FCA's recent fine on Standard Chartered Bank (the Bank) illustrates the importance not only of having appropriate and strong AML policies and procedures for high risk areas of business, but also (mainly in fact) of adhering to them.
The fine of over £100 million is the second largest fine FCA has imposed for AML failings. In this article, Emma Radmore of Womble Bond Dickinson looks at what went wrong, and how firms can learn from it.
Where the problems arose
The problems arose in two specific areas of the Bank's business – areas which are traditionally recognised to be high risk. These were the correspondent banking business within the Bank's wholesale banking operation, and its branch business outside the EU, in this case specifically in the UAE. As an institution with its head office in the UK, the Bank's head office controls were critical, in that they had to comply with UK regulatory requirements and form the basis for controls applied in non-EEA branches and subsidiaries, which had to be adequate to address the risks presented.
During the relevant time (which was from the end of 2009 to the end of 2014 in respect of the UAE branch issues, and from the end of 2010 to mid-2013 for the correspondent banking issues), the Bank operated in the UAE through licensed branches. It had 14 branches, with its main office in Dubai, and served nearly 350,000 customers through them. It had categorised the branches as presenting high financial crime risks, not least because of their geographic location, in particular the closeness to Iran. The wholesale banking side had correspondent banking relationships with over 1,300 financial institutions in non-EEA jurisdictions, providing among other things cash and clearing services. During the period of the breaches, it carried out nearly 2 million transactions at a value of over $1 trillion.
So far, so good. These areas of business were clearly high risk, and the Bank had recognised them as such.
What went wrong: CDD content and controls
A persistent failing, identified in internal reviews since 2009, was that customer files on UAE customers, in both the consumer and wholesale banking operations, contained inadequate information on the customers, the purpose of their accounts, and the nature of corporate customers' business. The due diligence carried out was not to the standard the Bank's procedures required.
In one of the later reviews, an internal review noted that 43% of the files reviewed did not have enough customer information, and over one quarter did not explain beneficial ownership or, in some cases, properly identify the authorised signatories and shareholders. A review a couple of years previously had identified as high risk the way the Bank "unwrapped" corporate entities to understand the shareholder structure.
There were, it seems, numerous incidences of failure to gather the right information, probably caused by a combination of clunky procedures and a failure to embed the culture that gave local staff the understanding as to why the checks were fundamentally important. Common themes of problems arose with customers with a connection with Iran, and assessing and addressing beneficial ownership.
The Bank allowed Iranian nationals to open accounts with its UAE branches, so long as they were not resident in Iran and did not carry on business involving Iran through their accounts. The Bank had adopted a new policy (the Iran addendum) aimed at better checking that Iranian individuals genuinely did not live in Iran. The new policy proved harder to implement than expected and the process was poorly managed. As a result, it took years to make inroads into the backlog of inadequately evidenced residence checks, which not only exposed the Bank to greater risks through lack of appropriate evidence but also meant that scheduled policy reviews ran behind.
The "unwrapping" process had equally serious consequences. Because staff fundamentally failed to understand the importance of identifying the person with ultimate control over a customer, and because there was no proper understanding of the source of funds and the purpose of the customer's relationship with the Bank, EDD was not applied in many instances when it should have been.
In its Final Notice, FCA noted one case where the customer exported a dual use good to numerous countries, including two where there was armed conflict at the time. The files did not show that the relevant UAE branches had considered the increased risks the customer relationship presented, nor was there adequate information on the source of funds, purpose of the account and anticipated volume of business. The Bank's policies and procedures in fact went further than regulation required in setting out what business should be considered high risk and should be subject to checks on source of funds. Failure by the UAE branches to do this was flagged repeatedly in internal reviews, but nevertheless continued. In another case, it found a consulate had opened an account in 2011 with a cash deposit worth just over half a million pounds. The consul had brought the cash, in UAE dirhams, into the UAE in a suitcase. There was no evidence the branch had either considered the potential risks or investigated the source of funds. More generally, even in cases where there was evidence on file, there was almost always no evidence that the information had been assessed to establish whether the account in question presented a high risk.
