Global Shifts in AML Enforcement, Iran and FATF, and Regulatory Reform

In this episode of This Week in AML, John Byrne and Elliot Berman cover a wide range of developments in the financial crime and compliance landscape. They look at international enforcement actions, including record AML fines for UK law firms and Switzerland’s updated typology report. The conversation spans topics such as life insurance vulnerabilities, cultural heritage protection, Rabobank’s compliance-driven leadership shift, Iran’s FATF ambitions, insider threat mitigation in Canada, and Nigeria’s efforts to combat terrorist financing via crowdfunding. Domestically, they unpack major U.S. regulatory proposals, including redefining community banks, eliminating reputation risk as a supervisory focus, and evolving model risk management guidance.

Global Shifts in AML Enforcement, Iran and FATF, and Regulatory Reform - Transcript

Elliot Berman: Hey John. How are you today?

John Byrne: Great, Elliot. We were able to have the arrival of our first granddaughter Lucy Marie. She was born yesterday. Owen's now, baby sister. So everybody's doing great. So we're really excited about that. Whatever else is going on in the world, uh, these kind of things are just, uh, what it's all about.

So really happy about that.

Elliot Berman: Well, congratulations to you and Sue. I have two granddaughters and I can tell you granddaughters are lots and lots of fun.

John Byrne: Yeah. She can't wait. And everybody's excited.

Elliot Berman: That's good. Where would you like to start?

John Byrne: There's a lot out going on internationally as well as domestically. So let's just jump around a little bit. I saw a piece in a publication called FinTech Global. The title is UK Law Firms hit with a record AML Fines in 2025. According to the report, a sharp escalation in enforcement actions against UK law firms over AML failings and again with regulators there handing out some of the largest fines to date. One of the highest penalties of the year came in March. The firm is Simpson Thatcher and Bartlett's London office was fined 300,000 pounds. Following a review, this US firm was found to have longstanding weaknesses in its control framework, including the absence of a compliant firm-wide AML risk assessment.

So that was definitely interesting in, in that story also talks about a couple of other items in terms of the fines and penalties.

Elliot Berman: Yes. For our audience from the US who isn't familiar with the UK rules. Unlike the US, law firms and lawyers are subject to the UK's Money Laundering Regulations of 2017 which requires them to do a risk assessment, CDD and other things.

As you pointed out, the largest fine was leveled against the London office of a US firm which is interesting. Maybe the US will ultimately catch up on the gatekeeper side, but not yet.

John Byrne: Yeah. Right. In Switzerland, the Money Loan Reporting Office, MROS issued an updated typology report. It's 30 pages of things that we always talk about, sanctions evasion, there's some real estate related cases in there. There's also on various criminal organizations, even though it is based in Switzerland, obviously these sorts of reports have value far beyond their own jurisdiction, 'cause it gives you some clear cut examples on some of the things that law enforcement and AML officials are seeing in their jurisdiction. So again, uh, it's a free download. It is the MROS report from Switzerland just issued, uh, late last week.

Elliot Berman: I saw that and two things caught my eye. First, they had a section called Focus on Enablers, and attorneys showed up there too, so a little bit of a through line. And then there were two different case studies related to life insurance, and we don't talk a lot about life insurance.

Way back when the PATRIOT Act was passed and the number of entities that fit under the definition in the Bank Secrecy Act of financial institution, they added insurance. And as you recall, there was a big debate about were the, underwriters, life insurance companies actually gonna be covered, or was it gonna be the agents and how was that all gonna work?

I just, uh, thought it was interesting that the Swiss report had several topologies related to life insurance, which we don't talk about a lot.

John Byrne: Again, staying internationally, an area that we've spent a number of, uh, webinars and podcasts on, and that's dealing with, uh, antiquities, UNESCO, uh, has issued a report. There is a virtual museum now of stolen cultural objects. So a very interesting posting by the folks from the Antiquities Coalition. According to the note, every four years, uh, they put together an agenda. And the agenda for this year included the launch of this virtual museum. A call for the UN to add culture to the Sustainable Development Goals. Uh, a release of the global report on cultural policies that offers recommendations on protecting artists and cultural heritage at risk while bolstering resilience, peace, and security. So, um, you can either get that on the UNESCO website or through the Antiquities Coalition.

Elliot Berman: I also saw something that caught my eye, and that was that Rabobank's head of financial crime has been promoted to be become the bank's new Chief Operating Officer. And the reason it caught my eye is usually I would say you don't see folks coming up the compliance side and ending up, at at a position like COO and that is a new position created to move him in. So. Uh, and the announcement from the bank talked about unifying and centralizing their operations, but also bringing compliance to, uh, the same level across the entire institution.

