‘No matter how equipped a compliance unit is, it cannot do its job without strong corporate governance’

For ARQ’s recently appointed Head of Risk & Compliance, Martina Scalpello, it does little to have a well-equipped compliance department without an organisation having good corporate governance in place.

While it may seem for some that an increased focus on compliance has taken place overnight, calls for improvements in the way the global economy is run has been mounting for some time. Global events such as the so-called ‘LuxLeaks’ scandal in 2014 and the Panama Papers scandal in 2016 heralded in calls for reform in the way the global network of corporate structures conduct business.

In Europe, increased focus on the combatting of the financing of terrorism, together with events such as those just described, saw the European Union respond by introducing its fourth anti-money laundering (AML) directive in 2015, and an updated fifth directive in 2018.

For Ms Scalpello, who was appointed to the role last November, compliance has been an area close to her heart for some time. Prior to joining ARQ several years ago, she worked with the Financial Intelligence Analysis Unit (FIAU), conducting AML/CFT reviews and inspections on other related projects.

At a time when Malta’s FIAU has significantly beefed up monitoring and enforcement, her expertise in AML/CFT audits, gap analyses, training and enterprise risk assessments for financial institutions and gaming operators leaves her well placed to meet the challenges of this intensified regulatory environment.

In 2020, the FIAU had a record-breaking year for the imposition of published fines on subject persons. Penalties have ranged from €50,000 to over €1 million, imposed on notary publics, credit institutions, investment services firms and the remote gaming sector.

But the FIAU did not step up its enforcement this year alone.

Back in 2018, 70 administrative fines were levied, 60 of which related to the non-submission of annual compliance reports. And, in 2019, €3,932,801 of the total fines levied came from three administrative penalties related to supervisory examination within the financial sector.

“Compliance is vital as it provides credibility to the entity concerned, the sector and the jurisdiction as a whole,” argues Ms Scalpello.

“The consequences of non-compliance can be major – from hefty penalties, reputational damage, loss of important third-party relationships, loss of licence – not to mention it leaves doors and windows open for criminals to launder funds and finance terrorism,” she adds.

With Malta’s regulators stepping up their enforcement, and the Council of Europe’s Moneyval assessment looming based on Malta’s response to a failed review in 2019, it has never been more important for local stakeholders to give compliance the attention it deserves.

While compliance requirements vary from industry to industry, and organization to organization, Ms Scalpello is asked to broadly describe what it takes to properly equip a compliance department in today’s climate.

“No matter how equipped a compliance department is, it cannot do its job unless the organisation has good corporate governance – the tone has to be set at the top,” she says.

“Without strong support from the executive team and the Board of Directors, a compliance department will not succeed.”

Once a good corporate governance structure has been created, Ms Scalpello elaborates, “then all other areas needed to equip a compliance department come naturally – automation, the right level of human resources, a good understanding of the risk exposure of the business, frequent auditing and testing of internal processes and systems and a well-executed training programme”.

Asked about common pitfalls she has seen throughout her career in terms of compliance shortcomings, Ms Scalpello stresses that it depends on the industry, adding, however, that she believes “most struggle with obtaining enough information to be able to build a profile of their clients”.

“Compliance is intrusive,” she says, adding that “to know who your client really is and to monitor their transactions effectively, you need to ask a lot of questions”.

Where is the money coming from? What is the source of wealth? Why is this transaction taking place? Why is the customer requesting a particular service?

These are just some of the questions organisations ranging from banks, credit institutions, gaming companies and beyond are required to ask their clients, and which can often irritate customers.

Another common pitfall, Ms Scalpello points out, is that of skimping on resources. In fact, such a pitfall has been identified to be such an issue, that in September 2020, the FIAU issued a revised version of Part I of the Implementing Procedures, which apart from tightening deadlines for subject persons to pass on suspicious transaction reports, emphasizes the importance of strengthening the resources of Money Laundering Reporting Officers (MLROs) within organisations.

On this front, Ms Scalpello comments that “often a company has drawn up excellent policies and procedures but are unable to implement them fully because they have not employed enough human capital or enough automation”.

“Employees often become unable to keep up and start to cut corners. This is very dangerous especially if senior management is not made aware of this gap.”

Every company who is subject to anti money laundering regulations has to appoint an MLRO.

The main responsibility of this person is to receive reports from employees on information or matters that may give rise to knowledge or suspicion of ML/FT, consider these reports to determine whether knowledge or suspicion of ML/FT subsists and based on this analysis report knowledge or suspicion of ML/FT to the FIAU.

“Often the role is given to somebody who does not have the necessary skills or time to carry out the role effectively. This is another common pitfall,” Ms Scalpello highlights.

She also points towards a lack of understanding in the importance of business risk assessments and customer risk assessments.

“Unless a business properly identifies and evaluates its risk exposure, it will not be in a position to determine where the main gaps are and what measures need to be strengthened to mitigate risk. The same applies to the customer risk assessment – if you don’t know the risks of your customers, you cannot apply the necessary measures to mitigate the risk exposure.”

Despite the risk of administrative fines and reputational damage, Ms Scalpello remarks that it still takes a lot of convincing to get some companies to strengthen their compliance measures.

“Again, it really depends on the industry and the size of operations.”

She says that some companies have not yet fully understood the extent of their obligations, and there remains uncertainty as to how they should be implementing the regulations.

Attitudes and perceptions of compliance have changed drastically throughout the years. From a tick-the-box approach which can far more easily see requirements satisfied, today it is a risk-based approach that reigns.

Ms Scalpello believes that a lack of sectorial guidelines contributes to this uncertainty on the extent of a company’s compliance obligations, adding that this is something the regulator is currently working on.