
FCA sanctions bank and its MLRO for anti-money laundering systems failings

In this decision report we review the FCA’s action against Sonali Bank (UK) Ltd (Sonali Bank) and its money laundering reporting officer (MLRO), Steven Smith, in connection with failings identified in relation to Sonali Bank’s anti-money laundering (AML) controls. Both Sonali Bank and Mr Smith were publicly censured and had financial penalties imposed on them. In addition, the FCA imposed a prohibition order on Mr Smith and business restrictions on Sonali Bank, preventing it from accepting deposits from new customers for 168 days. The enforcement actions against Sonali Bank and Mr Smith raise a number of interesting practice points, which are also summarised in this decision report.

Sonali Bank

Sonali Bank is a UK subsidiary of Sonali Bank Ltd, which is based in Bangladesh and is ultimately owned by the Bangladesh government.

Bangladesh is regarded as a higher risk jurisdiction for AML risks. In July 2009, a Mutual Evaluation Report of the Asia/Pacific Group on Money Laundering (APG) assessed that Bangladesh "faces significant risks of money laundering (ML) and some risks of terrorism financing. The authorities readily acknowledge the prevalence of corruption, narcotics trafficking and human trafficking". In October 2010, the Financial Action Task Force (FATF) identified strategic deficiencies in Bangladesh’s AML regime, resulting in it monitoring the country’s ongoing AML compliance process. In February 2014, the FATF reported that Bangladesh is no longer subject to this monitoring process. However, the country and relevant government bodies continue to work with the APG to address the full range of AML issues identified in the July 2009 Mutual Evaluation Report.

Steven Smith

Steven Smith was appointed as the MLRO and compliance officer for Sonali Bank in February 2011 and held the CF10 (compliance oversight) and CF11 (money laundering reporting) roles.

Mr Smith held a number of responsibilities within Sonali Bank in his capacities as MLRO and compliance officer.

For example, as MLRO, Mr Smith was responsible for:

− Developing, documenting and maintaining Sonali Bank’s AML policies and procedures, including risk management policies, assessments and processes.

− Supporting and co-ordinating the focus of Sonali Bank’s senior management on AML risk in individual business areas.

− Assisting Sonali Bank’s senior management to develop and maintain an effective AML compliance culture.

− Ensuring that Sonali Bank’s employees were trained in relation to, and complied with, AML policies.

− Undertaking annual money laundering compliance reviews and providing senior management with additional management information, if necessary.

− Making any recommendations required for action to remedy any deficiencies in AML policies, procedures, systems or controls and following up on those recommendations.

In addition to these MLRO responsibilities, Mr Smith had various responsibilities in his capacity as compliance officer for Sonali Bank, including:

− Designing and monitoring systems to ensure that Sonali Bank’s business operated in accordance with the FCA’s rules.

− Supervising appropriate training programs for Sonali Bank’s employees.

− Registering (and, if required, notifying the FCA of) rule breaches and taking appropriate remedial action.

− Registering details of customer complaints and ensuring that such complaints were resolved efficiently and effectively.

FSA and FCA visits

In July 2010, as part of thematic review work considering financial crime controls at smaller firms, the FSA (as it then was) visited Sonali Bank in order to assess its AML systems and controls. Following this visit, in August 2010, the FSA notified Sonali Bank of a number of serious concerns it had about its AML systems and controls.

Sonali Bank put in place a remediation plan and took a number of steps to rectify the issues that the FSA had identified in relation to its AML systems and controls. For example, Sonali Bank re-drafted its Anti-Money Laundering Staff Handbook and upgraded its AML processes. Sonali Bank’s senior management committed to ensuring that financial crime issues would be given closer attention in the future.

In January 2014, just less than four years after the FSA’s original visit, the FCA visited Sonali Bank as part of follow-up thematic work to assess AML controls in small banks. Notwithstanding the steps that Sonali Bank had taken after the FSA’s visit in 2010, the FCA identified serious AML failings.

The FCA requested that Sonali Bank take a number of immediate actions to address the risks posed by its AML control weaknesses. These included lowering the remittance threshold for obtaining source of funds information, screening its customers to identify politically exposed persons (PEPs), conducting enhanced due diligence (EDD) on all PEPs and high risk customers and carrying out visits to its UK branches to assess their AML systems and controls.

