By Prof Keith Stanton, Professor of Law (University of Bristol Law School).
It has not been a good few weeks for the banking industry. In America Wells Fargo has been rocked by a scandal in which staff have been found to have fraudulently opened accounts for customers as a way of meeting sales targets. Deutsche Bank has teetered on the brink of disaster as a result of the size of the penalty it is facing in the US for misselling mortgage bonds. In Singapore the Monetary Authority has penalised two banks for anti-money laundering failures and control lapses and has withdrawn the license of a third bank for such failures. For once, the major UK based banks have been out of the headlines. However, the Financial Conduct Authority has added to the picture by penalising the Bangladeshi Sonali Bank (UK) Ltd £3.11 million and Steven Smith, the bank’s Compliance Officer and Money Laundering Reporting Officer (MLRO) a further £17,900 for anti money laundering (AML) failures. The bank was also prohibited from accepting deposits from new customers for a period of 168 days and Smith prohibited from performing a range of functions in the industry.
The Sonali Bank decisions are further examples of the FCA using its enforcement powers to send messages to the industry. It is part of the attempt to change the culture in banking and to reduce, if not eliminate, risk which might threaten the integrity of the banking system as a whole. It is widely accepted that money laundering poses a significant threat to the integrity of the financial system. As a result, firms are required to adopt rigorous controls aimed at minimising the risk of money laundering occurring. The facts of Sonali concerned these AML obligations. The case is a good example of the fact that the criminal offences which are commonly said to place banks under a stringent obligation to guard against money laundering are, in practice, of much less significance than regulatory action concerning failures taken by the FCA.
The FCA had first identified weaknesses in the firm’s AML procedures in 2010 when visiting it in the course of its thematic review of the subject. Follow up work in January 2014 subsequently revealed that adequate remedial measures had not been taken. A ‘Skilled Person’ was appointed to review the situation. Enforcement action was commenced when the ‘Skilled Person’ reported in July 2014 that there were systemic AML failings resulting from poor systems and controls throughout the bank.
The penalties imposed on Sonali Bank were based on a finding that it had breached Principle 3 of the FCA’s Principles for Businesses. This is a wide, catch all, provision which requires a bank to ‘take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.’ The FCA in its Final Notice to Sonali made only passing reference to the detailed AML obligations laid down in the Money Laundering Regulations 2007. The breach was found to follow from a failure to respond to warnings from the FCA, board members and the firm’s Internal Auditors. The firm had failed to give adequate oversight to the AML function which had been under resourced. The result was that: staff had received inadequate training and guidance; the due diligence procedures applied to new customers were inadequate and that the low level of suspicious activity reports (SARs) being made by staff was not questioned. Underpinning all of this was a failure of senior management to focus their attention on the issue and to encourage a culture of compliance with the regulations.
The additional penalty of a limited ban on receiving deposits from new customers is an interesting development which has not been seen before in this area. The FCA justified doing this as a ‘more effective and persuasive deterrent than the imposition of a financial penalty alone.’ The failings had occurred in spite of the Authority’s previously expressed concerns and the problem had been widespread across the bank. Smith’s personal liability was established in two familiar ways. First, he was held to be in breach of Statement of Principle 6 of the FCA’s Statements of Principle and Code of Practice for Approved Persons (which has now been replaced, in similar terms by provisions of the new Individual Conduct Rules). This required that an approved person performing an accountable higher management function exercise due skill, care and diligence in managing the business of the firm for which he was responsible in performing that function. Secondly, he was held liable under section 66A(3) of the Financial Services and Markets Act 2000 for having been knowingly concerned in the bank’s breach of Principle 3.
It is clear that Smith faced a difficult situation when he took on the MLRO role at the bank and that he was given too much work to do and insufficient resources with which to do it. Nonetheless, the FCA held that his performance did not come up to the required standard. He was held to have failed to put adequate AML controls in place in spite of the concerns raised by the FCA and the internal auditors and had actually reassured the board and senior management that the controls in place were working effectively. He had failed to ensure that the firm’s compliance was monitored adequately with the result that staff were left with an inadequate understanding of their AML responsibilities. He had failed to investigate the reason for the ‘surprising’ lack of SARs. Significantly, the authority listed a number of measures which had been open to him to counter the lack of support which his function was getting from the firm’s senior management. The prohibition from conducting equivalent roles in the industry in the future which was imposed on him was justified by the serious lack of competence and capability which he had shown in his role at Sonali.
The action taken against Smith is an example of the FCA’s policy of taking enforcement action against individuals as well as against firms. It is part of its ‘credible deterrence’ approach to regulatory enforcement. However, there is no evidence that anyone else at the bank is facing personal liability. If this is the case, we have a further example of an ‘HBOS’ problem. Those at the top of the bank escape liability because of the difficulty of attributing ‘personal culpability’ to any individual senior manager, whereas those further down the management chain are subject to financial penalties and prohibition orders. If this is the case, it is ironic that the FCA states in its findings that senior management must give a lead to staff in demonstrating a culture supporting effective regulation. However, it is possible that some matters concerning this case are not yet in the public domain.
The rules on the personal liability of senior managers were tightened up with the introduction of the new Senior Managers Regime earlier this year. Under the new regime in order to establish liability at the highest level of the bank it would need to be proved (under section 66A(5)(d) of the revised Financial Services and Markets Act 2000), the burden of proof being on the regulator, that an individual ‘did not take such steps as a person in the senior manager’s position could reasonably be expected to take to avoid the contravention occurring (or continuing).’ Given the quantity of information which had reached the board and senior management of Sonali Bank about the problems concerning AML processes, it seems possible that this burden would have been satisfied.
In summary, this decision is a good example of the way in which the FCA is taking the lead role in the enforcement of the AML requirements. More generally, it shows how senior management are expected by the FCA to take responsibility for the culture within their firms and that compliance with regulatory requirements, such as those relating to money laundering, is a central part of that culture.