Recent actions by FSA against firms with overseas head offices, and approved persons working in those firms, should sound warning bells to all FSA-authorised firms with an international client base for whom a UK presence serves greater global needs. In this article, Emma Radmore and Katharine Harle of SNR Denton LLP look at what can be learnt from two recent enforcement actions. The actions stem from different concerns but send a similar message – firms operating in the UK must comply with their UK regulatory obligations regardless of their size and the location of their client base, and their approved persons must do likewise, or suffer the consequences with the firm.
On 4 May, FSA announced that it had fined Habib Bank AG Zurich (Habib) £525,000 and its former Money Laundering Reporting Officer (MLRO), Syed Itrat Hussain, £17,500.
The Bank: FSA found Habib breached Principle 3 of the FSA’s Principles for Business by failing to have in place over a three year period appropriate anti-money laundering (AML) systems and controls. It also found Habib breached various parts of Chapter 6.1 of FSA’s Senior Management, Systems and Controls Sourcebook (SYSC). FSA found failings in:
- the risk management process and AML systems and controls;
- assessment of AML arrangements; and
- AML training and record keeping.
The MLRO: Mr Hussain was registered as holding controlled function 11 (money laundering reporting). FSA found he had breached Principle 7 of the FSA’s Statements of Principle and Code of Practice for Approved Persons (APER). He failed to take reasonable steps to ensure the part of the business of Habib for which he was responsible complied with the relevant regulatory requirements.
Habib is a privately owned Swiss bank. During the period in question (December 2007 – November 2010) it had twelve UK branches employing around 200 staff and around 15,500 account holders. Habib offered a full range of banking services including deposit-taking, private banking, trade finance, correspondent banking, and money remittance services to retail and corporate customers.
Its target markets included East Africa and South East Asia. Nearly half its customers were from outside the UK and nearly half its deposits from countries identified as having less stringent AML controls than the UK.
Habib had in place AML procedures that focussed on the Corruption Perception Index (CPI) as the main method of assessing risk. It had (but was unable to explain why) chosen a CPI score of 3 as the trigger for treating business as high risk. However, it automatically excluded from its high risk list any jurisdiction where it had a business presence. Because of this, it excluded Kenya and Pakistan, even though these had high CPI scores and would otherwise have fallen within its high risk classifications.
FSA also found the bank omitted other jurisdictions scoring above 3, where it did not have offices, but could not explain why this was the case.
Also, FSA found the AML assessment matrix too simplistic: it looked only at corporate clients’ country of incorporation and did not consider risks posed by the locations where they did business.
Habib: Breach of Principle 3 and SYSC 6
FSA found Habib had:
- failed properly to risk-rate some jurisdictions. In particular, jurisdictions where it had a branch were automatically excluded from classification as high risk, although it could not show sufficient familiarity with the laws of those places to justify this decision; this approach was described by FSA’s Tracey McDermott as “entirely misconceived”;
- wrongly classified some high risk business as "normal" risk and failed to identify these customers on whom enhanced due diligence (EDD) should have been performed. For example, it failed to recognise that non-face to face business should trigger EDD and following a skilled persons’ report in 2010, a significant number of customers were re-classified as high risk;
- carried out inadequate EDD – for example, some transactions were carried out before EDD was completed and high risk customers were not subject to appropriate levels of EDD;
- made inadequate assessments of its own AML procedures; FSA identified significant flaws in the risk assessment matrix, for example, CPI alone was not an acceptable way of grading risk; and
- failed to ensure senior management received appropriate information.
Mr Hussain: Breach of APER Principle 7:
FSA found Mr Hussain failed to take reasonable steps to ensure that Habib:
- established and maintained adequate procedures for assessing the risk customers posed;
- carried out appropriate EDD on higher risk customers;
- carried out adequate reviews of its AML systems and controls;
- senior management had appropriate information – for example, his reports did not assess the adequacy and effectiveness of arrangements or consider the transaction monitoring arrangements or risk scoring arrangements Habib had in place; and
- took account of AML failings in its training or kept records of CDD and staff training. For example, although he identified and reported failings in compliance of staff with the bank’s AML policies, he failed to take action to address these in training or otherwise.
Notably, FSA also found around 2/3 of files Mr Hussain retrospectively reviewed as part of an audit still had one or more of the following serious failings: wrongly classified account; inadequate EDD; and/or transactions took place before EDD was completed. Mr Hussain has now retired from the industry.
FSA found the failings particularly serious, not least because they lasted for three years (from the date the Money Laundering Regulations 2007 took effect) and created an unacceptable risk of the bank handling the proceeds of crime. FSA also noted that no action was taken to improve the AML procedures despite a raft of newsletters, speeches and FSA guidance during the period.