Following the FCA’s visit, a skilled person was appointed under section 166 of the Financial Services and Markets Act 2000 (FSMA) to assess and report on Sonali Bank’s AML systems and controls. On 21 July 2014, the skilled person reported its findings to the FCA. It concluded that there were "systemic" AML control failings arising from "a lack of understanding and implementation of systems and controls throughout the Bank". Following the skilled person’s report, the FCA took the decision to refer Sonali Bank to enforcement for investigation.

Findings: Sonali Bank

The FCA found that Sonali Bank had breached Principles 3 and 11 of the FCA’s Principles for Businesses.

Breach of Principle 3

The FCA found that, during the period 20 August 2010 to 21 July 2014, Sonali Bank breached Principle 3 of the FCA’s Principles for Businesses, which requires firms to "take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems". The basis for this finding was that Sonali Bank had failed to maintain adequate systems and controls to manage the risk of money laundering and financial crime. The FCA described these failings as "systemic" and noted that they "affected almost all levels of its business and governance structure".

In particular, the FCA identified the following failings in relation to Sonali Bank:

Culture. The FCA found that Sonali Bank had failed to take adequate steps to ensure that the importance of AML compliance was "ingrained throughout the business", despite it receiving "clear warnings of a culture of non-compliance". The FCA highlighted the role that senior management at Sonali Bank played in relation to this failing.

Senior management oversight. The FCA also noted a number of failings in relation to the oversight of Sonali Bank’s senior management in relation to AML issues. For example, the FCA found that Sonali Bank’s board and senior management were not provided with sufficiently clear information to ensure that they were adequately aware of the AML risks faced by the business and able to assess how they were being addressed. Although the board received regular financial crime reports, the FCA found that it had raised insufficient challenge to the conclusions reached and failed to make enquiries into the contents of those reports. The FCA also noted that Sonali Bank’s board lacked experience and expertise in relation to regulatory and compliance matters and had "manifest differences in opinion and approach to complying with regulatory requirements which affected the board’s ability to operate effectively as a collective unit".

Internal audit. The FCA found that Sonali Bank ignored warnings from its internal audit function (which was staffed with auditors from an external firm) about weaknesses in its governance systems and controls. The internal audit function graded the risks and controls associated with Sonali Bank’s governance and regulation activities as "actual/potential serious implications" (the most serious grade available to them) and also noted that these failings persisted despite the assurances of senior management that they would be remediated. Notwithstanding the findings of internal audit, the number of days they were allocated to focus on governance and regulation matters was significantly reduced in 2013.

MLRO department. The FCA also found that Sonali Bank’s MLRO department was not adequately resourced and that there was insufficient senior management oversight of the MLRO department. In particular, the FCA noted that Sonali Bank’s MLRO (who, as is detailed below in Findings: Steven Smith, was also the subject of a separate enforcement action) was required to perform a significant amount of work in excess of what would traditionally fall to the MLRO. The FCA also found that Sonali Bank failed to implement, in a timely manner, updates to software that would have assisted the MLRO function.

Policies and procedures. Sonali Bank’s policies relating to AML compliance were found to provide inadequate practical guidance to its employees. For example, they specified that "sufficient" due diligence should be undertaken, but gave no guidance as to what "sufficient" meant in this context. Employees were also required to obtain "evidence" of source of funds for cash remittances over a certain threshold, but were given no guidance on what form this "evidence" should take. In addition, the FCA found that Sonali Bank’s policy relating to the risk assessment of customers was "unclear and contradictory".

Due diligence. The FCA found that both the customer due diligence (CDD) and EDD carried out by Sonali Bank when establishing new business relationships were inadequate, and that Sonali Bank took inadequate steps to identify PEPs and apply EDD measures to those PEPs. Each of the 2,457 customer files that were reviewed by the skilled person was found to contain insufficient documentation.

Monitoring. Sonali Bank failed to conduct ongoing monitoring of some of its client relationships, including PEPs, until 2014. In addition, the monitoring that it did conduct was undertaken on a sample basis, the rationale for which was unclear, insufficiently documented and omitted to consider some transactions. As an example, the FCA noted that one of Sonali Bank’s customers had listed their annual income in 2007 as being £20,000. Despite the fact that they had made a number of significant cash and cheque deposits after that time, Sonali Bank failed to consider whether these deposits were commensurate with the customer’s earnings and whether the account activity posed increased AML risks.

Branch management. The FCA identified weaknesses in Sonali Bank’s oversight of its UK branches. For example, it found that reporting lines for these branches were unclear and that employees working in those branches had a very limited understanding of AML issues and processes. The FCA found that these issues were exacerbated by the inadequate resourcing of the MLRO Department.

