On 8 August 2013 the Financial Conduct Authority ("FCA") issued a Final Notice against Guaranty Trust Bank (UK) Limited ("GTBUK"), the fifth in a series of cases arising from the FSA's 2010 thematic review of banks' management of higher money laundering risk situations.
GTBUK was fined £525,000 (after the application of a 30% early settlement discount) in what may be regarded as a classic case of a firm failing to follow and/or document compliance with its own policies and procedures in relation to risk assessment, screening, senior management approval, enhanced due diligence and monitoring of higher risk clients. In this e-bulletin we summarise the important aspects of the case. For further information about the earlier enforcement actions arising out of the thematic review, please see our earlier briefing here.
- Customer risk assessments should be adequately documented – it is insufficient simply to have assigned a customer a risk rating if it is unclear how that was determined and what factors were taken into account.
- Firms must give active consideration to information they gather as part of customer due diligence and seek clarification and explanation of missing or inconsistent information.
- Source of wealth/funds information obtained as part of enhanced due diligence must be supported by adequate documentary evidence. Firms should be wary of over-reliance on customer explanations; vague responses should be clarified/challenged.
- Periodic reviews of CDD/EDD information may be necessary to ensure that forms are properly completed and that the information provided substantively makes sense and does not raise red flags.
- Firms should consider how 'nil results' from screening are recorded, so that there is a record that the screening has taken place.
- Where a firm's procedures require particular levels of management sign off, reviews of CDD/EDD at particular intervals, and/or screening to occur at particular intervals, the firm should ensure that these steps are in fact taken.
GTBUK is a wholly owned subsidiary of GTB, a leading Nigerian financial services institution. GTBUK was first authorised by the FSA on 10 March 2008. It has 50 employees operating out of one office in London, offering retail and wholesale banking products and services. During the period covered by the Notice, it had approximately 2,800 retail customers, of whom almost 70% were regarded by GTBUK as posing a higher risk of money laundering, primarily because of their country of residence.
The "relevant period" in respect of which enforcement action was brought dates back to the date on which GTBUK first started accepting customers, underlining the importance of having in place effective policies and procedures from the outset.
As is common in cases of this sort, the FCA's findings are based on a review of a sample of files. The sample comprised 51 files, of which 18 related to politically exposed persons ("PEPs"). On one view, this is a relatively small sample size – but the FCA identified one or more failings in respect of every file within the sample, presumably rendering a wider review unnecessary.
The FCA identified breaches in the following areas:
- Risk assessment of prospective customers
In 46 of 51 files reviewed, there was inadequate documentation evidencing that an assessment of prospective customers' money laundering risk had taken place, as required by GTBUK's policies and procedures.
The FCA recognised that the files had nonetheless been correctly identified as posing a higher risk of money laundering, but stated that it was not always clear what risks had been identified or that all relevant risk factors had been considered, and that this would impede the on-going monitoring of the customer relationships. This (and other similar findings within the Notice) highlights the importance of documenting relevant compliance steps – it is not enough simply to have taken relevant steps or have reached the "right" result, if one cannot evidence the steps that have been taken.
- Senior management approval for PEPs
Senior management approval of PEP relationships is a requirement of the Money Laundering Regulations 2007 ("MLR"). In 13 out of 18 PEP files, the correct level of senior management had not signed off at account opening in accordance with GTBUK's procedures. In one case there was no evidence of sign off by senior management.
- Customer due diligence
In 23 of the 51 files reviewed, GTBUK had failed to establish or adequately document the purpose and intended nature of its business relationship with its customers. This requirement forms part of 'basic' customer due diligence ("CDD") under the MLR, even where the client is not higher risk.
In one of the more interesting passages in the Notice, the FCA emphasises that CDD is not simply a requirement to gather documents, and that firms must give active consideration to information they gather and seek clarification and explanation of missing or inconsistent information. In the FCA's view "failing to make enquiries of customers about missing, insufficient or implausible responses to questions is indicative of treating CDD as an administrative box ticking exercise and not a meaningful assessment of the risks posed by customers".
