The drafting of the penalty leaves something to be desired. For a start, it is a decision notice and not a final notice; when asked to explain this oddity, an FCA insider said that “being money-laundering, it is a non-Financial Services and Markets Act outcome, for which there is a two-stage process, I am told.” Secondly, on page 16 it says that the FCA reached this 'decision' in accordance with Money Laundering Regulation 42(7) which, according tolegislation.gov.uk, the United Kingdom's legislative website, does not exist. Nor is there anything but a blank space next to the '42(7)' slot on page 23 of the notice, where the rest of the regulation (which empowers 'designated authorities' to fine those they regulate for breaking the regulations) is explained.

Those 'dodges' in full – or perhaps only in part

Then there are the FCA's less-than-enlightening depictions of the 'dodges' with which the bank carried on business without the proper 'extra/enhanced due diligence' or EDD during the period in question (2007-11). The Joint Money Laundering Steering Group's guidelines state that whenever a customer-firm is known to be linked to a 'politically-exposed person' or PEP, perhaps when the PEP is a director or a shareholder, it is likely that this will put the customer into a 'higher risk category,' so EDD is vital.

The 'dodges' tended to revolve around the practice of mis-categorising the risks inherent in each jurisdiction, or in the presence of a PEP or, failing that, the accurate allocation of risk categories but a subsequent failure to allocate EDD accordingly. In 2009 Standard Bank undertook a massive re-categorisation of its corporate customers into high, medium and low risk. Maddeningly, the FCA does not tell us what categories it was using between 2007 and 2009. If it was following the example of some private banks of the time, it might have simply had two categories – standard risk and high risk – but this remains speculation.

The regulator does, however, list the four areas into which the bank divided its risk factors for the exercise. These were (i) relating to each customer's profile, i.e. whether he was a PEP or not; (ii) relating to the jurisdiction in which he operated, i.e. country risk; (iii) his business activities, e.g. business channels and source of funds; and (iv) the products and services the bank was offering him, i.e. product risk.

One example of a 'dodge' was of two customers classified as medium risk. Both were involved in the mining of precious metals (an industry thatStandard Bank had classified as highly risky), both were incorporated in jurisdictions that Standard Bank had classified as highly risky and both were connected to PEPs. Despite these 'red flags,' the bank had giventhem a 'medium risk' tag because their parent companies were listed on recognised investment exchanges. The FCA was not fooled. In its decision notice, however, it does not say whether these RIEs (of which the UK has seven) were in the UK.

In another 'dodge', the customer was a listed company in a highly risky jurisdiction whose ultimate beneficial owner – obviously some high-net-worth individual or other – was hidden from view, although the bank thought it knew who it was. Someone at the bank asked the compliance department to sign a waiver, which it did with the following obscure phrase.

em> other existing banks.”

The FCA does not explain what this loosely assembled collection of words – probably written by someone whose first language was not English – was supposed to mean or what the compliance department thought it meant. In doing so, it missed an opportunity to warn compliance departments in detail about the kinds of pretext that relationship managers and salespeople use in their quest to cast EDD aside.

A shortage of detail

No actual money-laundering is alleged to have taken place at the bank, making the FCA's need to justify its fine in detail all the more urgent. It does nothing of the kind, however. In note 4.27 it lists some 'high risk customers' that the bank had identified as such, noting that it then failed to monitor them in accordance with its policy of six-monthly reviews for that category (in one case, the checks only happened twice in nearly seven years). Then, in 4.28 it states, quite baldly and without a further word of explanation: “This failing was systemic across Standard Bank, impacting 4,300 of its 5,339 customers (80%).” This is a stunning revelation that is surely worthy of more comment, but that is where the matter ends.

The FCA is very vague in other areas, for instance in its descriptions on page 7 of the bank 'taking some steps towards applying EDD' or 'attempting to apply EDD' in some cases. What do these phrases mean? In view of its heavy price tag, the decision notice ought to be brimming with detailed explanations of how someone can 'try' to monitor something but fail.

On page 9 the FCA finds no fault with Standard Bank's revised set of classifications but, frustratingly, stops short of telling the public why (or whether) it thinks that the bank had managed to get them broadly right. Under the new (and present) rubric, highly risky customer relationships were to be reviewed annually; those that posed medium risk were to be reviewed biennially; and those that posed low risk were to be reviewed every three years.

