How did FIUs come to be and what are they?
Creating and establishing an effective framework to fight against money laundering and terrorism financing is challenging, and it became even so in modern times. When starting to develop their modern anti-money laundering strategies around the mid-1980s, countries came across a serious deficiency: law-enforcement agencies had limited access to relevant financial information, which makes it a lot more difficult to show results. They realized that with the implementation of a system that required disclosures of suspicious transactions and activities by obliged entities (financial institutions), they have created the need for a central state authority that could process such disclosures and reports. They needed to enable a connection between the private sector (the financial market) and those enforcing criminal legislation. That is how Financial Intelligence Units (FIUs) came to be. The first FIUs were established in the early 1990s.
The core function of an FIU is to receive, analyse and transmit reports of suspicious transactions identified and filed by the private sector: the financial institutions and all other obliged entities. The added value here is that FIUs have – or should have – access to a broad range of other financial information in addition to those contained in the reports, and they can use these to better assess the information on suspicions handed over to them.
In addition to this function, they may have additional powers, such as issuance of guidance and provision of training of AML/CTF matters, supervisory functions, coordinating national initiatives at policy level, as long as these powers do not interfere with their main functions.
To those further interested in the different types of FIUs and their roles, we recommend this publication of the World Bank Group on the Role of the Financial Intelligence Unit.
Even though FIUs are supposed to be one of the most important actors within the framework established worldwide to fight against money laundering and financing of terrorism, practice shows that there are still serious deficiencies and dysfunctionalities among these entities worldwide and within the EU, that make for a less effective system.
A key component in the functioning of FIUs is their ability – and in particular cases, obligation – to cooperate with other FIUs outside their jurisdiction. This cooperation is becoming increasingly important with the growing cross-border networks of criminals and globalisation of crime. One of the tools of this international cooperation is the Egmont Group of Financial Intelligence Units. It was established in 1995 in order to enhance the exchange of information between different jurisdictions, and their aim is to ensure that all of the FIUs comply with a number of key standards for the purposes of enabling maximum cooperation. For these communication purposes, they have put together the Egmont Secure Web, through which the members of the Group can safely exchange information.
However, the international cooperation is still facing problems. For example, according to the report of the FIU of Trinidad and Tobago, their practice showed that some of the major challenges they face in the area are that (a) a big number of requests they have received are too widely drafted and lack specificity so they could be regarded “fishing”, (b) the fact that a lot of responses depend on information sourced from other authorities, etc., that they do not directly have access to, which delays response time, and (c) that a number of FIUs do not use secure email platforms which could compromise information integrity.
Solving these international problems and creating a widely effective international strategy and closer communication is a huge challenge the global community is working on, but it is a very long road still, and even if it is possible, first, we shall focus on the local: the EU system itself has its problems, and even within each separate Member State there are serious deficiencies. After fixing these, we can think about fixing the rest.
FIUs in the EU
The main Anti-Money Laundering legislation within the EU, the AMLD5 (and its predecessor, the AMLD4) provide the EU-wide framework for the FIUs. The Directive makes it an obligation for Member States to establish FIUs within their jurisdiction. The main tasks of the FIUs within the EU is the same as everywhere: to receive and analyses suspicious transaction reports and information relevant for combatting money laundering and financing of terrorism, distribute the results of their analysis and other information to the national competent authorities and other FIUs. However, the Directive goes beyond the international standards and sets out specific obligations and closer cooperation within the EU. The close cooperation is even more important than on the international level, because of the single market that provides for easier cross-border transactions.
This means, that one could argue, FIUs within the EU have an even more important key position compared to the worldwide picture, and their cooperation is all the more crucial in fighting money laundering. At least it would be, especially considering that according to Europol, as much as 0.7-1.28% of the EU’s annual GDP is ‘detected as being involved in suspect financial activity‘.
The EU has even established a secure information system connecting decentralised databases and allowing FIUs to exchange information, called FIU.net. In 2016, it has been embedded into Europol, in order to ensure stability and regular funding for FIU.net, therefore FIUs within the EU now have the opportunity for enhanced information exchange between them and Europol.
To sum up the system, its main element is the cooperation and exchange of information between different entities:
- between the obliged market actors (financial institutions such as banks) and their respective local FIU,
- between FIUs and other public authorities such as law enforcement authorities or tax authorities, and
- between FIUs in different member states.
At least that is how it’s supposed to work, but in reality, reports, such as the Report from the Commission to the European Parliament and the Council assessing the framework for cooperation between financial intelligence units and other events show problems and deficiencies on all levels of this framework.
The problems on a local level: FIUs
A huge issue is that a lot of FIUs from Member States are dangerously understaffed, despite the fact that the workload is getting bigger and bigger with the increasing categories of obliged entities (e.g. cryptocurrency exchanges only became subject to the anti-money laundering rules with AMLD5 on an EU level). This causes delays in processing the information and acting on the matter, due to which a lot of crimes go undealt with, and terrorist are slabbing through the cracks.
An article by Jan Keuchel shed light upon some serious deficiencies within the German FIU. At the time, the FIU worked with only 101 full-time employees out of which only two had law enforcement background. Therefore, even if they could process the information and tips in time, once their reports reached the police, they had to be processed all over again from their perspective. But the truth is, they couldn’t even process the information in time: it took months, sometimes as much as six months for the reports to reach the police officers’ desks. In that timeframe crimes like money laundering and especially terrorist financing can cause serious troubles, therefore this whole situation means sever danger to security. And even more so, if one considers that a particular list of people suspected of such crimes, arriving from a bank, through the FIU, to the police, included a member of Al Qaeda. That list took six months to arrive to the police. Now I believe no explanation is needed as to why this is unsettling. A possible way to eliminate at least the process delay that causes problems in this particular case could be to set up the FIU within the national police. While AMLD5 instructs the Member States to set up operationally independent FIUs, and specifies their major tasks, it is up to the Member States to decide the actual structure. Setting up the FIU as an independent police department, such as Sweden did, could be a solution. To those interested in more detail in this German case, I recommend reading the article.
