Introduction and background

In a recently published decision notice, the FCA has proposed to fine Mohammad Ataur Rahman Prodhan, the former CEO of Sonali Bank (UK) Ltd (SBUK), £76,400 for anti-money laundering (AML) failings which took place between 7 June 2012 and 4 March 2014. This follows on from final notices published by the FCA in October 2016 against SBUK and its Money Laundering Reporting Officer (MLRO) imposing financial penalties of £3,250,600 and £17,900 respectively. Mr Prodhan has referred the FCA's decision to the Upper Tribunal which will determine what action, if any, is appropriate for the FCA to take. Although the notice concerns events prior to the Senior Managers and Certification Regime (SMCR) coming into force, it has potential learning points for current senior managers.

The final notice published against SBUK in October 2016 found it had breached FCA Principle 3 for having serious and systemic weaknesses in its AML controls. This included identifying issues with SBUK's senior management team and failings in its AML policies and procedures. SBUK was also found to have breached Principle 11 for failing to notify the FCA (for a period of at least seven weeks) that a significant fraud had been alleged whilst it had been under FCA investigation. In addition, SBUK's MLRO was fined for failing to exercise due skill, care and diligence in carrying out his duties and for being knowingly concerned in SBUK's breach of Principle 3. The FCA found that the MLRO had demonstrated a "serious lack of competence and capability".

The FCA, in its more recent decision notice, found that Mr Prodhan had breached APER Statement of Principle 6 which required him to exercise due skill, care and diligence in managing SBUK's business. In particular, Mr Prodhan was found to have "failed to appreciate the need to give sufficient focus to regulatory compliance and to take reasonable steps to ensure the adequacy of SBUK's AML systems and controls to prevent financial crime." The FCA also found that Mr Prodhan had been knowingly concerned in SBUK's breach of Principle 3 which requires a firm to take reasonable steps to ensure it has organised its affairs responsibly and effectively, with adequate risk management systems.

Regulatory framework

Firms' AML obligations are primarily found in the Money Laundering Regulations 2017. Firms are required to carry out customer due diligence by identifying their customers and verifying those identities. In certain circumstances, firms must also take additional steps to verify a customer's source of wealth. Principle 3 requires an authorised firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems including in relation to financial crime.

The Financial Crime Guide section of the FCA Handbook provides a large amount of detailed guidance on how firms should act in relation to financial crime risks. In addition, the FCA regularly issues Financial Crime Thematic Reviews on particular issues (for example, on banks' control of financial crime risks in trade finance).

During the period from June 2012 to March 2014, Mr Prodhan held the certified functions CF1 (director) and CF3 (chief executive) under the former approved persons regime. For banks, this has of course since been replaced by the SMCR which came into force in March 2016. The corresponding senior manager functions are SMF1 (chief executive) and SMF3 (executive director). In addition, banks must appoint as a senior manager the person who acts in the capacity of the MLRO (SMF17). This is no different to the position under the former approved persons regime. A key change compared to the approved persons regime is that, under SMCR, senior managers must be allocated certain prescribed responsibilities. One of these is the overall responsibility for the firm's policies and procedures for countering the risk that the firm might be used to further financial crime. This includes the risk that a firm will be used for money laundering and whoever is appointed as the firm's SMF17 will often be allocated this responsibility, although, given the responsibility is broader than just AML, this will not always be appropriate.

As mentioned above, APER Statement of Principle 6 requires an approved person to manage the business of the firm for which they are responsible with due skill, care and diligence. The equivalent requirement under SMCR can be found in Conduct Rule 2. All employees of an authorised firm, with the exception of ancillary staff, are now expected to act with due care, skill and diligence. COCON 4.1.4-8 provides guidance on this specifically for managers. In addition, senior managers are required to take reasonable steps to ensure that the business they are responsible for: (a) is controlled effectively (Senior Manager Conduct Rule 1); and (b) complies with the requirements and standards of the regulatory system (Senior Manager Conduct Rule 2). Guidance on compliance with the conduct rules can be found within COCON 4.

Failings identified by the FCA and guidance on what firms should do

We set out below Mr Prodhan's key failings and indications of the FCA's expectations, and refer to COCON guidance that is relevant now and to events since 2016.

Risk assessments

Failing identified by the FCA

Failure to put in place a conduct risk framework

In June 2012, SBUK's internal auditors found that its risk register did not reflect the risks it faced and there was no link to the tasks listed in its compliance monitoring plan. There was also a lack of evidence to demonstrate SBUK had identified and considered its exposure to conduct risks. In addition, SBUK failed to act on the recommendations made by its auditors. Mr Prodhan was responsible for ensuring SBUK had appropriate systems and controls to deal with risk and its board had sufficient sight of any risks to which it was exposed. When SBUK decided to offer services to money service bureaus, the AML risks were not considered adequately.

What senior managers should do

The FCA advises that firms should have comprehensive and continuous financial crime risk assessments and should concentrate their resources on areas where the risks that have been identified are greater. In particular, firms should consider the financial crime risks when introducing new services (which, notably, SBUK did not do when it started offering services to money service bureaus).

The FCA suggests that an internal audit to monitor the effectiveness of a firm's systems and controls is an example of good practice. However, recommendations must be considered and acted on. COCON 4.2.15 states that reasonable recommendations from independent reviews of systems and procedures should be implemented in a timely manner and a failure to do so is likely to amount to a breach of Senior Manager Conduct Rule 2.

