In March 2012, the UK Financial Services Authority (FSA) fined Coutts & Company (Coutts) £8.75 million for failing to establish and maintain effective anti-money laundering (AML) systems and controls relating to high-risk customers. These failings, according to the FSA's press release, were "serious, systemic and were allowed to persist for almost three years. They resulted in an unacceptable risk of Coutts handling the proceeds of crime." The acting director of enforcement and financial crime, Tracey McDermott, said "Coutts' failings were significant, widespread and unacceptable. Its conduct fell well below the standards we expect and the size of the financial penalty demonstrates how seriously we view its failures."
This is the largest AML fine levied to date by the FSA. Notably, the FSA did not find that actual money laundering had taken place; it stressed instead that there was an unacceptable risk that it may have. Because Coutts agreed to settle at an early stage, it qualified for a 30 percent discount on the total fine, which would otherwise have been £12.5 million. The FSA also recognized that Coutts had implemented a number of improvements and recommendations, including significant remediation of customer files for Politically Exposed Persons (PEPs) and other high-risk customers.
The penalty follows a thematic review of banks' management of high-risk money laundering situations, which focused, among other things, on the weaknesses of the controls in place to mitigate the risks posed by PEPs. It shows that the FSA intends to rigorously protect the British financial system while it is still the cop on the beat.
So what can we learn from this penalty and, more importantly, what can financial institutions do to prevent similar events in their own firms? A review of the Final Notice (available at http://www.fsa.gov.uk/static/pubs/final/coutts-mar12.pdf) shows several key areas of concern, many of which relate to specific breaches of the Money Laundering Regulations 2007 and the Joint Money Laundering Steering Group (JMLSG) Guidance.
Background on Coutts
Coutts is a wholly owned subsidiary of the Royal Bank of Scotland (RBS), providing private banking services primarily to high-net-worth individuals and businesses. In 2010, the FSA conducted a thematic review of how banks address the risks posed by high-risk customers, including PEPs. Following this review, the FSA returned to Coutts to sample additional high-risk customer files, examining 103 files comprising 55 PEPs and 48 other high-risk customers. The relevant period covered by the examination spanned almost three years, from December 2007 to November 2010.
PEP Identification in Prospective and Existing Customers
At Coutts, each new customer was assigned a private banker who managed the relationship. The private banker was responsible for the initial determination of whether a prospective customer was a PEP, based on information obtained from the customer and on PEP screening software. Those identified as PEPs were then referred to the AML team for approval. However, in 2011, after the relevant period, Coutts discovered that approximately 20 percent of its high-risk customer population had not been correctly assessed or recorded as PEPs. It identified 233 additional customers and beneficial owners who were PEPs under Coutts' own definition; 93 of these also fell within the narrower definition of PEP in the 2007 Regulations, and 41 of those 93 had established new relationships during the relevant period.
Coutts also created a new business team that served as a quality assurance group, checking the documents gathered during the account opening process. This check was in addition to the review by the AML team. While the new business team had received some AML training, it had no formal AML expertise, and as a result it failed to detect the flaws that were later uncovered in the FSA's file review.
Coutts' assessment and detection processes were flawed. A solid quality assurance process performed by knowledgeable staff could have prevented a significant portion of this issue, as could enhanced independent screening for PEPs. Because PEPs are high-risk customers who require additional due diligence, a private banker who identifies a PEP creates more work for himself or herself. Given the general industry trend toward aggressive sales goals, it is therefore in the private banker's interest to do the minimum amount of work necessary to bring a customer into the firm; having the private banker act as his or her own reviewer is not a strong independent control. Regulators are increasingly expecting stronger controls for higher-risk customers, so additional controls, and in particular clearly independent approval or review of such customers, should be in place. Although Coutts had some of this, additional independent controls and a stronger quality assurance process would have helped.