Reporting suspicious activity. The FCA found that Sonali Bank’s employees failed to identify and report suspicious activity. Although Sonali Bank was warned that it submitted a "surprisingly low" number of suspicious activity reports (SARs) to the National Crime Agency (NCA), Sonali Bank nonetheless failed to take any steps to ascertain the reason for this and, as a result, failed to identify that its employees were not escalating suspicious activity and submitting SARs in appropriate circumstances. Following the skilled person’s review, Sonali Bank submitted an additional 243 SARs to the NCA in relation to historic issues.

Remediation. After the FSA and FCA visits in 2010 and 2014, Sonali Bank had the opportunity to remediate the AML systems and controls failings that were identified. However, the FCA found that Sonali Bank failed to ensure the "ongoing effectiveness" of remediation measures that were implemented, including at senior management levels.

Breach of Principle 11

The FCA also found that Sonali Bank breached Principle 11 of the FCA’s Principles for Businesses in relation to this matter, which requires firms like Sonali Bank to "deal with its regulators in an open and cooperative way, and [to] disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice".

The basis for the FCA’s finding was that in March 2015 (at which point Sonali Bank was under investigation by the FCA) Sonali Bank received a complaint from a customer that £23,000 was missing from his bank account. Towards the end of March 2015, the customer had alleged that the missing money had been misappropriated by a senior employee of Sonali Bank and that withdrawal documentation was missing. Sonali Bank did not notify the FCA of this matter until almost two months later, in mid-May 2015. In the light of these facts, the FCA found that:

− In accordance with the FCA's Supervision manual (SUP 15.3.17R), Sonali Bank should have notified the FCA of this matter immediately given that it appeared that an employee may have committed fraud against one of its customers and the event was significant.

− Given that Sonali Bank was under investigation by the FCA for failings in its AML and financial crime systems and controls at the time of the incident, it should in any event have notified the FCA of this matter.

− When Sonali Bank did notify the FCA of this matter, it acknowledged in its notification that it considered the matter to be significant in view of the amount of the fraud and the potential reputational risk and loss to Sonali Bank.


Sonali Bank was fined £3,250,600 (after a 30% early settlement discount). £140,000 of that sum was attributable to Sonali Bank’s breach of Principle 11.

The part of the financial penalty that was imposed on Sonali Bank as a result of its breach of Principle 3 was increased by 20% due to aggravating factors, namely that Sonali Bank had been on notice of various weaknesses in its AML systems and controls since 2010 and that Sonali Bank had access to a considerable amount of public guidance relating to AML regulatory requirements.

In addition to the financial penalty, the FCA imposed business restrictions on Sonali Bank using its powers under section 206A of FSMA. These restrictions prevent Sonali Bank from accepting deposits from customers who do not hold a deposit account with Sonali Bank as at the date of the final notice for a period of 168 days (reduced from 240 days before an early settlement discount was applied). The following factors contributed to the FCA’s decision to impose business restrictions in this case:

− The FCA has previously taken enforcement action against other firms due to their failure to put in place adequate AML systems and controls.

− The FCA believes that, notwithstanding their previous enforcement activity in this area, industry standards require improvement, especially within smaller banks.

− Sonali Bank’s failings appear to have been widespread, involving a number of individuals across a number of its business areas.

In the light of these factors, the FCA decided that imposing a business restriction on Sonali Bank would act as "a more effective and persuasive deterrent than the imposition of a financial penalty alone".

Findings: Steven Smith

The FCA found that Mr Smith had breached Principle 6 of the FCA’s Statements of Principle and Code of Practice for Approved Persons (APER) and that he was also knowingly concerned in Sonali Bank’s breach of Principle 3 of the FCA’s Principles for Businesses.

Breach of APER Principle 6

Mr Smith was appointed as MLRO and compliance officer in February 2011, shortly after the FSA’s visit to Sonali Bank in 2010, after which it highlighted a number of serious concerns it had with Sonali Bank’s AML systems and controls. As a result, Mr Smith was on notice of the FSA’s findings, as well as the remediation steps that Sonali Bank had agreed to take in order to address the FSA’s concerns about its AML systems and controls.

APER Principle 6 requires an individual holding a significant influence function (such as the CF11 (money laundering) role) to "exercise due skill, care and diligence in managing the business of the firm for which he is responsible". In the light of Mr Smith’s responsibilities as MLRO, and the failings that the FCA had identified in relation to Sonali Bank’s AML systems and controls, the FCA found that Mr Smith had breached APER Principle 6. The basis for the FCA’s finding was as follows. Mr Smith:

− Failed to ensure that Sonali Bank’s board and senior management were sufficiently aware of the weaknesses in its AML systems and controls, including the lack of resourcing in its MLRO Department.

