But these explanations don’t appear to appreciate how banks actually think about illicit finance risk, which is likely driving their hesitance to set up shop in Iran. And much to disappointment of Tehran (and perhaps Kerry), sanctions relief isn’t a magic wand that can make all illicit finance risk or international anti-money laundering norms disappear. Part of the problem may be that Iran is no longer running up against purely political decisions. Rather, Iran looks to be running up against new, but established, norms of international financial conduct. And even if the Iran deal disappears, understanding these norms will be critical for future efforts to wind up or down unrelated sanctions regimes. I briefly discuss some of these norms below.

The Financial Action Task Force (FATF)

One of the hallmarks of international anti-money laundering efforts is what sanctions officials refer to as the “risk-based approach.” But to appreciate the force of this, it’s critical to understand the central role that the Financial Action Task Force (FATF) has played—and continues to play—in combatting international illicit finance.

The FATF was established during the G-7 summit in 1989 to address growing concerns surrounding international money laundering. It describes itself as “an inter-governmental body” which endeavors “to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system.” (The phrase “other related threats” is not empty language; though the FATF may have been inspired by counter-narcotics efforts, the illicit financial activity it covers now includes terrorist financing, proliferation financing, corruption, and all manner of money laundering.)

But notice what the FATF is not—it is not a formal international organization; it was the result not of a treaty but rather of a non-binding political commitment (like the JCPOA itself), and it does not act with the force of law. Rather, the FATF is the product of international soft law and relies on a name-and-shame approach to compliance, which has proven extremely effective. Its comprehensive standards, robust mutual evaluation process, and public identification of countries with deficient anti-money laundering controls helps explain why, in the words of Daniel Glaser, Assistant Secretary of the Treasury for Terrorist financing, the FATF has “proved extraordinarily successful in raising global capacity to combat illicit finance.”

So the FATF matters. And when the FATF makes a major point about the importance of risk-based counter-illicit finance controls, people listen. (People listen so closely that some argue the FATF’s focus on risk has contributed to the broader de-risking problem.) And it’s not just countries that notice what the FATF says; banks do too. According to Stuart Levey, former Under Secretary of the Treasury for Terrorism and Financial Intelligence and current Chief Legal Officer at HSBC, “[f]inancial institutions around the globe pay close attention to FATF’s assessments and use them to decide whether or how to operate in specific countries.” Juan Zarate, another former Under Secretary of the Treasury for Terrorism and Financial Intelligence, has explained the central role that bank perceptions of risk can play:

This approach worked by focusing squarely on the behavior of financial institutions rather than on the classic sanctions framework of the past. In this new approach, the policy decisions of governments are not nearly as persuasive as the risk-based compliance calculus of financial institutions. For banks, wire services, and insurance companies, there are no benefits to facilitating illicit transactions that could bring high regulatory and reputational costs if uncovered. The risk is simply too high . . . . Indeed, the international banking community has grown acutely sensitive to the business risks attached to illicit financial activity and has taken significant steps to bar it from their institutions. As the primary gatekeepers to all international commerce and capital, banks, even without express governmental mandates or requirements, have motivated private sector actors to steer clear of problematic or suspect business relationships.

“This focus,” Zarate concluded, “reshaped the international financial landscape forever.”

Back to Iran

A number of sanctions-watchers and writers have suggested that insufficient anti-money laundering controls and continued illicit finance risk within the Iranian financial system are contributing to Iran’s continued isolation (for example, here, here, here, here, here, here, and here). And Tehran seems to understand this. At a CFR roundtable earlier this year, Iran’s central bank governor went to great lengths to defend Iran’s anti-money laundering controls (“Iran’s economy is very transparent”) and explicitly blamed the FATF for contributing to Iran’s continued isolation. Moreover, in a report on the JCPOA to the Iranian Parliament, the Iranian Foreign Ministry also observed that non-compliance with the FATF’s requirements was “a leading cause of concern for foreign financial institutions.” (In a Rip Van Winkle-worthy moment, the report also observed: “Of course the regulations for the use of international financial and banking relationships have changed greatly during the period in which the Islamic Republic of Iran has been sanctioned and outside of these relationships.”) In fact, one news report suggests that coming into FATF compliance seems to have become a source of political disagreement within Iran, pitting President Rouhani against regime hard-liners.

Back to Kerry

There is no reason to think Kerry doesn’t understand what’s going on here. He did, after all, sponsor a bill in 2000 that looks an awful lot like the enhanced anti-money laundering provisions included a year later in the USA PATRIOT Act. And in support of his bill, he extolled the FATF’s work while also warning U.S. financial institutions to be cautious:

In recent years, the United States and other well-developed financial centers have been working together to improve their [anti-money] laundering regimes and to set international [anti-money] laundering standards. Unfortunately, other nations . . . have moved in the other direction . . . . Just last month, the Financial Action Task Force, an intergovernmental body developed to develop and promote policies to combat financial crime, released a report naming fifteen jurisdictions . . . that have failed to take adequate measures to combat international money laundering. This is a clear warning to financial institutions in the United States that they must begin to scrutinize many of their financial transactions with customers in these countries as possibly being linked to crime and money laundering. . . . This report has provided important information that governments and financial institutions around the world should learn from in developing their own anti-money laundering laws and policies.

So if we assume that Kerry sees what’s going on here, he’s likely trying (or signaling that he’s trying) to change what have become very well-established international norms. Either way, bankers don’t seem to be buying it. On the heels of one of Kerry’s campaigns to get European banks to do business with Iran, Levey lit into Kerry in an op-ed in the Wall Street Journal:

No one has claimed that Iran has ceased to engage in much of the same conduct for which it was sanctioned, including actively supporting terrorism and building and testing ballistic missiles. But now Washington is pushing non-U.S. banks to do what it is still illegal for American banks to do. This is a very odd position for the U.S. government to be taking.

Levey’s bottom line?

Our decisions will be driven by the financial-crime risks and the underlying conduct. For these reasons, HSBC has no intention of doing any new business involving Iran. Governments can lift sanctions, but the private sector is still responsible for managing its own risk and no doubt will be held accountable if it falls short (emphasis added).

That last sentence helps explain why Kerry continues to be frustrated—this is about more than just sanctions. Kerry is likely correct that he has done more than the U.S. was obliged to do under the text of the JCPOA itself. But as Zarate pointed out, international risk-based anti-money laundering controls have changed everything. So if you’re sitting in a compliance department at Deutsche Bank, Credit Suisse, or Barclays (all of whom have been slapped with fines in the past for violating sanctions) and you’re sweating about what DOJ has in store for you next, you might not take John Kerry’s word that all will be fine. After all, enforcement actions haven’t stopped; even in the midst of its current crisis, Deutsche Bank has excepted anti-money laundering compliance from its company-wide hiring freeze. Of course, it also probably doesn’t help Kerry’s case that his recent compliance advice looks like it was wrong. As the Financial Crimes Enforcement Network (FinCEN) recently noted in an advisory, enhanced due diligence is appropriate, and not what Kerry described as “just normal due diligence.” Just ask recently-penalized Mega Bank if this distinction matters.