Analysis and case study Habib Bank AG Zurich (“Habib”): FSA fines bank and its former MLRO for failure to comply with anti-money laundering requirements
In May 2012 the FSA issued Final Notices fining Habib Bank AG Zurich (“Habib”) £525,000 for failure to take reasonable care to establish and maintain adequate anti-money laundering (“AML”) systems and controls and fining its former Money Laundering Reporting Officer (“MLRO”) Syed Hussain £17,500 for failure to take reasonable steps to ensure that Habib complied with relevant AML requirements. This e-bulletin summarises the decisions and identifies the key messages for MLROs.
Context
This enforcement action comes in the wake of the FSA’s thematic review of banks’ management of higher money laundering risk situations, the findings of which were published on 22 June 2011, and is the second action arising out of that thematic review.
Prior to this recent enforcement activity, there had been relatively few fines imposed by the FSA for anti-money laundering failures in recent years, save for two actions against smaller firms and their MLROs: Alpari (UK) Ltd and its former MLRO in 2010 (see update here) and Sindicatum Holdings Ltd and its MLRO in 2008 (see update here).
Background
Habib is a privately owned Swiss bank.
In the period between 15 December 2007 and 15 November 2010, its operations consisted of twelve branches in the UK with a total of approximately 15,500 account holders and approximately 200 staff. Habib offered deposit products (including current accounts and term deposits), private banking, trade finance, correspondent banking, and other products (such as remittance services) to personal and corporate customers. Habib’s primary sources of new business were referrals from existing customers or from staff, existing customers referred from group overseas branches, and existing customers seeking new or additional products and services. Approximately 45% of Habib’s customers were based outside the UK and Habib’s target markets included East Africa and South Asia.
Findings in relation to Habib and Mr Hussain
The FSA found that:
- Habib breached Principle 3 of the FSA’s Principles for Businesses (“A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”);
- Habib also breached:
  - SYSC 6.1.1R – the obligation to establish, implement and maintain adequate policies and procedures sufficient to ensure compliance with a firm’s regulatory obligations and for countering the risk that the firm might be used to further financial crime;
  - SYSC 6.3.1R – the obligation to ensure that the policies and procedures in place enable the firm to identify, assess, monitor and manage money laundering risk;
  - SYSC 6.3.3R – the obligation to carry out a regular assessment of the adequacy of a firm’s systems and controls; and, more unusually in this context,
  - SYSC 9.1.1R – the obligation to keep orderly records which are sufficient to enable the FSA to monitor the firm’s compliance with the requirements under the regulatory system; and
- Mr Hussain failed to comply with Statement of Principle 7 of the FSA’s Statements of Principle and Code of Practice for Approved Persons (the obligation on approved persons to take reasonable steps to ensure the business of the firm complies with relevant requirements and standards).
The FSA found that, between 15 December 2007 and 15 November 2010, both Habib and Mr Hussain failed to take reasonable care to establish and maintain adequate AML systems and controls, thereby exposing Habib to an unacceptable risk of handling the proceeds of crime, and in particular failed to:
- establish and maintain an adequate procedure for assessing the level of money laundering risk posed by prospective and existing customers;
- conduct sufficient enhanced due diligence (“EDD”) in relation to higher risk customers;
- carry out adequate reviews of its AML systems and controls; and
- revise training adequately to address shortcomings in AML practice identified by the MLRO and to maintain sufficient records of staff completion of AML training and of all AML steps taken on individual customer accounts.
Enhanced Due Diligence – risk assessment
There were two elements of Habib’s EDD failings: the system for determining which customers should be regarded as high risk was flawed; and inadequate EDD was in any event carried out. The former issue is of particular interest, given the relative lack of clarity in the Money Laundering Regulations (the “Regulations”) and the JMLSG Guidance (the “Guidance”) as to what risk assessment systems may be appropriate.
Habib had adopted a system whereby (a) certain accounts were automatically higher risk (e.g. PEPs, unregistered charities and money service businesses) and (b) others accumulated points by reference to whether the customer or beneficial owner was a national of, or domiciled in, a high risk country, or based on volume of assets invested. The system was such that no customer could have been assessed as high risk (outside the ‘automatically high risk’ categories) without a jurisdictional risk element, and Habib’s High Risk Country List was used to assess jurisdictional risk. It is therefore perhaps not surprising that certain obvious flaws which the FSA found in the list featured prominently in the Notice.
