Transaction Monitoring and Governance: A Cautionary Tale
" I see you have the machine that goes ‘ping’ “
~ Monty Python, The Meaning of Life
In early August the Financial Intelligence Analysis Unit (“FIAU”) of Malta issued an administrative penalty of €168,943 against the FIMBAnk Plc, a Malta-based bank for its violation of the Prevention of Money Laundering Act.
Two key deficiencies found by the FIAU were in how the bank applied its transaction monitoring controls. In the first instance, the bank had transaction monitoring (“TM”) measures in place, such measures were not commensurate to the size and nature of its activities. The second problem was in how the bank reviewed transactions.
The regulator’s findings in this case are unfortunately not new. The findings made earlier this year by the Swedish regulator of Swedbank’s subsidiaries in Estonia and Latvia, also noted the bank’s failure to ensure that its TM system was effective and was informed by how they expect the customer to use its account.
In the Swedbank case, the reasons why the failures occurred were explored. They were identified as including poor governance and insufficient oversight, senior management accountability and AML/CFT compliance resourcing.
Responsibility of AML/CFT Oversight – Things are Getting Serious
The recently proposed amendments to the European Banking Authority’s guidelines on internal governance, make it clear that Boards and their oversight bodies are accountable for ensuring the effectiveness of their controls in detecting and preventing financial crime. This means that firms’ directors and senior executive teams need to be AML/CFT literate, tech-savvy and have a clear understanding about the information they need in order to decide whether the firm’s AML/CFT compliance programme is working as intended.
These days, Boards are increasingly expected to demonstrate to both regulators and their shareholders their grasp of financial crime risks and how the firm addresses them. They need to demonstrate to AML/CFT supervisors that they acted at the earliest opportunity when the firm’s AML/CFT programmes are not working as expected. This is especially the case when it comes to TM controls. A decision in 2020 provides a helpful illustration of what can happen when the governance around AML/CFT controls fail.
Tucker, the Bank and the Payday Loans Case – 2018
In January 2018, the U.S. Attorney’s Office for the Southern District of New York issued a press release announcing that Scott Tucker had been sentenced to 200 months in prison. Tucker was found guilty of operating an illegal internet payday lending company and laundering billions of dollars with a co-conspirator.
Tucker and his co-conspirator formed sham relationships with Native American tribes and laundered the funds through nominal tribal bank accounts to hide the true ownership and control of the business.
In 2018, the bank where Tucker opened these accounts (“Bank”), was fined by a US regulator $75m and agreed to forfeit $528m. Tucker had used the accounts to launder more than $2 billion dollars. The Bank entered a deferred prosecution agreement with a US regulator, whose conditions it fulfilled in February 2020.
Upon first read of this case, you’d be forgiven for thinking that Tucker‘s misuse of the bank was solely down to his having evaded its KYC or TM controls. But, in actual fact, the control shortcomings were a consequence of some serious AML/CFT governance failings.
Tucker and the Transaction Monitoring System
Tucker’s scheme generated more than $2 billion dollars in revenues and hundreds of millions of dollars in profits. Most of the money flowed through accounts that Tucker opened at the Bank.
Some of these accounts were described as operating accounts. These were used to pay business expenses for the scheme. Other accounts had been in play for some time. Tucker had opened them with banks who were later acquired by the Bank. Tucker opened other accounts in the names of companies described as being controlled by local tribal councils (“Tribal Companies”). He also opened accounts using Shellcos, again using different names.
Throughout this period, the Bank’s staff were unclear what the relationship was between Tucker and these companies. They were also not clear what his relationship was with the tribal councils and why he was operating the accounts for the Tribal Companies.
The outflows from the Tribal Company accounts showed that Tucker used the proceeds to finance the purchase of a vacation home worth tens of millions of dollars, luxury vehicles and the financing of a professional Ferrari racing team.
Sometimes, Tucker would layer the proceeds by routing payments for personal expenses from Tribal Companies’ accounts through other accounts he owned and controlled at the Bank before he made the payments for these items. These were not small transfers. At least some of them should have triggered an alert on the Bank’s TM system.
The Bank’s Transaction Monitoring System – Set-Up
The bank had set up its TM system to cap or limit the number of alerts generated on a monthly basis. The sole factor that informed it in making this decision was to minimise the number of alerts raised by the TM system.
The Bank’s Transaction Monitoring System – Investigation
The Bank had a “triage” process to decide which alerts to investigate. However, it had not formalised the procedure that was being followed until well after Tucker’s laundering activities were done. The Bank also did not have enough staff to work through the alerts to be triaged.