When sanctions were announced, FSA stressed that MLROs have a responsibility to minimise the financial crime risks a firm faces and that FSA would not hesitate to take action against individuals who fail to meet their regulatory responsibilities. In mitigation, Habib complied with the investigation and acted on the findings of a skilled persons’ report. Overall, this meant fines of £525,000 and £17,500 for the firm and MLRO respectively.
Days later, on 8 May, FSA announced that it had imposed a £3.345 million fine on Mitsui Sumitomo Insurance Company (Europe) Limited (Mitsui). It also imposed a lifetime ban on Mitsui's former executive chairman (Yohichi Kumagai) as well as a personal fine of £119,303.
The Company: FSA found that Mitsui breached Principle 3 of the FSA’s Principles for Businesses by failing to take reasonable care to organise and control its affairs responsibly and effectively.
The Executive Chairman: FSA found Kumagai, who held controlled functions 1 (director) and 3 (chief executive), breached Principles 5 and 7 of APER by failing to take reasonable steps to ensure the business of the firm for which he was responsible as a significant influence holder was organised so that it could be controlled effectively and comply with the relevant regulatory standards.
Mitsui is a London-based subsidiary of one of Japan’s biggest insurers whose business was traditionally the supply of wholesale insurance cover solely to Japanese firms operating in Europe and the Middle East. However, from 2007 this shifted to include non-Japanese business and by 2010 it earned 50 per cent of its premium income from this market.
In April 2009 Kumagai was seconded from Mitsui’s parent company to hold the role of executive chairman as part of a staff rotation programme. Shortly after this FSA advised that expansion into Europe required careful oversight from an appropriately skilled and experienced board; systems and controls would need improvement both to identify and address the inherent risks in the strategy.
Mitsui did not take effective steps in time; FSA found it was poorly organised and managed as a result of significant failings of corporate governance and control arrangements for which Kumagai was also responsible.
FSA considered both Mitsui and Kumagai were more focused on achieving increased profitability through expansion, at the expense of ensuring appropriate organisation and control of the firm and adequate risk management systems. Their failure to address issues, in particular capital adequacy concerns, indicated a lack of appreciation by the firm and its management of the importance of complying with regulatory requirements and taking effective steps to address concerns.
Mitsui: breach of Principle 3
Mitsui breached Principle 3 in failing to take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems. In particular, it failed to:
- ensure corporate governance arrangements operate effectively – corporate governance was poorly organised and managed across the business and internal warnings were not acted on. The firm accepted its governance system was “clearly deficient and not fit for purpose”;
- adequately control and oversee European branch business – despite FSA warnings, prompt and effective action was not taken to comply with UK requirements;
- staff key posts with appropriately skilled and experienced individuals – the firm's rotation policy meant key positions were often staffed by employees lacking vital skills and experience, making the board less effective and unable to cope with the size and complexity of its growing business;
- ensure appropriate division of responsibilities – staff had too broad a span of control and there was not adequate segregation between compliance and operational functions;
- implement effective IT systems in time – this was repeatedly delayed and then under-resourced. Management then lacked the information to control and oversee business written in branches;
- ensure sufficient capital to meet its individual capital guidance (ICG) – management knew that growth might lead the firm to fall below its ICG but postponed acting to address this.
Mr Kumagai: breaches of APER Principles 5 and 7
Kumagai breached APER Principle 5 in failing to take reasonable steps to ensure Mitsui’s business was organised so as to be controlled effectively. In particular, he failed to:
- take reasonable steps to ensure key functions were properly resourced and duties segregated – in particular, he failed to hire a chief underwriting officer, which hindered the firm’s ability to control expansion of the business;
- ensure management structure and composition changed to reflect Mitsui’s changing business – despite clear guidance from FSA he failed to act promptly to remedy problems with the firm’s management structure and composition.
Kumagai was also found to have breached APER Principle 7 in failing to take reasonable steps to ensure the business he was responsible for in his controlled functions complied with relevant regulatory requirements. In particular, he:
- failed to ensure Mitsui’s corporate governance was effectively reviewed (despite this issue being repeatedly brought to his attention by FSA and internal reports);
- permitted expansion of the European business without implementing controls and oversight to support it – he was aware that control and oversight was inadequate but did not devote adequate resource to address this;
- failed to ensure the IT system was implemented in a timely and effective manner;
- failed to take reasonable steps to ensure Mitsui managed its capital adequately.
FSA considered Mitsui’s and Kumagai’s failings were serious and this was reflected in the penalties imposed. It noted in particular that their actions put policyholders, and therefore market confidence, at risk and arose despite warnings from FSA and internal reports about governance issues.
In mitigation, significant remediation was undertaken by Mitsui, helped by its parent company which commissioned an independent review and provided two capital injections (totalling £94 million) to address Mitsui’s ICG shortfall. In addition, it voluntarily ceased writing new business, co-operated with FSA and took substantial steps including the appointment of new management. Kumagai also co-operated and FSA noted that he had voluntarily resigned and had no previous disciplinary history.