What went wrong: Respondent Assessment
The Bank's process for assessing respondents in its correspondent banking business incorporated the quality of the AML supervision in the respondent's jurisdiction, but FCA found it did not include a proper assessment of the quality of the respondent's own AML controls. While the Bank asked about AML controls, or asked the respondent to complete a questionnaire, there was no evidence to show any assessment had taken place or that the Bank had a good understanding of the effectiveness of the controls. A report in 2010 that had been escalated to the Group Financial Crime Risk Committee noted the issues, going so far as to suggest there was evidence of a tick box approach to compliance.
An example of the problems with the approach was with a respondent that was in a jurisdiction in which there was armed conflict, and whose parent had been the subject of a search and seizure warrant by a law enforcement agency, yet the Bank held only the standard questionnaire and a statement that the respondent's AML policies were satisfactory.
In other cases, FCA's review found that in over one third of cases, the Bank had not taken sufficient steps to identify PEPs associated with the respondent. Sometimes there was no evidence of any screening, and in many others the files lacked evidence that the Bank had sought to understand the PEP's role in the respondent.
An additional concerning aspect of the review was the discovery that for a few correspondent relationships between the UK wholesale bank and non-EEA correspondents there were no due diligence records at all.
What went wrong: Group introductions
Part of the arrangements for the correspondent banking business included the use of group introduction certificates when one office of the Bank introduced a customer to another overseas Bank office. The Bank's policy stated that one group entity could rely on the due diligence performed by another, subject to local laws and provided a group introduction certificate was in place. The purpose of the certificate was to ensure that the receiving office could apply an appropriate risk rating, and had the added benefit of allowing the UK wholesale bank to review due diligence that had been done overseas to check it was not deficient – and, if it was, to remedy any deficiencies. This all sounds good.
Given the nature of the business, the vast majority of non-EEA correspondent banking business had initially been taken on by an overseas branch or subsidiary. But the Bank failed to ensure a group introduction certificate was in place for each relevant customer, and did not check for deficiencies in certificates that did exist, even where it knew there were issues with the quality of the due diligence that was being done overseas. Although the Bank reviewed the underlying due diligence on many of these certificates, it failed to identify the shortcomings. Additionally, the Bank had granted some dispensation to branches which meant they would be operating at a standard lower than UK regulation required, yet it did not take steps to ensure compliance due diligence was carried out before the customer was offered products and services by the UK bank.
FCA's review showed deficiencies in nearly one third of the sample it reviewed, even though its sample should have included the most compliant documents as it picked documents from an enhanced electronic platform the Bank had introduced.
The importance of ongoing monitoring
To add to the problems at inception, there were failings in both standard ongoing monitoring and monitoring that was triggered by a particular event. The UAE branches did not complete their periodic reviews in the timescales set – and many were significantly overdue because of inability to complete the "Iran addendum". FCA found instances where staff readily accepted unconvincing information where otherwise the circumstances would have suggested the relationship should terminate. It also found cases in which incomplete forms were approved, or the appropriate sign off was not obtained.
Other failings in the process included that the UAE branches did not consistently apply policies which, variously, required them to repeat due diligence if a defined trigger event happened, such as a reason to doubt information held, a change in the business, negative press or the making of a SAR. Evidence showed that several customers who should have been subject to a review following a rejected transaction were not reviewed, and that 80% of the files in the sample that were reviewed did not refer to red flags or identify issues that had arisen (rejected transactions, payments involving Iran or cheques from sanctioned entities).
The problems with compliance monitoring spread across the affected parts of the business, and specific failings noted included:
- Failure to implement the part of the Iran addendum that would have sampled payment instructions to ensure none had come from Iran
- Failure to follow up trigger events
- Many overdue periodic reports, a significant number of which related to higher risk accounts and
- Failure to review business subject to a group introduction certificate.