So just interesting to see how different organizations are looking at, uh, the importance of compliance.

John Byrne: You'd, uh, noted something, uh, with Iran. Do you wanna mention that?

Elliot Berman: Yes. Iran has taken some steps to try to get off the FATF blacklist. Their Expediency Council has conditionally approved joining the Convention for Suppression of the Financing of Terrorism. Back in May, the same council approved participation in the UN Convention Against Transnational Organized Crime. These are both significant steps for a country on the blacklist in its efforts to align more with international AML/CFT standards and at least move from the blacklist to the gray list.

Now, there was no comment by FATF, but as they do their periodic reviews, this will put Iran in a little different light. I don't know how much impact it'll have, but directionally it's different than Iran has been for quite some time.

John Byrne: Um, you also have something about Canada that we talked about briefly before we jumped on uh, you have an update there?

Elliot Berman: Yes. So FINTRAC and, uh, the large Canadian banks are focusing on improving efforts to combat insider threats. And we've talked on a number of our webinars about, uh, the risk of insider threats in the fraud space. And in addition to fraud, these efforts are also working to ensure that, uh, the banks have adequate processes to ensure that rogue employees are not accessing bank records, uh, particularly customer records that they shouldn't and things like that. The article was interesting 'cause there were several comments from folks in Canada indicating that this was an effort to make significant forward progress, even though they still view themselves as lagging behind Australia and the US in this area.

John Byrne: I have another, uh, international update. The Financial Services Volunteer Corps, FSVC and early on in my career, I did some work with this group, it's a great group that helps around the globe in a number of important areas. They're particularly challenged now because of the change in US government funded technical assistance. So they definitely accept donations. So something to think about.

But their newsletter for September was, uh, just recently issued, and they have a number of things dealing with the spaces we care about. And I just wanted to highlight one. They're working on a project in Nigeria to deal with, um, terrorist financing through crowdfunding. So they have an update there and they say there's been a number of training, sessions and they highlight the fact that, um, they're trying to strengthen, uh, Nigeria's capacity to combat, uh, terrorist financing through crowdfunding, uh, and prevent the misuse of nonprofit sectors and that sort of thing. So, obviously this is an area that there's a lot of vulnerabilities with cryptocurrency and issues regarding financial inclusion.

Take a look at that if you get a chance. These newsletters are free, and as I said, this organization is, uh, continuing to thrive, but mainly now through donations. But it's a group that I imagine a number of listeners to this podcast have participated in at some point in their career.

So, the FSVC, when get a chance, uh, take a look at or potentially sign up for their newsletter. I think you'll find it valuable and certainly instructive.

Elliot Berman: John, I know you mentioned that you saw something about the Justice Department and reorganization that's proposed there. Do you wanna talk about that?

John Byrne: Yeah, it was a Reuters story that I saw on, um, on LinkedIn. And according to the reporting, the US is scrapping a DOJ task force that, uh, looks at cartels which seems counterintuitive given the fact that obviously that is still a major priority. In this reorganization is a plan to merge the nation's top drug and gun law enforcement agencies. And this is the most, according to the reporting, the most sweeping reorganization of DOJ in two decades.

The organized crime drug enforcement task force is to be closed. And there may be a merger with DEA and ATF, but there's been some bipartisan pushback. So we'll see how that goes. So just, uh, something that I didn't see anywhere else reported, but we did see it in Reuters. I wanted to just throw that out there for you to take a look at.

Elliot Berman: And the underlying explanation for the why was budgetary savings. I think the last big thing that we talked about before we started was, uh, a number of announcements by the US Federal Bank regulators. You wanna start there somewhere?

John Byrne: Well, there's a number of some were done. I can't recall now if they were all done together with the other agencies. I believe they were. So, um, uh, well, I, one thing Go ahead. You go ahead.

Elliot Berman: Yeah. One thing that I noticed is. It's the FDIC and the OCC, the ones that are joint and the Federal Reserve does have a bank regulatory element to it at the bank level. And they were not a party to any of these announcements. Now whether these same announcements will come out separately from the Fed or not, uh, they have not as of the time we're recording.

John Byrne: Yeah. And so before we mention some of the proposals, I also wanna highlight, there was an American banker story sort of related to this. And the story goes into the fact that the FDIC is operating with just three Republican board members and no Democrats. They're supposed to have five members. And so there's only three. Travis Hill, the acting FDIC chair, Jonathan Gould, OCC, and Russell Vought, the CFPB.

