On 25 August 2022, the Financial Services Regulatory Authority ("FSRA") of the Abu Dhabi Global Market ("ADGM") issued a final notice (the "Final Notice") imposing a penalty of US$360,000 on Wise Nuqud Ltd ("Wise"), a provider of money transfer services, for failures in its anti‑money laundering and counter terrorist financing ("AML") policies, procedures, and controls.
While the Final Notice will be of particular interest to other money services providers, it may also provide useful insights for a broader range of financial service providers and other entities that are subject to AML regulation (together, "Relevant Persons"), whether within the ADGM, the wider UAE, or beyond. The action forms part of a trend of increased AML enforcement action across the UAE, and internationally, making the lessons that can be taken from such insights increasingly valuable when fed into a Relevant Person's ongoing assessment of its own AML systems and controls.
In the UAE, the recent uptick in AML enforcement is explained in no small part by the UAE's commitment, as part of its Financial Action Task Force ("FATF") action plan, to demonstrate a sustained increase in effective investigations and prosecutions of different types of money laundering cases, consistent with the UAE's risk profile. That upward trend is very likely to continue and provides increased impetus for Relevant Persons operating in the UAE to pay careful attention to their own AML obligations.
This enhanced UAE focus is mirrored internationally in the AML enforcement action taken by regulators against both traditional retail banks and newer market entrants (typically those using digital channels), evidencing a clear ambition to drive improvements in AML compliance globally. With that in mind, this Briefing Note sets out some key lessons that can be taken from the Final Notice that other Relevant Persons, both within the UAE and internationally, may find of interest.
Summary of the action taken against Wise
Wise was granted an FSRA licence in July 2019, permitting it to provide money services in or from the ADGM. Wise's primary business is the provision of cross border money transfers for personal and small business customers.
The FSRA determined that Wise had failed to establish and maintain adequate AML policies, procedures, systems, and controls to ensure compliance with the AML regulations applicable in the ADGM. Those failings persisted for more than two years, from around the time Wise was granted its FSRA licence through to September 2021.
In particular, the FSRA found that Wise had failed to take sufficient steps to:
- Complete enhanced due diligence ("EDD") on customers Wise had assessed as being high risk ("Assessed High Risk Customers"), which should have involved identifying and verifying the source of funds and source of wealth for each of those customers, prior to undertaking any transactions for them;
- Obtain the approval of senior management before establishing a business relationship with Assessed High Risk Customers. Wise had outsourced that approval decision to another group entity. While that can be appropriate, Wise had done so without implementing adequate governance of that outsourcing arrangement;
- Assess and consider a customer's nationality as part of the risk-based assessment of that customer; and
- Obtain and assess expected payment volumes when conducting risk assessment and customer due diligence ("CDD") checks that should have allowed it to understand the intended nature of the customer's relationship.
As a result of those failings, the FSRA imposed a financial penalty of US$360,000, which reflected a 20% discount in recognition of Wise's agreement to settle the matter at an early stage. In determining the level of the penalty, the FSRA also took into account, as mitigating factors, that Wise acknowledged the FSRA's concerns at an early stage and was open and co-operative in taking significant steps to remediate those concerns.
Key lessons from the Final Notice
1. Where EDD is required, it must be completed in full prior to undertaking a transaction for a customer. That requirement cannot be offset by introducing volume-based thresholds or other risk controls.
Wise was required to fulfil all its EDD requirements for Assessed High Risk Customers, including identifying and verifying their source of funds and source of wealth, prior to undertaking any transaction for them. Rather than doing so in all cases, the FSRA found that Wise had implemented a process whereby it would only identify and verify the source of funds and source of wealth for Assessed High Risk Customers once their payments met a certain threshold over a rolling 28-day period. The result was that Wise breached the requirement to complete EDD on approximately 1,532 Assessed High Risk Customers, prior to allowing them to conduct transactions.
2. In circumstances where it is appropriate to introduce volume-based thresholds, those thresholds should be set at an appropriate level.
While it was not appropriate for Wise to introduce transaction thresholds as a hurdle to completing EDD, the FSRA noted that, in any event, it considered the thresholds Wise used to be inadequate to serve as an effective risk mitigant. The FSRA considered the threshold used to be too high compared to the average transaction value, which meant that it was rarely triggered in practice.
