Two of our biggest sanctions in the last 12 months related to failures to address financial crime and anti-money laundering (AML) risks.
- We currently have 42 investigations ongoing into firms and individuals involving, for example, systems and controls over politically exposed persons, customers with significant cash intensive operations, correspondent banking and trade finance, and transaction monitoring.
- AML investigations are often complex because they are rarely
transactional and require a systemic understanding of how a firm
operates, its governance controls, its cultural habits, and the nuts and
bolts of sometimes opaque systems.
- In the last 12 months, we have increased our surveillance of online
investment promotions targeting offers from unauthorised firms,
potential investment scams and other too good to be true promotions,
including lead generation sites.
Detection,
investigation and prosecution, where necessary, – either civilly or
criminally – of breaches of the Money Laundering Regulations, SYSC 6.3
and/or the Principles for Business are key priorities for the FCA.
Recently we commenced
our first criminal proceeding against a bank under the Money Laundering
Regulations 2007. As has been widely reported, the case is concerned
with the bank’s systems and controls to monitor and scrutinise
significant levels of cash deposited by a UK incorporated customer. As
the case is before the court, it is not appropriate to say anything
further at this stage about the prosecution.
And over the last 12 months, two of the biggest sanctions we imposed
related to failures to address financial crime and AML risks. Both cases
highlight inadequate systems and controls where one could be forgiven
for thinking the true function and meaning of the controls had become
lost in elaborate processes leading to failure.
Systems and controls that are purposeful, efficient and courageous in
identifying suspicious activity are vitally important; system and
control failures, on the other hand, provide an invisible, illicit cover
for criminals and criminal activity that affects the whole community,
not only in this country but also beyond, and can erode confidence in
the financial system.
Systems and controls that are purposeful,
efficient and courageous in identifying suspicious activity are vitally
important; system and control failures, on the other hand, provide an
invisible, illicit cover for criminals and criminal activity that
affects the whole community, not only in this country but also beyond,
and can erode confidence in the financial system.
Recent action
In the first action, which we took last summer against Commerzbank
AG’s London branch, we imposed a fine of £37.8 million. Commerzbank
London provided products and transaction platforms for many of the
bank’s global customers. It was also a hub for sales, trading and due
diligence processes for many of the bank’s global customers. We found
that for over 5 years the bank failed to have effective policies and
procedures in place to identify, assess, monitor and manage money
laundering risks. In particular, we found:
- some parts of the bank’s operations failed to verify beneficial
ownership details, including in relation to high risk clients, from a
reliable source
- processes for identifying risks with politically exposed persons were inadequate
- there was no clear process or criteria for terminating a relationship with a customer based on financial crime risks; and
- there were substantial and unjustifiable backlogs in conducting
refreshed know your client checks. In October 2016, 1,720 new clients
were in a 'huge backlog' awaiting to be onboarded. At this point the
bank had only three staff engaged in this task. By February 2017, the
backlogs had increased, and 2,226 existing clients were overdue
refreshed KYC checks.
These failings contributed to additional problems because
automated systems lacked up to date information which in turn meant they
became less reliable and effective. The catalogue of failures meant
investment in systems and controls was wasted on measures that were
unable to function as they had been designed or purposed.
In the second case, together with the PRA, we imposed a fine of £96.6
million on Goldman Sachs International (Goldman Sachs) in relation to
three bond transactions which Goldman Sachs arranged for 1MDB, a
Malaysian state-owned entity associated with serious embezzlement
allegations. Goldman Sachs was the primary booking entity for these
transactions which were negotiated by a deal team based in Asia. The
bond issuances had several red flags, none of which were especially hard
to spot:
- They were very large transactions compressed into tight timetables.
- They involved jurisdictions which Goldman Sachs already considered had high risks.
- Goldman Sachs possessed information about a third party whom they
considered was high risk and who was said to be closely associated with
the transactions.
The FCA found these risks were not adequately explored or considered holistically when approving the bond transactions.
Instead, overreliance was placed on statements of the deal team, who
had an evident interest in proceeding with the transactions, to the
effect that the third party had no role, despite inconsistent accounts
being provided by a senior member of the deal team about the third
party’s involvement in the first 1MDB bond transaction. The risk of the
third party’s involvement was not even raised in the documentation that
went before the committees approving the 1MDB Transactions.
Moreover, the approving committees failed to assess the relevant
risks factors either individually or in aggregate when approving the
transactions or they were not provided with all the information that was
available to enable that to happen. This meant significant reputational
and financial crime risks were effectively ignored or censored from the
approval process.
A significant failure in this case involved the absence of proper
record keeping of the identification, management and assessment of the
substantial and evident risks involved in the transaction.
Record-keeping is a vitally important part of effective governance. It
is more than just a minuting of what has happened or being decided but
helps to ensure there is an effective and purposeful discipline over the
decision-making process.
Consequences
Both cases illustrate well how systems and controls failures in London can have consequences outside the UK.
One of the dilemmas of white-collar crime is the victim is too often
either invisible or, in some cases, like insider dealing, believed,
wrongly, not to really exist, which means the wrongdoer is more easily
able to commit a crime in which real harm is never felt, seen or
experienced directly. So too if the potential impact is not on ‘your
street’ or in ‘your country’.
