence measures; increased misuse of online financial services and virtual assets to move and conceal illicit funds".
In the same paper they identified increased threats for ML: "Governments, businesses and individuals are increasingly turning to online systems to enable remote work. Individuals under "lockdown" (or other movement restriction measures) are also increasingly turning to online platforms for social interaction" and "Criminals finding ways to bypass CDD measures by exploiting temporary challenges in internal controls caused by remote working situations, in order to conceal and launder funds".
Moneyval has seen that despite the economic downturn, illicit financial flows continue to run. Criminals seeking to exploit temporary weakness in AML/CTF controls of financial institutions with significant numbers of staff working from home have increased the exposure to risk of fraud.
In the May 2020 paper the FATF counselled the supervisory bodies to encourage full use of a risk-based approach to CDD and address practical issues. Some supervisors have put in place some of the following measures in relation to CDD:
- Applying simplified due diligence measures where lower risks are identified
- Providing guidance that there may be legitimate reasons for customers not providing information for ongoing due diligence or 'know-your-customer (KYC) refreshers' (e.g., if they are confined, under quarantine or ill)
- Allowing reporting entities to accept recently expired government-issued identification until further notice in order to verify the identity of an individual
- Considering the application of delayed verification provisions for new business relationships in line with the FATF Standards
- Encouraging the use of responsible digital identity and other responsible innovative solutions for identifying customers at onboarding and while conducting transactions
The FATF has already staked out the ground on using Digital ID to help bridge the gap.
In their May 2020 paper under "Potential AML/CFT Responses" they note: "Encouraging the use of responsible digital identity and other responsible innovative solutions for identifying customers at onboarding and while conducting transactions" and they refer to their own paper in March 2020 on Digital ID stating that "non-face-to-face onboarding and transactions conducted using trustworthy digital ID are not necessarily high-risk and can be standard or even lower-risk".
To facilitate the smooth processing of applications, some supervisors have approved simplified due diligence measures (including for customer verification) for transactions under government assistance programs as such programs are assessed to present lower risks. They include obligations for regulated entities to put in place mitigation measures, such as ongoing due diligence and to review CDD if other risks are later detected.
Stick to the FATF Standards
The regulators and standard setters are also flagging that for them, as well as regulated businesses, sustaining regulatory evolution and innovation, i.e. keeping up with the criminals, will be a challenge.
In their report Moneyval emphasised the need for compliance with the FATF Standards and how it is important to enhance vigilance in the light of the COVID-19 crisis. Jersey and Guernsey (and all other countries) are strongly encouraged to continue to fully apply the FATF Standards. Any exemptions or simplified measures that the JFSC or GFSC, as a regulator, applies to expedite processing of payments and boost the economy may be challenged by its own regulator and will need to be properly justified and supported by a risk analysis.
It is clear that whilst the regulators and supervisory bodies are making sympathetic noises about the position that businesses find themselves in, they are also clearly signalling the risk that WFH poses to the established processes and procedures which are critical to maintaining an effective control environment for CDD that properly identifies AML and TF risk.
In response to the (possibly permanent) increase in WFH, a regulated business should as a priority:
- Review its employee WFH policy to ensure it is comprehensive and meshes with its AML and CDD policies and wider staff policies (such as data protection and IT security). If it doesn't have a WFH policy for staff then putting one in place is an urgent priority
- Review and adjust its risk-based matrices, placing sufficient emphasis on emerging risks and trends due to the pandemic, such as new clients accepted during the lockdown or remote operations, and be able to justify them as proportionate and, of course, properly documented and communicated
- Review and update the policy body including any compliance policies, risk appetite statements, counterparties' risk confirmations and contracts with suppliers whose staff may be WFH
- Communicate these updates and expectations to staff. Not only will this help head off issues but will also make it easier for the business to deal with employee malpractice and demonstrate to the regulator that it is actively doing so
- Remind staff of the above risks, in particular from cyber fraud and refresh employee training on these areas
- Remind staff of their data protection and confidentiality obligations and restrict, where appropriate, the ability to print documents or save them outside of the IT systems
- Review employee monitoring arrangements. Monitoring is lawful provided that it is undertaken appropriately and (in nearly all cases) that the employees know it is being undertaken
- Engage fully with appraisals or performance management meetings to ensure that employees are actively following good practice. Where employees are not doing so then the business should be clear that, no matter how great the individual's performance is in other areas, non-compliance or carelessness will not be overlooked nor rewarded
- Review the support for successful WFH set up. Does the IT infrastructure need an upgrade? Does HR need additional support to ensure proper performance by staff? Are there increased or different training needs for staff?
Unlocking a true WFH capability and keeping your AML processes in step whilst communicating sympathetically yet firmly to an anxious workforce is part of the 2021 balancing act.