That serves as a reminder to all Relevant Persons to consider whether any similar thresholds they apply in appropriate circumstances are calibrated to reflect the nature, scale, risk and complexity of the transactions they are used to monitor and their overall business.
3. Allowing transactions to be funded only through regulated bank accounts and debit cards is an effective risk mitigant, but does not excuse breaching applicable rules.
The Final Notice explicitly acknowledges that Wise's process of only allowing its customers to fund transactions through regulated bank accounts or debit cards, and not allowing them to maintain account balances, did serve to mitigate in part the risk or impact associated with its EDD failings. While that acknowledgement did not excuse the failings, it is always helpful for a Relevant Person to be able to identify and highlight the mitigating effect other systems and controls have had where a breach is discovered.
4. It can be permissible for senior management to outsource or delegate decisions on accepting high risk customers, but only where adequate governance of that arrangement is in place.
The FSRA found that Wise had failed to ensure that senior management approval was obtained, prior to Wise commencing a business relationship with an Assessed High Risk Customer. Instead, it outsourced that approval to an EDD team elsewhere in the Wise group. The FSRA recognised that Wise was permitted to outsource those decisions to a suitably qualified individual or committee within its group, but took issue with the governance around that arrangement. In particular, the FSRA highlighted that, while a written outsourcing agreement was in place for the Wise group EDD team to undertake EDD on Assessed High Risk Customers, it did not specifically cover that team granting the required senior management approval for the business relationship to commence.
This is an area that has been considered in several jurisdictions. As with all outsourcing arrangements, it is important to keep in mind that it comprises the delegation of a role, not the abdication of responsibility. Having clear, recorded and monitored boundaries to the role(s) outsourced is critical.
5. The nationality of customers must factor into the risk assessment process, even when similar information is being considered.
The FSRA's AML rules explicitly require Relevant Persons to identify and assess the nationality of a customer and any beneficial owners when undertaking a risk-based assessment of that customer (reflecting an overarching requirement contained in the UAE's Federal AML regulations). While the FSRA recognised that Wise's failing was mitigated to an extent by the consideration of other related risk factors, such as a customer's residence, address and IP location, the failure to specifically consider nationality was still sufficient to constitute a breach.
6. Consideration of the intended nature of a customer's relationship must be sufficient to establish a baseline against which transactions can be monitored.
Wise was required to assess, understand, and consider the purpose and intended nature of the business relationship with a customer as part of its risk assessment and CDD measures. While Wise did obtain information on the purpose of a customer's account as part of its onboarding process, the FSRA found that Wise did not adequately consider the intended nature of the business relationship for personal customers, as it did not obtain information on the expected volumes of business the customer would conduct. The consequence of that failing was to hamper the benefit of the processes that Wise had in place to monitor the volume of transactions conducted by a customer, as there was no baseline of expected activity against which to consider that transaction volume.
Internationally, there is a pattern of regulators taking issue with poor practice in transaction monitoring. In August 2022, the Monetary Authority of Singapore ("MAS") published an information paper based on thematic inspections and aimed at strengthening AML practices among external asset managers ("EAMs"). In a list of inadequacies MAS observed in transaction monitoring frameworks, it called out as poor practice that some EAMs did not establish any parameters, thresholds and/or tailor the frequency of review to different customer risk profiles, hampering their ability to identify suspicious, complex or unusual transactions or patterns of transactions.
The UK Financial Conduct Authority ("FCA") addressed a similar issue, the failure to conduct continuous monitoring of overseas banks, in a Final Notice issued against Ghana International Bank Plc ("GIB") in June 2022. GIB was fined close to GBP 6,000,000 for poor anti-money laundering and counter-terrorist financing controls in relation to its correspondent banking activities. In turn, that decision mirrored similar failings identified in the criminal sentencing of NatWest Bank Plc on 13 December 2021 and in the FCA imposing a fine (the next day) of close to GBP 64 million on HSBC Bank Plc.
7. Where material issues are identified by a regulator, cooperation and prompt remediation are often the best approach to mitigation.
