The keynote address by Kilvar Kessler at the International Conference of the Estonian Banking Association 'The New Era of AML' on 27 March 2019.

28. March 2019

Thank you for giving me the chance to share my thoughts with you on future of the sovereign state’s role in regulating and supervising the risks connected to money-laundering, terrorist financing, and violation of international financial sanctions. These three areas, and the risks connected to them and responses to those risks are all referred to as AML in various contexts.

International Conference of Estonian Banking Association
International Conference of the Estonian Banking Association 'The New Era of AML' on 27 March 2019

I have a couple of thoughts on how we should deal with AML in future. But before I get into visionary things, I think it is always fruitful to look back to give some context. When I was young I wanted to become a historian, so please bear with me a little here.

Tallinn was a member of the Hanseatic League, a network of powerful cities in the Middle Ages. This league had harmonised certain rules to facilitate trade, so for example Tallinn had adopted Lubeck law. To a large extent, trade was between East and West. 

Fast forward several centuries to the end of the 1980s. The large German-speaking community had been replaced by a Russian-speaking one, making up around 45% of the total population. Then in 1991 the Baltics were suddenly free and independent again. The nation was poor, there was almost no rule of law, and no national currency, and the Soviet armed forces maintained a strong presence.

At that time, Estonia became one of top metal exporters in the world. Those goods came from Russia and were sold to the West. No questions were asked. Next, it was oil and gas. Endless trains, busy ports. Again from Russia to the West. Part of Estonia believed that being Russia’s “window to West” meant there were masses of opportunities with almost no risks involved. Easy money.

The financial sector followed, mirroring trade flows. You see, if your economy is small and limited, you must look for new opportunities. And if your neighbour has almost unlimited natural resources and an environment which incentivises tax evasion and other similar things, why would you look any further?

When I returned in 2006 from my second spell in the US, the buzzword and big idea everyone was talking about out there was creating Tallinn as a capital for finances. Suddenly Estonians became bankers and asset managers out of nowhere. One of the main themes back then was “family offices for rich Russians.”

Then in 2008 Russia flexed its muscles in Georgia. Ukraine followed at the end of 2013. Basically, foreign relations became more tense, and terrorism and local conflicts, including Russian influence, climbed up the agenda.

In 2012 and 2013 FATF, the international standard-setter for AML, was taking steps towards using a more risk-based approach to AML. Earlier it was enough to make sure that financial intermediaries had the necessary internal rules in place and that these were enforced.

The risk-based approach stated that financial intermediaries had to fix their risk appetite and that risk control mechanisms should be adequate for that appetite. If you can’t control what you eat, soon your health will be at risk.

Following the introduction of the new FATF standards, countries started adopting and enforcing these norms. First, large USD correspondent banks fell under scrutiny, and as a result, they started a de-risking exercise by dumping a number of local respondent banks. I am not talking only about Estonia here, but about a wider context.

Second, as already mentioned, supervisors started to move. In some countries this was easier, in others it was more complex. There are always going to be a number of businesses and others who benefit from practices of certain types. And sometimes they are also well connected.

The Estonian banking sector was quite successful in attracting foreign customers, mostly from CIS countries, and approximately 20% of all savings accounts balances were held by these non-resident customers. This meant income and profit being earned not only by the banks but also by a variety of other business services segments. It should perhaps be mentioned that in the “most successful country” in the region, around 50% of all savings accounts balances belonged to non-resident customers.

In addition to that, we had a strong group working in and around the ICT business who were very keen on the e-residency programme and did not fully understand the dynamics behind developments in the financial sector and why certain types of non-residents were not welcome any more, at least given the risk control systems that financial intermediaries had back then.

The legal framework was a mixed bag. The financial supervisor of Estonia was independent and had relatively good tools for carrying out its main tasks of maintaining financial stability and transparency in financial markets. AML was a secondary kind of objective for us, especially as Estonia had a specialist agency, the FIU, within the police force that was responsible for AML. However, the possible penalties were nowhere near enough to address the risks – only minor monetary fines were possible and came with a complex procedural framework, the statute of limitation allowed unrealistically short time, and there was no protection for whistleblowers.