These two factors meant that the triage process resulted in only a small number of investigations. For example, in June 2013 over 57,000 customers’ transactions raised alerts on the TM system. Less than 100 of those customers were investigated. Other alerts were not prioritised on a risk-basis. This led to a significant backlog of alerts needing to be investigated.
At the same time, the Bank’s KYC information about Tucker and the entities for whom he opened accounts was a problem. The Bank’s staff did not have a clear idea about the relationship between the entities nor that Tucker was one of the controllers of all of them.
The Bank’s Transaction Monitoring System –Assurance
As part of its second line activities, the Bank undertook sample testing on transactions that fell below the TM’s alert threshold, to see whether any of them had signs of suspicious activity.
Over several years, the testing showed that a worrying number of these transactions had elements of suspicious activity that would have warranted the filing of a Suspicious Activity Report (“SAR”). The results of one sampling show that 26% of the transactions reviewed resulted in a SAR being filed.
The sample testing over the years found that the number of alerts below the threshold found to result in SARs was ranging between 30 – 80%. That is about 4 out of 5 sampled transactions not being picked up because of the way the alert threshold had been set up.
To solve the problem the Bank, via an TM oversight body called the “tuning” committee, decided the assurance testing should be ceased altogether. Similar to the “no testing = no bad results” rationale, the decision meant that the problem continued without resolution.
The Cause of the Non-Compliance by the Bank
It would be easy in this case to blame the way the TM system had been configured, to explain how Tucker was able to misuse the accounts he had at the Bank. But the real cause of the problem was the Bank’s governance of the TM system in the oversight of its AML/CFT compliance programme.
As the old saying goes, ‘the fish first starts to rot from the head’. Here are the key failings that led to a confluence of AML/CFT risks, that in part allowed Mr Tucker to launder money without detection:
A report prepared for the Chief Executive Officer was sanitised by the Chief Compliance Officer (“CCO”) to take out all the information about the problems with the TM set-up and replaced it with positive and praiseworthy information.
The number of staff investigating the alerts was insufficient given the Bank’s size and customer base, despite numerous reports, comments and even pleas from compliance staff about a lack of capacity to the CCO.
The compliance department did not receive adequate funding for computers needed to support the TM system. It was forced to delay upgrades to the TM system until after the versions being used had become obsolete.
The committee did not actually oversee the use of the TM system. Instead, it validated its use despite knowing its many problems.
Staff ignored an order by a new MLRO to change the TM alert set-up. Instead, fixed score thresholds were added that replicated the alert limits previously in place.
The Bank was told it needed to have its TM system independently validated but repeatedly made excuses and lied to the regulator to avoid doing so.
The Penny Finally Drops…
Some five years after Tucker started laundering proceeds through the Bank, a new MLRO raised concerns about the TM system with a newly appointed Chief Risk Officer (the “CRO”). In response, the CRO arranged for an external party to conduct an internal review. As a result of that review, the CCO was removed from having oversight over Corporate AML and offered a lesser position. He left the Bank. Other senior management also left.
The Damage Done
The Bank entered into a consent order with the regulator. As part of that order it undertook a “look back” review of its TM system. The look-back analysis of past transactions that had fallen below the TM system’s alert threshold generated an additional 24,179 alerts. These resulted in the filing of 2,121 SARs. The value of the transactions reported in these SARs was $719,465,772. Ouch.
The investigation into Tucker disclosed that the Bank had “allowed” Tucker to transfer almost $230 million from his criminal scheme into the Bank after the bank had decided that it needed to close the Tribal Company accounts, three years before the scam was revealed.
The Bank ended up spending more than $200 million in enhancements to its AML program, including software, technology and increased staffing. It increased its AML and related compliance staff by 156%.
Concluding Thoughts – Governance, TM Activity and Acting Quickly
The Tucker case is a cautionary tale. It reminds us about the importance of governance in an effective AML/CFT compliance programme. It also highlights that ensuring controls are effective should not be left to the business alone. Regulators expect that firms’ leadership make themselves aware of how its AML/CFT compliance programme is operating and where problems might be developing.
Essential, above all else, is acting quickly to react to potential control failures. Sometimes, as in this case, a problem is compounded so that additional support or assistance is needed to clear a backlog of reviews, be they KYC reviews or TM alerts. This might be combined with decisions about the suitability of the technology being used or the processes used when analysing the information generated by the system.
Whatever the combination of responses needed, the importance of governance should not be underestimated, no matter how much or how little you understand about the TM technology used by your firm. It’s the glue that can either make for a well-functioning AML/CFT compliance programme or, in its absence, putting a firm into a very sticky situation indeed.
If you want to read more about this case you can find it here.