Key learning point: Senior managers should ensure that effective risk assessments are carried out and that recommendations coming out of those assessments are acted upon promptly.

Management information (MI), delegation and culture

Failing identified by the FCA

Failure to inform himself of the AML risks

The FCA criticised Mr Prodhan for delegating responsibility for SBUK's AML systems and controls to the MLRO without maintaining appropriate oversight or understanding of the AML risks. This included failing to contribute properly to meetings at which AML risks were discussed.

AML management reporting

SBUK's MLRO produced monthly reports which did not properly analyse the effectiveness of the AML systems and controls SBUK had in place or highlight particular issues which should have been brought to the attention of management. Mr Prodhan did not challenge these reports and failed to identify that they were inadequate despite warnings from SBUK's internal auditors.

Failure to foster a culture of compliance

Mr Prodhan was criticised for allowing SBUK to foster a culture in which regulatory compliance was not seen as sufficiently important. Mr Prodhan received a request from SBUK's board to change this and received subsequent warnings but failed to address the cultural issues.

What senior managers should do

One of the prescribed responsibilities under SMCR is for the firm's policies and procedures for countering the risk that the firm might be used to further financial crime. In addition, a firm must allocate overall responsibility for the establishment and maintenance of effective anti-money laundering systems and controls to a senior manager. Often these are allocated to the senior manager holding the MLRO function (SMF17). However, it would not be appropriate to allocate the prescribed responsibility to the SMF17 where the SMF17 is only responsible for the firm's AML policies and there is a more senior individual who is responsible for all aspects of financial crime.

There is COCON guidance which now addresses delegation. COCON 4.2.23(1) requires senior managers to maintain an appropriate level of understanding about delegated areas of the firm's business. Senior managers should continue to pay regard to delegated matters and insist on adequate reports and test the accuracy of unsatisfactory explanations from those to whom responsibility has been delegated.

The FCA has recently placed a lot of focus on transforming culture in financial services and published a discussion paper on this subject in March 2018. The FCA expects firms to "foster cultures which support the spirit of regulation in preventing harm to consumers and markets". Examples of how such a culture can be implemented include removing targets and performance-linked pay or developing and implementing whistleblowing policies.

Key learning point: Senior managers should pay attention to warnings that are raised by internal auditors as failing to respond to such warnings may lead to a breach of the conduct rules as signposted by the COCON guidance. There is an additional learning point in relation to delegation. Senior managers should be mindful that they continue to be responsible for the areas of the business they have been placed in control of and cannot avoid responsibility by delegating aspects of their senior manager functions to another.

MLRO resourcing

Failing identified by the FCA

Failure to manage and resource the MLRO adequately

Mr Prodhan was responsible for managing SBUK's MLRO. Despite warnings from SBUK's internal auditors, Mr Prodhan failed to identify that the MLRO did not have adequate resources. When the MLRO raised concerns with Mr Prodhan, it took a year for an additional staff member to be appointed.

What senior managers should do

SYSC requires that a firm's MLRO should be sufficiently independent and have a direct reporting line to the firm's executive management or board. An MLRO must have access to sufficient resources and information to enable him to ensure compliance with the FCA's rules on money laundering systems and controls (SYSC 6.3.9). The FCA's COCON guidance is again relevant here in that it suggests that senior managers should respond to warnings effectively and ensure that adequate resource is provided to those to whom responsibility is delegated.

Key learning point: Senior managers should ensure that sufficient resource is allocated to those with responsibility for money laundering reporting and that, where warnings are raised about resourcing, those warnings are acted upon.

Suspicious activity reports

Failing identified by the FCA

Suspicious activity reports (SARs)

Between 2012 and 2014, the number of SARs completed by SBUK staff was significantly lower than it should have been or than would have been expected bearing in mind the work carried out by SBUK. SBUK's MLRO described the number of SARs as "surprising" in each of his annual reports between 2011 and 2014. Despite the warnings that were raised, Mr Prodhan failed to take steps to investigate the low level of SARs. On a review of its customer accounts in 2014, SBUK found that almost 250 additional SARs should have been submitted.

What senior managers should do

Where a person within a firm knows or suspects that a customer is engaged in money laundering or dealing in criminal property, they must submit a SAR to the National Crime Agency. Submitting a SAR acts as a defence to a number of money laundering offences.

Key learning point: Senior managers should ensure that they properly investigate unusual MI (including levels of SARs, customer complaints and profitability of a line of business) and appropriately challenge the explanations they receive. There is an additional staff training learning point here. Senior managers should ensure that staff understand AML issues, including customer due diligence and when SARs should be submitted.

Summary

This decision notice is interesting in that it highlights the FCA's current focus on holding senior managers accountable. While the former approved persons regime applied to Mr Prodhan at the time he was found to have failed to carry out his role with due skill, care and diligence, there are certainly a number of useful insights that current senior managers should be mindful of and which would be even more relevant under SMCR. The clearest message, repeated throughout the decision notice, is that senior managers should heed warnings that are raised and act to put in place measures to remedy the problems identified. In addition, senior managers should be actively involved in ensuring compliance with the regulatory framework, including investigating risks, allocating adequate resources and fostering a culture of compliance.