Special Report - Paying the price

Published on Mar 13, 2016

Failures in anti-money laundering controls

This exclusive KYC360 research paper expands upon the landmark analysis of FCA/FSA enforcement actions undertaken by AML expert Anu Ratan

The UK is the world’s largest exporter of financial services, exporting £62bn more than it imported in 2014. It accounts for 17% of all international bank lending, and there are over 250 foreign banks in the UK. They belong to a huge and complex sector, and the global nature and enormous volume of transactions passing through the system daily exposes City institutions to a significant risk of – knowingly or unknowingly – facilitating the movement of domestic and international criminal funds.

The UK government estimates that billions of pounds in criminal money passes through the country’s financial system each year. In the past decade governments and non-governmental organisations have made significant advances in the understanding of the social and economic impact of financial crime. The National Crime Agency perceives money laundering as a threat to national security, a contributor to overseas political instability, and a compromise to the integrity and stability of the UK’s financial markets and institutions.

Banks are viewed as a key component in the fight against financial crime, and the results of regulatory investigations into their role in money laundering (combined with other misdemeanours such as rate-rigging and misselling) have placed the sector under an unprecedented degree of pressure to reform.

The Financial Conduct Authority (FCA), instituted in 2013 to replace the Financial Services Authority (FSA) as a result of major changes to banking regulation following the 2008 crisis, demands that banks adopt ever more rigorous controls to identify and prevent illicit gains from flowing through the UK’s financial system. Although no criminal conviction has been secured against any one individual for failings in this area, banks are increasingly feeling the reputational and significant financial repercussions of falling short of regulatory requirements.

The principal pieces of UK legislation

The principal pieces of UK legislation, regulation and guidance relevant to the industry’s management of financial crime risk are The Money Laundering Regulations 2007, The Financial Services and Markets Act 2000, The Terrorism Act 2000, The Proceeds of Crime Act (POCA) 2002, The FCA’s Handbook, and The Joint Money Laundering Steering Group (JMLSG) Guidance.

Financial institutions are additionally expected to integrate the FCA’s reviews, policy statements and anti-money laundering (AML) annual reports into their policies and procedures. Failure to digest “the number and detailed nature of such publications” was specifically cited by the FCA in its recent assessment of Barclays’ oversights in managing risks posed by some of its high-risk customers. Ignorance is not seen as an excuse, and tolerance is waning in light of the knowledge and analysis available to banks. There is, naturally, far less analysis of the instances where banks have chosen to exit relationships, or reject applicants, on the basis of money laundering risks. Such ‘successes’ will never be measured on their own terms as they do not inherently address the inadequacies which lead to breaches.

Headline-grabbing fines, once solely the domain of regulatory transgressions in the US, are becoming more common in the UK.

In 2011/12 the FCA issued 83 fines, at a combined total of £76m. While the number of fines has steadily decreased since then, the total value of fines has increased year on year, and in 2014/15 the regulator handed out 43 fines, with a total value of £1.4bn. The fines are accounted for across a range of breaches, and only a proportion of this sum directly relates to AML deficiencies. An analysis by independent AML practitioner Anu Ratan estimates that the FCA/FSA has issued fines of over £100m to financial institutions and individuals for failings in AML procedures in the 2002-2015 period, a sizeable portion of which was the £72m fine against Barclays in 2015. It is important to note that a fine does not necessarily imply evidence of money laundering, and the level of a fine may reflect the extent to which a bank has risked exposing the system to financial crime, rather than having committed any crime itself.

These figures suggest that the FCA is investing more resource into targeted investigations, and as the research into the effects of financial crime advances, and methodologies to identify AML failings improve, it seems likely that financial penalties will continue to rise.  The FCA has described a number of enhancements to its AML programme in the past few years. During 2014 the FCA said one of its key areas of focus in its ‘deep dive’ assessments was AML and financial controls.