Getting AML oversight controls right
Deficiencies in group level controls exacerbated all these problems. The Bank operated a "three lines of defence" model comprising
- Periodic assessments of sample files
- Advice from a specialist sanctions advisory function and due diligence checks by the financial crime risk unit, which also set standards and policies for regulatory compliance. The reviews were to assess the effectiveness of controls, and the financial crime risk unit reported to the group head of compliance; and
- A third line, including the group internal audit function, that reported to the group audit committee.
FCA identified flaws in how the first and second lines conducted reviews, not least that the UAE function was under-resourced. The inadequacy of the first line reviews gave rise to false comfort in the MI that resulted from it, while the financial crime risk group failed to identify all relevant issues and, for a lengthy period, did not carry out any reviews on the majority of customers in the UAE branches for various reasons. In 2011 there was evidence of collusion between certain employees and customers to avoid sanctions issues, and other evidence of non-compliance, but this was not effectively challenged.
FCA found the Bank did not approach identification and mitigation of AML risks in a holistic or proactive manner. In particular it did not consider the risks posed by the channels customers used to access services, specifically the risks of dealing with Iran or systems being accessed from Iran. FCA noted that even if the Iran addendum had been properly implemented, it would not in fact have addressed all the risks.
The final oversight failing related to failure to respond to warnings. The Bank did not take appropriate action over evidence that customer transactions were being rejected, nor did it fully take on board advice from its New York office in relation to customers it considered to pose a high sanctions risk. Eventually the Bank started work on a protocol, but this took nearly three years to implement. Similarly, insufficient action followed an internal report flagging concerns that UAE branches did not properly understand the ownership structure of many SME customers. Again, when there was a response, it took a long while to action it, and even after this the Bank continued to find problems with ownership structures of these clients.
All these issues were exacerbated by the failure properly to escalate them. Again, the group internal audit function had raised issues when it found evidence that concerns had not been escalated as suggested in relevant reports. The upshot was a combination of misleading MI and a failure to escalate problems identified in the branches in the way the Bank's policy required.
The fine related to breaches of 9 specific provisions of the MLRs (the then current 2007 version). In particular, it:
- Failed to ensure adequate EDD and enhanced monitoring of non-EEA respondents
- Did not require UAE branches to apply CDD and ongoing monitoring requirements at least equivalent to the MLR requirements; and
- Did not establish and maintain appropriate and risk-sensitive AML policies and procedures or ensure they were applied appropriately and consistently.
In addition to the specific failings, FCA was concerned the Bank did not ensure a positive culture around AML compliance. All in all, the failings not only resulted in an unacceptable risk that the Bank would be used by money launderers or those seeking to evade sanctions or finance terrorism, in a situation the Bank knew was high risk; they were also particularly serious because of the many industry-wide messages and publications FCA had communicated on high risk financial crime prevention, the specific feedback it had given to the Bank on two occasions, and the Bank's involvement in the action the US authorities had taken in 2012 for wire-stripping.
Lessons to be learnt
A key tenet of financial crime prevention is that it is no good having compliant policies if they are not both understood and observed in practice. In this case, not all of the Bank's problems would have been solved if it had put in place better measures to ensure its policies were implemented and understood, but it would have helped considerably. Equally, both regulation and regulators clearly articulate that monitoring and adapting to change are key. Again, if the Bank had properly policed the timing, content and follow up of ongoing reviews, problems should have been identified and addressed sooner. The two specific areas of business affected by the problems are among the highest-risk areas possible, yet the Final Notice suggests insufficient resource at all levels, allied to what appears to be a practice of paying lip-service to the requirements rather than instilling a compliant mindset and culture. This shows that it is critical to have policies and procedures that anticipate and address risks specific to particular business. And, ultimately, of course, the controls failings that meant senior management were not apprised of problems mean we cannot know whether issues could have been addressed sooner and more meaningfully had senior management been made aware earlier and more often of the problems that both internal and external reviews had identified since 2010.
This article was first written for Financial Regulation International.