Secure Financial World

AML Supervision, Compliance and Effectiveness

Plus TI Marketing Season 7 Episode 3

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 33:50
SPEAKER_00

Risk is evolving, fraud is innovating, and security cannot be left behind. This is Secure Financial World, your podcast on cybersecurity, fraud, AML, FinTech, and risk management. In every episode, you'll find clear insights, real trends, and essential tools to protect the financial ecosystem. Join us and transform challenges into opportunity.

SPEAKER_01

The fifth round of evaluations by the Financial Action Task Force, or FATF as it's commonly known by its acronym, is now underway. This is not merely a technical exercise, one that is exclusively reserved for regulators, but rather a pivotal moment that will redefine how countries and their financial institutions demonstrate that their systems genuinely prevent money laundering, the financing of terrorism, and the proliferation of weapons of mass destruction. At this stage, the focus shifts from technical compliance to results. Clear evidence that risks are understood, alerts become actionable intelligence, and the financial system isn't being used by criminal networks to legitimize funds or worse, finance illicit activities. For obligated entities, this implies a profound change. The assessment will no longer be solely concentrated on regulations, manuals, or formal organizational structures, but on something much more tangible, demonstrating that the system truly works, that it generates a real impact, and that it contributes to protecting our society. To a great extent, this country assessment will reflect the quality of the private sector's work and its level of coordination with the regulator. So, welcome to Secure Financial World, based on S the PlusTip Podcast. I'm Juan José Rios. In this episode, we'll discuss in truly clear and practical terms what the FATF expects, how it impacts institutions, and what opportunities it opens to strengthen processes, reputation, and compliance culture. Now, pay attention. If you are part of the financial system or are interested in its integrity, this dialogue will help you to understand why your work is so crucial and how it can make a real difference. For this conversation, I am very pleased to be joined by two distinguished experts. Joining us from Colombia, we have Juan Pablo Rodriguez, who is the president and CEO of RICS Management. And he is the author of the acclaimed book Compliance, Asset Laundering and Corruption, now in its second edition. He has also participated as an international speaker and in various internationally recognized podcasts. And Raul, Raúl Castellanos, AML product manager at PLUSTIP. Both welcome. Thank you for joining us.

SPEAKER_02

Hello, Juan José. It's a great pleasure to share a podcast with you once again, and on this occasion to have the company of Juan Pablo Rodriguez, an extraordinary friend with whom we have known each other for quite a few years.

SPEAKER_04

Juan Jose, thank you very much for the invitation. It's a pleasure to be with you all here on the Plus Tip Podcast, especially accompanied by my good friend and distinguished colleague Raúl Castellanos. We invite you then to review the work, which is now in its second edition, the book Compliance, Asset Laundering and Corruption. And on the other hand, we encourage you to check out the podcast with Adidas, where we discuss football and compliance, especially in this FIFA 2026 World Cup year. You'll find a simple, entertaining, and engaging explanation on how to combat organized crime by drawing analogies with football. So I'm very happy to be with you all. Thank you very much.

SPEAKER_01

Very well. Juan Pablo, that analogy with football is truly very interesting. We'll see who ends up being the world champion in the end. Alright. Juan Pablo and Raúl Sonas, are you both ready? Samocendone. Juan Pablo Sonas, I'd like to begin with you. When we discuss compliance, many organizations still perceive it as simply the ability to respond to regulatory requirements. However, the international conversation is already placing its main emphasis on effectiveness as the primary focus. So I want to ask you, Juan Pablo, what is truly required for obligated entities to transition from mere legal compliance to actual effectiveness?