− Did not act on the warnings Sonali Bank had received about its AML systems and controls, both from the FSA/FCA and its internal audit function.

− Failed to identify a serious lack of knowledge and understanding of AML issues among Sonali Bank’s employees and failed to ensure that they were aware of their AML responsibilities.

− Did not implement any effective process for the ongoing assessment of AML risks posed by individual customers of Sonali Bank.

− Failed to ensure that Sonali Bank operated an effective system for identifying PEPs and undertaking adequate EDD in respect of those customers identified as PEPs.

− Did not investigate or enquire into an apparently low level of SAR submissions by Sonali Bank.

− Suggested that recommendations made by Sonali Bank’s internal auditors about its transaction monitoring systems should be reviewed without conducting an analysis of the effectiveness of the systems.

In coming to these findings, the FCA did acknowledge that Mr Smith faced "significant challenges in conducting his work as MLRO in that he received inadequate support from senior management and faced a working environment throughout [Sonali Bank] which failed to pay sufficient heed to the importance of complying with AML requirements".

Notwithstanding these "significant challenges" and the lack of support from Sonali Bank’s senior management, the FCA found that Mr Smith could have still taken a number of steps, including keeping records of issues that were escalated to senior management, highlighting concerns to internal and external auditors and requesting external advice on certain points. In addition, the FCA noted that Mr Smith could have blown the whistle and reported his concerns about Sonali Bank to the FCA. This guidance is reminiscent of the guidance set out by the FCA in its final notice issued to Peter Johnson, the former compliance officer for Keydata Investment Services Ltd (see Legal update, A&O decision report: Latest Keydata enforcement action sets out valuable lessons for compliance officers).

Knowingly concerned in Sonali Bank’s breach of Principle 3

Under section 66 of FSMA, the FCA has the power to take enforcement action against an approved person if they are found to have been knowingly concerned in a breach of a regulatory requirement by their firm. To establish that an approved person was "knowingly concerned" in a breach of a regulatory requirement by their firm, the FCA has stated that it considers that it must establish that the individual in question had knowledge of the facts that caused the breach, but not that he or she had knowledge that a breach had actually occurred. In addition, the FCA does not consider that it is necessary for it to prove that the approved person had acted dishonestly to find that they had been knowingly concerned in a breach of regulatory requirements.

In this case, the FCA used its power under section 66 of FSMA to find that Mr Smith had been knowingly concerned in Sonali Bank’s breach of Principle 3 (see Breach of Principle 3 above). The FCA came to this conclusion as a result of Mr Smith’s responsibility for the areas in relation to which the FCA had identified failings (see above).


Mr Smith was fined £17,900 (after a 30% early settlement discount). This amount reflected a 10% uplift which was applied as an aggravating factor given that Mr Smith was aware of the feedback given by the FSA following its visit to Sonali Bank in 2010 and that the FSA and FCA have both issued guidance (including in the form of other enforcement cases) about AML systems and controls.

Mr Smith was also prohibited from performing the CF10 (compliance oversight) and CF11 (money laundering reporting) controlled functions on the basis that he had "demonstrated a serious lack of competence and capability". For the avoidance of doubt, the FCA expressly stated that this prohibition extended to Mr Smith carrying out the equivalent functions under the senior managers regime (SMR) (namely the SMF16 (compliance oversight) and SMF17 (money laundering reporting) senior manager functions).


Taking enforcement action against firms that are found to have poor AML systems and controls has been one of the FCA’s priority areas over the past few years. In particular, in the last two FCA Business Plans, tackling financial crime has been listed as one of the FCA’s seven key forward looking areas of focus. However, notwithstanding this stated focus on the part of the FCA, the FCA has only concluded a relatively modest number of financial crime systems and controls cases over the past few years.

However, the number of enforcement cases concluded against compliance professionals is on the rise. Since 2008, the FSA and FCA have concluded 14 enforcement cases against compliance officers, four of whom were MLROs. Six of these cases (including this one concerning Mr Smith) have been concluded since 2015. The message from all of these cases is clear. Compliance professionals or "gatekeepers" are expected to show backbone and take a robust approach to challenging colleagues when necessary. If they are not taken seriously they can blow the whistle to the FCA or the PRA, or alternatively consider stopping performing some of their duties or resigning. The trend of bringing more cases against "gatekeepers" is also emerging outside of the UK. For example, it is gaining momentum in the United States, courtesy of the Securities and Exchange Commission (SEC).

