On 24 July 2019, the European Commission published a report assessing recent alleged money laundering cases involving EU credit institutions (Report). The Report found significant shortcomings regarding both the implementation of the Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF) rules by institutions as well as their enforcement by competent authorities.

The publication of the Report follows the adoption of the Council's Anti-Money Laundering action plan in December 2018, which required the Commission to conduct a post-mortem review of recent money laundering scandals involving the EU banking sector. The sample of ten case-studies considered within the Report were highly publicised and related to events that largely took place between 2010 and 2018. These included analysis of the events which led to the closure of ABLV Bank, FBME Bank, Versobankin as well as the Estonian branch of Danske Bank. Other notable cases which were reviewed include the imposition of fines on Nordea and Société Générale.

The Commission clarified that it does not intend to attribute blame to specific institutions or supervisory authorities, by selecting these cases for review. It was also noted that there are other institutions – beyond the ones mentioned in the Report – that are experiencing similar issues.

The Report focuses on both the events that took place within institutions and the reaction of competent authorities to those events. According to the findings, banks failed to implement core AML/CTF requirements. At the same time, competent authorities often intervened only at a later stage, when the relevant failures had become significant. It was clarified, however, that not all shortcomings identified were common to all institutions or authorities examined.

Broadly speaking, the failures identified within banks fall into the following categories:

1. Ineffective or lack of compliance with the legal requirements for AML/CTF systems and controls

The Report found that a number of credit institutions reviewed “did not prioritise compliance” with the AML/CTF rules. Even in instances where there were control systems in place, no appropriate risk assessments were conducted at either individual or group level. Due to insufficient due diligence checks, credit institutions lacked a clear understanding of their customers' activities, so were ultimately unable to determine whether activities conducted were suspicious or not. In several instances, institutions failed to identify politically exposed persons and to classify them as high-risk customers. Other institutions did not report suspicious activity to the competent Financial Intelligence Unit (FIU), even though they were obliged to. One institution had even put a cap on the amount of flagged reports its staff could produce.

2. Governance failures in relation to AML/CTF

The analysis highlighted “deficiencies” in the internal governance arrangements of credit institutions as well as their internal reporting practices, group policies and senior managers' responsibility and accountability. Often employees failed to fulfil even their “basic obligations” under AML rules, while risk management and compliance oversight were weak and did not pick up on those failures. In most cases, reporting of ML/TF risks to management was inadequate, which meant that senior managers were often unable to respond to these risks in a timely manner. The findings also suggest that, in many cases, overall corporate culture focused predominantly on “profitability over compliance.”

3. Misalignments between risk appetite and risk management

The Commission identified cases in which credit institutions may have “actively pursued” riskier business models from an AML perspective. These included engaging in high-risk business in third-country jurisdictions or with high-risk customers, such as politically-exposed persons or commercial entities with an unidentifiable owner, without allocating a sufficient level of care to the establishment of thorough due diligence processes and attentive risk management.

4. Ineffective supervision of group AML/CTF policies

There was evidence of a lack of uniformity and application of group-wide AML/TF policies, especially where some branches of a bank's group were located in countries with less stringent domestic AML/TF policies to those of the Union. In such circumstances, it was often found that interpretation and application of group risk policies were left to the discretion of local management without the enforcement of “rigorous and consistent implementation of […] group policy and control processes.”

Swedish bank admits ‘shortcomings’ in AML practices

As noted in the Report, the findings are not unique to the specific institutions reviewed. Interestingly, on 17 September 2019, Swedbank, which is the largest bank in the Baltic region, published a press release acknowledging the “shortcomings” in its AML/CTF practices. This was in response to requests made by the Financial Supervisory Authorities in Sweden and Estonia, as part of the ongoing investigations into the bank for alleged money laundering breaches.

In this press release, the bank admitted that it had failed to dedicate “sufficient resources and competence” to effectively manage the ML/TF risks presented by clients and third parties. It further conceded that the division of responsibilities was not sufficiently clear and internal policies were not always complied with. The bank also admitted that Know Your Customer and risk assessment are areas where it still demonstrates shortcomings.

Failures relating to AML/CTF supervision

The Report also looks at the failures in supervision by competent AML/CTF authorities. According to the Report, often authorities were understaffed, while onsite visits were limited, delayed or not sufficiently thorough, even in instances where the risk was high. In addition, in many cases the supervisory measures taken, if any, did not amount to proper sanctions, but were instead limited to informal letters and recommendations. According to the Report, prudential supervisors expressed their “unease” to use their powers in relation to ML/TF matters. Difficulties were also identified with regard to cooperation and information exchange both within the EU as well as with third countries.

Next steps

The Report outlines steps that the EU has already taken in order to address the above issues. These include the adoption of the fifth Anti-Money Laundering Directive (MLD5) and the European Supervisory Agencies reform, which will make the European Banking Authority (EBA) the supranational authority responsible for AML in the financial sector. It also suggests possible future steps, such as the adoption of an AML Regulation and the establishment of a pan-EU AML authority.

The key takeaway is that firms, especially banks, should generally expect heightened awareness from their supervisors (both AML/CTF and prudential) in relation to ML/TF risks. They are advised to review, among other things, their internal policies and procedures, allocation of responsibilities and risk management practices in this area and take steps to correct any deficiencies in a timely manner.