There has been no lack of Risk, Regulatory and Compliance issues to write about.
Of late, a couple of issues hogging the headlines in this space primarily point to one key generic theme - Know Your Customer (KYC). I would also suggest KYC as Know Your Culture.
The intention of this post is not to rehash what's already known about the Panama Papers, BSI Bank, 1MDB and so on. Instead, using these as a backdrop, I would like to put forth my thoughts on the implications for financial institutions (FIs), non-FIs, senior management and Compliance Departments going forward.
I won't go into the rights or wrongs of setting up offshore entities in Panama. In fact, depending on your definition of offshore jurisdictions or tax havens, there are many other countries and jurisdictions that we are familiar with besides Panama: the Cayman Islands, the British Virgin Islands, Seychelles and Delaware, to name a few.
Closer in Asia, like it or not, some countries on other continents see Singapore, Hong Kong and Labuan as falling into the same category. It is a case of perspective. If it is in one's favour to view and label another country or jurisdiction as offshore and a tax haven (i.e. bad), people will have no qualms doing so.
In respect of transparency amongst countries in the world to tackle tax evasion, although I personally have much hope that the Automatic Exchange of Information (AEOI) framework by the Organisation for Economic Co-operation and Development (OECD) will get us somewhere globally, my only concern is that, given the scale, nature and complexity of the Common Reporting Standard (CRS) regime amongst participating countries, there will invariably still be arbitrage opportunities. Regardless, it is far better than the one-directional FATCA regime that the United States had "forced" upon the rest of the world a couple of years ago.
Interestingly, amongst the 101 jurisdictions that have committed to implement AEOI, 55 have committed to have their first exchange by 2017 and 46 have committed to do so by 2018. For jurisdictions such as BVI, the Cayman Islands, the UK, Germany and so on, the collection of information for year 2016 to be reported in 2017 should have started and be ongoing as we speak.
Singapore, Hong Kong, Panama, Belize, the Cook Islands, Mauritius and the Bahamas fall into the second batch of 46.
Although the Panama Papers cast a big shadow on shades of grey in respect of offshore entities, the trouble FIs and even non-FIs (corporate services providers, accountants and lawyers in particular) normally face is that they hit a brick wall whenever they want to perform KYC on clients that have multiple layers of ownership.
Fundamentally, if there is little interest to even want to find out (ignorance sometimes is not bliss), then clearly, the regulatory issues will brew (unfortunately will not disappear) and eventually come back to haunt the senior management and Compliance in the future.
In my view, Panama is just an unfortunate first victim here.
The Monetary Authority of Singapore (MAS) made it abundantly clear that it has zero tolerance for anyone abusing Singapore's financial system for money laundering and terrorism financing. In its Press Release, it referred to BSI Bank as the "worst case of control lapses and gross misconduct in Singapore financial sector".
Internal control is a nebulous concept. It takes several forms depending on whose perspective it is. If you ask the senior management of an FI, the finger points to the Compliance and Risk Departments. If you ask the Compliance Manager, the onus sits with the front office. If you ask Audit, it is never their responsibility.
MAS terms this the 3 lines of defence in its Guidelines to MAS Notice 626. It cannot be more explicit that the responsibility and accountability to ensure an FI's compliance with its AML rules (and in fact with any other rules and regulations) rest with the FI's board of directors and senior management.
The first line of defence falls within the business units or the customer-facing department responsible for identifying, assessing and controlling risks. The second line of defence refers to the Compliance function that is responsible for on-going monitoring of the firm's compliance with regulatory requirements. Lastly, the third line of defence refers to the firm's internal audit function that is tasked to independently assess and review the overall risk management framework and report to the audit committee etc.
In the case of BSI Bank, the sanctions meted out to its senior management plainly reflect the policy intent - the board of directors and senior management are ultimately responsible.
Senior management of FIs in Singapore can no longer point its fingers at other people to exonerate itself from the accountability and responsibility of ensuring compliance with rules. It may seem rather harsh because one would argue that this is precisely why Compliance Officers are hired in the first place. The key difference here is that whilst senior management can delegate tasks and duties, it cannot delegate accountability and responsibility.
If you genuinely want to run a proper business in Singapore's financial sector, play by the rules. Work with your Compliance Officer. They should be able to advise you accordingly. Treating the Compliance Department as a cost centre is a passé mentality of the 80s. Partnering with the Compliance Department and seeing them as a valuable asset future-proofs your business in the long run.
Simply put, it is just the way it should (will) be. Suck it up even if you don't like it. The evolution of Compliance began more than a decade ago and if you still don't see it, good luck.
For Risk and Compliance people, I am unsure if you heaved a sigh of relief upon hearing the news of BSI Bank (provided you are not part of BSI Bank's Compliance team). It is almost like this is the thing that you've been trying to tell senior management all this while - that if you don't listen to Compliance, that's the consequence you suffer.
No better way to educate than to use a real life example to bring across your point. I am quite certain that any deserving Compliance Officer will be using BSI as a landmark example in many trainings and senior management meetings to come.
It is a powerful tool.
The other important implication for Compliance Officers to think about is this: besides doing what MAS prescribed in the 626 Guidelines referred to above in performing on-going monitoring (detective controls), how can you help the business take more pre-emptive moves (preventive controls) in addressing the ever-increasing risks it faces?
I would advocate that prevention is always better than cure.
Time and time again, regulatory breaches ranging from Barings (segregation of duties), structured products (mis-selling), the penny stocks debacle (market manipulation) and LIBOR/SIBOR (widespread collusion) to BSI (money laundering) point to two key concepts - Bad Conduct and Poor Supervision.
The ability to work with senior management to create a good Compliance Culture throughout the organisation, where each line of defence is very clear about its respective responsibilities and front office people are incentivised to do the right thing (rather than adopting a stick approach), complemented with a forward-looking Compliance Department that can see its role beyond just being a "policeman", is a rather tall order.
A lot of traders and relationship managers are promoted to supervisory roles because they are good at what they do - to trade and to manage relationships with clients. However, this does not automatically transform these people into good supervisors or managers. Perhaps there should be greater scrutiny of people's ability to supervise, understand and take ownership and accountability of risks before someone can be named as "Head of" a business function in an FI or bank.
No one single person or department is able to deal with this on its own. It is a collective effort over time. However, tone from the top is where it should all start. There is a Chinese proverb: "上梁不正，下梁歪", loosely translated as "if the upper beam of a building is not straight, the lower beam will go aslant".