Sure, U.S. banks are no strangers to the danger of reputational risk stemming from poor internal controls—but when your CEO is the pope, really, the risks of losing your moral authority with the public are that much higher.

Such was the problem confronting Istituto per le Opere di Religione (IOR), more commonly known as the Vatican Bank. Founded in 1942 by Pope Pius XII, its purpose is to accept deposits from within the Vatican—including clergy, religious orders, and diplomats—and serve as a facilitator for charitable efforts around the world. It currently holds nearly $7 billion in assets on behalf of roughly 17,000 customers.

This is the story of how the Vatican Bank got into trouble—and how it has worked to get out.

The litany of controversies surrounding the IOR can fill a book—and there have been several, plus a fictionalized account of misconduct that served as the backdrop of “The Godfather: Part III.” The most notorious scandal transpired in 1982, when Banco Ambrosiano, an Italian bank that counted the IOR as a large shareholder, collapsed. Banco Ambrosiano’s chairman was then found hanging from London’s Blackfriars Bridge, a suspected victim of Mafia hitmen over money laundering activity.

The IOR’s problems would multiply in the years to come.

In 2012, the U.S. State Department added the Vatican to its “of concern” list of countries deemed vulnerable to money-laundering. That same year, JPMorgan Chase’s Milan branch cut ties with the IOR over unexplained, undocumented money transfers to and from one of its accounts.

In January 2013, the Bank of Italy shut down ATMs and all credit and debit card services operated by Deutsche Bank inside Vatican City, fearing that its involvement could harm compliance with the European Union’s requirement that its banks can only operate in non-EU nations with a comparable regulatory framework and commitment to AML controls. (The Vatican is not part of the European Union.)

In 2013, Monsignor Nunzio Scarano, an official in the Vatican’s financial administration, was arrested, accused of attempting to help acquaintances smuggle money between Italy and Switzerland.

A starting point for reforming the IOR was enactment of the Vatican’s first AML law by Pope Benedict XIV in 2010, according to Markus Wieser, an IOR spokesman. Another key event was the signing of a revised Monetary Agreement between the Vatican City State and European Union, also in 2010. That agreement set rules for the Vatican’s use of the euro as currency and included demands to maintain AML and fraud protocols in line with those required of EU member states.

“You need to do your own internal risk assessment to get a proper understanding and then, based on that, you can start to build a tailor-made system of controls.”
René Brülhart, Director, AIF

The IOR also sought out external expertise. The noted bank consultant Promontory, as well as EY, KPMG, and Deloitte, were all retained.

“The big thing that they have done, from the point of view of the anti-money laundering community, is to bring in professionals to address those issues and put into place global standards for financial reporting and transparency,” says Kieran Beer of the Association of Certified Anti-Money Laundering Specialists. “They also brought in lay Catholics with financial experience and looked at what the bank was supposed to do, who it was supposed to serve, and the kinds of reporting requirements it should have.”

Beyond bringing in fresh faces and greater expertise, the Vatican created an institutional Anti-Money Laundering/Combating the Financing of Terrorism framework in line with international standards, Wieser says. One challenge was ensuring the adequacy, applicability, and relevance of regulatory standards developed for large-scale financial industry marketplaces with a small-scale, niche service environment with significantly reduced scope and complexity.

Another important step was the Vatican’s 2012 request to take part in the Council of Europe’s Moneyval evaluation process. That organization, using standards established by the international Financial Action Task Force, publishes reports that assess countries’ AML/CFT compliance. The Vatican received grades of “compliant” or “largely compliant” on nearly half of 45 guidelines that were reviewed. Despite a list of deficiencies, the Vatican Bank was praised for having “come a long way in a very short period of time.”

The IOR has also been in negotiations with the Organization for Economic Co-operation and Development to be added to its “white list” of countries. Outreach to other countries is ongoing. In 2013, the Vatican agreed to exchange financial information with the U.S. Treasury Department, adding to similar agreements with Belgium, Spain, and Slovenia. Late last year, it agreed to participate in the U.S. Foreign Account Tax Compliance Act and report information on IOR accounts held by Americans.

