When PEP assets are corporate: the lessons from the £7 million Standard Bank fine

All the time, private bankers encounter the wealth of 'politically-exposed persons' or PEPs in corporate form. Instead of dealing in cash resources, they find themselves having to deal with wealth that is tied up in special purpose vehicles or other corporate structures. With this in mind, readers will be interested in the reasons why the Financial Conduct Authority recently fined Standard Bank £7 million for lax money-laundering controls.

The drafting of the penalty leaves something to be desired. For a start, it is a decision notice and not a final notice; when asked to explain this oddity, an FCA insider said that “being money-laundering, it is a non-Financial Services and Markets Act outcome, for which there is a two-stage process, I am told.” Secondly, on page 16 it says that the FCA reached this 'decision' in accordance with Money Laundering Regulation 42(7) which, according to legislation.gov.uk, the United Kingdom's legislative website, does not exist. Nor is there anything but a blank space next to the '42(7)' slot on page 23 of the notice, where the rest of the regulation (which empowers 'designated authorities' to fine those they regulate for breaking the regulations) is explained.

Those 'dodges' in full – or perhaps only in part

Then there are the FCA's less-than-enlightening depictions of the 'dodges' with which the bank carried on business without the proper 'extra/enhanced due diligence' or EDD during the period in question (2007-11). The Joint Money Laundering Steering Group's guidelines state that whenever a customer-firm is known to be linked to a 'politically-exposed person' or PEP, perhaps when the PEP is a director or a shareholder, it is likely that this will put the customer into a 'higher risk category,' so EDD is vital.

The 'dodges' tended to revolve around the practice of mis-categorising the risks inherent in each jurisdiction, or in the presence of a PEP or, failing that, the accurate allocation of risk categories but a subsequent failure to allocate EDD accordingly. In 2009 Standard Bank undertook a massive re-categorisation of its corporate customers into high, medium and low risk. Maddeningly, the FCA does not tell us what categories it was using between 2007 and 2009. If it was following the example of some private banks of the time, it might have simply had two categories – standard risk and high risk – but this remains speculation.

The regulator does, however, list the four areas into which the bank divided its risk factors for the exercise. These were (i) relating to each customer's profile, i.e. whether he was a PEP or not; (ii) relating to the jurisdiction in which he operated, i.e. country risk; (iii) his business activities, e.g. business channels and source of funds; and (iv) the products and services the bank was offering him, i.e. product risk.

One example of a 'dodge' involved two customers classified as medium risk. Both were involved in the mining of precious metals (an industry that Standard Bank had classified as highly risky), both were incorporated in jurisdictions that Standard Bank had classified as highly risky and both were connected to PEPs. Despite these 'red flags,' the bank had given them a 'medium risk' tag because their parent companies were listed on recognised investment exchanges. The FCA was not fooled. In its decision notice, however, it does not say whether these RIEs (of which the UK has seven) were in the UK.

In another 'dodge', the customer was a listed company in a highly risky jurisdiction whose ultimate beneficial owner – obviously some high-net-worth individual or other – was hidden from view, although the bank thought it knew who it was. Someone at the bank asked the compliance department to sign a waiver, which it did with the following obscure phrase.

“[The company] is a well-established, managed and listed company in [highly risky jurisdiction]. Although, we do not have all the details of single largest shareholder of the company, the founder and his brother remained the key men of the company. Lacking of such information would not have a significant negative impact on our bank’s position as compared with [Company’s] other existing banks.”

The FCA does not explain what this loosely assembled collection of words – probably written by someone whose first language was not English – was supposed to mean or what the compliance department thought it meant. In doing so, it missed an opportunity to warn compliance departments in detail about the kinds of pretext that relationship managers and salespeople use in their quest to cast EDD aside.

A shortage of detail

No actual money-laundering is alleged to have taken place at the bank, making the FCA's need to justify its fine in detail all the more urgent. It does nothing of the kind, however. In note 4.27 it lists some 'high risk customers' that the bank had identified as such, noting that it then failed to monitor them in accordance with its policy of six-monthly reviews for that category (in one case, the checks only happened twice in nearly seven years). Then, in 4.28 it states, quite baldly and without a further word of explanation: “This failing was systemic across Standard Bank, impacting 4,300 of its 5,339 customers (80%).” This is a stunning revelation that is surely worthy of more comment, but that is where the matter ends.

The FCA is very vague in other areas, for instance in its descriptions on page 7 of the bank 'taking some steps towards applying EDD' or 'attempting to apply EDD' in some cases. What do these phrases mean? In view of its heavy price tag, the decision notice ought to be brimming with detailed explanations of how someone can 'try' to monitor something but fail.

