Banking & Finance Further News and Updates
For a summary of other recent updates including: the new director of SFO, Investigations of Lloyds bank and KPMG over HBOS fraud, additional charges against two individuals in Unaoil…
Published 11 October 2018
On 6 June 2018, the FCA published its Final Notice explaining the grounds upon which it fined Canara Bank £896,100 and imposed a restriction on it accepting deposits from new customers for 147 days as a result of long term serious AML failings.
Canara is the UK branch of the Indian state owned bank. Canara has branches in London and Leicester and offers a wide range of regulated and unregulated financial products and services in the UK, including current accounts, term deposits, remittances and corporate banking services. It operates on a relatively small scale in the UK with just in excess of 1000 customers between 2012 and 2016.
In November 2012 and March 2013, Canara was visited by the FCA as part of the FCA's Trade Finance Thematic Project, aimed at assessing the adequacy of controls designed to contain the risk of money laundering, terrorist financing and sanctions breaches in regulated banks' trade finance operations. The FCA found serious AML failings, namely that Canara provided limited evidence to suggest that money laundering risks were being taken into account when processing trade finance transactions, that there was no evidence that risk assessments or sanctions checks had been carried out for trade finance customers and that there was limited evidence that trade based money laundering risks were being considered or documented. The FCA told Canara to remedy the findings and specifically recommended Canara conduct risk assessment remediation exercises for all clients, ensuring money laundering risk considerations were taken into account, confirm to the FCA that sanctions checks were conducted for all parties to transactions and ensure details of potential matches were kept on file and show in their files where AML red flags had been considered and the rationale for proceeding with a transaction where red flags were prevalent, use open source research for conducting PEP checks, seek clarification and request from customers a more detailed description of the types of goods for which Canara was facilitating payments and make clear which staff were signing off on transactions.
In May 2013, Canara wrote to the FCA to confirm it had taken remedial action to address all the points raised by the FCA. Specifically, Canara confirmed that any client on-boarded since July 2012 had been given an appropriate risk rating, which would be re-assessed after 6 months and that a remediation exercise to risk rate all existing customers on-boarded prior to July 2012 was in progress.
In April 2015, the FCA visited Canara as part of the FCA's pro-active AML programme which reviewed and tested the adequacy of the systems and controls in place to manage the AML and sanction risks. The FCA, once again, found myriad AML failings. There was no evidence that AML risks were being taken into account and managed at any level within Canara. There was an ineffective 3 lines of defence model. There was a failure to implement adequate AML controls in relation to identifying higher risk customers, conducting EDD on higher risk customers and conducting enhanced on-going monitoring for these accounts. File testing conducted by the FCA highlighted numerous significant control gaps including failure to implement a documented customer risk assessment, inconsistent quality of customer screening, a lack of on-going monitoring, limited evidence of transaction monitoring and inadequate consideration of unusual transactional activity. There was no evidence that money laundering risks or adverse media related to its customers were considered by senior management during the on-boarding process or subsequently, even where it was identified. There had been no AML/financial crime training since 2012. There was an overall lack of an effective risk management framework for AML and sanctions. Further, the FCA noted there had been a lack of remediation of the findings from the 2012/2013 visits and that despite assurances given in May 2013 by Canara that all existing customers on boarded prior to July 2012 were being risk rated, 2 years on, the remedial exercise had not been completed.
As a result, the FCA appointed a skilled person under s.166 FSMA to report on Canara's AML and sanctions systems and controls. The Skilled Person reported in January 2016 that Canara's systems and controls were not effective, "to the extent that the Bank's AML risk management framework is not fit for purpose". The report found that Canara did not have an adequately designed or effective 3 lines of defence structure, its documented risk assessment was not appropriately designed or effective, its AML manual was not fit for purpose in respect of ongoing transaction monitoring and there was a lack of detailed understanding of the AML requirements and the impact this had on Canara managing its AML risk at all levels. Somewhat damningly, the Skilled Person concluded that Canara, "…has fundamentally not understood the issues highlighted by the FCA or remediated them adequately…Ultimately, the Bank has an AML Framework that has fundamental shortcomings and is not fit for purpose.".
The FCA fined Canara £896,100, reduced from £1,280,175 (30% reduction) to reflect the fact that Canara agreed to settle at an early stage of the FCA's investigation. It was also made subject to a restriction that for 147 days from the date of the Final Notice, in respect of its regulated activities, it shall not accept deposits from customers who do not already hold a deposit account with Canara at the date of the Final Notice (reduced from 210 days for early settlement).
Principle 3 of the FCA Handbook requires that, "a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems." Further, SYSC requires firms to have in place adequate policies and procedures to ensure compliance with obligations to counter the risk of financial crime, have in place an appropriate internal audit function separate and independent from the other functions and activities of the firm and that its systems and controls enable it to identify money laundering risk. SYSC also requires firms to conduct regular assessment of the adequacy of these systems and controls and that it must train its staff in relation to money laundering. Last, but certainly not least, SYSC required firms to have in place appropriate risk management policies and procedures, which identify the risks relating to the firm's activities. The breaches of these principles identified by the FCA quite clearly demonstrate the extent and seriousness of Canara's conduct:
There can be little doubt that the FCA must have put very serious consideration to withdrawing Canara's relevant permissions to conduct regulated activity in the UK as a result of these serious AML failings. This is not a case of a one off or isolated incident or a mistaken interpretation of the rules. This is a case of fundamental failings over a 4 year period, having failed to act on remediation requirements issued by the FCA and having misled the FCA as to the state of remediation being undertaken. It is clear that after the Skilled Person's Report, Canara took steps, formally, to address the problem. Indeed, the FCA acknowledges in the Final Notice that Canara has completed an overhaul of its systems and controls, invested significant resources to improving its oversight function, including the appointment of a new MLRO with previous AML experience, implemented training and retained external consultants to assist in remediation work. It is further acknowledged that senior management have fully co-operated and engaged with the FCA's investigation.
There is no suggestion that Canara's AML failings led to any instances of money laundering being allowed to take place in the UK. Perhaps that, and the fact Canara finally sat up and took notice, is what ultimately saved Canara from closure. The fact that the bank is a UK branch of a foreign state owned bank and that its operations in the UK were discrete may also be factors which influenced the outcome.
The FCA certainly cannot be criticised for having given Canara every opportunity to remediate the issues itself. However, the upshot of this is that an obviously non-compliant financial institution was allowed to expose the UK to the risk of money laundering for over 4 years and that it was, perhaps, simply a case of luck that an instance of money laundering did not take place during this time. That is not to say the bank would be implicated, simply that it was in no position to identify the risk and could have been targeted by criminals in view of its lax approach. The FCA does not lack the power to act in a more interventionist way. However, the time it has taken to resolve the issue with Canara does raise an eye-brow. It is difficult to see on what basis, allowing the risk to subsist for this length of time where the firm's failings were so clear, it is right to allow that risk to remain, "on the books".
This is certainly an instance where a more probing approach in 2013 would have led to a quicker resolution and removal of the risk at an earlier date.