An AML supervision strategy

An AML supervision strategy was launched by the FCA in 2013/14 and the regulator has also increased its use of attestations on financial crime issues with large and small firms. The FCA states in its 2014/15 annual report that it has adopted a strategy of targeting more resources at firms that pose a higher money laundering risk, which is presumably likely to result in more enforcement actions in this area. In the same report, “the importance of firms’ systems and controls in preventing financial crime” is listed as one of seven of the regulator’s “forward-looking areas of focus”.

The increasing scrutiny of AML controls, and resources made available to tackle financial crime, points towards the FCA attempting to create a climate in which City institutions will not in future be so inclined to repeat the mistakes of the past. In the case of the RBS group, three large fines were paid for inadequate AML controls over a ten-year period. In 2002, the FSA fined RBS £750,000, after examining 181 account files, around half of which demonstrated one or more AML failures. A significant finding was a lack of identification verification in the bank’s account opening procedures. Given the general upward trend in the scope of investigations and the size of fines, it is worth considering whether that fine would be in the millions in today’s regulatory climate.

In 2010 RBS and three other group banks were fined £5.6 million after failing to screen customers against sanctions lists. One among several findings was that in one day in October 2008, around 14,000 SWIFT payments with a value of £2.5bn bypassed sanctions screening software. Two years later, in 2012, Coutts (which belongs to the RBS group) was fined £8.75m for failures in AML controls. The FSA identified “serious and systemic” deficiencies, with failures in nearly three-quarters of the Politically Exposed Persons (PEPs) and high risk customer files reviewed.

RBS group

This brief example of RBS group fines highlights two common occurrences in AML failings: poor customer due diligence and inadequate sanctions screening. In her analysis of recurrent findings by the UK regulator since 2002, Anu Ratan identified 40 specific failings spread across ten general areas, the most salient of which are listed here:

Area Specific failings

Culture of compliance

  • failure to demonstrate the culture and level of cooperation expected by the authority

Senior compliance/business management oversight

  • lack of clarity regarding roles and responsibilities within business and compliance
  • gaps in providing key management information to the MLRO
  • overseas branches not subject to regular visits by Compliance department

Policies and procedures

  • policies and procedures not up-to-date with regulatory developments

Risk assessment methodology

  • failing to consider high risk products and services
Customer due diligence
  • lack of understanding of source of wealth/funds
  • failure in controls and sanctions screenings for PEPs
  • transactions not in keeping with customer profile

Suspicious activity reporting

  • high risk indicators ignored
  • series of high-risk transactions not followed by adequate investigations or review of account

Three lines of defence

  • concerns around the effectiveness of the internal audit function

Enterprise-wide risk assessment

  • failure to carry out gap analysis between regulatory requirements and implementation within the bank

Training and education

  • failure in training employees adequately

Record keeping and retention

  • failure to keep records of customer information and evidencing actions
 

 

Barclays’ implementation of AML procedures

A number of these themes are present in the FCA’s ‘Final Notice’ to Barclays in November 2015, when the bank was handed the FCA’s largest ever fine for AML deficiencies, in respect of the bank’s failings between May 2011 and November 2014. The fine, £72m, brings total disciplinary sanctions against the bank since 2009 to just under £500m.

The FCA examined Barclays’ implementation of AML procedures for a £1.88bn highly confidential structured finance transaction, comprised of investments in notes backed by underlying warrants and third party bonds. The deal, the largest of its kind for individuals, involved high-risk customers (ultra-wealthy Qataris, according to media reports), and was, according to the FCA, in breach of Principle 2, which obliges institutions to conduct their business with due skill, care and diligence.

Section 2.5 of the FCA’s report enumerates six specific breaches of Principle 2. None of these are particularly unique in nature; they each fall into the common themes in the table above. The first of these related to a failure of oversight and understanding of financial crime risks by management. The second represented Barclays’ failure to respond appropriately to features of relationships which indicated a higher risk of financial crime – primary among them that the clients were classified as ‘sensitive’ PEPs. The third way in which Barclays breached Principle 2 was a failure follow its own standard procedures for such PEPs, or implement alternative procedures. The fourth was a lack of understanding on the nature of the transaction, the clients’ source of wealth, and the source of funds for the deal. The fifth corresponded to a lack of risk monitoring. And lastly, Barclays failed to maintain due diligence records, and to make those records readily accessible.