SPEAKER_04

That's a very good question, Juan Jose. Thank you very much. It's not just for the obligated subjects, but it should be a team effort from the entire ecosystem involved in the fight against organized crime. So let's add to these obligated subjects the supervisory and control entities, the financial intelligence units, the prosecutors' offices or public ministries, as they are known in other countries, the judicial police, and of course the judges. And what is truly necessary to transition from this technical compliance to achieving real effectiveness is a genuine commitment to ensure that the regulation is implemented in a truly rigorous manner. Because even though countries, to offer a simple illustration, have formally codified the crime of money laundering, their actual failure in effectiveness is in demonstrating the proper application of such conduct from a criminal law perspective. What this means is that even though it's clearly defined and criminalized by law, we don't have any statistical data available to show the actual enforcement of this rule through guilty verdicts for that particular crime. So to bring both scenarios together, there is a need for commitment, there is a need for teamwork, and perhaps a review of whether the regulation is in line with international standards. And if I may use assimile, we can say that technical compliance represents the blueprints for a house or a building. Effectiveness, however, is more about demonstrating whether those blueprints, when brought into the real world during the actual construction of that house or building, truly achieved their intended purpose. That will allow us, in our particular case, to be much more rigorous in the fight against organized crime.

SPEAKER_01

In that sense, I want to ask you if the effectiveness truly lies in sanctions or, on the contrary, in the prevention of money laundering risks. However, we also need to consider the financing of terrorism and the financing of the proliferation of weapons of mass destruction.

SPEAKER_04

Yes. For this, it's important to consider a more comprehensive response. No, Juan Jose, we're not talking about a binary model here, meaning it's not simply one or the other, black or white. On the contrary, it's complementary. That means that while effectiveness can be, on one hand, demonstrated with statistics, whether criminal convictions for money laundering, for terrorism financing, and in cases where it exists, for example, Argentina, Nicaragua, United States, and Canada, the crime of financing the proliferation of weapons of mass destruction, we could see other scenarios of effectiveness by increasing the catalogue of obligated entities. That is also a very uh positive instrument because we are bringing more actors onto the same platform so that they can protect the economy and also protect the nations. And on the other hand, this is an opinion that only uh commits me. But I also believe that effectiveness cannot be viewed from the negative perspective of sanction, condemnation, or a fine to a financial entity or obliged subject. But also its effectiveness can be demonstrated through a rigorous application of the regulations and perhaps the non-imposition of criminal sanctions or the non-imposition of fines on financial institutions or real sector entities as they are known in Colombia, when done appropriately, is indeed a clear indication that organized crime is being effectively contained. So, no, I wouldn't dare tell you it's one or the other, but rather that they should be treated complementarily, and we cannot ignore the influence of technology and new economic developments in a scenario like the VUCA world we live in, volatile, uncertain, complex, and ambiguous. So, Juan Jose, this will not be a static task, but rather a dynamic one, constantly challenging all the participants in the anti-money laundering, anti-terrorism, and weapons of mass destruction proliferation ecosystem every single day.

SPEAKER_01

Consequently, Juan Pablo, this completely redefines, and I want to express it this way, the entire manner in which organizations design their risk management systems because it ceases to be reactive and transforms into an anticipatory approach. Now, the theory truly makes more sense when it's observed in real-world evaluations, you'll agree. Countries that have left us with a valuable lesson, having recently gone through their own evaluation processes, provide significant learnings for those who are next on the calendar. On this note, Juan Pablo, what lessons do the evaluations from Belgium and Malaysia, for example, offer to the countries still on the fifth round's FATF calendar?

