On 4 December 2018 the FCA published a Decision Notice in respect of Mohammed Ataur Rahman Prodhan, imposing a fine of £76,400 on the former CEO of Sonali Bank (UK) Ltd ("SBUK") for failings in relation to AML systems and controls.
The obligations of CEOs and other senior managers as regards regulatory compliance (and the extent to which senior managers can be held liable for regulatory or compliance failings) were explored in the leading case of John Pottage v The Financial Services Authority (in which this firm acted for John Pottage).
Drawing on the observations of the Upper Tribunal in the Pottage case, the recent Decision Notice in respect of Mr Prodhan (which is subject to reference to the Upper Tribunal), and the FCA's new Financial Crime Guide (issued December 2018), a number of important, practical lessons on AML compliance can be discerned, in particular as to the "reasonable steps" which senior managers should take – as a matter of routine – to meet ever-growing FCA expectations around AML and financial crime.
1. AML / financial crime is a senior management responsibility
The FCA's newly-issued Financial Crime Guide could not be clearer:
"We expect senior management to take clear responsibility for managing financial crime risks, which should be treated in the same manner as other risks faced by the business. There should be evidence that senior management are actively engaged in the firm’s approach to addressing the risk." (FCG 2.2.1)
Boards, Management Committees and individual senior managers with responsibility for AML (hereafter "Senior Managers") should be clear as to the mechanism that they rely upon to "satisfy themselves as to the adequacy of AML systems and controls". (See the Final Notice issued to Canara Bank, June 2018).
- Is there a standing item on AML / financial crime on the Board / Management Committee Agenda? If not, can the absence of such an item be explained?
- Do Board / relevant committee minutes provide evidence that senior management are "actively engaged" in AML / financial crime issues? In the Prodhan Decision Notice the FCA specifically criticised Mr Prodhan for having "contributed little to meetings at which AML issues were considered" (Prodhan Decision Notice, para 4.15).
- Has the Board set "clear criteria for escalating financial crime issues"? Where are these criteria documented? Do staff (e.g. in Compliance) know precisely what must be escalated to the Board? (FCG 2.2.1)
2. Delegation of responsibilities must be appropriate, monitored and challenged
The Upper Tribunal makes very clear in the Pottage case that the role of a CEO (and, by extension, any senior manager) is oversight. In the context of compliance a CEO (or senior manager) is not personally responsible for the creation, design or implementation of controls.
Extensive guidance on delegation is provided in the FCA Handbook, including at COCON 4.2.17 (for individuals subject to the Senior Managers Conduct Rules, e.g. in banking) and APER 4.6.13 (for senior managers at firms yet to transition to the SMR, e.g. asset managers).
In the Prodhan Decision Notice the FCA recognises that a senior manager is "entitled to delegate the day-to-day operational management of AML systems and controls", but that senior managers "remain responsible for ensuring that these systems and controls [are] properly established and maintained". Mr Prodhan was criticised on the basis that he "should have taken reasonable steps to ensure that he had at all times an adequate understanding of the AML risks and how they were being addressed." (Prodhan Decision Notice, para 4.15).
In practice, this means:
- Prior to delegating a responsibility or task, a senior manager must ensure that the delegate has the necessary "competence, knowledge, skill and time to deal with the issue" (APER 4.6.13). The question of "time" requires consideration of resourcing: if a compliance department only has resources to deal with day-to-day functions, delegating a significant new project (e.g. a remediation exercise) will not be appropriate;
- Oversight must be evidenced. If oversight takes place in the form of meetings (e.g. between a CEO and MLRO) are these recorded? What reports or analysis are sought by management and produced? Do those exercising delegated responsibility know precisely what senior management expect to be escalated and in what timeframe / form?
- "Trust but Verify". Senior Managers must be able to demonstrate that they have tested and challenged what they are told by those in the second line of defence.
It is not sufficient to receive, or even request and receive, Management Information. Intelligent questions must be asked around it: how is a particular risk being addressed; why is the level of SARs / STORs so low / high; do you have adequate resources to meet all of our regulatory requirements; how do we test whether monitoring tools are working effectively; what emerging risks have we considered; what regulatory developments will affect our business in the coming year and how are we preparing?
3. Personal engagement with AML / financial crime risks and controls
The FCA recognises, in the Prodhan Notice, that a CEO / senior manager "is not required to be an expert in all areas of AML" (Prodhan Decision Notice, p.47). However, in order to provide effective challenge, senior managers must understand – as a minimum:
- The risks of financial crime to which the business is exposed. In this regard it would be helpful for a senior manager to show that s/he has been involved in drafting, or at least considered, the AML risk assessment;
- The key requirements of the UK legal and regulatory system as regards AML / financial crime.
In both the Prodhan Decision Notice (p.45, para 3) and the Canara Bank Final Notice (p.2, para 2.3) the FCA expressed that it is no answer to an alleged regulatory failure to claim "inexperience in the UK regulatory environment", even where a senior manager has been seconded or appointed from, or by, an overseas parent.
4. Supervisory Visits must be prepared and FCA feedback given prompt effect
In both the Sonali and Canara cases one or more unsatisfactory supervisory visits led to the appointment of a Skilled Person to conduct a report, which in turn led to enforcement action, financial penalties and restrictions on business.
The FCA's Annual Anti-Money Laundering Report 2017/18 showed that AML supervisory visits are taking place with ever-greater frequency, as are appointments of skilled persons in respect of AML / financial crime issues.
Supervisory visits must be taken seriously and prepared for appropriately. Where the FCA provides feedback this must be considered carefully, challenged where it is unfair or inaccurate and otherwise given effect as a matter of priority.
5. Senior Managers and Reasonable Steps: what to look out for
A notable feature of the Prodhan case is the fact that Mr Prodhan was the senior manager with responsibility for the establishment and maintenance of effective AML systems and controls under SYSC 6.3.8R. This seems to have been the basis upon which the FCA pursued a case against him for contravening Statement of Principle 6 as opposed to Statement of Principle 7 (the Principle the FSA alleged had been contravened in the Pottage case).
The Prodhan Decision Notice has been referred to the Upper Tribunal. If the case reaches a judgment, further guidance will likely emerge as to the expectations on senior managers as regards AML, and – in particular – the extent to which the judgment in Pottage is relevant to a case brought under Principle 6.