Probably the most important finding described above is that which deals with the nature of the transaction, the clients’ source of wealth, and the source of funds for the transaction. These elements strike to the core of the nature of the funds flowing through bank accounts, and are too often poorly understood and analysed in risk assessments. This was highlighted in the Barclays case: when the bank questioned its clients’ rationale for the payment of tens of millions of dollars to a third party, the payment request was withdrawn. There was no evidence that Barclays considered whether the customers’ reluctance to supply an explanation for the payment indicated a higher risk of money laundering and, consequently, whether the relationship demanded a higher level of scrutiny.

Account activity monitoring becomes redundant when there is inadequate understanding of funding, and where source of wealth has not been assessed for particularly high risk clients. One explanation provided to Barclays for its clients’ source of wealth – “landholdings, real estate and business and commercial activities” – was so generic as to make the statement virtually meaningless. Analysis is in reality multifaceted and relies on an informative dialogue between compliance and business (the latter usually having a more detailed understanding of the customer and funds associated with that customer), and an accurate understanding of the purpose of the account and the regular flows in and out. Flagging unusual activity is impossible when there is a lack of understanding of what ‘usual’ means. There is a recognised reluctance in relationship managers to ask for information from customers to support source of wealth/funds analysis, one of the many chinks in the ‘three lines of defence’ armour which ought to be protecting the financial system from criminal exploitation.

The FCA found that Barclays did not want to “irritate” the clients, and “requested information only if it was absolutely necessary”. In a more effectively regulated environment, customers will have to become accustomed to requests for information regarding their wealth and use of their accounts. Banks should not be acting out of fear of customers taking their business elsewhere.

It bears emphasising that information alone, when obtained, only becomes useful and relevant once it is used to assess the risk of financial crime. This was very clearly seen in the FCA’s examination of EFG Private Bank Limited, which was fined £4.2m in 2013 for various AML failings, among them inadequate measures to evaluate source of wealth and source of funds. The regulator found that an EFG relationship manager had understood that a prospective client had acquired wealth through their father’s business activities and connections, and that further research uncovered allegations that the father had been connected to organized crime and money laundering. The FCA recorded that “despite these serious allegations, there was insufficient information on file to understand how EFG had concluded that the increased risk associated with the account was acceptable and how these risks were evaluated or how they would be mitigated.”

Clear risks were also highlighted in an independent intelligence report (which said that establishing or maintaining a business relationship with the customer’s father, who was recorded as their source of funds, “could expose (EFG) to heightened reputational and/or financial risks”), but an account was nonetheless opened for the customer, with no supporting rationale for having done so in light of the information the bank possessed. The extent to which banks successfully manage the source of wealth/funds issue, then, relies on gathering reliable and good quality information, assessing that information in terms of financial crime risk (disregarding the profitability of the client), and reaching appropriate decisions with supporting rationales.

The FCA found that an EFG relationship manager had understood that a prospective client had acquired wealth through their father’s business activities and connections, and uncovered allegations that the father had been connected to organized crime and money laundering.

The AML failings described thus far comment on the FCA’s treatment of banks operating in the UK, but there are clearly wider consequences for City institutions with weak AML controls. The most obvious is the might of US regulators, which have levied billions of dollars in fines to UK and international banks (this will be dealt with in a subsequent article).

But that is not only a regulatory gauntlet the banks run. Civil actions arising from AML breaches may increase in a theory of causation framed by the US Anti-Terrorism Act, which allows the victims of terrorist acts to claim damages from organisations providing material support for terrorists. One such recent case was filed in the US District Court for the Southern District of Texas in February 2016 against HSBC Holdings Plc, HSBC Bank USA and HSBC Mexico SA.