SPEAKER_04

So, we'd like to invite Juan Jose and all of our audience to read an article that we prepared in our office together with Camilo Rueda and René Castro, our partners. We set ourselves the task of thoroughly reviewing those first two mutual evaluation documents. And specifically for the case of Belgium, we encountered a very relevant issue within the specific context of that jurisdiction. First, it serves as the primary gateway to the European Union, owing to its strategic geographical position. Second, it functions as a crucial cross-border financial hub. And third, it is widely recognized as the global logistics center as it effectively links Antwerp with Bruges. That's on the positive side. Unfortunately, they are affected and impacted because organized crime well takes advantage of these very conditions. And despite the fact that Belgium has, for example, solid international cooperation, rigorous work from its financial intelligence unit, or that banks have an adequate understanding of the risk of money laundering and terrorist financing. What the report from this jurisdiction reflects is that there is a weak sanctioning regime, and that's where the standard places its emphasis on effectiveness. So is there a sanctioning regime in place? Yes, but if it's too weak, then it won't have the intended deterrent effect, either because the penalties are limited or because there isn't sufficient transparency. And very important issue there isn't very good regulation, and what we do have isn't as strong as one would expect for designated non-financial activities and professions, particularly with two economic activities, notaries and lawyers. So if we speak of notaries and lawyers as gatekeepers, as these archers who are meant to protect society from criminal activities, on the contrary, we discover that they are a crucial part of organized crime. So in this assessment of the Belgium case, what exactly do we encounter? We are faced with a very clear need to significantly improve transparency regarding the ultimate beneficiaries, wouldn't you see? And uh the roadmap to put it in terms of the lessons learned from this report is that we must strengthen supervision and sanctions. We need to intervene more and better in high-risk sectors. And we must guarantee the transparency and reliability of records regarding ultimate beneficial owners to optimize the investigation and prosecution chain. It makes no sense to be generating many good, suspicious activity reports if, in the end, one jose, it's not going to be reflected in convictions for criminal behavior, because that would clearly demonstrate that the system is inefficient. And for Malaysia's case, it's very important that you keep in mind a relevant background story. And here we have a recommendation for you on dirty money. On Netflix, you can watch the episode about 1MDB, which is the most complex recent money laundering scandal in Malaysia, and it is specifically mentioned in the FATIF report. And that report tells us that we are currently facing a two-speed system. This dual-speed system implies that while they might be performing very well in certain specific aspects of the standard, they still have a considerable need to improve in other areas. Returning to our examples, there could be excellent regulation in place, but the actual implementation of it might not be the best. And finally, the shadow of this case leaves some important lessons for the countries of the region so they don't fall into these same errors or encounter such risks. We could frame this discussion in terms of both strengths and opportunities. So to conclude, strengths, performing very well in national risk assessments, strengthening the methodologies, not only with quantitative data but also with qualitative data, achieving very good coordination between authorities and obligated entities at the national level, and moving towards a best practice in terms of what the report refers to as a standardized dictionary of terms. That's very important in evaluations because even if we think about a specific concept, to give an example, weapons of mass destruction, it's assumed that we all know the same thing. If those who are going to be evaluated don't have a conceptual agreement, well, they won't do very well in their interviews with the evaluators. And among the opportunities for improvement, we find the following: we must improve in terms of the classification of cross-border crimes, the execution of the crime of money laundering by third parties, the impact it has on the so-called TBML, trade-based money laundering, or money laundering based on trades, due to what we have already discussed. To work rigorously on financial regulation and ultimately to close the impunity gap. It's not enough to have many investigations if we're going to have few convictions, and that requires rigorous teamwork from all stakeholders in this area.

SPEAKER_01

Hey Juan Pablo, besides all this incredibly interesting information, all of this also puts into perspective that effectiveness is not an abstract concept, but a standard that is already being measured and compared internationally. Up to this point, we've been discussing the overarching framework, the core philosophy, and the methods used to evaluate effectiveness across the entire country. The immediate question that arises is unavoidable. How does all of this translate into practical systems, advanced technology, and tangible concrete evidence within our organizations? To address this, we're now moving on to the operational vision. Alright, Raul, let's really get into the core of the matter now, because ultimately, effectiveness is always measured by its results. So, technology plays a pivotal role. The systems must be able to clearly demonstrate that risk management is producing a real and measurable impact. Now please tell us what are the essential key results that a software solution should provide to the obligated entity, enabling them to demonstrate its effectiveness to their regulator.