Habib compiled its High Risk Country List by reference to the prevailing Transparency International Corruption Perceptions Index (the “CP Index”) and included all countries with a score below three. However, it excluded any country in which it had an office, namely Pakistan and Kenya. The FSA found this policy to be seriously misconceived, as the higher risk of money laundering presented by these jurisdictions was not negated by Habib’s physical presence in those countries or any specialist knowledge of them. Furthermore, Habib was unable to provide any explanation for its selection of a score of three on the CP Index and, given Habib’s customer base and product range, the FSA found this to be too low a threshold for determining which countries were high risk.
Perhaps more pertinently, the FSA pointed out that Habib should not have used the CP Index as its only source for determining which countries presented a high money laundering risk. Habib’s approach is indeed surprising; whilst some elements of country risk assessment remain controversial, it is clear that, at the very least, an MLRO should ensure that a firm obtains and makes appropriate use of any government or Financial Action Task Force (“FATF”) findings concerning the approach to money laundering prevention in particular countries or jurisdictions. The CP Index measures perceptions of corruption, not money laundering. A procedure that contains reference to advisories issued by HM Treasury (“HMT”) and FATF is therefore likely to be a better starting point than a procedure that relies on the CP Index alone (albeit that the CP Index may also be a useful input, given the number of countries which do not appear on the FATF/HMT advisories, where risk assessment is inevitably more judgmental).
Habib was also criticised for failing to consider and assess whether a number of specific types of customer, including, for example, beneficial owners with a significant interest in a corporate customer who are resident in a high risk jurisdiction, should be regarded as higher risk. This is more surprising. The JMLSG does list the potential risk factors referred to by the FSA as examples of potential high risk scenarios, but the relevant guidance is in the Retail Banking section of Part II of the Guidance, and is provided by way of example only. The Guidance itself states that firms should have a degree of discretion in the procedures they put in place to comply with AML requirements and that it is not intended to be applied as a checklist of steps to take. There must be some concern, therefore, that this is indicative of a move by the FSA towards using the Guidance as a checklist for enforcement purposes.
Perhaps one should not read too much into a single instance of the Guidance being used in this way, particularly in circumstances where there were a number of issues which, on any view, would have merited enforcement action. Further, the FSA’s stated criticism was that Habib “failed to consider and assess” the JMLSG’s higher risk examples, rather than that it failed to treat customers within those categories as higher risk. In conclusion, whilst it is to be hoped that the Guidance can be preserved as guidance, it appears that firms should be prepared to justify departures even from indicative recommendations in JMLSG Part II.
Enhanced Due Diligence – evidence gathered
In relation to the adequacy of Habib’s EDD arrangements, the FSA found that:
- Habib’s procedures failed to require that customers who were not physically present for identification purposes were to be classified as higher risk and accordingly needed to be subject to EDD and enhanced ongoing monitoring;
- in 21 of the 34 files reviewed by the FSA the information gathered by Habib during the EDD process was found to be either insufficient (particularly regarding the customer or beneficial owner’s source of wealth and source of funds) and/or not supported by appropriate evidence.
For example,
- where a customer’s source of wealth or funds was stated to be the proceeds of a property sale, Habib did not obtain any evidence of the ownership of the property, the occurrence of a sale or the arising proceeds; and
- in some cases, EDD had not been conducted prior to transactions occurring on the account.
It is notable that the FSA appears to have adopted a blanket assumption that EDD must in all cases involve the same sort of measures, i.e. including obtaining information on source of wealth or funds.
This is, in fact, a regulatory requirement only in relation to politically exposed persons (“PEPs”). Under the Regulations, EDD measures must be applied where the customer has not been physically present for identification purposes; in respect of a business relationship or occasional transaction with a PEP; and in other specific scenarios.
However, the EDD measures which will be required will be different in each case, to reflect the risk that each scenario poses. For example, in relation to customers who are not physically present, the main risk is of identity fraud and the Regulations suggest measures such as ensuring that the customer’s identity is established by additional documents, data or information.