Due Diligence on Customers
Private bankers were responsible for collecting due diligence on all customers, and Coutts had several controls in place to review this information. High-risk customers were subject to approval by the AML team. Nevertheless, in its file review the FSA identified due diligence failures for 62 percent of the 61 customers taken on during the relevant period. These failures meant Coutts could not fully understand the money laundering risks associated with these customers or assess and address those risks appropriately.
Some of the failings resulted from inadequate questioning of complex or opaque ownership structures and from not gathering enough information on the customer's business activities or the intended purpose of the relationship with Coutts. Further, while Coutts' procedures required enhanced due diligence for high-risk customers, they gave the private banker no guidance on what steps to take in these situations. The process did involve a checklist created by the AML team to facilitate customer due diligence, but the checklist did not help the private banker determine a customer's source of wealth and source of funds. As a result, 57 percent of the files reviewed by the FSA for customers taken on during the relevant period were found to have enhanced due diligence flaws.
Private bankers are primarily salespeople, not compliance experts; the above results should not be a surprise given that the bankers were left to their own devices to determine what constituted appropriate "enhanced" due diligence. To address these failings, Coutts should have provided additional training and guidance. One of the cornerstones of an AML program is adequate training, so that employees know what they need to do and how to do it. Clearly articulating what was expected would have left no doubt about what was necessary, even if the guidance was simply to contact the AML team for further instructions. Here again, an independent quality assurance program could have prevented a significant portion of these issues.
Effectiveness of AML Team Reviews
The AML team reviewed 5 percent of new customer files to determine whether customers had been appropriately assessed as PEPs or high risk, and detected no incorrect categorizations. During the relevant period, the AML team declined only 35 of 700 formal requests from private bankers (approximately five percent), although a number of other informal requests were declined before they became formal requests. The FSA found the AML team to be overly reliant on the reputation and experience of the private bankers when assessing customers, which made it an ineffective control over them. In some cases the AML team relied on private bankers who had failed to collect information that would otherwise have revealed serious criminal allegations against the customers; those allegations came to light only when the customers applied for services from parts of RBS outside Coutts. There were even instances where credible adverse intelligence alleging criminal activity was found, yet the customers were approved without proper consideration of further risk-mitigating steps.
In addition, in 2009 Coutts reduced the level of approval required for high-risk customers: where approval from the Risk department, above the AML team, had previously been required, approval by the AML team alone became sufficient. The FSA noted this as a "diminution in the rigour of the AML approval and control process…despite the fact that… [Coutts] aimed to expand its international customer base, including in jurisdictions which posed increased risks of money laundering and corruption." This is of particular concern given that Coutts' primary business is private banking, generally regarded as a high-risk product in its own right.
Although the Final Notice does not say so explicitly, it appears that the AML team may not have been sufficiently independent of the line of business it was supposed to oversee. This is an increasingly prominent theme in enforcement actions, which stress the importance of compliance and risk management. Generally, when a company's AML compliance function does not challenge adverse information linking customers to criminal activity, it indicates either that the company values profits over risk mitigation or that it has not sufficiently empowered the compliance function. In addition to stressing the need for independent compliance staff, regulators are increasingly stressing that management must set the tone at the institution that compliance matters, even if that means losing some business. A stronger compliance culture would have significantly reduced the risk to Coutts.
Ongoing Monitoring of High-Risk Customers
Coutts was found to have serious shortcomings in the ongoing monitoring of 49 percent of the customer files reviewed by the FSA, primarily a failure to keep customer information up to date. This happened even though specific periodic reviews of PEP and other high-risk customer files had been implemented, and it led to a failure to adequately assess the risks posed by customers and to take appropriate steps to mitigate them.
Part of the problem was that the FSA could not tell from the files whether any changes had occurred, in some cases for years. Whether this reflects a failure by Coutts to update its records or merely an inability to show when changes were made is not clear from the Final Notice, but it demonstrates that the FSA expects to see evidence that a review occurred, even if no changes were made. The FSA found a number of cases where no changes were noted in the file but, in fact, the private banker had not even requested updated information. In other cases, the private banker reviewed the customer information and noted gaps, but no steps were taken to rectify them. Compounding the problem, the annual review process for PEPs did not give private bankers sufficient guidance on how to perform the review properly.