A general issue, according to the Commission’s report is that a number of FIUs maintain paper-based working procedures, which slows down the process and by adding unnecessary difficulties to it, makes it a lot less effective and efficient – especially considering the high volume of reports incoming. Now this is only topped by the fact that only very few FIUs use standardised templates for reporting, and even if they do, they are most likely focusing on banks, and do not fit for reports from other obliged entities. However, at least something is being done about this: The EU FIUs’ Platform is working on a project with Europol with the goal to develop a common template for these reports to be used on a uniform basis throughout the EU. A uniform template would facilitate reporting by obliged entities and the dissemination of reports from one FIU to another.
Speaking from experience, we can also state that sometimes it is the lack of knowledge on different technologies that causes delays and essentially unprocessed reports by FIUs. A number of Member States implemented some parts of AMLD5 early, including the introduction of cryptocurrency exchanges under the scope of anti-money laundering legislation. This was valuable progress, however, what these Member States neglected to do in most cases is preparing FIUs staff for processing reports from these market actors. If one has no knowledge on the general processes which these companies use, on the functioning of blockchain, Chainanalysis or the nature of cryptocurrencies in general, reports from these companies cannot be processed efficiently. This causes real-life problems where the lack of feedback in merit from the FIU means the company is stuck with a frozen transaction and in a situation that endangers the business operations.
The problems on local level: the obliged entities
The blame is not entirely on the FIUs however: in a lot of cases, it is the obliged entities that are at fault. There are failures by credit institutions to comply with core requirements such as risk assessment, customer due diligence, and of course, reporting suspicious transactions to their respective FIU.
An enormous issue is the speed – or rather slowness – of supervisors within credit institutions to raise the alert about risks. The European Commission in their Communication titled Towards better implementation of the EU’s anti-money laundering and countering the financing of terrorism framework points out that “in a number of other cases, supervisors only intervened after significant risks had materialised or in the face of repeated compliance and governance failures.” Even though the goal would be to pre-emptively identify shortcomings, minimalize the risks, detect suspicious transactions, report to the FIU, this does not happen in a lot of cases. A series of oversights and inadequate procedures were what caused one of the biggest money laundering scandals in European history, where over €200bn of suspicious transactions originating from Russia, former Soviet states and elsewhere flowed through Danske Bank’s Estonian branch non-resident portfolio.
The situation is even worse with smaller entities and even more so with relatively new services. Complying with all AML obligations and detecting risks requires a very special set of skills and knowledge. Smaller entities may not have access to people on the market in possession of these and even if they try their best, without a trained employee, consultant or advisor, it is extremely difficult to navigate. Business with relatively new services, such as those dealing with cryptocurrencies also face the obstacle of lack of guidance by authorities. In a lot of cases, the general AML obligations cannot be applied to these entities the same way they are applied to banks for example, but there are usually not enough information available for these businesses to help them with their compliance. The different approaches of different countries to the mere existence of cryptocurrencies does not make it easier either.
The problems on an EU level
On an EU level, the main form of cooperation is the exchange of information between the FIUs of different Member States. This seems easy and logical, however, even this does not work completely.
In the event of a case of cross-border nature, FIUs need to transmit the relevant information to the relevant Member State’s FIU. This disclosure is compulsory and depends on the objective criteria that the information received concerns such Member state. No other evaluations are necessary or permitted, the information needs to be transmitted. However, according to the Commission’s report, there has been a very low number of cross-border reports counting from June 2017, since the date the obligation has been in force. It states that “apart from one Member State, there has not been any substantial increase in the volume of cross-border reports by the FIUs to their counterparts since June 2017.” Considering the high number of local reports and the nature of anti-money laundering, it seems impossible that there had been such a low number of cases with cross-border relevance.
Another problem is the timeliness of responses in FIU-to-FIU cooperation. In several cases the delays in receiving information from foreign FIUs could have an impact on the effectiveness of an investigation and law enforcement actions. However, according to the report, this issue is decreasing and the timeframe of one month that is recommended by the Egmont Group is kept, and in most cases, it is even shorter.
The background of the lack of exchange of information and transmitted reports is not only the overworked and understaffed nature of FIUs. It is also the recent troubles with FIU.net. The platform is supposed to be the main channel of these exchanges and primary tool of communication. This is indisputably more difficult when the system doesn’t actually work reliable: it is experiencing recurrent technical difficulties, and according to the Commission’s report, needs to be upgraded. Therefore, FIUs are turning to Egmont Secure Web even for intra-EU exchanges, due to the technical difficulties relating to the functioning of FIU.net.
What’s to come?
We see that a lot of the problems are not unknown to the Member States and the highest decision-making entities in the EU. The good news is that there are also discussions on how to potentially fix these problems. The mentioned Commission Report mentions a few, such as the possibility of a single contact point for the reports by obliged entities to the FIU.
The European Parliament however, went even one step further. In its resolution of 26 March 2019 on financial crimes, tax evasion and tax avoidance, it called on the Commission to consider the establishment of an EU FIU. This could centralize investigation and coordination in cases of cross-border nature and make the framework a lot more effective.
While such EU FIU is not in the make yet, at least the tendency shows that the EU has recognized the deficiencies and is working on ways to fix them. We can only hope that Member States are doing the same within their own competence.