Banks' anti-money laundering failures targeted by the UK FCA in New Year clamp down

The Financial Conduct Authority (FCA) has started 2023 with a bang, issuing two final notices against banks for money laundering failures in as many weeks. 

This follows a series of decisions by the FCA last year to impose fines for breaches relating to anti-money laundering (AML) systems and controls, indicating that the UK financial regulator is taking its promise seriously to reduce and prevent financial crime in its strategy for 2022-2025 and business plan for 2022-2023 . 

The level of fines imposed by the FCA in these cases vary, not least because of the size of the bank, but range from the not insignificant sum of £1.5m to nearly £108m.

FCA enforcement powers

The FCA has a range of disciplinary and enforcement powers available to use against firms that breach its rules or the money laundering regulations. Importantly, the financial regulator can also sanction a firm for failings under its Principles for Businesses without needing to identify a breach of a more specific rule or other regulation.

In the two most recent decisions, the FCA relied purely on the firm's failure "to take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems" in breach of its Principle 3. Furthermore, the FCA does not need to determine that actual money laundering has occurred – and did not do so in any of these decisions. Instead, the FCA's focus was on the risk of money laundering taking place.

There are a number of common failings in the FCA's recent final notices. 

Insufficient 'onboarding' information

There was a failure to obtain sufficient information from the customer at the "onboarding" stage; this allows the firm to understand who the customer is, the nature of their business or use of the account, and their source of wealth or source of funds. 

In one example, the bank relied on customer due diligence carried out by non-European Economic Area (EEA) third-party banks even though the bank knew this would not meet the UK standards in the money laundering regulations or its own policies. 

In another example, the bank opened an account for a company for the purposes of pooling funds from its real estate investor customers. Although the bank undertook customer due diligence (CDD) on its customer, it failed to obtain sufficient information about the underlying investors and their source of wealth and source of funds.  This led to the bank accepting US$62m into the account without properly vetting the funds for money laundering risk.

Another bank onboarded respondent banks without obtaining sufficient information about the purpose and intended nature of their business relationship and without doing sufficient due diligence on their AML compliance. During the relevant period, the bank onboarded 14 respondent banks in non-EEA jurisdictions.

Firms must apply appropriate CDD measures when establishing a business relationship or carrying out a transaction for a customer. CDD and enhanced due diligence (EDD) information provided by customers must not be taken at face value by firms. It should be challenged or verified as appropriate; in one case, the FCA criticised the bank for onboarding a customer who had told the bank that it provided translation services with an estimated £5,000 a month account turnover, when it was actually a money service business and its account turnover was more than £1.5m a month. 

Lack of ongoing monitoring 

Another common failure is not monitoring the activity of the customer on a regular basis or conducting timely periodic reviews to ensure that the actual activity of the business is consistent with the bank's understanding of the nature of the customer's business.

In one example, the bank requested information from its customers about their anticipated account turnover and number of transactions a month; the bank did not record the information on its systems, so it could not compare the actual and the expected account activity.

In an example referred to above, the bank failed to regularly monitor the activity of a customer who opened an account with expected monthly deposits of £5,000 but was within six months of opening the account, receiving millions in deposits and swiftly transferring the money to separate accounts. In a yet further another example, the bank failed to scrutinise transactions undertaken through the course of its customer relationship specifically in relation to the receipt of large cash deposits.

Firms must scrutinise customer transactions throughout the course of their relationship with customers.  This requires firms to keep documents, data or information obtained for the purposes of applying CDD measures up to date.

Inadequate EDD

Not undertaking adequate EDD on high-risk customers is another common failure.

In one example, the bank failed to gather independent documentary evidence to verify its high-risk customers’ source of wealth and source of funds and frequently relied on information provided by the customer itself and high-level information from non-EEA third-party banks.

In another example, where a bank's second line of defence indicated that EDD was required, EDD was not undertaken and there was no framework in place to ensure that concerns were addressed. Firms must apply EDD measures and enhanced ongoing monitoring in any situation which by its nature may present a higher risk of money laundering or terrorist financing.

Out-of-date information

Another failure is not ensuring that CDD and EDD information has been kept up to date and reflects each customer's level of financial risk.

For example, one bank had a significant backlog of over 300 existing high-risk and politically exposed persons – these were customers whose know your client (KYC) periodic reviews had not been carried out during the relevant period.