One of the dilemmas of white-collar crime is the
victim is too often either invisible or, in some cases, like insider
dealing, believed, wrongly, not to really exist, which means the
wrongdoer is more easily able to commit a crime in which real harm is
never felt, seen or experienced directly. So too if the potential impact
is not on ‘your street’ or in ‘your country’.
There is a version of this in relation to systems and controls,
especially if they become a bureaucratic insulation, attenuating the
system from the gritty reality of the predicate criminality that needs
to be inhibited.
And, for the purposes of AML controls, the risks are not limited to
white collar crime, extending to the proceeds of all criminal proceeds,
from drug trafficking to terrorist financing. While the harm from such
crimes may be difficult to feel or appreciate, because the distance
between fund flows and the scene of the crime is so attenuated, the
consequences of AML failures may well be a life and death matter.
These cases demonstrate both the value and challenge of systems and
controls. On one hand, effective AML systems create a control
environment that is able to identify valuable signals in complex data,
with repeatable interrogations geared to specific and reasonably
foreseeable crime risks, to ensure decision-making is calibrated to
those risks and to record accurately how those risks have been
addressed.
On the other hand, systems can become overly complicated,
bureaucratised, vulnerable to gaming by less scrupulous players, and
expensive.
There is an inherent risk that complex systems lose a sense of what
they exist for, where the management challenge to maintain the system,
becomes an end in itself, rather than the system or control acting as
radar to identify and manage the actual risks facing financial services
firms.
AML systems and controls must be focussed explicitly on the
activating purpose and function of those controls, to ensure the system
is not just a bureaucratic process and to ensure it cannot be gamed.
AML systems and controls must be focussed
explicitly on the activating purpose and function of those controls, to
ensure the system is not just a bureaucratic process and to ensure it
cannot be gamed.
We currently we have 42 AML investigations ongoing into firms and
individuals (25 are investigations into firms and 17 are investigations
into individuals), involving, for example, systems and controls over
politically exposed persons, customers with significant cash intensive
operations, correspondent banking and trade finance, and transaction
monitoring.
These are often complex investigations because they are rarely
transactional; they require a systemic understanding of how a firm
operates, its governance controls, its cultural habits – all of which
can generate terabytes of data and information - as well as the nuts and
bolts of sometimes opaque systems.
Emerging risks
Let me now turn to a couple of specific AML risks that have arisen over the last 12 months.
First, as has been reported elsewhere, we have increased our
surveillance of online investment promotions targeting offers from
unauthorised issuers without FSMA approvals, potential investment scams
and other too good to be true promotions, including lead generation
sites.
A number of these sites are under investigation or have become the subject of proceedings.
We have also issued alerts on our Warning List concerning well over 1,000 firms, an increase of over 100% on 2019.
The Warning List is designed to prevent consumers dealing with firms
that appear they should be authorised by us but are not or falling for
investment scams without undertaking proper checks. We are now able to
detect these sites, check them out and issue warnings, where
appropriate, much more quickly than before.
While the aim is to provide a means for consumers to protect
themselves, the same list should also be used by firms. How many firms
on our Warning List have bank accounts? How many are the subject of
suspicious activity reports?
We would like to see our Warning List actively used, not only by
consumers, but also by authorised firms seeking to ensure any
transactions or transfers of funds by or to such firms are properly
scrutinised and, where applicable, the subject of suspicious activity
reports or other reports to the NCA and the FCA.
We would like to see our Warning List actively
used, not only by consumers, but also by authorised firms seeking to
ensure any transactions or transfers of funds by or to such firms are
properly scrutinised and, where applicable, the subject of suspicious
activity reports or other reports to the NCA and the FCA.
The second area of risk relates to cryptocurrency firms. As from 10
January 2021, the FCA is the AML supervisor of cryptocurrency
firms. While we do not regulate or supervise the cryptocurrency
business, these firms are required to be registered with the FCA and
they are required to comply with the Money Laundering Regulations.
We have now developed a version of the Warning List, called the
Unregistered Cryptocurrency Businesses List, to help consumers and FCA
authorised firms identify cryptocurrency firms that appear to be
carrying on business in the UK but are not registered with the FCA or
sought such registration.
We placed the first names on the Unregistered Cryptocurrency
Businesses List earlier this month, all crypto ATM firms, and we have
just added 29 crypto custodian wallet providers to the list.
Without commenting on what other steps may be taken to enforce the
new obligations, appearing on the list should be a warning for FCA
authorised firms, including any banks who may be providing banking
services to these firms, as well as consumers.
We would like to see the Unregistered Cryptocurrency Businesses List
used in the same way as the Warning List, to safeguard consumers, as
well as to ensure any transactions or transfers of funds by or to such
firms are properly scrutinised and, where applicable, the subject of
suspicious activity reports or other reports to the NCA and the FCA.
We know much of the industry is devoted to strong systems and
controls in relation to AML. Indeed, the aim of AML regulation is not to
catch anyone out but to set high standards of probity and scrutiny to
inhibit illicit money flows in the financial system and to encourage
participants in the system to behave as custodians and guardians of the
public interest in preventing money laundering.
FCA
© FCA - Financial Conduct Authority