In October 2008 the FSA issued Final Notices fining Money Laundering Reporting Officer ("MLRO") Michael Wheelhouse £17,500 for failures in overseeing and implementing the anti-money laundering systems at Sindicatum Holdings Limited ("SHL") and fining SHL £49,000 for failure to implement effective systems in relation to verifying the identity of some of its clients; the FSA stated that SHL's fine would have been significantly larger had it not been for SHL's limited resources. This e-bulletin summarises the decisions and identifies the key messages for MLROs and those in senior management positions.
- The FSA is prepared to reinforce its messages about senior management responsibility for anti-money laundering ("AML") controls by taking enforcement action against individual MLROs.
- MLROs must ensure not only that their firms establish robust anti-money laundering procedures but also that these are implemented, monitored and updated as necessary.
- Notwithstanding the "risk based approach" to AML compliance, and the FSA's emphasis on principles-based regulation, firms may still be criticised for detailed identification failings, and in that context may be assessed against the standards they have set themselves
Mr Wheelhouse jointly founded SHL and had been a director since it commenced regulated activities in August 2002. As SHL's MLRO (Controlled Function 11), Mr Wheelhouse was responsible for implementing, maintaining and ensuring the effectiveness of SHL's anti-money laundering ("AML") procedures. SHL was a small firm, advising and arranging deals in investments for approximately 35 clients.
The FSA found that:
- SHL breached Statement of Principle 3 of the Principles for Business ("A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems"); and
- Mr Wheelhouse breached Statement of Principle 7 of APER (the obligation on approved persons to take reasonable steps to ensure that the business of the firm complies with relevant requirements and standards), and in so doing was a cause of SHL's failure to maintain effective systems and controls.
In the first enforcement case in this field since the changes to SYSC1, the FSA drew attention to SHL's breach of SYSC 3.2.6 R, the obligation to "take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime".
Findings in relation to Mr Wheelhouse and SHL
The FSA found that between October 2003 and September 2007 both Mr Wheelhouse and SHL failed to take reasonable care to establish, operate and maintain effective systems and controls for countering financial crime risk, and in particular did not:
- implement adequate procedures for verifying the identity of clients;
- adequately verify the identity of a significant number of clients (SHL failed to ensure that customer due diligence (CDD) documentation was adequate for 13 higher risk clients, and in some cases failed to complete client acceptance checklists fully or at all); and
- keep adequate records with regard to verification of identity.
The FSA provided some examples of the detailed identification failures, which included failures to:
- obtain identification evidence for three clients at the time of client take-on;
- certify passports for relevant individuals until three years after client take-on;
- obtain evidence of an individual’s address until four years after client take-on; and
- obtain evidence for six corporate clients to verify that particular individuals were in fact the directors, beneficial owners or controllers of the client.
In addition, the FSA found that:
SHL accepted information from directors, beneficial owners and controllers of five clients rather than obtaining evidence of those matters from independent sources2;
- there was inadequate evidence to demonstrate that records (or translations of them) obtained by SHL with respect to five clients had been adequately reviewed by Mr Wheelhouse;
- photocopies of identification documentation were accepted for two clients with no evidence that originals had been sighted or that the copies were true copies; and
- SHL's records for two clients suggested that identification had been verified but the relevant documentation was missing from SHL's client files.
The detailed nature of the criticisms highlights the tension between the risk-based approach to AML procedures, now embedded in the Money Laundering
Regulations 2007 – which the FSA has publicly acknowledged3 cannot be a "zero failure" regime – and the fact that any enforcement proceedings will inevitably focus on identifying specific failings in systems and controls. It must be hoped that the emphasis on matters such as failure to certify documents does not herald a return to the "box-ticking" approach which the FSA and JMLSG have sought to move away from since around 2005. In practice, it may be that what appears to be an undue focus in the Notices on minor breaches should be seen in the context of SHL's limited client base; if a firm has only 35 clients, then a failure to complete identification forms for seven of them clearly gives rise to a potentially serious risk that it does not properly understand who a significant proportion of its clients are.
Specific findings against Mr Wheelhouse
In addition to the above, the FSA found that Mr Wheelhouse:
- should have been aware that between October 2003 and September 2007 SHL had not fully implemented the AML procedures in its own AML Handbooks, and that it had failed to implement adequate identification procedures or adequately verify and record the identity of a significant number of clients;
- failed to ensure that all client checklists were fully completed and failed to refer to this in the MLRO reports that he presented to the board of SHL;
- in one case, applied an exemption from identification to a deposit-taking bank in Lithuania notwithstanding that Lithuania was not an equivalent jurisdiction for AML purposes. In this case, Mr Wheelhouse acted both as the account executive collecting the information and as the officer reviewing and signing off the account, which the FSA believed reduced the likelihood of the failure being identified.
