Suisse Secrets: interesting, but is it useful?
The Suisse Secrets leak undeniably makes for interesting reading, but practically speaking, leaks like this can be very hard for firms to respond to.
The failings are likely in part at least to mirror the findings of the recent NatWest fine. Given the historical nature of some of the clients it appears the Bank’s periodic review, trigger event review and ongoing monitoring processes did not consistently identify material money laundering and sanctions risk. Clearly governance and cultural issues are likely to have played their part too.
How to handle these types of leaks
For MLROs and Senior leadership the Suisse Secrets leak has the potential to create a lot of noise if not addressed in the right manner. The data doesn’t (currently) appear to be available in a structured format. This makes it difficult for firms to take any meaningful steps, given the names detailed in press articles are a small proportion of the apparent total.
After other high-profile leaks, regulators including the FCA contacted firms to ask what they were doing to identify their exposure and the actions taken. Firms should detail in their board minutes the work which has been done, or not done, by the first and second line to manage potential exposure and identify and remediate associated control failings. This might include:
Assess your exposure
In the case of the Suisse Secrets, there’s very little for you to use. You may be able to glean some information from press reports to support some manual interrogation of your client base. This will be unstructured, manual and inefficient. It will require good record keeping to avoid duplication and will be hard to show return on investment in terms of time spent.
With more structured data (as we’ve seen with previous ICIJ leaks) you could run a bespoke search across your client base, or speak to your screening solutions vendor about the list. You need to understand if you will be able to screen the list using their tool and whether the screening will also be able to flag counterparties and known associates. If screening the list on an automated basis isn’t possible, consider if it is feasible to run manual queries against your client book.
Take action on any matches
In the event you find names from the leak in your client list, assess if the negative news is new to you and if it is material – if so, you should initiate a formal trigger-based review. This might result in no change, enhanced due diligence / monitoring or exiting of the relationship.
Root cause analysis
If you end up exiting relationships as a result of the leak, then root cause analysis will be required. To prevent exposure of this kind from reoccurring firms need to understand whether systems or controls failed. Take time to update frameworks and assess exposure to similar customer types who weren’t named in the leaks. This is arguably the most difficult but most valuable part of the process. When considering which parts of your framework have enabled bad actors to lurk in the client book don’t consider controls in isolation - think about how your controls interact and co-depend across the framework to establish root causes.