Examples of failings in this area included customers responding to a question on the form about "What is the main reason for applying for the account? Please specific e.g. day to day expenses" with the answer "Day to day expenses" (13 Nigeria-resident customers) or failing to answer this question at all (10 customers). The former example highlights the risk of including suggested answers on forms of this nature (it is very easy for staff to take the 'path of least resistance') and, more importantly, highlights the importance of:
- periodic assurance steps in respect of CDD information, and
- training for those who are responsible for completion and/or review of CDD forms.
- Source of wealth and source of funds
In addition to the general requirement to obtain information about the purpose and nature of the business relationship, in respect of PEP customers there is a specific requirement under the MLR to take adequate measures to establish the PEP's source of wealth and source of funds (reg.14(4)(b)). GTBUK was found to have failed to adequately establish source of wealth in respect of 42 of the 51 customer files reviewed.
The FCA incorrectly states in the Notice that EDD includes taking adequate measures to establish source of wealth and source of funds (in fact, the source of wealth/funds requirement strictly applies only to relationships with PEPs). This is one of a number of examples of the FCA "reading up" the requirements imposed by the MLR and interpreting parts of the JMLSG Guidance as imposed legal requirements (other examples include the FCA's approach to non-face to face due diligence in the Habib Bank AG Zurich Notice, and some rather robust interpretation of the JMLSG Guidance on sanctions screening in the GTBUK Notice). Irrespective of the strict position under the MLR, however, it is clear that it will very often be appropriate in higher risk cases, irrespective of whether a PEP is involved, to undertake additional due diligence in relation to source of wealth/source of funds – and indeed, GTBUK's policy required it to do so.
It would therefore be difficult to argue with the proposition that GTBUK was in breach of its obligations in circumstances where 36 files did not hold any documentary evidence to back up customer responses, and in five cases there were no responses to questions about source of wealth. In one case, there were inconsistencies between the information and evidence provided. The problem was exacerbated by vague responses to source of wealth questions, such as "sale of business" with no indication as to what business, or "earnings or profit" without further clarification. Where the source of wealth/funds was said to be a customer's salary, few files provided documentary evidence such as payslips or bank statements verifying the employer and level of income.
- PEP and sanctions screening
GTBUK utilised a third party screening service to screen customers and to periodically re-screen them. The FCA found that the results of screening carried out were not recorded unless there was a positive match, and screening had not been carried out in all cases prior to opening accounts or within a reasonable time frame for 29 of the 51 files. Indeed, three had been open for more than two years before being screened, two for more than one year and five for more than six months.
It is unclear from the Notice how this situation came about.
- Enhanced on-going monitoring
GTBUK's policies and procedures required it to review PEP and higher risk customers annually. The FCA found that 14 higher risk customers had not been reviewed for more than three years.
Basis for imposition of fine
The FCA imposed the fine of £525,000 on the basis of a breach of Principle 3 of the Principles of Business (the requirement on a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems). The FCA found that the failings referred to above also amounted to breaches of SYSC 6.1.1R (the requirement to establish, implement and maintain adequate policies and procedures, inter alia, for countering the risk that the firm might be used to further financial crime) and SYSC 6.3.1R (the requirement for these policies and procedures to include systems and controls that enable a firm to identify, assess, monitor and manage money laundering risks, and which are comprehensive and proportionate to the nature, scale and complexity of the firm's activities).
In the introductory section of the Notice, the FCA identified its enforcement action as being consistent not only with its operational objective of protecting and enhancing the integrity of the UK financial system (the "Integrity Objective"), but also as being consistent with its duty to discharge its functions in a way which promotes effective competition, on the basis that firms that do not meet minimum AML standards may be perceived to have an unfair competitive advantage over firms that are compliant.
The Notice tells us relatively little that is novel about the FCA's interpretation of firms' obligations under the MLR and SYSC. The themes that come through most strongly are the importance for a firm of complying with its own procedures, of being able to evidence such compliance through an adequate document trail, and of periodically reviewing AML files to identify what must, in this case, have been very obvious deficiencies.
In setting GTBUK's penalty level, the FCA had regard to the fact that the failings occurred in the period during which the FSA brought and published other enforcement cases against institutions for shortcomings in their financial crime programmes – such that GTBUK ought to have been aware of the importance of AML systems and controls. The FCA indicated in its recent AML Annual Report that it has a further two cases in enforcement in relation to AML failures, and it can be anticipated that any further breaches of a similar nature may be regarded as even more serious still.