Senior management responsibility
Whilst this is not the first time that the FSA has imposed penalties against senior managers in respect of AML failures (Ram Melwani was fined in 2005 for failing to act with due skill, care and diligence to ensure that the company of which he was Managing Director complied with the FSA's ML Sourcebook) the language adopted in the Notices accords with the FSA's recent emphasis on the role and responsibility of senior management, both in the AML sphere and in respect of compliance issues more generally. Indeed, in the Notice the FSA explains that the penalty against Mr Wheelhouse was imposed:
"to strengthen the message to the market that it is imperative that senior managers who perform significant influence controlled functions take reasonable steps… to ensure that the business of the firm…complies with the relevant requirements and standards…" (emphasis added).
In the decision against SHL, the FSA again emphasised that MLROs and other senior managers must "actively engage in ensuring that firms are compliant" with AML requirements.
SHL's small size meant that Mr Wheelhouse was, in some respects, an "obvious target" for the FSA. He was clearly closely involved in, and responsible for, all relevant aspects of SHL's business and compliance functions. Nonetheless, it is likely that we will continue to see enforcement actions against individuals for systems and controls failings including, in appropriate case, at larger institutions.
In the brave new "risk based" AML world, it can be difficult for firms to determine what standards they should adhere to and to determine when the FSA might choose to take enforcement action in respect of perceived shortcomings in identification procedures. In that context, it is of interest that:
- The FSA, whilst noting that the JMLSG Guidance has been amended over time, distilled a number of "general principles" which it applied in considering SHL's conduct, namely that:
- satisfactory evidence of identity should be obtained as soon as practicable after initial contact is made;
- for lower risk corporate clients, documents evidencing the existence of the corporate entity along with lists of directors and shareholders may suffice;
- further evidence of shareholders and, if appropriate, directors is required for higher risk corporate clients;
- evidence should be obtained from official, independent sources;
- copies should be adequately certified; and
- records of evidence and the methods used to verify identity must be retained.
Interestingly, these "general principles" do not entirely accord with current JMLSG guidance (for example, certification of documents is no longer mandatory); the Notice makes no attempt to reconcile the "general principles" with the current position, notwithstanding that the FSA's findings extend into 2007. Nonetheless, they may be useful in considering the standard against which the FSA may measure historic AML compliance.
- Irrespective of the existence of external standards/guidance against which to benchmark their procedures, firms may be exposed if they fail to implement or comply with their own procedures; the FSA criticised Mr Wheelhouse for failing to be aware that SHL had not complied with its own AML handbooks. These had been drafted by independent compliance consultants who had also been instructed to give training and conduct quarterly reviews of SHL's adherence to its procedures. The FSA found that this "process was often informal, with no adequate processes for ensuring that feedback and advice was used to make necessary improvements… ". The three principal points arising from this are that those responsible for AML compliance:
- should ensure that their firms establish and implement robust AML procedures; preparing appropriate policies, even with the involvement of external consultants, is not enough;
- must monitor and make any necessary changes to AML procedures;
- may wish to consider, when drawing up procedures, avoiding "setting the bar too high" by requiring excessively burdensome steps to be taken – which could leave the firm open to criticism in the event of non-compliance.
- The FSA also criticised SHL for failing to properly verify the identity of high risk clients incorporated in "less transparent jurisdictions". There are, of course, significant difficulties surrounding the categorisation of
"equivalent jurisdictions"; the JMLSG's revised guidance4 suggests that a presumption of equivalence only applies with respect to EU/EEA member states and countries on the (limited) EU/HM Treasury list, and that in any event firms must consider enhanced procedures where there is "substantive information which indicates that a presumption of equivalence cannot be sustained…". Thus, a majority of countries cannot be presumed to be equivalent and firms "will need to carry out their own assessment". This may give rise to substantial divergences of practice. The Notices are therefore of interest in suggesting that the FSA will not view these uncertainties as a bar to enforcement action in respect of failures to conduct enhanced due diligence on clients based in high risk jurisdictions – at least in clear cases where there are other deficiencies.
The FSA has been signalling for some time that it will take enforcement action, including against senior management and MLROs, where there has been a failure to properly assess and manage AML risk, particularly where those failures are systematic, or where a firm does not address identified weaknesses. Now that the risk based approach has had time to "bed in", it is likely that we will continue to see the FSA reinforce those messages with robust enforcement action in appropriate cases.