Indeed, the recent report from the European Commission to the European Parliament and Council on the application of the Third AML Directive noted that a number of stakeholders had suggested a more flexible approach to when and which EDD measures need to be applied, commensurate to the risks that are being addressed, and that some Member States had asked for re-consideration of the approach whereby non face-to-face situations are automatically classed as high risk.
The short point is that, at least whilst the non-face-to-face restrictions remain, firms must do something to demonstrate that they have complied with their obligation to conduct EDD. Where these steps are not the same as the type of EDD that is applied in other high risk cases, it would be prudent for the firm to have a documentary justification of why, on a risk based approach, its procedures were thought to be appropriate. Such a record would perhaps have assisted Habib in this case – albeit that, in circumstances where customers posed a high risk for other reasons, and Habib failed to comply with its own procedures, an adverse finding would appear inevitable.
Training and assessment of AML arrangements
This enforcement action serves as a reminder that a firm must carry out regular assessments of the adequacy of its AML systems and controls to ensure that they continue to enable it to identify, assess, monitor and manage money laundering risk adequately, and are comprehensive and proportionate to the nature, scale and complexity of its activities. Senior management should receive appropriate information on the operation and effectiveness of the AML systems and controls. Training should be recorded and should take account of identified weaknesses in staff practices.
The following points are indicated by the FSA’s findings in the Habib case and other enforcement action arising from its thematic review:
- AML records should include records of all steps taken, including whether identification took place on a face-to-face basis;
- PEP and related high risk relationships should be periodically reviewed and information kept up to date:
  - this may include contacting the customer or seeking information in the public domain;
  - the review should be documented: where there is no new information, this should be noted so that there is evidence of the review undertaken;
- reviews of risk classification should be documented;
- adverse intelligence should be followed up;
- identified gaps in information should be followed up;
- systems should be adequate to enable information to be joined up;
- where reviews are conducted by or involve the business, training or guidance may be necessary to ensure they can conduct the review effectively;
- senior management reviews of PEPs should include substantive consideration of EDD or adverse intelligence, not merely administrative matters;
- transaction monitoring should be able to identify whether transactions are outside customers’ expected activity;
- reports from the MLRO to senior management should, amongst other matters:
  - assess the adequacy and effectiveness of arrangements, rather than simply describing policies and procedures;
  - justify the adequacy and effectiveness of arrangements relating to transaction monitoring and risk scoring/risk assessment;
- any identified deficiencies (e.g. raised through the internal audit procedures) should be addressed and reflected in AML training for staff where indicative of training needs; and
- accurate training records must be kept.
Specific findings against Mr Hussain
In addition to the above, the FSA found that Mr Hussain:
- was aware of the shortcomings of relying solely on the CP Index as a basis for Habib’s High Risk Country List but nonetheless approved this approach; and
- failed to ensure that Habib’s senior management received appropriate information and analysis on the operation and effectiveness of its AML systems and controls (in relation to which see the checklist above).
One feature of this case was the fact that Mr Hussain, as Habib’s MLRO, had retrospectively checked customer accounts and reviewed EDD forms during his branch audit visits, but failed to detect the shortcomings identified by the FSA.
The fact that action was taken against Mr Hussain personally is, therefore, perhaps not surprising.
In three out of the five AML/sanctions enforcement actions in recent years, the FSA has taken action against the MLRO as well as the firm, but these three actions all involved smaller regulated institutions.
It is likely that we will continue to see enforcement actions against individuals for systems and controls failings, although it is evident that this will not automatically follow from a finding of failure by the firm. It must be hoped that this does not prove an undue disincentive for individuals to take on what is a challenging role.
The recent case of Shah v HSBC [2012] EWHC 1283 (QB), in which an MLRO was required to give evidence for over six days and was the subject of extensive cross examination (with the bank ultimately being vindicated in all respects), highlights the challenges that MLROs and nominated officers can face even when performing their role entirely properly.
Conclusion
The FSA’s thematic review originally indicated that two banks had been referred to enforcement as a result of the FSA’s findings, with further regulatory action and referrals to enforcement being considered in relation to a number of others. It therefore remains to be seen whether there will be further activity coming out of the thematic review but, in any event, AML and other financial crime issues remain an enforcement priority for the FSA. Firms would be well advised to ensure that their risk based approaches are justifiable and adequately evidenced, that their procedures are implemented in practice, and that senior management oversight is adequate and evidenced.