On page 9 the FCA finds no fault with Standard Bank's revised set of classifications but, frustratingly, stops short of telling the public why (or whether) it thinks that the bank had managed to get them broadly right. Under the new (and present) rubric, highly risky customer relationships were to be reviewed annually; those that posed medium risk were to be reviewed biennially; and those that posed low risk were to be reviewed every three years.

When the FCA tackles the task of summing up the bank's offences over the five-year period, it either overshoots its brief by using wide catch-all terms or falls short of meaningful description. One of the offences it lists is that of failing to come up with risk-ratings at the start of business relationships, not noting the fact that risk-ratings can change during such relationships and, over a 5-year period, probably did in this case. It uses 'value-judgement' words when it accuses the bank of not consistently demonstrating its taking-into-account of 'relevant' risk factors, or 'appropriate' risk ratings, or 'adequate' EDD measures or 'appropriate' monitoring.

Despite the FCA's shortcomings in describing the 'dodges' that it wants other banks to eschew, the tenor of Standard Bank's approach to EDD is clear. The bank followed a consistent policy of going selectively through some of the motions while the money kept rolling through its portals.

What were the high-risk jurisdictions?

In 2007-11 Standard Bank conducted business relationships with 282 corporate customers that were linked to one or more PEPs. No jurisdictions are mentioned, but as Standard Bank is a wholly-owned subsidiary of SBG, South Africa’s largest banking group, we can assume that they came from all over the continent of Africa. Precious stones and mineral extraction figured prominently in their business, as one might expect.

The top ten diamond-producing countries in the world, incidentally, are: Brazil (½% of total production), Ghana, Namibia (1.3%), Angola, Canada, South Africa, Australia (13%), the Democratic Republic of the Congo (19%), Botswana (20%), and Russia (22%).

The way the penalties are spread

The fine is a landmark in the sense that it is the first major money-laundering fine that straddles the dividing line between the old Financial Services Authority's penal regime (DEPP) and the new one. The switch-over happened on 6 March 2010. In previous judgements the FCA has decided to apply the less stringent earlier requirements; not so here. For the earlier period, the FCA looked at (i) the likelihood of deterrence; (ii) the seriousness of the bank's failings – it decided that they were “of a serious nature”; (iii) the extent to which the failings were deliberate – it states that they were not, although others might disagree; (iv) the firm's resources, which are considerable; (v) previous disciplinary history – the bank has none; (vi) conduct following the beginning of the regulator's investigation; (vii) other action that the old FSA took in similar cases; and (viii) how closely the bank followed the JMLSG notes. With little further explanation, for example with no mention of how previous failings at and punishments for other banks influenced its decision, the FCA said that for this period it would fine the bank £3 million. For the next period it fined it £4,640,400 on top of that.

It did so according to its so-called 'scientific method' of fining which the Dubai Financial Services Authority is planning to clone (perhaps with some minor tweaks) from its British counterpart. The first of the five 'steps' in the process is that of 'disgorgement', an American regulatory term for divesting oneself of one's ill-gotten gains. As no actual money-laundering had been proven, this figure was zero. Some might argue that this is rather lenient, as the onus must surely be on the recalcitrant bank to show that it would have retained all the business that occurred if it had applied EDD as it should have. Money-launderers are opportunistic and shy away from banks that apply rigorous EDD. At 6.21 the FCA states that its investigation did not assess whether any of Standard Bank’s clients were involved in criminal activity, so even if money-laundering did take place in the period, the regulator would have been oblivious.

Step 2 was the stage at which the extra charge really occurred. Within this step there is a sliding scale of severity; the FCA plumped for state 4, which necessitated a charge of 15% of the bank's 'relevant revenue' for the period. This was £50,253,520, making the step 2 charge 15% of that, namely £7,538,028.

For step 3, the FCA thinks that the findings are 'aggravated' by the fact that it "has previously brought action against a number of firms for AML deficiencies and has stressed to the industry the importance of compliance with AML requirements." This, when one dissects it, suggests that firms can expect steeper penalties than they would otherwise incur if they break rules in a very wide area of activity (perhaps suitability or systems and controls) where the FCA and its predecessor have happened to discipline people before (which presumably is the explanation for the phrase 'bringing action'). If a firm transgresses against other parts of the rulebook where disciplinary action has not happened yet, it can expect relative leniency. Sadly, this was not one of those moments and the FCA bumped the post-2010 charge up 5% to £7,914,929. Against the 'aggravating factor' of the offences not happening in virgin territory the FCA added the 'mitigating factor' of the bank co-operating with its investigation. The FCA did not take step 4.

In taking step 5 – chopping 30% off the total fine of £10,914,929 (which included the pre-2010 £3 million) – the FCA rewarded the bank for reaching an agreement to pay at the earliest moment.

*The Compliance Register is holding an AML and financial crime conference on 27th March in London. Brochure is available at http://www.compliancer.com/2014_mlros_conference1.pdf