It is clear from the Final Notice that, once the FSRA raised issues with Wise's AML systems and controls, Wise engaged with its regulator in an open and cooperative manner and took significant action to remediate those issues. Importantly, Wise also ceased onboarding new business customers while its remedial action was ongoing, to mitigate risk while it put its house in order. That approach was explicitly recognised as a mitigating factor that reduced the penalty imposed by the FSRA.
Where clear and material issues are identified within a Relevant Person's systems and controls, it is often well served by taking a similar approach to preventing any ongoing harm while working cooperatively with the regulator to scope and action a thorough remediation exercise. Not only does that factor positively into any assessment of a financial penalty, but it also assists in mitigating the extent of any reputational impact, while offering the relevant regulator reassurance of ongoing fitness and propriety.
Wider sector and international significance
AML enforcement involving financial services provided through digital channels has become an increasingly common area of focus for regulators internationally.
In the UK, the FCA has been particularly alive to instances of AML failings across the banking sector. In 2020, the UK National Risk Assessment of Money Laundering and Terrorist Financing ("UK NRA") raised concerns that the fast onboarding processes offered by challenger banks make them attractive to criminals, especially those conducting money mule networks. Challenger banks are generally those established with the aim of winning market share from traditional high street retail banks, through the use of technology and more up-to-date IT systems. The concerns raised in the UK NRA prompted an FCA review of the financial crime controls at six challenger banks (the "CB Review"), which was published in April of this year. The CB Review also identified weaknesses relating to EDD. The FCA found the banks had been inconsistent in the application of their EDD processes and lacked a formal, documented procedure to apply in higher risk circumstances, for example when dealing with politically exposed persons.
In addition, the CB Review identified weaknesses in the conduct of CDD, where most of the banks reviewed did not obtain details about customer income and occupation, reminiscent of key lessons five and six above. In the FCA's view, these weaknesses resulted in an incomplete picture of the purpose and intended nature of the customer relationship. The FCA has said that it will continue to monitor compliance in this area and consider appropriate next steps, including enforcement, as necessary.
In France, most enforcement proceedings on AML issues by the Autorité de Contrôle Prudentiel et de Résolution (“ACPR”) still target traditional players such as banks (including French branches of foreign banks) and insurance companies, but over the last few years payment and electronic money institutions have drawn increasing attention from the regulator. Examples include the ACPR Enforcement Committee’s decision against W-HA dated 1 March 2022, imposing a reprimand and €700,000 fine; and a decision dated 22 December 2020 against Mangopay, imposing a reprimand and €150,000 fine.
The ACPR pays close attention to how payment and electronic money service providers comply with CDD requirements (e.g. by gathering information on the client’s income, financial situation and occupation), in light of their fast onboarding of clients, which usually takes place online. The ACPR considers failures in this regard to impact the ability of those entities to monitor accounts properly and identify unusual transactions. Other more formal pillars of the entities' AML systems and controls, such as internal procedures and risk classification, are also examined to ensure their suitability for the activity concerned (taking into account the nature of the products or services offered, the proposed conditions for the transactions, the distribution channels used, the type of clients and the country of origin or destination of the funds). The ACPR may challenge the effectiveness of the relevant monitoring systems and tools, where it considers that parameters, thresholds or scenarios have been set at levels that are inappropriate in light of the specific activities being conducted. Finally, the ACPR takes a detailed and practical approach to analysing potential failures to report suspicious transactions or to carry out enhanced due diligence, on a case-by-case basis. This generally involves the ACPR scrutinising relatively large samples of client files or transactions in such proceedings.
Elsewhere globally, Japan's Kanto Local Finance Bureau issued a business improvement order against the Japanese subsidiary of Revolut, citing "serious problems" in the firm's controls. Those problems included undeveloped money laundering and terrorist financing checks and risk management. The subsidiary has been ordered to report its progress quarterly to the regulator until those issues have been remediated.
Conclusion
We hope this briefing note serves as a helpful digest of key lessons that regulated entities can take away from recent enforcement action. If you would like to discuss how those lessons might usefully read across to your own business, your approach to regulatory interactions, or AML related matters generally, please reach out to your usual contact at Stephenson Harwood, or any of the key contacts listed for this particular article.