From April 2013 onwards, the IOR has implemented systematic steps to improve transparency, including launching the first-ever IOR website and the publication of an annual ?report.


The following, from a 2014 update on compliance reform underway at the Istituto per le Opere di Religione, commonly known as the Vatican Bank, details both internal actions and an update on recommendations in its evaluation by Moneyval, Council of Europe’s anti-money laundering group.
Adopting and enhancing the Anti-Money-Laundering Handbook
The IOR revised and significantly expanded the handbook on anti-money laundering procedures. The handbook defines a new, risk-based internal client rating, and substantially strengthens client data compilation and collection requirements. Specifically, the IOR has expanded its data templates in areas such as verification of identification, source of funds, transaction activity, and overall customer risk profile.
Enhancing IT systems
The IOR approved a 3-year IT investment and development plan. With regard to money laundering prevention, the Institute has implemented a “know your customer” application for individuals and legal entities and an automated internal client rating system.
Customer Data Remediation
The IOR has initiated a systematic screening of all existing client records in order to identify missing or incomplete information.
As part of this review the Institute updated its guidelines on client categories to be serviced by the Institute. These are: Catholic institutions, clerics, employees or former employees of the Vatican City State with salary and pension accounts and embassies and diplomats accredited to the Holy See. Client relationships outside those categories are being terminated [to date, nearly 3,000 accounts have been closed].
Forensic Transaction Review
Externally assisted forensic transaction reviews will verify the accuracy of the IOR customer list and to review unusual transactions.
Ensuring Mandatory Staff Training
IOR has designed and delivered to all employees a mandatory general and specialized anti-money laundering training curriculum with the aim to achieve and maintain an adequate level of trained and knowledgeable employees and ensure their full compliance with all obligations stipulated in the IOR Handbook.
Adhering to reporting obligations
A Chief Risk Officer was appointed to focus on compliance and reporting in accordance with new Vatican legislation.
Risk Management Improvements
The IOR has initiated a systematic effort to improve the management of financial risk. The effort included a quantification of capital adequacy and the implementation of advanced market risk measurement.
Source: Istituto per le Opere di Religione.

Overseeing the IOR reform process is the Autorità di Informazione Finanziaria, best known by the acronym AIF, or its English name, the Financial Intelligence Authority. In November 2012, a Swiss anti-money laundering expert, René Brülhart, was appointed director of the AIF. Previously, he worked for the Financial Intelligence Unit in Liechtenstein.

The starting point was to get a proper understanding of the institution, and the task at hand, Brülhart says. “You need to do your own internal risk assessment to get a proper understanding and then, based on that, you can start to build a tailor-made system of controls,” he adds

While the input of other countries and international organizations was important, the IOR had to keep the focus on its own characteristics and needs. “It is easy to just copy-paste legislation and modeling frameworks from other countries and jurisdictions,” Brülhart says, “but that won’t address your real issues.” 

To get involved in the Moneyval process and to become member of the Egmont Group—an international consortium of financial intelligence units seeking improve cooperation in the fight against money laundering and terror financing—“was and is a very positive and constructive process,” Brülhart says. He stresses, however, that when committing to international standards, actions speak louder than words. “It is not about having a window-dressing exercise, it is about building and establishing a functional and sustainable system,” he says. “That’s what we are doing.”

As for transparency, Brülhart stresses that he wants that openness to provide a window into reform efforts. “We are not talking about what we are going to do; we talk about it once we have done it,” he says. “The expectations out there are huge in regards to building trust and confidence, but you can only do that once you have put the relevant systems in place, they start to work, and will be sustainable.”

What’s next? The IOR will continue to build upon the Moneyval recommendations (see sidebar). “If you look back on the last two and a half years, we have put in place a completely new legal framework that has been approved by them,” Brülhart says.

Bringing in external expertise is fine, but success lies with the IOR having in-house talent. “If you are bringing in external consultants, that is great and going to help in the short term, but if you really want to build a sustainable system then you have to have a knowledge transfer. At some point external counsel and experts will leave.”

Brülhart sums up his view of the IOR reform process: “We are not doing it because we have to do it, we are doing it because we want to do it, and have a responsibility to.”