Hong Kong: Universal Banking Soldier

The Money Laundering Compliance Officer in the spotlight.
Last Updated: 29 April 2003
Article by Peter Gallo

Part 1. The Financial Battle Lines

The designation of an appropriate person to be the Money Laundering Compliance Officer (MLCO) in a financial institution is not an altogether new legal requirement, but one that has come under increased focus as Money Laundering and Terrorist Financing assume a new importance.

The reporting element of the MLCO’s role is to receive reports from members of staff of their knowledge or suspicions of money laundering, and, unless he decides that it is not, in fact, suspicious, his responsibility is to pass that information to the relevant authority.

When this post was created, different institutions made the appointment according to different criteria, dependent on such internal variables as their internal understanding of a suitable individual profile or competencies, the availability of suitable staff, and their interpretation of whose bailiwick the work fell in. In terms of the latter, some large organisations took the view that it was related to fraud, and consequently it fell to whoever would be responsible for investigation work, wherever that might be. Others allocated it straight to the security function, others to internal audit departments or to the legal or compliance function. In most cases the positioning decision would have been made, or at least strongly influenced, by pre-existing departmental responsibilities. Whatever else may have happened, it is rare to find an example of an entirely new department being created or where the duties of the function were allocated to someone not already busy with other primary responsibilities.

There were no hard and fast rules for how the MLCO had to be selected, and the profile of the person selected was often a reflection of the times and the actual values of the corporate culture.

There was certainly no prohibition against the designated person having any number of other responsibilities, many of which might have had little relevance to the prevention of money laundering.

The position can therefore be found in various functional departments in different organizations, and there is unlikely to be one definitive correct answer as to where it ‘belongs.’. The question is not so much where it should be in terms of left to right on the Organization Chart, as much as it one of top to bottom.

It was, however, originally established as a compliance responsibility; and that meant compliance with the regulations and guidelines as issued by the governing regulatory authorities. There is little to suggest that any thought was ever given to this role having a contribution to make at a strategic level.

Unfortunately, as later events in the UK were to demonstrate, the administrative and reactive nature of the compliance culture proved to be one of its weaknesses. The role of the MLCO was consigned to too junior a level in many organisations, and because the regulatory authorities had their focus elsewhere and did not insist otherwise, in many cases the issue was allowed to slip lower and lower down management’s scale of priorities. There were few prosecutions and little incentive for the matter to be considered at a more senior level. Corporate policy was just to comply, passively, with anything the regulators required.

That, unfortunately, was one of the contributing factors that led to the embarrassment of the Abacha scandal. It is probable that no one really knows for sure exactly how much money Sani Abacha looted from his impoverished country, we only know what was later traced and returned, and that was a lot.

Between them, no fewer than 23 otherwise highly respectable financial institutions in London were found to have handled over US$1.3 Billion connected to Abacha, his family and close associates in Nigeria. If we assume that the money was evenly distributed among those institutions, they would still have handled over US$50 Million each.

Faced with business on this scale, the sad fact is that the institutions involved showed either a naivety that makes a complete mockery of their education or a complete disregard for their legal and moral responsibilities. The Financial Services Authority, although critical of the banks involved, was muted in its condemnation. 15 of the 23 banks were told their anti-money laundering measures were inadequate, so we assume that the remainder did have adequate policies and procedures in place, they just failed to implement them.

The scandal was not so much that it happened, but that the funds were so obviously connected to the President of Nigeria, a notoriously corrupt country where half the population live in abject poverty. Abacha was a military ruler, so without even enquiring as to salary levels in the Nigerian armed forces, the question has to be asked; where did these banks think the money was from?

Did they just assume his wife ran a successful legal practice? Generating over US$50 Million? Perhaps she augmented her income by taking in laundry, or selling cosmetics door to door.

The sad implication remains that the levels of "due diligence" performed was simply inexcusable, replaced by negligence, greed and wilful blindness.

The world has woken up to the question and now wonders why, when the leaders of these African countries have such enormous personal wealth, charities have to raise money for famine relief in their countries. As the legal environment evolves, future Abachas may find the financial community more apprehensive about accepting their wealth.