Another bank carried out exercises to seek to fill gaps in its EDD, but was slow to contact customers and follow up with those who failed to reply.  The bank routinely allowed months to pass before repeating its requests and in the interim period failed to place restrictions on the customers' accounts.

Lack of prompt action

There is also a failure by some to take action promptly after red flags have been raised about individual customers.

In one example, a transaction monitoring alert was only  triggered six months after the bank's customer was onboarded, by which time more than 300 times the initial estimated monthly account turnover had passed through the account. Despite this and due to resourcing pressures, it was a further six months before the bank's suspicious activity report unit recommended closure of the account, by which point around £26m had gone through and a further two years passed before the account was actually closed, by which time around £269m had gone through. 

Structural and resource shortcomings

There is also the failure to structure, own and sufficiently resource AML risk so that nothing falls between the gaps.

In one example, the bank's first line of defence was insufficiently trained and, while they obtained KYC information, they did not conduct AML risk assessments for customers. The review of onboarding documentation was outsourced to the second line of defence, but they were subject to processing deadline service-level assessments rather than qualitative service-level assessments; and the third line of defence was under-resourced and not involved in ongoing monitoring, relying on red flags being triggered only. The three different teams did not fully share all relevant information. 

Another bank had a three line of defence model but it did not operate effectively. The frontline relationship managers did not appropriately screen customers and an overburdened compliance function was left to remedy deficiencies in the quality of due diligence information collected.

One bank failed to establish, implement and maintain appropriate and risk-sensitive policies and procedures on handling cash deposits, including whether they should be accepted or rejected if adequate source of funds information was not provided or when there was a suspicious transaction. As a result the  bank accepted £22.74 million in cash deposits of over £10,000 during the relevant period.

The recent FCA notices heavily criticise teams for being under-resourced and therefore not able to conduct their roles in a timely and effective way. They also heavily criticise senior management who do not effectively fix resourcing concerns. Staff should be provided with sufficient and tailored training that is sufficient for their particular roles. In one example, a lack of knowledge of customer-facing staff in a bank's main branch of the "tipping off" offence created a fear of committing this offence to the extent that branch staff were discouraged from rejecting cash deposits even when they had concerns.  

A firm's systems must be operated by sufficiently resourced and trained staff, and overseen and monitored by senior managers who have sufficient understanding of their regulatory responsibilities. The identity of the "risk and issue" owners  should be clearly articulated and understood within the firm, with clear lines of responsibility and accountability.

Rectify weaknesses and align processes to policies

There is a need to rectify comprehensively and promptly any weaknesses in AML systems. 

For example, despite receiving a fine in 2013, a bank failed to act quickly to improve AML controls. This led to a prolonged period of time where the bank was exposed to financial crime risks. As a result the FCA applied a 40% increase to the bank's fine.

The bank's processes also need to match their policies.  

In one example, the bank was criticised not because it failed to do certain things in themselves or within a certain time frame as required by the FCA's rules or the money laundering regulations, but because the bank's policies said that it should have done those things and within certain timeframes. 

Osborne Clarke comment

The FCA has made clear that there is no excuse for a firm's failure to comply with the money laundering regulations and the FCA's rules. The requirements relating to AML have been key features in the regulator's fight against financial crime for over 25 years. 

Similarly, the FCA expects firms to be aware of the numerous well-publicised final notices in recent years for AML systems and controls weaknesses. 

While these recent final notices relate to historic events and weaknesses identified (as far back as 2012), as we continue to see the same common themes appearing in requirement notices to appoint skilled persons and requests for information by the FCA, we can expect to see further notices of a similar vein.

Fines are not the only potential consequences of getting things wrong.  In three of the recent examples, the FCA also obtained voluntary restrictions from those banks for onboarding new customers while remediation was ongoing. Two of those banks were also required to appoint a skilled person under section 166 of the Financial Services and Markets Act 2000 to review their AML processes, systems and controls. From our work on such reports, appointing a skilled person can be a lengthy and very expensive process. 

The FCA must be able to rely on the leadership within a firm to take on the responsibility of ensuring that everyone in the firm is aware of the role they have to play in ensuring financial crime controls are adequate and effective in mitigating against the risk of financial crime. We anticipate that the FCA will also publicly censure or impose financial penalties on senior managers when it identifies serious failings by a firm's leadership.

If you are interested in discussing these issues further, please get in touch with your usual Osborne Clarke contact, or one of our experts listed below.

This Insight was produced with the assistance of George Elliston, Trainee Solicitor