When the FCA tackles the task of summing up the bank's offences over the five-year period, it either overshoots its brief by using wide catch-all terms or falls short of meaningful description. One of the offences it lists is that of failing to come up with risk-ratings at the start of business relationships, not noting the fact that risk-ratings can change during such relationships and, over a 5-year period, probably did in this case. It uses 'value-judgement' words when it accuses the bank of not consistently demonstrating its taking-into-account of 'relevant' risk factors, or 'appropriate' risk ratings, or 'adequate' EDD measure or 'appropriate' monitoring.

Despite the FCA's shortcomings in describing the 'dodges' that it wants other banks to eschew, the tenor of Standard Bank's approach to EDD is clear. The bank followed a consistent policy of going selectively through some of the motions while the money kept rolling through its portals.

What were the high-risk jurisdictions?

In 2007-11 Standard Bank conducted business relationships with 282 corporate customers thatwere linked to one or more PEPs. No jurisdictions are mentioned, but as Standard Bank is a wholly-owned subsidiary of SBG, South Africa’s largest banking group, we can assume that they came from all over the continent of Africa. Precious stones and mineral extraction figured prominently in their business, as one might expect.

The top ten diamond-producing countries in the world, incidentally, are: Brazil (½% of total production), Ghana, Namibia (1.3%), Angola, Canada, South Africa, Australia (13%), the Democratic Republic of the Congo (19%), Botswana (20%), and Russia (22%).

The way the penalties are spread

The fine is a landmark in the sense that it is the first major money-laundering fine that straddles the dividing line between the old Financial Services Authority's penal regime (DEPP) and the new one. The switch-over happened on 6 March 2010. In previous judgements the FCA has decided to apply the less stringent earlier requirements; not so here. For the earlier period, the FCA looked at (i) the likelihood of deterrence; (ii) the seriousness of the bank's failings – it decided that they were “of a serious nature”; (iii) the extent to which the failings were deliberate – it states that they were not, although others might disagree; (iv) the firm's resources, which are considerable; (v) previous disciplinary history – the bank has none; (vi) conduct following the beginning of the regulator's investigation; (vii) other action that the old FSA took in similar cases; and (viii) how closely the bank followed the JMLSG notes. With little further explanation, for example with no mention of how previous failings at and punishments for other banks influenced its decision, the FCA said that for this period it would fine the bank £3 million. For the next period it fined it £4,640,400 on top of that.

It did so according to its so-called 'scientific method' of fining which the Dubai Financial Services Authority is planning to clone (perhaps with some minor tweaks) from its British counterpart. The first of the five 'steps' in the process is that of 'disgorgement', an American regulatory term for divesting oneself of one's ill-gotten gains. As no actual money-laundering had been proven, this figure was zero. Some might argue that this is rather lenient, as the onus must surely be on the recalcitrant bank to show that it would have retained all the business that occurred if it had applied EDD as it should have. Money-launderers are opportunistic and shy away from banks that apply rigorous EDD. At 6.21 the FCA states that its investigation did not assess whether any of Standard Bank’s clients were involved in criminal activity, so even if money-laundering did take place in the period, regulator would have been oblivious.

Step 2 was the stage at which the extra charge really occurred. Within this step there is a sliding scale of severity; the FCA plumped for state 4, which necessitated a charge of 15% of the bank's 'relevant revenue' for the period. This was £50,253,520, making the step 2 charge 15% of that, namely £7,538, 028.

For step 3, the FCA thinks that the findings are 'aggravated' by the fact that it "has previously brought action against a number of firms for AML deficiencies and has stressed to the industry the importance of compliance with AML requirements." This, when one dissects it, suggests that firms can expect steeper penalties than they would otherwise incur if they break rules in a very wide area of activity (perhaps suitability or systems and controls) where the FCA and its predecessor have happened to discipline people before (which presumably is the explanation for the phrase 'bringing action'). If it transgresses against other parts of the rulebook where disciplinary action has not happened yet, it can expect relative leniency. Sadly, this was not one of those moments and the FCA bumped the post-2010 charge up 5% to £7,914,929. Against the 'aggravating factor' of the offences not happening in virgin territory the FCA added the 'mitigating factor' of the bank co-operating with its investigation. The FCA did not take step 4. In taking step 5 – chopping 30% off the total fine of £10,914,929 (which included the pre-2010 £3 million) – the FCA rewarded the bank for reaching an agreement to pay at the earliest moment.

*The Compliance Register is holding an AML and financial crime conference on 27th March in London. Br ochure is available at http://www.compliancer.com/2014_mlros_conference1.pdf