Smarting from the embarrassment of that case, one of the changes introduced by the newly inaugurated FSA in London was to examine the role of the MLCO. One significant finding was that, all too often, the role was being filled by someone too junior; so one of the most significant changes the FSA introduced was the rule that the person appointed to be the designated compliance officer must be a senior executive who is of sufficient maturity and independence to carry out the role. Additionally, their appointment must be approved by the FSA.

Corporate politics being what they are, it would be naïve to expect that this will insulate and protect the MLCO from operational and business pressures, but the rule was introduced so that senior management cannot abdicate their responsibilities in this area.

There are different aspects to the role. In addition to having a designated compliance officer, an anti-money laundering programme must include policies and procedures at both the prevention and the discovery stages, as well as a staff training programme. In some institutions, the role is largely restricted to the reporting function. The account opening due diligence procedures are left entirely to the marketing or operations staff, with little practical consideration of the money laundering implications, and similarly, the training function is often not considered a compliance responsibility either.

The problem is that no matter how well qualified, how senior and how diligent the MLCO might be, it is patently unreasonable to expect any one individual to keep an entire financial institution free from involvement in money laundering scandals. This would not even be possible with a large compliance department behind him. There are simply never going to be enough compliance personnel to be everywhere at once, looking over the shoulder of every other employee in the organization, policing every transaction.

The only way to build effective defences to keep money laundering out of the organization is for every member of staff, from the lowliest trainee clerk up to the Boardroom, to be alert in conducting their due diligence procedures in the first place, and to be vigilant in handling business on a daily basis. The MLCO cannot do this alone, nor can it be left to the compliance department. There is a need for Policies and Procedures that strike a balance between protecting the institution from exploitation by criminal elements yet do not undeservedly impede the flow of business, and it is of paramount importance that all staff are properly trained to be alert for signs of possibly suspicious transactions.

One of the MLCO’s most important management functions, therefore, should be to act as a catalyst for change in the organization, protecting the institution by raising the general awareness of the threat and fostering an environment where anyone intent on laundering the proceeds of crime is simply deterred and denied access.

The problem remains that some senior management appear to be living in the past, and cling to the old concept that anti-money laundering is just one more minor burden to be shouldered; not unlike the obligation to provide handicapped parking, a smoke-free workplace, RSI breaks or any number of other bureaucratic procedures that must be complied with. In many cases, the implications have not sunk home – that preventing money laundering is now a pre-requisite for staying in business, and the role of the MLCO must evolve with the times.

There is a widespread belief among senior staff throughout the finance industry that they have "enough" compliance already, and although there may be a perfectly understandable reluctance to allocate resources to something that is a cost-centre not a profit-centre, they forget that the price of liberty went up on 11 September 2001.

Although this was certainly not the only factor, it was certainly the most dramatic, and the most public signal that money laundering is being forced higher up the corporate agenda. The drive to identify and freeze terrorist financing may have been the spark that brought about the PATRIOT Act, but the greater effect of the fire will be felt against financial crime and the conventional use and abuse of the international financial system for money laundering.

The effect, not only of the PATRIOT Act, but of the EU Second Directive, the Proceeds of Crime Act and the new unitary regulatory environment under the FSA in the UK, and various other factors that have focused international attention on money laundering, has been to push an increasing burden on to the private sector.

Investigating money laundering is no longer something that can be dismissed as the responsibility of the police. In this brave new world it is the private sector, the financial institutions themselves who are being forced to assume responsibility for their own protection. The previous model was that compliance was a passive issue; the obligation was just that – compliance - meaning to do what we are told by the regulatory authority. The reality, however, is that it has evolved from a passive compliance role to a proactive preventative role; and the MLCO has been pushed forward to stand in the front rank; facing an enemy that is the proceeds of every crime ever motivated by financial gain.

Part 2: Fighting The New Fight

The battle lines drawn, with the gnawing realization that the consequences of losing even one battle might prove terminal, the MLCO’s orders are simple; he has to protect and defend against the infiltration of a subversive threat.

There is widespread consensus that money laundering is a terrible blight on the international finance industry and that terrorist financing is a scourge to be eradicated, and in the current climate, it would be a foolhardy man who said otherwise. Talk, of course, is cheap. The real question is how seriously committed the financial industry really is, and whether or not anyone is prepared to show their commitment to the battle by actually committing resources to it.