Despite all this, we at Finantsinspektsioon were crazy enough to start cracking down on Danske in 2014, and we were successful in doing this by the end of 2015. Please note that Danske was the third largest bank in Estonia at time, with a share of 40-50% of the total non-resident market.

Versobank, which was a rising star in the ML market, was chased by Finantsinspektsioon immediately, doggedly and determinedly, until the ECB set a precedent in 2018 by withdrawing the licence from that bank. Finantsinspektsioon has worked together with all the banks, and with the CEOs of all the banks personally. Some institutions understood the changes in the trends quicker, others were slower. Today, the share of non-residents in the system is smaller than 7%. The composition of these non-residents has changed as well. We continue unceasingly with our intense AML work, which has been our strategic priority for years by now.

Now some thoughts for future. As a starting point, I would like to reiterate a couple of specific points:

  1. Finantsinspektsioon works to improve the risk controls of financial intermediaries. We demand that the organisation of risk controls must adequately match risk appetite. This is completely different from saying that Finantsinspektsioon would like to cut the number of non-residents. Cutting numbers of non-residents is a result that comes from the ability of the bank to deal with certain types of risk in an acceptable way. But reaching some certain per cent is not a goal in itself, as there are many different types of foreign customers out there;
  2. Finantsinspektsioon wants to see risk-sensitive risk control organisations. Every time I hear that the banks require tons of paperwork even from a pensioner with fixed and transparent income and minimum spending, my heart breaks. This is not at all the idea behind the framework nor its wording, it is simply a lack of banking professionalism in setting up compliance. Full stop.

Let’s look at why it is like that. Well, we have a limited market. The population is decreasing, and it is probably hard to sell even more banking services to households and maybe to businesses too. This means that total income is more or less fixed if services are not provided in other regions. The winning team in terms of profits is the one that operates with the lowest costs. In the short term, AML risk controls are pure cost.

Those who have been in operation for a longer period also face the question of legacy systems. These definitely should be revamped. For example, one large Nordic bank has 5% of its total staff, more exactly 1500 people  dealing with AML on a daily basis. The same bank has in recent years poured approximately half a billion euros into its AML control systems. Again the ICT needed for the bank’s surveillance systems might be substantial cost for a bank. But hey, we are e-Estonia and obviously tech companies are lining up to offer ideas and services to fill the gap in the market. And given that perspective, I would dare to say that e-Estonia with its infrastructure is more of an opportunity than a risk. 

Sometimes we tend to overestimate technology and underestimate the human factor. All the algorithms developed so far are the result of human activity, and value judgements. This means the key in AML is the tone at the top. I have seen various different approaches here. In some cases, management teams have been responsive, in others quite reluctant. If I were a banker, I would think that I have been in business for, say, 200 years and would like to continue for another 200 years. So I would tend to follow regulatory trends, listen carefully to what the supervisor has to say, and be quick. As one of my favourite childhood metal bands Iron Maiden sang – Be Quick or Be Dead.

Anyway, the last part of this speech will be my favourite. This year, I think it will be 16 years that Finantsinspektsioon has been encouraging the state to increase monetary penalty levels. Cato the Elder would join me in saying ceterum censeo Carthaginem esse delendam. The main weaknesses in the legal framework as we see them are (i) the low penalty levels; (ii) excessively complex procedures; and (iii) weak whistleblower protection.

Finantsinspektsioon sees these three issues as one way that we can strongly influence the moral hazard by bankers. Bigger fines and a greater likelihood of having to pay them for breaches committed make bankers much more law-abiding. The more they operate within the acceptable rules, the less inclined they are to take risks which may affect all of us in a negative way. You see, trust, stability and transparency are our common assets, like fresh air and clean water. Bankers are also using our common assets in their business. If the moral hazard for a bank grows too big and the bank is earning millions or billions from dodgy business practices, one day the risks will be realised and we will all suffer. Loss of reputation, elevated margins and much more besides. It would be especially bad if several countries were to suffer but Estonia was only able to ask for a marginal sum, like a couple of thousand euros or so as monetary penalties, in compensation for the losses suffered by society. While other countries were able at the same time to impose penalties running into the millions.