On 8 December 2022 the FCA confirmed in a Final Notice that it was fining Santander UK £107,793,300 for failing to effectively manage money laundering risks, affecting the oversight of its Business Banking portfolio. The fine related to a near five-year period, between 31 December 2012 and 18 October 2017, in respect of which the FCA uncovered "serious and persistent gaps and deficiencies" in the bank's anti-money laundering ('AML') control framework for Business Banking. The penalty reflects a settlement discount of 30%.
The FCA's examination of the Bank's dealings with six customers identified a number of failings. These customers operated money services businesses ('MSB') but were not correctly identified as such at the time of onboarding. MSBs are companies that receive and make payments on behalf of their own customers. Because a bank does not typically have access to an MSB's customers nor its rationale for underlying transactions, it is heavily reliant on the MSB having complied with its own financial crime obligations. Owing to the opaqueness with which the parties transact and the vulnerabilities of the MSB sector to financial crime, banks are generally cognisant of the enhanced risks of dealing with MSBs. For example, by a Santander internal policy, proposed accounts in respect of MSBs were supposed to be referred to senior financial crime staff for approval.
The FCA concluded that the bank had ineffective systems in respect of: (1) adequately verifying information provided by customers at onboarding in respect of their nature of business; and (2) properly monitoring the amount of money deposited in accounts versus original expectations. The bank also failed to respond promptly to numerous "red flags" detected by its inadequate automated transaction monitoring alert system.
Systemic flaws were epitomised by the bank's treatment of one particular customer, "Customer A". Customer A opened an account with Santander UK in May 2013, masquerading as a translation service provider when it was in fact an MSB. Despite early indications that it specialised in foreign currencies, the bank failed to verify its nature of business. The bank knew of the enhanced money laundering risks presented by MSBs and in line with its risk appetite, was only offering limited services to existing customers and not onboarding any others. However, owing to the bank's weak systems and controls, Customer A proceeded on the basis that it was a standard risk client. This meant that: (1) no verification as to its nature of business was carried out; (2) no enhanced checks were conducted; and (3) no periodic reviews were scheduled. This enabled some £269 million to pass through its accounts before eventually being closed.
The FCA fined the bank for breach of Principle 3 (failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems).
Some examples of the bank's failings are listed below:
- Its processes failed to ensure that staff onboarding business banking customers obtained sufficient information to understand the nature of a customer's business, therefore it was unable to accurately assess the money laundering risks involved in transacting with them;
- Its automated transaction monitoring alert system lacked sophistication and failed to account for important information such as anticipated turnover of a business banking customer;
- Its processes and systems did not enable other teams which received relevant information for risk assessments or ongoing monitoring of customers to disseminate information appropriately; and
- Processes for terminating relationships with customers did not ensure that terminations were always progressed promptly, and that ongoing activity ceased (for example, whilst the bank flagged Customer A's account for closure in March 2014, inadequate processes meant it was not acted upon until September 2015).
The FCA continues to be very active in taking enforcement action against firms for failure to implement adequate AML controls. It is noteworthy that despite undertaking a programme of self-improvements to its AML processes for much of the relevant period, the bank was unable to address its structural faults and thereby discharge its regulatory obligations. The case acts as a reminder that conscientiousness alone is not enough for the regulator in the financial services space. Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA stated that "Santander's poor management of their anti-money laundering systems and their inadequate attempts to address the problems created a prolonged and severe risk of money laundering and financial crime."
To effectively manage financial crime risks, firms must deploy effective onboarding systems and controls. Information obtained from customers needs to be reviewed and assessed in light of subsequent account activity. In relation to the specific risks MSBs present for banks, firms should consult the Joint Money Laundering Steering Group's "MSB Guidance" and be prepared to explain the rationale for any divergence from that guidance.