Introduction
If you work for a regulated firm in the UK and other parts of Europe, you may have been part of discussions last year on whether to migrate some customers or even lines of business to one of your group’s businesses based in the European Union (“EU”), to maintain access to the EU market. These types of movements can also happen for other reasons – a parent company may decide to consolidate its operations and close-down regional offices or a business might decide to expand its customer base by purchasing a book of business from an existing company.
Law firms performing due diligence on these transactions will often investigate the level of regulatory risk involved. In some cases, a deal can mean that the company who assumes the acquired business also “inherits” its regulatory history – so if the business has failed to comply with its regulatory obligations in the past, those become the problem and liability of the business taking them on.
So, when it comes to financial crime risks, what should a regulated firm be thinking about from an AML/CFT compliance perspective? In one recent case, one bank’s failure to find out and act on those risks quickly, resulted in not one but TWO different jurisdictions fining them.
The Global Bank Gets Burnt Twice
Our case begins with a global bank (“Bank”) with operations in the Bailiwick of Guernsey. Sometime in 2012, a decision was made by the Bank to close a sister company which had been providing trust and company formation services for overseas high net worth customers (“HNWs”). The customers were then transferred to the Bank’s trust and company formation business in Guernsey (“Guernsey business”).
Two years after the transfer took place, the local regulator conducted a site examination of the Guernsey branch, and expressed its concern over the KYC held for the transferred customers, specifically their compliance with the local AML/CFT regulations.
Over the next two years, the branch was made the subject of enhanced supervision by the regulator, had conditions placed on its licence and eventually received a remediation order in 2016 compelling it to sort out the KYC held for the transferred customers.
Eventually, the Bank decided the Guernsey business should transfer the customers, this time to another group entity in Singapore.
In April 2021, the Bank was fined by the Guernsey regulator for a variety of AML/CFT failures related to those customers. A detailed public statement was published describing those failures.
The “Too Hot to Handle” Book of Business
So, what went so wrong that the Bank was fined not once, but twice (see the end of this article) for the same AML/CFT problems?
To understand what happened in this case, it’s first helpful to review the guidance offered by the UK’s Joint Money Laundering Steering Group (“JMLSG”). Although it does not apply to firms in Guernsey, it gives some insight as to what a firm should consider doing when it plans to acquire a business or a block of customers from an existing firm.
UK Guidance on Acquired Customers and KYC
In general, firms are not required to re-verify the identity of customers acquired in a business transaction if either (a) all underlying customer records are acquired with the business; or (b) the firm handing over the customers gives a warranty promising that everyone’s identity has been verified.
Even if either (a) or (b) is provided, the acquiring firm is still expected to try and test some of the customer files and assess the KYC undertaken and whether it would meet the UK’s Money Laundering Regulations (“MLRs”).[1]
If testing can’t be conducted or the testing results show the KYC falls short of the MLR’s requirements, steps should be taken, on a risk-basis, to resolve this. But, depending on the number of customers and the extent to which the KYC is vastly different from local requirements, this exercise could take months or even years to complete.
Bank Takes a Shortcut on Fireproofing Customer Files
Several months before the transfer occurred, a review of the Guernsey business showed that its compliance function was not sufficiently resourced, which was concerning because most of the business’ existing customers were rated high risk and required enhanced due diligence and monitoring on an ongoing basis.
Nonetheless at the end of 2012, the transfer proceeded. To try and cope with the resourcing challenges, the Bank instructed the Guernsey Operations to postpone any onboarding review of the customers for well over a year, into 2014. No consideration had been given to the AML policies and procedures that the business who’d originally onboarded the customers applied for KYC purposes. The Guernsey Operations’ compliance function was not included in the discussions that led to this decision.
The Too Hot to Handle Book of Business Catches Fire
The first error made was in trying to “guestimate” the time and effort involved in reviewing and remediating the customer files, without taking account of existing resourcing constraints the Operations Compliant function had been experiencing.
