A recent final notice issued to Canara Bank reinforces the FCA’s expectations of the standard of AML compliance for London branches or subsidiaries of foreign banks.
In our earlier note (Branch AML systems and controls in the spotlight here) we identified the FCA’s key themes when assessing the financial crime systems and controls of London branches of subsidiaries of EEA and non-EEA headquartered financial institutions. These themes were borne out by the recent enforcement action taken against the Indian state-owned Canara Bank (Canara).
The Canara Final Notice
Canara’s AML systems and controls were assessed by the FCA through firm visits in November 2012, March 2013 and April 2015 and the appointment of a skilled person in late 2015.
The June 2018 Final Notice found that from 2012 to 2016 Canara had failed to implement adequate AML systems and controls and further failed to address weaknesses that the FCA had previously identified in its AML systems and controls. The FCA found that these amount to a breach of Principle 3 (the duty on firms to take reasonable care to organise and control its affairs responsibly and effectively). The FCA agreed a fine of £896,100 with Canara and imposed a restriction on accepting deposits from new customers for a period of 147 days.
Governance and senior management responsibility
In our previous note we summarised the FCA’s expectations of senior management regarding:
- understanding and managing financial crime risk
- implementing appropriate procedures for the UK market, and
- where necessary, providing challenge to and independence from head office.
The FCA found that Canara’s senior management had failed to create a culture within Canara which ensured that the importance of AML issues was embedded at all levels of the UK business and failed to ensure that adequate AML systems and controls were in place. This was particularly serious given earlier criticisms made by the FCA of the bank during previous visits.
More specifically, the FCA cited the following factors as contributing to the action taken against Canara:
- Canara’s practice of seconding staff from its Head Office in India to fill senior management positions in the UK resulted in senior management having an insufficient understanding of the UK’s legal and regulatory AML environment.
- Senior management reporting lines were unclear and allocated areas of responsibility contradicted what happened in practice.
- There was no forum in which issues of compliance with financial crime regulation was formally discussed.
Enhanced Due Diligence (EDD)
The FCA identified significant shortcomings in Canara’s application of EDD to its high-risk customer files. The FCA found that Canara’s AML Manual 2014 was silent on the EDD to be conducted for buyer’s credit customers and did not require UBOs to be checked for sanction compliance or establish a process by which PEPs and sanction alerts were to be investigated.
A file review which the FCA conducted during a visit revealed eight “high risk” files which had been originally on-boarded as “standard risk”. However, the FCA said that it was unclear on the face of the files why the risk rating had been re-classified. Further, the skilled person found that Canara was not applying EDD to files classified as high risk.
- Consistent with the Sonali Bank Final Notice here, the Canara Final Notice shows the FCA’s willingness to impose restrictions on business activities (in addition to financial penalties) where a firm’s failure to implement adequate financial crime systems and controls is considered particularly serious. The Final Notice makes clear that Canara had been given ample opportunity to effect enhancements.
- The Final Notices again signals that senior management are responsible for embedding a culture of compliance with financial crime regulation. This gives rise to considerations around the design of a firm’s corporate governance structure, such as the need to establish an appropriate forum in which AML legal and regulatory issues can be discussed with the Branch Senior Manager Function holder (SMF21).
- Where senior managers are seconded into the jurisdiction, often from the head office, it is important that they are given training to ensure that they have a sufficient understanding of the UK’s legal and regulatory AML environment and appreciate the importance of independence from, and challenge to, head office.
- EDD procedures must be appropriate to the operations and risks of the UK business and implemented. EDD steps and the rationale for classifying customers as high risk (particularly if an event gives rise to that decision being re-evaluated) should be documented and readily available. High risk customer files should be well organised so that the FCA can understand the steps taken by the firm to identify a customer’s source of wealth, source of funds and any financial crime red flags.
- The FCA will continue to come down hard on firms which fail to respond, in order to remediate matters identified by the FCA during firm visits. In order to avoid enforcement action, firms which are the subject of FCA scrutiny and criticism need to develop and implement effective programs to remediate issues identified during FCA visits, or during the ordinary course of supervision.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.