SPEAKER_03

That's very interesting, Juan Jose. Indeed, as Juan Pablo so clearly illustrated, we are now moving from the planning stages to actual execution. In general, for the financial sector and for all obligated entities, automated systems have truly ceased to be merely a regulatory component and have instead become a crucial strategic asset. We must understand that regulation needs to keep pace with the economic dynamism of our countries. This way, it can be a tool to foster the continued growth of our economies. In respect, and when it comes to the results, one of the most crucial and significant aspects that must be addressed is the thorough analysis and effective management of institutional risk. The ability to clearly define what the risks are that we face, including emerging risks, and all of this based on the specific business lines offered by various financial institutions, market niches, and customer types. And this must guide us towards dynamic profiling and a comprehensive segmentation of both risks and opportunities from the standpoint of being able to identify those high-value clients with whom we can grow, and on the other hand, to be able to demonstrate to the regulator the outcomes of our management. From that point of view, it's essential to integrate these tools into the company's risk appetite and tolerance as well as the corporate strategy. Therefore, when we speak of the strategic results from an automated system, they should be designed to clearly demonstrate the bank's or the institution's strategy as it is reflected in its execution, how customer risks are being evaluated and how they are being managed, what growth we are achieving in terms of attracting to new generations to participate with us, and by doing so, revitalize the market. In other words, the automated system must be integrated as a management tool to demonstrate regulatory compliance and economic growth.

SPEAKER_01

Thank you, Raul. So beyond just the results, there's essentially a technological architecture that must be put in place to sustain that effectiveness. We're understanding what you're conveying to us, that it's not merely about having tools, but about how they are integrated and operated. And along those lines, I'd like to ask you the following question. What technological components will need to be enabled to manage the results, for example, those expected in the evaluation round for the obligated entity?

SPEAKER_03

This question is very important given the technological era the industry is experiencing. API fication or the interconnection of systems is fundamental nowadays. Therefore, management systems must have easy integration with multiple financial or management platforms, depending on the business line of the obligated entity. In this way, we are able to receive data or share information as we previously mentioned. This involves both receiving crucial data to effectively analyze and define potential risks, and then manage appropriate action plans. Additionally, it means sharing that information so it can be fully utilized within business intelligence repositories, enabling us to monitor and reconfirm our strategic approaches. In that sense, the system needs to be very intuitive, easy to configure, and what we are referring to is that it must be adaptable, adaptable to the type of business, have a strong communication base with other platforms, so that from that information, analysis techniques can be applied. Analytical techniques are today reflected in artificial intelligence, machine learning, generative artificial intelligence, and all these models must incorporate explainability systems to effectively demonstrate to regulators and internally document how artificial intelligence is being applied. All of this documenting cases of investigation, clearly outlining the specific basis upon which a client is being qualified, and most importantly, to also be able to provide feedback to the board of directors of the institutions. So, in conclusion, a system absolutely must possess strong interconnectivity, efficient information processing, effective information management to ensure sound decision making.

SPEAKER_01

Raul, this clearly demonstrates that effectiveness isn't solely dependent on a single isolated system. Instead, it's about a comprehensive, truly technological ecosystem that's fully aligned with effective risk management. And ultimately, all of this needs to be properly supported. The evaluation not only reviews the results, but also the evidence that demonstrates how the management was conducted. And concerning this, what documentation, Raul, and what kind of support should be reflected in an automated management system for financial crime prevention risks.