The Guernsey business, having no idea what was – or was not – in the customer files, began planning for these reviews at the start of 2014. They presumed that it would take them approximately three weeks to complete those reviews and get the KYC up to the standard required under the Guernsey AML/CFT regulations.
Three weeks? Given the deficiencies found, it took the Guernsey business three years to undertake and even then, were not able to fully break the back of the work required.
Why? It turned out that most of the customer files had serious financial crime and AML/CFT regulatory compliance problems. Approximately 97% of the customers’ KYC was not compliant with the Guernsey AML/CFT regulations.
“As part of its remediation of its whole client base, the Licensee [Guernsey business] identified that source of wealth/funds for $1.1billion of assets was not corroborated to a satisfactory standard reflective of the risks of those relationships.”Guernsey Financial Services Commission – Public Statement
These included customers who were family members of both former and current leaders of their home countries not being identified as politically exposed persons (“PEPs”) and whose source of wealth had not been established.
In another case, a HNW customer with an annual income of $400k/ year that was supposedly earned from working in the diamond trade, was subsequently identified several years later as having criminal connections.
The Book of Business is Passed on Like a Hot Potato
Several years after the transfer took place, the Guernsey business received a notice from most of the customers that they now wished for certain structures to be either closed or transferred to the Bank’s HNW business in Singapore.
In 2018, almost $1.4 BILLION in assets controlled by these customers were transferred. Staff at the Guernsey business raised concerns about the requested transfers and identified several reasons for them to be treated as suspicious, including reasons customers were giving for the transfers.
”The rationales given for some of the transfers were “undoubtedly implausible (in some cases there was no rationale whatsoever”), coupled with the “undue haste with which the clients wanted to transfer.”Public Statement – Guernsey Financial Services Commission
Despite this, no further action was taken to try and understand the rationale for the true motive behind the transfer requests, and instead the focus was on effecting the transfers as quickly as possible out of Guernsey and into Singapore.
“However, despite numerous red flags raised regarding the transfer of the clients, the Licensee then engaged in an unbalanced process to expedite the transfers”
Too Hot to Handle Book of Business Burnt a Second Time
In 2018, shortly after the transfers from Guernsey took place, the Monetary Authority of Singapore (“MAS”) issued a public statement announcing that it had imposed a fine of $5.2m on the Bank and its Singapore branch where the customers had been transferred. That statement stated the fine had been imposed related to the branch’s failure to comply with Singapore’s AML/CFT Regulations relating to the transferred customers.
MAS noted that the Bank’s Singapore branch had failed to raise questions about the timing of the transfers and how they related to the global implementation of the Common Reporting Standards (CRS) for the Automatic Exchange of Financial Account Information in Tax Matters.
To the Singapore branch’s credit, it did self-report the KYC deficiencies in these customer files once they had been transferred and had begun to take the necessary remedial action to resolve them.
Concluding Remarks
This case raises several interesting points for AML/CFT compliance functions to consider who may find themselves in a similar situation:
Don’t assume that internal reorganisation or business restructuring has fully taken account of possible AML/CFT risks. The onus is on the local compliance function to inform itself about the nature of the transaction and the level of transparency into the AML/CFT risks that might be present.
Set realistic targets for reviews. Is a root and branch review of every customer file warranted? Do you really have the time and resources to do this and does it reflect a “risk-based” approach?
Seek out help early. Financial crime risks do not go on “hold” because reviews run late, staff resign or BAU overtakes review work. If the deficiencies discovered suggest a systemic problem well beyond what was anticipated, consider enlisting additional specialist help so that the risks present can be quickly identified, addressed and controls properly applied.
Keep an eye out in the near future where we’ll dive a little deeper into this case and my friend and professional colleague, Jayne Newton, Head of Regulatory Affairs, will reveal more about what motivated these customers to move jurisdictions, not once but twice, over a 4 year period.
[1] JMLSG, Part I paragraph 5.3.21 [Accessed July 2021 at: https://jmlsg.org.uk/guidance/current-guidance/