It would be helpful, of course, if we knew what the enemy looked like. The problem, unfortunately, is that it is a compulsive and dynamic shape-shifter that could be disguised in any ostensibly legitimate account or transaction. Money Launderers cannot and should not be thought of as stereotypes; they come in all shapes and sizes, of every creed and colour, from every walk of life. At the higher and most profitable levels of criminal endeavour, where sophisticated schemes will be utilised, sophisticated and highly educated professionals will invariably be involved. The traditional tick-the-box clerical approach, therefore, may leave gaps in the barbed wire wide enough to march an entire Colombian drug cartel through in parade order to the accompaniment of a Mariachi band.

All organizations depend on rules, of course, and it is one of the most important Compliance functions to assess the risks pertaining to different activities, and to devise and implement operating procedures so that staff understand their responsibilities and remain alert to potentially suspicious behaviour. Those rules and regulations are fundamentally important, and they provide the foundation on which the MLCO can do his job.

From the criminal law perspective, the MLCO’s primary concern must be the company’s system for receiving reports of suspicious transactions, and, where necessary, passing that information on to the relevant law enforcement agency.

The amount of work involved in that effort, of course, is connected with the number of suspicious transaction reports generated by staff, and that is dependent on the nature of the bank’s business. Staff training also has a bearing on the diligence with which transactions are scrutinised and staff’s sensitivity to the risk, thus impacting on the number of reports generated.

The paradox, unfortunately, is that the more successful the MLCO is in training staff, the more time will be consumed with Suspicious Transactions Reports (STRs) and hence the less time will be available for him to engage in any other investigation work. These reports will always take priority.

Accordingly, one suggestion is that in addition to the compliance staff engaged to handle STRs, large financial institutions should appoint an additional team of proactive investigators, unburdened with STR duties, specifically to investigate, in depth, potentially suspicious activity within the customer base. This simple but innovative suggestion probably represents the most effective model available to an institution serious about weeding out criminal funds, and defending itself from the associated litigation.

The analogy is that rather than just employing a guard dog, it is also becoming necessary to have a bloodhound, to ‘sniff out’ potentially suspicious activity before the guard dog has seen the intruder or even knows to bark. The role of such an investigation unit would essentially be to supplement the more reactive efforts of their colleagues whose primary concern is the legal duty relating to STRs from staff. The investigation role would be a proactive one, to try to stay one step ahead of whatever money laundering strategies might be encountered, and to look for suspicious activity where it has not yet been identified or reported. This will generate valuable corporate intelligence for the senior Compliance Officer so that the institution might pre-empt any problems by initiating action early.

In smaller or lower risk operations, one person might be able to cover both these roles, but larger and more departmentally structured institutions might consider creating a new position, thus strengthening their existing structure to reflect the increased risk. Whether these two functions should be split will be dependent on a number of factors, not least of which are the size of the operation and the compliance resources available. However it is structured, the underlying principle is that the primarily ‘reactive’ compliance environment must evolve into a more proactive one. That being the case, the skills required in the position are also changing.

The priority is no longer simply to comply with the regulations and guidelines as issued by the governing regulatory authorities, but to take the initiative and identify problems before they arise. That takes the "Know Your Customer" ethic to a new level, and entails a degree of familiarization that might even be considered intrusive, particularly as it is so closely affiliated with the erosion of the traditional concepts of banking secrecy and the right to privacy.

Sincerity is always subject to proof, and information that customers may share about their background and the source of their wealth may not always be totally reliable. It therefore becomes necessary, in certain cases, to conduct discreet enquiries to determine if the institution should have grounds for concern. This cannot be done in every case, but it has become a requirement in the case of individuals or accounts deemed to be high risk.

Many management traditionalists might be inclined to keep such a new activity hidden so as not to risk upsetting sensitive customers. The contrary view, however, would be to give it a very high profile, making the presence of such a department widely known. Cynical as though it may be, one of the advantages of doing is not simply to identify evidence of crime, but to satisfy the regulatory authority! The importance of been seen to be doing all that is reasonably possible to defend against money laundering cannot be under-estimated, not just in order to keep the regulators at bay but to establish a defence for the inevitability of the legal challenge.

Reference was made above to how the anti-money laundering function can be found in different institutions departments of different institutions; ranging from Security to Internal Audit to Legal, but when recruiting for the position from external candidates, many institutions naturally looked to the ranks of ex-policemen.