SPEAKER_03

This is a subject that holds just as much importance as the ones we have been developing. And it's not solely about how we can demonstrate to the regulator exactly what we are accomplishing, but rather how the entire system is actively supporting institutional growth. I wouldn't want to lose sight of the importance of economic growth because obligated entities are not sustained solely by regulation, but rather by having secure management, being able to grow and expand in the market, offering a variety of financial products and ultimately facilitating the overall growth of the economy. From that point of view, the evidence that needs to be demonstrated on the one hand is to have it clearly defined in reports or in dashboards. How is my customer distribution structured? Who among them are considered high risk? With which politically exposed individuals are we Currently engaged. Where do I identify areas of potential opportunity and where are the zones of risk and so on? Therefore, the proper handling of all this information becomes absolutely crucial. From that perspective, being able to obtain copies of the board's approval manits for policies, procedures, decision making criteria, the institutional risk assessment, how our clients' activities are being monitored, and the operational volumes we have by products, by channels, and by jurisdictions. That needs to be clearly reflected in dashboards covering aspects of performance risk or overall management. And of course, this also includes the processing of whistleblowing channels and reports submitted to the regulatory body. In this regard, reports of suspicious transactions must be clearly defined so that the criteria upon which reporting decisions were made can be established, and, as we mentioned, the explainability that arises from artificial intelligence. So to summarize, the effectiveness and the evidence that these automated systems are expected to provide operates in two distinct ways. On the one hand, internally within the institution, the ability to display through dynamic dashboards the risk profiles of our clients, how they are behaving across our channels, what transactions we have in different jurisdictions, and how we are leveraging that information to grow in business opportunities. And on the other hand, the good quality of the report submitted to the regulatory body. It is extremely important that management is well documented, that the criteria upon which decisions were made can be clearly explained, and that this serves the regulator as raw material to analyze and carry out effective supervision. From that point of view, the evidence works in this duality of cooperation, both within the institution and with the regulatory body.

SPEAKER_01

The ability to document, explain, and sustain management becomes a crucial determining factor when dealing with the regulator. To wrap things up, we'd like to hear the conclusions and recommendations from our panel of experts. And we're going to move forward now, specifically with you, Juanpa.

SPEAKER_04

Thank you very much, Juan José. Well, by way of conclusion, the first thing we must state is that the recent report from the Global Organized Crime Index places us in a rather complex situation. It states, and I quote, the global criminal landscape is best understood as an intricate and dynamic network composed of a dense web of illicit activities. This means that we're now living in a world of criminal franchises. They no longer operate in isolated silos. Some are drug traffickers, others are smugglers, and others are involved in human trafficking. What we have to take is a criminal convergence, and this situation must be addressed by the responsible authorities. On the other hand, we must state that there is a significant gap between the investigation and the subsequent conviction in the cases we have previously mentioned. It is crucial to place a much greater emphasis on the relationship with virtual asset service providers and indeed with the entire cryptocurrency world, which has by now progressed at truly enormous speeds. We need to improve transparency regarding the information of the ultimate beneficial owner. And on that point, I must emphasize that it truly requires a great deal of political will and a strong sense of corporate responsibility to accurately provide the details of the natural persons who are ultimately behind any given legal structure. Without this crucial information, it simply won't be possible to conduct thorough and effective due diligence. Fourthly, the impact that high-profile cases have within evaluations, as was already seen with 1MDB in the case of Malaysia. And as a fifth conclusion, sanctions must fulfill that deterrent effect. If they don't, then despite our desire for effectiveness, we will remain stuck in mere technical compliance. And to put it in very, very simple terms, I could ask the audience, tell us who here has a partner. That is a question that goes down the path of technical compliance. But the second question would be tell us who is truly happy with their partner. That is the question that resolves effectiveness. So, I can certainly have anti-money laundering models. The question is whether the risk matrix, the manual, and the technology tool are truly fulfilling their intended effect. And regarding recommendations, allow me to share six very relevant points with you. The first is to prioritize effectiveness over mere paperwork. It's not enough to simply possess the manuals. We must ensure that what they state is actually implemented and complied with. Secondly, it is crucial to ensure that there are adequate resources, and this demands that the fight against organized crime be a priority for companies, public entities, and nonprofit organizations. In the third place, as we had already mentioned, it would be ideal to work on single registers of ultimate beneficial owners that compliance officers can access because it makes no sense, as we already experienced with PEPS, to demand a list that the state has already compiled and deny access to those obligated because we are repeating the task and that probably won't send a positive message to those subject to this control. On one hand, public officials and on the other, business owners. Fourth, strengthen international cooperation. Here, the Egmont group gains vital importance, which brings together all financial intelligence units, the use of technology in many scenarios and the world of supervision, Juan Jose is no exception. That's why we've already discussed the subtech world. We had previously covered the reg tech sector, and we began this entire discussion with FinTech. And lastly, a key message that this new country evaluation methodology provides us with are the key recommended actions, known by their acronym in English, KRA. We are no longer operating with very long time frames for a country to change, reformulate, or adopt new regulations to meet FATF requirements. The time frames are now shorter and much more expedited. So there's no longer any legislative excuse to claim it's this Congress, it's this assembly, it's these deputies, it's these congressmen who haven't reached an agreement. And I'll finish by saying this. And not that the government within a certain political or economic dynamic might propose legislative initiatives and then we change leaders, and all that effort is lost because that wouldn't matter to the International Financial Action Task Force. And on the contrary, it would very much affect this jurisdiction. So the final message is working as a team, uh working with humility and without vanity. We need both public and private sectors, all the actors within the ecosystem dedicated to combating organized crime, to work together on the same side. And to conclude with some football analogies, let's not be caught off sight, right? Let's not be given a red card. We all need to follow the rules so that hopefully we can win this championship in the fight against organized crime.

