On 12 October 2016 the Financial Conduct Authority (FCA) issued a Final Notice against Sonali Bank (UK) Limited (SBUK), the UK subsidiary of Bangladesh-based Sonali Bank Limited. The Notice is a timely reminder for authorised firms that weak financial crime controls, in the FCA's view, strike at the heart of the UK's financial services sector.
While the financial penalty (£3,250,600) is relatively substantial, it is the FCA's decision to impose a 168-day ban on accepting deposits from new customers which stands out. The FCA believes that this restriction on SBUK's ability to conduct the regulated activity of accepting deposits "will be a more effective and persuasive deterrent than a financial penalty alone." Given the severity of the sanction, which will undoubtedly impair SBUK's day-to-day operations, it certainly should give the entire sector pause for reflection.
So what did SBUK do wrong?
Financial crime controls ought to be integral to any financial institution's governance structure. And yet, the FCA found that between August 2010 and July 2014 SBUK failed to ensure that robust AML controls were embedded at all levels of its business.
Of particular note:
- The board ignored repeated warnings from board members and internal auditors that the systems were inadequate.
- The MLRO function was under-resourced, undermining its ability to exercise effective oversight of the business.
- Reporting lines were unclear, procedures high-level and training deficient.
- Front-line staff responsible for conducting client due diligence (standard and enhanced), monitoring transactions and customer relationships, and escalating suspicious activity reports, did not therefore execute their duties adequately.
The Notice states that the FCA visited SBUK in 2010 and 2014 in connection with thematic work into financial crime controls. In the course of its earlier visit the FCA informed SBUK of its "serious concerns" with its AML systems. Although SBUK subsequently implemented a remediation plan, it was far from adequate. So much so, when the FCA returned in 2014 it again found "serious AML failings".
A Skilled Person was subsequently appointed to run the rule over SBUK's AML systems. Its report concluded that failings were "systemic" and that there was a "lack of understanding and implementation of systems and controls throughout the Bank".
These deficiencies contributed to a breach of Principle 3 of the FCA's Principles for Businesses (PRIN) i.e. a failure to take reasonable care to organise and control the firm's affairs responsibly and effectively, with adequate risk management systems.
Compounding this breach, the Notice also criticises SBUK for failing to notify the FCA of a potential fraud in a timely manner (in contravention of Principle 11 of PRIN).
What about you?
Aon, Willis, Besso, Barclays, SBUK…each case is proof positive that the FCA places a premium on robust financial crime controls. Indeed, the first substantive paragraph of SBUK's Final Notice begins with "Financial services firms are at risk of being abused by those seeking to launder the proceeds of crime or to finance terrorism. This undermines the integrity of the UK financial services sector." (Our emphasis)
The FCA does not, therefore, see your firm in isolation. Quite the contrary; it sees your business as part of the complex and intricate network that is the UK's financial services sector. You are inextricably linked to the sector's integrity.
This being the case, it is not surprising that the FCA should focus so much on preventing the spread of financial crime through firms which operate shoddy controls. And it is not as if the FCA need wait for the SFO or other authority to prove that financial crime took place. The failure effectively to manage the risk is sufficient.
As the SBUK Final Notice makes clear, the FCA expects firms to sit up and take note. Failure to do so could result not only in financial penalties and damaging PR, but severe disruption to your day-to-day operations.