Lessons to learn
The key message from these Final Notices is that FSA requires all firms to comply with FSA requirements and have effective corporate governance and controls. Where business or the environment in which it operates shifts, governance and control procedures must be assessed and adapted to reflect changes in risk. The Mitsui case serves as a warning of the risks associated with expanding into new markets without investing enough in compliance with local regulatory requirements. The Habib case is a reminder of the nuanced and evolving approach which must be taken to assessing money laundering risk to adapt to the changing risks of financial crime. This is timely given Greece’s debt crisis and possible departure from the Eurozone. Officials have warned that the instability created by panic withdrawals of deposits in Greece may provide a cover for money-laundering and firms will need to be especially vigilant to this risk.
Additional points to bear in mind include:
- Setting up financial crime systems and controls involves significant thought, and risk matrices should be constructed to reflect various risks and combinations of risks. No risk assessment should be based on one factor alone, and firms should be alert to potential factors that would turn an otherwise low risk relationship into a high risk one.
- Where a firm’s AML controls have failed, there is a high risk the MLRO will be found to be culpable. This is not the first time an MLRO has been disciplined alongside his firm (see for example the cases of Alpari (UK) Ltd).
- When FSA makes recommendations, regardless of their form, it expects firms to take them seriously and review their systems, controls and procedures against them. FSA was vocal in setting out its expectations of firms in relation to the prevention of financial crime; firms cannot afford to ignore those messages.
- Assessing whether staff rotation policies are appropriate. FSA noted that Mitsui’s policy of rotating senior management from the parent company to Europe led to a loss of corporate memory and lack of relevant skills and experience. Although there is nothing wrong with a rotation policy in principle, firms would be wise to consider whether their particular policy ensures staff have sufficient time and training to take over new roles without putting the firm (and the individuals) at risk of breaching regulatory requirements.
- Failing to devote sufficient resource to compliance with overseas regulation can be extremely costly. Mitsui’s Japanese parent company had to inject £94 million into the firm to recapitalise it. Mitsui itself has faced costly remedial action, appointment of a substantially new board and been given a new (higher) ICG by FSA, including extra “loading” for management issues.
- Ignore FSA warnings at your peril. In this case, the firm failed to act on points specifically identified to it by the FSA and later, even when it agreed to take action, this was repeatedly postponed. Firms should prioritise meeting FSA deadlines and, if they cannot be met, be careful to keep the regulator informed.
- Kumagai’s substantial individual fine and ban make it “crystal clear” that senior management responsibility is still high on FSA’s agenda. This is particularly timely should the recent successful challenge by UBS’s John Pottage of his individual fine of £100,000 in the Upper Tribunal have suggested that FSA might shy away from holding senior management to account.
Where does this leave approved persons?
There are many high profile examples of FSA action against firms that have implemented inadequate systems and controls. Until recently, FSA action against approved persons for the same failings was reserved for those instances involving a degree of intent to breach the rules by the approved person, whereas in both of these cases there was no suggestion of any bad faith on the part of the individuals. In the Habib case, although the bank had AML procedures, and the MLRO was aware of those procedures and identified flaws in them, this was not enough. It was judged that he needed to go further to satisfy the regulatory obligations his controlled function placed on him. The Mitsui case is perhaps even more worrying as it punished an individual put in an invidious position by his firm, who was perhaps not sufficiently knowledgeable to recognise his own shortcomings.
So what lessons can approved persons learn? It seems likely that FSA will continue to take action against individuals for systems and controls failings. Therefore, the main lesson must surely be to look after number one – approved persons must prioritise identifying what they are responsible for and then ensure they are appropriately trained and have the necessary support to carry out that role. They should also document and action (or document the inability to action) any compliance failings they perceive and raise them with senior management. Merely acting in good faith is not enough where that action is ineffectual. They need to have appropriate knowledge and understanding combined with the strength of character to use that to ensure effective action is taken even on matters which the firm may not perceive as being that important to its main business.
In terms of practical steps, approved persons would be advised to take time to familiarise themselves with the requirements relevant to their role and take steps to ensure they stay up-to-date with any changes. Where the firm’s procedures depart from FSA guidance, they should consider whether that departure is justified; if it is, they would be advised to document that justification; if it is not then they must consider whether that procedure should be changed. They should undertake periodic reviews of the adequacy of the systems and controls relevant to the part of the business they are responsible for; the findings of these reviews should be documented. They should also ensure that minutes from meetings document any concerns raised about matters within their control.
Approved persons who act accordingly are less likely to be found personally at fault in the event that systems and controls failings are identified in their firm. Whilst this may seem single-minded, if all approved persons take these steps it should also significantly reduce the likelihood of their firm being found to have such failings in the first place. This is surely the objective FSA is seeking to accomplish.