So that's interesting that's happening without all five members. So there may be some challenges going forward. We'll see. But one of the several proposals is to define, quote, unsafe and unsound practice unquote, and to revise the framework in these agencies for MRAs, matters requiring attention and other supervisory communications.

There's a, there's another one that deals with eliminating the focus on reputation risk we'll talk about in a second. But Elliot, is there anything you wanna mention specifically about the one that's focused on community banks?

Elliot Berman: They're updating the definition of community banks. And community bank and community thrift organization appears in regulations regularly. But the definition is being updated so that it will be institutions with assets less than $30 billion with a b dollars. And as I mentioned to you before we started recording. You and I have been in this business a long time and a community bank used to be thought of as a bank that had branches in two small towns.

And while $30 billion is not gigantic by today's banking standards that's still a big bank. I think the point of the change is community banks are very different and less complex than the mega banks. I think when you get to $30 billion, you're pretty complex. So we'll see. I don't think it'll make a huge change. Some of these other changes are head scratchers for me.

John Byrne: Yeah. And the, the last one that we'll reference, uh, unless you have something to add, is the prohibition on the use of reputation risks. So this is, uh, by the FDIC and, um, the OCC. To me, I must admit, I think this is more performative than practical. We'll see what happens in terms of the, the comment process.

But just reading from this a 44 page notice for comment and the part of the premise that's listed early on in the document says there's no clear evidence that interference in bank's activity or relationships in the interest of protecting the bank's reputation has protected banks from losses or improved bank's performance.

It also then says this, in addition to not enhancing safety and soundness, again, their term focusing on reputation risk, we can argue about the premise, can distract institutions and its agencies from devoting resources to managing core financial risks. Such as credit, liquidity, interest rate, risks, which are quantifiable and presents significant threats.

Of course I agree with that. Monitoring requires dedicated resources. And I'll leave you with this next sentence. For example, in order to confront such risks, institutions frequently purchase expensive risk monitoring models that must be maintained. Implement detailed loan review programs, hire expensive outside advisors, and provide time intensive training for staff. And they have limited, uh, resources to cover other areas. In the judgment of the agencies examining for reputation, risk, diverts, resources that could be better spent on other risks. That's in fact if you actually agree that agencies are examining for reputation risks.

So I have seen some things, Elliot, on LinkedIn it's really interesting. So former regulators commenting on this have just raised a couple of questions about previous bank failures and other issues in terms of what is meant by reputation. I find this whole debate, quote unquote, to be fascinating. Because it's gonna bear watching.

I've talked to a few of our friends in the industry, and they've done some things like taking the words reputation out of all the policies, that sort of thing. It's really gonna be fascinating to see if there's any cases brought against institutions by the agencies or by the Small Business Administration, that sort of thing. A lot more here, but take a look at this.

Elliot Berman: The other one that I just want to mention is the OCC put out a bulletin about model risk management. For those who've been around for a while, model risk management started out as something that was pretty narrow. And over time the guidance expanded so that more and more things fell under the definition of models. And the new guidance from the OCC says that modeled risk management should be customized when applied by community bank management to be commensurate with the bank's risk exposures, its business activities and the complexity and extent of its model use.

And this next sentence I find to be very interesting, a community bank using relatively few models of only moderate complexity may conduct significantly fewer model risk management activities than a bank where the use of models is more extensive and complex. And that I a hundred percent agree with. I think though, that the complexity of the models you use may have something to do with your size, but it has much more to do with your product set and your customer set.

And so, it'll be very interesting to see if we see actions by the regulators related or we start to see a trend within the industry of saying, you know, we're going to only look at our non-complex models once every five years, uh, which would I think be unusual today. Model risk management has been bouncing around as a difficult internal issue for banks for a while, and we'll see if this actually clarifies anything or just makes it more confusing.

John Byrne: Sounds good. I'm working on efforting, a couple of interviews. I will say that Elliot was kind enough to review, uh, several papers from my students from our summer class on money laundering and terrorism. And we've published on our website and on LinkedIn, three final papers that I think you'll find interesting. We certainly did.

We have a couple of interviews coming up in the next, uh, month or so. But as always, if you have ideas for themes, topics, or individuals or entities you'd like us to interview, please let us know.

Elliot Berman: Our next, uh, webinar is the 23rd this month at 1:00 PM and, uh, you should sign up for that. And John, enjoy your new granddaughter and give my best to Sue and we will talk next week.

John Byrne: Sounds good. Stay safe.

Elliot Berman: Yep. Bye-Bye.