The FCA’s approach to taking enforcement action against both Sonali Bank and Mr Smith in this case raises a number of interesting points:

Imposition of business restrictions: This is the fourth time that the FCA has used its power to impose business restrictions on a firm. Prior to this case, the longest period of business restrictions imposed by the FCA was 126 days (see Legal updates, A&O decision report: FCA fines bank, compliance officer and internal auditor for providing misleading information to the FCA). As a result, the length of business restriction imposed on Sonali Bank (168 days reduced from 240 days due to early settlement discount) is by far the longest business restriction imposed on a firm to date. In its latest Business Plan for 2016/17, the FCA noted that it would specifically consider imposing business restrictions on firms that are found to have poor financial crime controls. The rationale for the FCA choosing to impose business restrictions appears to be that it considers that financial penalties alone do not represent a sufficient deterrent in certain cases.

Lessons learned from Principle 11 breach: The FCA has shown a greater appetite over the past few years to take enforcement action against firms for Principle 11 breaches, especially in conjunction with other breaches of the FCA’s Principles for Businesses. These cases often involve allegations that firms failed to provide or provided misleading information to the FCA in relation to specific events that the FCA was investigating. The FCA’s finding against Sonali Bank in this case is slightly different to those cases. Although the FCA was investigating Sonali Bank’s AML systems and controls more generally, it appears to have attached significant weight to the fact that Sonali Bank failed to notify it promptly of a specific incident involving suspected fraud that occurred during the FCA’s investigation. The FCA’s action serves as a valuable reminder to firms not only of their obligations under Principle 11 of the FCA’s Principles for Businesses, but also for firms to take particular care when notifying the FCA of incidents or issues that are connected (even at a general level) to matters that the FCA is investigating.

Approach to handling of third party rights: The topic of third party rights under section 393 of FSMA is one that has received a considerable amount of attention over the past few years. The Supreme Court has heard the FCA’s appeal from the Court of Appeal’s decision in FCA v Macris [2015] EWCA Civ 490 and judgment is expected next year. In the final notice issued to Sonali Bank, the FCA makes a number of express statements that can be construed as criticisms of Sonali Bank’s board and senior management. Notwithstanding these statements, the final notice also includes the following wording:

"For the sake of clarity, any criticisms of the board, senior management, MLRO department, Audit Committee, or any other body referred to using a collective term (including any variation of any preceding collective terms) are not criticisms of all, nor even necessarily any particular, individuals who may have been a part of any of these bodies."

It is possible that the FCA included this wording in the final notice in an attempt to avoid having to grant any current or former Sonali Bank employees who fall within the categories listed above third party rights under section 393 of FSMA. This is because the FCA’s statement quoted above could be a way of the FCA claiming that no criticisms in the final notice can be attributed to any specific person. Alternatively, it may be that Sonali Bank requested this wording to be added to the final notice in order to help preserve the reputations of certain current or former employees. Either way, we may see this wording used in more final notices in the future.

Finding of "knowingly concerned": There has been a steady trickle of cases concluded by the FCA and the PRA over the past few years where approved persons have been found to have been "knowingly concerned" in a breach of regulatory requirements by their firms. Although Mr Smith was found to have been knowingly concerned in Sonali Bank’s breach of Principle 3, he was not found to have been knowingly concerned in Sonali Bank’s breach of Principle 11. The FCA does not provide any rationale for this approach, but it is nonetheless an interesting one given that one of Mr Smith’s responsibilities as Sonali Bank’s compliance officer was to notify the FCA of any rule breaches, if such a notification was required.

Prohibition order: Mr Smith’s failings related to the performance of his MLRO responsibilities. Notwithstanding this, Mr Smith’s prohibition order covered both the CF11/SMF17 (money laundering oversight) and CF10/SMF16 (compliance oversight) roles. This approach is similar to the one that the FCA has recently taken in relation to Tariq Carrimjee, who has been banned from performing the same functions, even though his misconduct only related to the CF10 (compliance oversight) role (see Legal update, A&O decision report: fund manager challenges FCA's decision to impose prohibition order).


This article first appeared in Practical Law and is published with the permission of the publishers.

For information and commentary on the latest trends, risks and developments in financial services investigations, please see Allen & Overy's Investigations Insight blog.