The rationale for such appointments was usually related to the candidate’s knowledge of who the local criminal fraternity actually were, and their personal relationships with former colleagues still on the Force. In reality, however, these attributes come with a relatively short shelf life, and life in the private sector often calls for a different set of investigative skills, where the lack of executive authority entails more emphasis on analysis rather than criminal investigation skills, or interviewing technique. More important than an encyclopaedic knowledge of the local villains is an understanding of the dynamic nature of the money laundering risk, with the ability to analyze financial products for their potential vulnerabilities.

It is a rare banker whose career has been built on seeing vulnerability as quickly as others see opportunity. Where such individuals have the mental dexterity to assemble a multi-dimensional jigsaw pieces in his head, it should be rarer still, we hope, that one would have the thought processes, not so much of a Sherlock Holmes as that of his arch-rival, the criminal Professor Moriarty.

Unfortunately for the HR Department, these rare animals are now needed.

In addition to these qualifications, the greater challenge is in the implementation of counter-measures, and advising on anti-money laundering measures which are effective, but do not interfere with the primary role of the organisation, which is to do business and make money.

The problem with the anti-money laundering function in any financial institution, unfortunately, is that it is counter-profitable if not actually counter-productive. In an expansion-minded organisation whose stock-in trade is money, the movement of money and finding profitable investments for money, the corporate culture has to promote business expansion and the accumulation of more money to manage.

Against that, the anti-money laundering effort demands that somebody stand in the face of this, and, in the worst case, draw a line in the sand and forbid certain transactions. This calls for one of two things, therefore, either such seniority that he can neither be easily intimidated nor over-ruled in a confrontation, or considerable strength of character, with the moral fibre and thick-skinned tenacity of an alligator who would rather be right than President.

Much of the job should involve being a strategic advisor to senior management, nurturing and shaping the operations of the organisation, and steering them away from potential problem areas. However, when push comes to shove, although the Chief Executive should have enough savvy and faith not to get into such a drama in the first place, when the MLCO squares off against him in a Mexican Stand-off, with guns drawn at twenty paces; the Compliance Officer’s job is to protect the institution, from itself if necessary - he cannot be the one to flinch.

In almost any other situations, this would be absolute and certain career suicide. Even to contemplate the prospect might be signs of certifiable madness, but there is method in this particular strain of madness. The reporting element of the MLCO’s role involves receiving reports from staff and passing that information on in the form of a Suspicious Transaction Report. Of course, if the staff’s concerns are deemed to be unfounded, no further action is necessary, but if it transpires that the activity was, indeed, related to the proceeds of crime, but that no report was made to the authorities - either through error or negligence - the liability for the oversight rests on the shoulders on the MLCO. ‘Failing to report’ is a criminal offence. In Hong Kong it is punishable with a HK$500,000 fine and a three month prison sentence.

Moreover, in the UK, in addition to the ultimate threat of criminal prosecution, failure to perform these duties adequately can now lead to disciplinary procedures and personal fines being imposed by the FSA.

Admittedly, convictions for ‘failing to report’ may be notoriously difficult to obtain, but law enforcement authorities are only too well aware of two simple facts. The first is that they cannot investigate or prosecute serious criminal conspiracies or complex financial crimes without the support and co-operation of the financial community. The second is that unless and until senior executives and board members of major financial institutions appreciate the gravity of this obligation, and the real risk that they themselves might face a stiff sentence on money laundering charges, there is little incentive for real change.

Without such a threat over them, the financial community can be relied upon to resist each and every meaningful increase in their compliance duties.

In all wars, much depends on the vigilance of the soldier on sentry duty. The war against Money Laundering and Terrorist Financing is no different, but the sentry is no longer the man in uniform, armed with a rifle and bayonet, the role has been passed to every member of staff who is involved with a financial institutions customers and their business. It is a collective responsibility.

Staff must be trained to be mindful of the risk and they must be encouraged to report any suspicions they may have, because a policy of "Don’t ask, don’t tell" is a recipe for certain disaster for senior management and for the institutions itself.

The MLCO himself has an ‘HQ job.’ He does not interact with customers in the normal course of business so it is unlikely that he will be the one in the front line position who first flags a potentially suspicious transaction. He will, however, be the one person standing in front of the Chief Executive if the institution fails in its responsibilities in this area and the Firing Squad is assembled. His incentive should be to make sure that that day never comes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Mondaq Advice Centre (MACs)
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.