SPEAKER_01

Yes, be careful with the yellow card. That's quite a challenge, Juan Pablo. Thanks. Alright, finally, let's go to you, Raul. Based on your experience, please share with us what your main recommendations are for this stage of conclusions.

SPEAKER_03

Without a doubt, I believe that leveraging technology is fundamental for this era of globalization we find ourselves in. From the perspective of what the FATEF requires, effectiveness takes precedence over mere technical compliance. From that standpoint, it's crucial to have robust support systems capable of demonstrating how controls effectively detect, mitigate, and report actual risks. And on the other hand, how these very controls actively support the business operations. Juan Pablo was discussing cross-border organized crime and therefore prevention shouldn't be limited by territory. We need to take a holistic approach where the system processes our clients' information regardless of the product or jurisdiction they are operating in. So, number one, effectiveness. Number two, the risk-based approach, which begins with the institutional assessment of risks for the prevention of money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction. From that perspective, having a dynamic scoring system that can evaluate all these risks in a consolidated manner, as well as in a disaggregated form. The third component, the quality of transactional monitoring, is extremely important. Far more so than just the sheer volume of alerts. We do not need to overwhelm ourselves with an excessive number of alerts. What we truly require are high-quality alerts that effectively enable us to identify both potential risks and emerging opportunities. Finally, I would assert that advanced analytics solutions are no longer merely optional. They are essential. Any institution that wants to grow and capitalize on market opportunities must have a profound and thorough utilization of the different technologies at its disposal. A leading bank can transform its automated prevention systems into a truly powerful engine for business management. And all of this, let's not forget, is contributing to the stable and secure growth of our respective nations and the overall strengthening of our economies. Therefore, I firmly believe that a truly coordinated effort between regulatory supervisors and all obligated entities is the absolute key to our continued success in maintaining a much safer financial world.

SPEAKER_01

Very well, after listening to the Sissuit conclusions from our invited guests, it becomes quite clear that supervision and compliance can no longer be understood solely from a purely regulatory perspective. The fifth round of FFTF evaluations marks a shift towards real effectiveness, demonstrating that risks are understood, that decisions are based on intelligence, and that systems are generating concrete results in preventing financial crime. Ultimately translating into genuine tangible protection for the entire financial system and for society as a whole. Effectiveness isn't declared, it's demonstrated. And in this demonstration, the articulation between strategy, operations, and technology will be decisive for facing the evaluation processes already underway and those that will come in the coming years. Thanks then to Juan Pablo Rodriguez and Raul Castellanos for joining us and contributing their vision and experience to this conversation, to this dialogue.