In 2022 the number of regulatory enforcement powers exercised by the UK’s Financial Conduct Authority (FCA) increased.
The number of financial crime related fines issued by the FCA more than doubled, from 10 in 2021 to 26 in 2022.
It is important that regulated firms pay attention to the issues identified by the FCA and learn lessons from these enforcement actions.
Neopay has prepared a summary of the main enforcement actions from 2022, highlighting the issues and deficiencies found and providing guidance for regulated firms on enhancing their frameworks through both preventative and corrective measures.
1. Governance and Senior Management Arrangements
Santander UK PLC (Santander) – Final Notice 2022: Santander UK Plc (fca.org.uk)
Santander UK’s departments operated in isolation and did not effectively share information. Each area concentrated on performing its own functions, with little understanding of how this affected the overall business, and information flows between departments were lacking. The FCA found that management information (MI), such as reports provided to senior management, omitted some key financial crime information. For example, there was evidence that senior divisional managers were not appropriately involved in committee meetings where financial crime topics and risks were raised.
Gatehouse Bank PLC (Gatehouse) – Decision Notice 2022: Gatehouse Bank plc (fca.org.uk)
Gatehouse was found to have insufficient resources in its compliance function and not to be operating an effective three lines of defence model. The compliance department was drawn into, and overwhelmed by, activities that fell under first line of defence responsibilities, leaving too few resources for monitoring and oversight of the business. For example, the second line of defence was in charge of onboarding and ongoing customer due diligence. The issue identified by the FCA was the unclear allocation of responsibilities between the first and second lines of defence, which meant that the second line was unable to effectively monitor and oversee potential financial crime risks.
- Ensure you operate an effective three lines of defence model with a clear division of responsibilities and no overlap of activities between the first and second lines of defence.
- Ensure you have appropriate resources in your compliance function to effectively oversee and monitor the activities performed by the first line of defence.
- Review your operating activities, including interactions and information flows between departments, to ensure that each department understands how its own activities connect with and impact other business areas.
2. Customer Due Diligence and Customer Risk Assessment
Santander UK PLC (Santander)
The FCA identified that Santander did not sufficiently understand or verify its customers’ nature of business, which meant that the customer risk assessment was not performed appropriately or adequately recorded. Santander did not request confirmation of the nature of business from its customer and was therefore unable to assess or record the potentially high risk associated with the customer’s business activities. Santander also failed to keep consistent, up to date and readily available records.
Specifically, Santander failed to identify at the onboarding stage that a customer was operating a money service business (MSB), a customer type that fell outside Santander’s risk appetite. Several ‘red flags’ were present during onboarding which Santander failed to recognise, such as:
- The customer operated the account at a regional branch located approximately forty miles from both the business trading address and the home address of the sole director. As both locations were large cities, Santander did not investigate why the customer had opened the account at such a distant branch.
- The part of the application form asking for a declaration of MSB activities was crossed out.
- There was a discrepancy between the nature of business declared by the customer, ‘translation service’, and the information available at Companies House, which stated ‘providing financial intermediation not elsewhere classified’ and ‘other financial service activities except insurance and pension funding (not including security dealing on own account and factoring)’. Additionally, an insurance document obtained during onboarding described the nature of business as ‘travel agency’.
- The customer’s business website referred to ‘FX’, suggesting some form of trading in, or transmission of, foreign currencies.
Despite these multiple discrepancies, Santander failed to identify, evaluate and investigate the red flags, so the real nature of the business was never confirmed or verified. As a result, the customer was subject only to standard due diligence, because the high-risk element of the business (MSB), which was in fact outside Santander’s risk appetite, was never identified.
Gatehouse Bank PLC (Gatehouse)
Gatehouse’s business operations are typically associated with high financial crime risk, involving high-risk jurisdictions, relationships with politically exposed persons (PEPs) and businesses with complex ownership structures.
Given the nature of the customers Gatehouse dealt with, it failed to implement adequate processes for identifying PEPs, establishing their source of funds and source of wealth, and conducting enhanced due diligence (EDD) as required by the Money Laundering Regulations. The FCA found that Gatehouse’s documented policies and procedures did not provide sufficient guidance on how to identify source of funds or wealth, or how to verify it appropriately using different types of documents depending on the declared source.
- Ensure your onboarding processes are set up, and reviewed regularly, to capture the key information about your customers that could affect your assessment of the financial crime risks associated with them.
- Ensure that your onboarding documentation gives appropriate guidance on how the nature of a business should be evaluated and verified, and on which red flags may indicate an incorrect or misleading description of the customer’s activities.
- Review and update your processes for managing high-risk relationships, such as those involving PEPs, so that clear processes are embedded to identify PEPs (and other high-risk customers). Apply the appropriate level of due diligence (EDD), including establishing and verifying source of funds and source of wealth, and impose enhanced monitoring of the business relationship.
- Ensure that your customer risk assessment, whether manual or automated, is clearly recorded in the customer risk profile, with a clear audit trail of any changes to the customer’s risk rating.
3. Ongoing Account Monitoring
Santander UK PLC (Santander)
The FCA expects firms to perform regular monitoring to ensure that their records are up to date and that the information obtained during onboarding remains accurate. This is typically achieved through periodic reviews scheduled according to the assigned customer risk level, together with ad-hoc reviews triggered by specific events. Santander was found not to have conducted periodic reviews to ensure that it understood the current risk profile of its customers and the financial crime risks associated with each relationship. It was only in 2016 that Santander launched periodic reviews for its high-risk customers, and no ongoing reviews were implemented for low or medium risk customers.
Gatehouse Bank PLC (Gatehouse)
In addition to Gatehouse’s weak onboarding systems and controls, the FCA identified failures in performing regular reviews. Gatehouse was found not to have performed periodic reviews since 2011, despite a high-risk customer base linked to PEPs, businesses from high-risk jurisdictions and businesses with complex ownership structures. The reasons for not performing reviews on a scheduled basis appeared to be resource capacity, a lack of appropriate financial crime training for customer-facing employees and poor customer due diligence practices at onboarding.
The final notice stated:
“In January 2012, Gatehouse agreed to act as a fund adviser and sponsor to a US based SPV [special purpose vehicle] which had been set up to facilitate various real estate investments. Gatehouse did not undertake a risk review of the US based SPV until almost two years later, in December 2014. Gatehouse took limited and incomplete steps to verify the identity of the investors until the customer file was reviewed in connection with Compliance Review in August 2016. This was despite the fact that Gatehouse had been in possession of information since October 2012 which showed that one of the beneficial owners of the US based SPV was a PEP. Gatehouse further missed an opportunity to identify and mitigate potential money laundering risk in December 2014, when it carried out a risk assessment based on an outdated list of investors. During this assessment, it only identified one PEP, and failed to identify that there were six further PEPs amongst the underlying shareholders at the time.”
Ghana International Bank PLC (GIB)
Due to the high-risk nature of its activities (correspondent banking), GIB is required to apply customer due diligence and enhanced ongoing monitoring to manage the increased financial crime risks.
The FCA’s decision notice states that GIB failed to implement systems and controls, such as procedures that “clearly explained to staff how to conduct enhanced due diligence on respondents during their onboarding process, and subsequent ongoing onboarding”. The final notice added that staff had to work from “several fragmented, confusing and overlapping policies, manuals, frameworks and forms, where correspondent banking was either insufficiently considered or not at all”.
GIB failed to perform periodic reviews despite its own internal requirements. Furthermore, trigger events such as FCA publications, feedback from external experts and Ghana being made subject to a FATF Public Statement, all of which required gaps in EDD to be filled, in some cases resulted in slow contact with respondents and fragmented follow-up requests.
- Create a formal risk-based process for conducting periodic reviews, so that customer information remains up to date and is reviewed at intervals appropriate to the risk profile.
- Identify and document the trigger events that should prompt a review of a customer.
4. Transaction Monitoring and Suspicious Activity Reporting (SAR)
Santander UK PLC (Santander)
The FCA found that the SAR division was understaffed and that existing staff were under pressure. As a result, alerts queued for review, delaying investigations and creating a backlog. Santander was able to clear the backlog, but the underlying resourcing issue was not addressed and occasional delays in investigating transaction alerts continued. Furthermore, the FCA found that Santander did not provide role-specific training for employees on their duties under the Money Laundering Regulations.
Danske Bank A/S (Danske) – Enforcement action notice
The bank was fined by the Central Bank of Ireland for multiple deficiencies in its transaction monitoring systems and controls. Danske failed to incorporate the requirements of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 and to implement appropriate transaction monitoring rules and filters. As a result, an erroneous filter excluded entire groups of customers, including some medium and high risk customers, from monitoring.
Danske identified this issue during an internal audit in 2015, but neither Danske nor its Irish branch notified the Central Bank that approximately one in forty transactions went unmonitored for financial crime between 31 August 2015 and 31 March 2019.
- Implement robust, fit-for-purpose transaction monitoring systems with rules and alerts designed to capture all customer types and behaviours.
- Regularly review the output of transaction monitoring to confirm that the mechanism and its logic are calibrated correctly.
- Design effective monitoring and testing of the transaction monitoring systems themselves.
- Review the performance and results of transaction monitoring systems provided by third parties.
- Provide tailored financial crime training to the relevant employees, taking account of their specific roles in preventing financial crime.
- Develop effective and robust processes for employees to report suspicious activity.
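The Danske and Santander findings above describe two failure modes that a monitoring team can check for mechanically: a population filter that silently drops whole customer groups from scope, and alerts that sit unworked past an investigation deadline. The script below is an added illustration written for this summary, not code from any of the firms or notices discussed; the customers, segments, amounts, alert queue and the 30-day SLA are constructed, and `buggy_population_filter` is a hypothetical stand-in for the kind of erroneous filter the Danske case describes. It reconciles the full transaction ledger against what the monitoring pass actually evaluated, so an exclusion shows up as a measured coverage gap rather than going unnoticed for years.

```python
"""Coverage reconciliation and alert-ageing checks for a transaction
monitoring pipeline. All sample data below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Customer:
    id: str
    risk: str      # "low" | "medium" | "high" (customer risk rating)
    segment: str   # product or book segment used by the population filter


@dataclass(frozen=True)
class Txn:
    id: str
    customer_id: str
    amount: float


# Constructed customers: two of them sit in a "legacy_core" segment.
CUSTOMERS = {
    "C001": Customer("C001", "low", "retail"),
    "C002": Customer("C002", "low", "retail"),
    "C003": Customer("C003", "high", "retail"),
    "C004": Customer("C004", "medium", "legacy_core"),
    "C005": Customer("C005", "high", "legacy_core"),
}

# Constructed ledger: 38 retail payments plus one from each legacy customer.
_RETAIL_AMOUNTS = [250.0, 1200.0, 80.0, 4500.0, 15000.0,
                   320.0, 9999.0, 2750.0, 610.0, 1000.0]
TXNS = [
    Txn(f"T{i:03d}", ("C001", "C002", "C003")[i % 3], _RETAIL_AMOUNTS[i % 10])
    for i in range(38)
] + [
    Txn("T038", "C004", 3000.0),
    Txn("T039", "C005", 25000.0),   # large payment by a high-risk customer
]

# Constructed alert queue: (alert_id, opened_on, closed_on or None).
ALERT_QUEUE = [
    ("A001", date(2023, 1, 2), date(2023, 1, 10)),
    ("A002", date(2023, 1, 5), None),    # open for over two months
    ("A003", date(2023, 3, 1), None),
]
AS_OF = date(2023, 3, 10)


def buggy_population_filter(customer: Customer) -> bool:
    """Hypothetical misconfigured scope filter: drops an entire segment."""
    return customer.segment != "legacy_core"


def fixed_population_filter(customer: Customer) -> bool:
    """Corrected scope filter: every customer is monitored."""
    return True


def run_monitoring(txns, customers, population_filter, threshold=10000.0):
    """One-rule monitoring pass; returns (alert ids, ids of evaluated txns).

    Recording which transactions were actually evaluated is what makes the
    coverage reconciliation below possible.
    """
    alerts, monitored = [], set()
    for t in txns:
        if not population_filter(customers[t.customer_id]):
            continue                      # out of scope: never evaluated
        monitored.add(t.id)
        if t.amount >= threshold:
            alerts.append(t.id)
    return alerts, monitored


def reconcile_coverage(txns, customers, monitored):
    """Compare the full ledger with what the monitoring pass actually saw."""
    unmonitored = [t for t in txns if t.id not in monitored]
    by_risk = Counter(customers[t.customer_id].risk for t in unmonitored)
    return {
        "total": len(txns),
        "unmonitored": len(unmonitored),
        "unmonitored_ratio": len(unmonitored) / len(txns),
        "unmonitored_by_risk": dict(by_risk),
        # any medium/high-risk customer outside scope is a reportable gap
        "higher_risk_gap": (by_risk["medium"] + by_risk["high"]) > 0,
    }


def overdue_alerts(alert_queue, today, sla_days=30):
    """Alert ids still open beyond the investigation SLA (the backlog case)."""
    return [a for a, opened, closed in alert_queue
            if closed is None and (today - opened).days > sla_days]


if __name__ == "__main__":
    for name, flt in (("buggy", buggy_population_filter),
                      ("fixed", fixed_population_filter)):
        alerts, monitored = run_monitoring(TXNS, CUSTOMERS, flt)
        print(name, len(alerts), "alerts;",
              reconcile_coverage(TXNS, CUSTOMERS, monitored))
    print("overdue:", overdue_alerts(ALERT_QUEUE, AS_OF))
```

With the misconfigured filter the pass still produces alerts on the retail book, so nothing looks broken from the alert volume alone; only the reconciliation against the ledger reports the two unmonitored transactions, both from medium or high risk customers, and the missed alert on the £25,000 payment. Running the same reconciliation on every monitoring cycle, and ageing the open alert queue against a documented SLA, are the kind of "monitoring of the monitoring" the bullet points above call for.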
5. Customer Terminations and Closure
Santander UK PLC (Santander)
Whilst financial crime prevention focuses mainly on onboarding and ongoing monitoring, firms are also required to have an effective and streamlined strategy and process for customer termination and account closure.
The FCA found that Santander did not have clear processes for customer exit and account closure. Different teams held different views of the process, which caused an inconsistent approach, operational issues and delays in actioning terminations and closures.
For example, a customer opened an account with Santander UK in May 2013 on the basis that it provided translation services with an estimated monthly account turnover of £5,000, and was incorrectly assessed as a standard risk customer. From October 2013, large payments were made in and out of the account. In November 2013 a transaction monitoring alert was triggered because transactions exceeded £1.5 million per month. This was not investigated until 3 March 2014, by which time approximately £26 million had passed through the account. On investigation, the SAR Unit identified that the customer had misrepresented the true nature of its business and appeared to be operating an MSB. The SAR Unit suspected that the funds derived from criminal activity and recommended closure of the account. The recommendation was not actioned and the account continued to operate. A further investigation in September 2014, by which time over £86 million had passed through the account, reached the same conclusion, but no further action was taken to progress the closure and no steps were taken to enhance the monitoring of the customer.
- Provide clear guidelines on the financial crime scenarios that could lead to account termination or closure.
- Ensure employees receive regular and adequate training on how to review potentially suspicious activity, and on how to act on it through suspicious activity reporting and account termination.
- Implement clear processes for customer termination and ensure they are understood by all relevant departments.
- Ensure that appropriate monitoring and oversight arrangements are in place to detect non-compliance, such as a failure to close an account following a suspicious activity report or any other financial crime concern.
How we can help
Recent enforcement action by the FCA and other regulators has made it evident that firms have weaknesses in their financial crime systems and controls. Neopay can help you identify these gaps and provide remediation steps to resolve any areas of non-compliance through our range of targeted audits.
If you’d like to know more about how we can assist you with your policies and procedures and ensure your framework is compliant, or any other regulatory compliance matters, please contact our specialist team here.