Bank’s Alleged “Tick Box” Approach Failed to Attain Substantive AML Compliance
Late last week, the Financial Conduct Authority (“FCA”), the United Kingdom’s financial services regulator, imposed a $1.2 million (896,100 pound) fine on the UK division of India’s Canara Bank, an Indian state-owned bank, and ordered a moratorium on new deposits for nearly five months. The cause—according to Reuters—was Canara’s systemic anti-money laundering (“AML”) failures.
A 44-page final notice published by the FCA explains the multi-year regulatory process that led to a finding of systemic failures and the imposition of penalties. The FCA’s investigation began in late 2012 and early 2013 with assessments of Canara’s AML systems. Upon inspection, the FCA “notified Canara of a number of serious weaknesses in its AML systems and controls.” After promises of remedial action by Canara, an April 2015 visit revealed that the AML systems had not been fixed. The investigation ended with a final report from a “skilled person,” an expert brought in by the FCA to assess Canara’s AML policies and procedures, completed in January 2016. Settlement followed, resulting in sanctions and the FCA’s published final notice.
These three visits from the FCA generated a laundry list of Canara’s AML shortcomings. This enforcement action reflects three main take-aways: (i) the potential risks faced by banks operating in foreign countries in which they have limited AML experience; (ii) the need for swift remedial action after the firstexamination finding AML deficiencies; and (iii) the need for a substantive AML policy implemented in a substantive way, rather than through a rote reliance on AML-related checklists.
In general, the FCA found that the AML weaknesses stemmed from Canara’s practice of seconding staff from its headquarters in India. According to the FCA, some of these staff did not understand the UK’s regulatory framework and AML-compliance obligations. This resulted in a lack of senior management oversight and focus on AML issues and a general misunderstanding at all levels of the rigorous requirements of the UK’s AML regulations.
Specifically, the FCA found that:
- Canara’s UK staff lacked “an understanding and appreciation of the AML risks and regulatory requirements to which Canara was exposed”;
- Canara’s senior UK staff failed to imbue the bank with a culture of compliance;
- Canara’s corporate governance did not allow for formal escalation of AML issues;
- Canara’s front-line staff did not complete formal AML compliance and sanctions screenings, and neither the compliance department, nor internal auditors, monitored whether these tasks were performed correctly;
- Checklists used by Canara by their compliance department were “an inadequate ‘tick box’ approach to compliance monitoring” that was not in-line with UK regulations;
- No AML training had been given to staff since late 2012;
- The AML Manual, drafted by a third-party consultant, did not contain any procedures for customer due diligence and ongoing monitoring, customer risk assessment, and monitoring of compliance nor did it adequately provide guidance on sanctions screenings.
What actions could have averted these sanctions? First, banks should take AML compliance, especially in foreign countries in which they have limited experience, seriously. Here, the FCA’s final notice is striking in its exclusive focus on the lack of a serious culture of compliance at Canara. The FCA is sending a message with this final notice: compliance is not merely a box to be checked, it is a cornerstone of doing business in the UK. All employees, from the C-suite to the front-lines must be well-versed in AML compliance.
Second, swift, remedial action is needed when regulators come knocking. It appears that Canara had a few chances to right their wayward course, but they did not take the regulators suggestions seriously. If Canara would have acted in 2013, it might have been able to avoid sanctions. While regulators may be relatively understanding the first time, they are not the second time.
Third, AML policies must be robust, detailed, and substantive. The FCA specifically found here that the policy was vague, incomplete, and had formatting errors. Those mistakes further solidified the FCA’s belief that Canara was not seriously focused on compliance. The AML policy the FCA wanted was one that addressed all aspects of AML compliance, from customer due diligence to risk assessments to suspicious activity reporting, and that did so in a detailed, substantive way.