Coutts also held semi-annual senior management meetings, involving the private banking team, the AML team, Risk and the firm's senior executive, to review PEP customers. The minutes of these meetings, however, indicate that most of the time was spent on administrative matters rather than on whether customer due diligence deficiencies or other adverse information had been identified and what steps should be taken in response.
Another key issue was that there was no central repository of customer information that would give the private banker a consolidated view of the customer and the associated risks. This information was spread across a number of separate systems, making it difficult for the private banker to form a clear picture of the overall risk. Although Coutts had begun developing a new system to consolidate this information, it did not instruct private bankers to check all relevant systems in order to build a consolidated view of the customer.
Coutts also conducted both automated and manual monitoring of its PEPs' activity. The manual monitoring involved the private banker assessing the details of large transactions against the customer due diligence information and certifying annually that he or she had reviewed all transactions for the previous year and found no suspicion of money laundering. However, the FSA found a number of cases where transactions exceeded the expected activity for the customer and were not detected by Coutts' processes.
Clearly, the regulatory expectation is enhanced monitoring for higher-risk customers. Coutts attempted this with a mix of manual and automated systems, but the mix was not sufficient. Manual transaction monitoring can generally only supplement automated monitoring, especially at an institution of Coutts' scale. The most effective automated approach here would be proper identification of high-risk customers and their escalation to a more focused form of monitoring, which requires careful analysis and calibration of the systems to address the particular risks presented by the higher-risk population. Further, a consolidated view of customer information across the enterprise is key to developing a true picture of the entire customer relationship and of the risks posed to the enterprise as a whole, not just to its component parts.
Failure to Detect the Issues
Coutts conducted gap analyses of its AML procedures in 2007, 2008 and 2009, identifying gaps in keeping information up to date for some low-risk customers. It did not do the same for high-risk customers, despite the 2007 Regulations requiring it. The Final Notice also indicates that the failings noted by the FSA persisted for almost three years without being identified by Coutts.
Institutions are expected to identify compliance issues before the regulators do. As noted earlier, effective independent quality assurance, also known as monitoring and/or testing, is a key part of this, as is an independent audit function, generally regarded as one of the four pillars of an AML program. A stronger compliance culture would have included more of this kind of independent testing to detect issues of this type. Dealing with internal second-guessing of decisions may be somewhat troublesome, but it is certainly better than having an external authority do the same, hand down a multi-million pound fine, and publish a very public notice about it.
Many of the FSA's expectations of Coutts mirror those in the United States Federal Reserve Board's Supervision and Regulation Letter 08-08, which stresses an enterprise-wide culture of compliance, governance, the independence of the compliance function, and monitoring and testing of compliance. These principles become more important as institutions grow larger and more complex and as more attention is focused on higher-risk AML areas and appropriate risk mitigation. As acting director McDermott said, "it is…particularly disappointing that Coutts failed to take appropriate steps to manage its AML risks. This penalty should serve as a warning to other firms that, not only should they ensure they constantly review and adapt their controls to changing financial crime risks within their businesses, but that they must also make changes to reflect changing regulatory or other legal standards." All institutions should take heed and implement effective risk assessment, particularly for high-risk clients.
Regulators continue to raise the bar on compliance, and institutions need to take appropriate steps to mitigate the risks. In particular, regulators expect to see a comprehensive view of each customer across the entire organization rather than a limited view by line of business, legal entity or jurisdiction. However, a number of customer privacy and data protection rules limit financial institutions' ability to manage this risk effectively. Without clear guidance and harmonized regulation on these concepts, financial institutions will have to do the best they can with limited budgets. The financial and regulatory communities should hold open discussions of significant concerns such as this, to reach a mutual understanding of the challenges each side faces and to work together on practical solutions.
In the meantime, managing high-risk customers may force a change in risk appetite, as the controls may cost more than the relationships earn. But financial institutions are in the business of managing risk, and this comes with the territory.