Multi-million (and billion) dollar fines for AML/CTF breaches are no longer the preserve of United States and United Kingdom. In this post, we describe the recent ground-breaking action in Australia, as well as recent global trends and the Russian sanctions fiasco.

A$45 million fine for gaming giant

On 16 March 2017, the Federal Court of Australia imposed the highest ever civil penalty in corporate Australian history – a civil penalty of AU$45million was imposed against members of the Tabcorp Group (“Tabcorp”) for non-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

What went wrong?

Full details are not publically available, but it is clear that the action involved insufficient suspicious activity reporting to the Australian anti-money laundering and counter-terrorist financing (“AML/CTF”) regular, AUSTRAC.

In addition, the failings of Tabcorp related to the following:

  • policies and procedures;
  • customer identification; and
  • enrolling with AUSTRAC, the Australian regulator (in Australia, those that provide designated services, and remittance service providers, must enrol with AUSTRAC on its “Reporting Entities Roll”).

The announcement from AUSTRAC in respect of the penalty was particularly focused on cultural non-compliance and the lack of engagement from the company’s management.

It follows what we see as heightening scrutiny generally over the gaming sector. However, it is ground-breaking in terms of the scale of the penalty. Against that penalty, Tabcorp made a number of admissions relating to non-compliance with AML/CTF standards, but also signalled that it had undertaken significant remedial work and that deficiencies were not intentional.

How does this compare with global trends?

The significant financial impacts of the decision echo the large financial penalties seen around the world in recent times for AML/CTF non-compliance.

Please click here to view table

In global terms, the penalty against Tabcorp remains dwarfed by penalties emerging from the United States and the United Kingdom. However, the momentum of regulators seeking large financial sums is consistent.

In Hong Kong, we have seen the regulators continue the take action for AML/CTF failings, although the penalties have not yet reached the heights of those seen elsewhere. See our March 2017 post about momentum building on AML/CTF enforcement trends, available here.

What are regulators so worried about?

As well as having large financial penalties in common, the investigations have familiar themes leading to the relevant enforcement action.

For example, three key themes in recent New York State Department of Financial Services (“NYSDFS”) cases involving large AML/CTF-related fines were the following:

1. Lack of control framework; In the Mega Bank consent order, poor internal controls were cited, including a compliance function without appropriate knowledge of relevant AML/CTF laws and conflicting roles.

What stood out to us: The consent order describes the Bank’s “dismissive response” to the regulator and “perhaps most egregious” the bank’s declaration that certain transactions were not suspicious – a position the regulator described in the Consent Order as “a complete misstatement of well-established [Bank Secrecy Act] law”.

2. Lack of senior management oversight and “buy-in”; In respect of the Agricultural Bank of China, the NYSDFS found that management had failed to address suspicious activity concerns raised by the Chief Compliance Officer (“CCO”) and subsequently curtailed the CCO’s authority and their ability to carry out their compliance responsibilities.

What stood out to us: The consent order describes the reaction of the bank to the views of a newly hired CCO that transactions were not screened appropriately. The CCO was directed not to communicate with regulators and was required to have all requests for information to complete transaction information made to the bank’s headquarters and branch networks reviewed by the General Manager or Deputy General Manager.

3. Inappropriate application of internal policies and procedures; In the Intesa action, deviations from the bank’s transaction monitoring policies and procedures were overseen by the AML Officer, resulting in thousands of alerts being closed through an “unauthorised and ad hoc” process.

What stood out to us: The NYSDFS consent order states that the AML Officer viewed a risk-based policy to mean that “if you miss one, you miss one” and therefore the unauthorised process of clearing transactions outside of the bank’s policy was acceptable. The consent order also noted that the technology adopted by the bank meant that while the system searched for “Russian Federation” it did not search for “Russia” and while it searched for “Libyan Arab Jamahiriya” it did not search for “Libya”.

Further action – UK and US

The significant penalties applied to Deutsche Bank in the US and the UK stem from the same activity out of Deutsche Bank’s operations in Russia.

Specifically, it was alleged that a Deutsche Bank Russian based subsidiary (“DB Russia”) engaged in securities trading with its clients while the Moscow front office of Deutsche Bank engaged in mirror trades to allow US dollars to flow out of Russia. The two sides of the trading were undertaken at the same time. The following chart illustrates some of the key aspects of the mirror trading alleged:

Please click here to view diagram

The effect of the mirror trades was to convert Russian Roubles into US Dollars and enable this money to be transferred outside of Russia.

Failings that were found as part of the relevant investigations included:

  • deficiencies in control framework, particularly in respect of customer on boarding and ongoing monitoring. The KYC procedure was described by the relevant US regulator as “manual and functioned merely as a checklist…rather than shining a critical light on information provided by potential customers”;
  • lack of accountability and failure to clearly define roles and responsibilities; and
  • lack of sufficient resources including inadequate IT infrastructure and understaffing of compliance and internal audit.

Did self-reporting help?

The AML/CTF concerns that were identified as part of this mirror trading were self-reported by Deutsche Bank. However, the significant failings that it demonstrated still meant that it was subject to such significant financial penalties. Nevertheless, self-reporting and cooperation was recognised by the regulators and, in respect of the UK fine, resulted in a 30% discount on the financial penalty.

Key lessons

These large financial penalties demonstrate that continued, meaningful engagement in ensuring compliance with AML/CTF obligations is vital. It is not enough to adopt a standard AML/CTF program and “set and forget” – real engagement from senior management and a program and infrastructure which responds to the environment in which it is used, and is implemented through a well-trained and resourced business, is crucial. This is echoed by AUSTRAC’s recent insights from Compliance Assessments which notes that templates or off-the-shelf AML/CTF Programs are not enough – compliance programs must be tailored.

Some of the key messages from these recent enforcement actions include the following:

Please click here to view diagram