The plaintiffs – four families affected by the violence of Mexican drug cartels – claim that money laundering at HSBC materially aided the activities of the cartels and proximately caused them injury. The plaintiffs’ complaint cites a number of the findings made by the US Senate Permanent Sub-Committee on Investigations, which were published in its 339-page 2012 report ‘US Vulnerabilities to Money Laundering, Drugs and Terrorist Financing: HSBC Case History’, which formed the basis of the $1.9bn in penalties it was later ordered to pay.

The plaintiffs are seeking judgment for the maximum amount allowed under the US Anti-Terrorism Act (although it remains to be seen how the case will regard the Mexican cartels, which are not designated terrorists in the US). HSBC has said that it will ‘vigorously’ defend itself against the claims, despite already having admitted in 2012 to laundering hundreds of millions on behalf of the drug cartels. HSBC is not alone; other UK banks involved in claims in the US under the Anti-Terrorism Act include RBS and Standard Chartered. We will return to the treatment of breaches of US regulation and legislation in the next article in this series.

There is an increasing awareness of how weaknesses in reputable organisations’ AML procedures can facilitate international crime and terrorism. Regulation is demanding more from UK financial institutions, particularly in evidencing the steps they take to demonstrate an understanding of risks, how they reach decisions in relation to those risks, and how they mitigate against identified risks. Frustrations at ‘disproportionate’ amounts of resources allocated to meeting regulatory requirements will not diminish until all corners of institutions embrace investment in staff and systems and a regulation-alert culture is embedded in organisations. This is not measured by the quantity of time or money spent on people and controls – although clearly this often correlates – but on the robustness of systems and policies and the quality of analysis and decision-making. The financial consequences for not doing so are significant and show no sign of abating.

[1] www.cityam.com/220569/city-leads-uk-top-spot-among-financial-exporters

[2] ‘An indispensable industry, Financial services in the UK’, published by the City of London, November 2013 (www.cityoflondon.gov.uk/business/economic-research-and-information/statistics/Documents/an-indispensable-idustry.pdf)

[3] ‘UK national risk assessment of money laundering and terrorist financing’, published by HM Treasury and Home Office, October 2015 (www.gov.uk/government/uploads/system/uploads/attachment_data/file/468210/ UK_NRA_October_2015_final_web.pdf)

[4] Final Notice to Barclays Bank Plc, 25 November 2015: www.fca.org.uk/your-fca/documents/final-notices/2015/barclays-bank-plc-nov-2015

[5] FCA – Annual Report and Accounts 2014/15 (for the year ended 31 March 2015) www.fca.org.uk/static/documents/corporate/annual-report-2014-15.pdf, p.135

[6] ‘Analysis: UK FCA AML fines 2002-2015: Common and Recurring Themes: The 40-point checklist’, by Anu Ratan: www.linkedin.com/pulse/uk-fca-fines-related-anti-money-laundering-from-2002-ica-dip-aml-?trk=mp-author-card

[7] FCA – Annual Report and Accounts 2014/15 (for the year ended 31 March 2015) www.fca.org.uk/static/documents/corporate/annual-report-2014-15.pdf, p.85

[8] Final Notice to Royal Bank of Scotland Plc, 12 December 2002: http://www.fca.org.uk/static/pubs/final/rbs_12dec02.pdf

[9] Decision Notice to The Royal Bank of Scotland Plc, National Westminster Bank Plc, Ulster Bank Limited and Coutts & Company, 2 August 2010: www.fca.org.uk/your-fca/documents/decision-notices/fsa-decision-notice-2010-royal-bank-of-scotland-group

[10] Final Notice to Coutts & Company, 23 March 2012: www.fsa.gov.uk/static/pubs/final/coutts-mar12.pdf

[11] Final Notice to EFG Private Bank Limited, 28 March 2013: www.fca.org.uk/your-fca/documents/final-notices/2013/fsa-final-notice-2013-efg-private-bank-ltd

 

Advance your CPD minutes for this content,
by signing up and using the CPD Wallet

Get started