The FCA has issued a Final Notice to Steven Smith, the former MLRO of Sonali Bank (UK) Limited ("SBUK"). Smith was fined £17,900 and prohibited from performing compliance oversight functions and the MLRO role in regulated firms in future. In a related Final Notice, the FCA fined SBUK £3,250,600 and restricted it from accepting deposits from new customers for 168 days.
In August 2010, the FCA notified SBUK that it had serious concerns regarding its AML systems and controls. In response, the bank established a Remediation Plan. Smith was appointed MLRO in February 2011, with all that brought, including responsibility for implementing the outstanding items of the Remediation Plan. The FCA re-visited SBUK in January 2014 and identified serious AML failings. A Skilled Person was then appointed, who found that there were “systemic” AML failings arising from “a lack of understanding and implementation of systems and controls throughout the Bank”. This led to an FCA investigation, which ultimately concluded that there was a systemic failure to maintain adequate systems and controls to manage the risk of money laundering and financial crime.
Despite his knowledge of the FCA's previous feedback to SBUK and the internal audit warnings he had received in relation to certain AML controls, Smith had failed to identify, investigate or address the issues the FCA had identified. This included a failure to report to the Board either the resourcing issues that impacted the effectiveness of the MLRO function or the issues that had been raised by the internal audit committee. This inaction deprived management of the opportunity to take appropriate action.
In terms of breaches, the FCA found that Smith was:
- In breach of Principle 6 (due skill, care and diligence in managing the business of the firm for which he was responsible); and
- Knowingly concerned in breaches by SBUK of Principle 3 (management and control).
Broadly speaking, this related to:
- Lack of reporting areas of risk, weakness and concern to the SBUK Board and senior management about its systems and controls, the general compliance and monitoring programs and MLRO resourcing issues. This inaction, in turn, meant the relevant management was unable to understand the risks, assess and supervise its adherence to relevant regulatory standards and enforce a culture of compliance;
- Failure to identify SBUK employees demonstrating a lack of knowledge and understanding of their AML responsibilities and to ensure staff had sufficient guidance and training to allow adequate performance of their functions;
- Failure to implement effective processes for identifying, monitoring and assessing AML risks posed by individuals (including politically exposed persons), customer due diligence measures and guidance for staff responsible for implementing such procedures;
- Lack of investigation into and monitoring of issues brought to his attention, such as suspicious activity reporting, transaction monitoring programs (including remittance systems) and progress of the Remediation Plan.
In assessing financial penalty, the FCA concluded that it was a level 4 breach (where level 5 is the most serious), although it reduced the amount of the fine on grounds of proportionality. The figure was then increased by 10%, taking into account aggravating factors regarding Smith's knowledge of FCA concerns and his subsequent failure to use "widely available" AML guidance to address the issues and improve SBUK's systems generally. After applying the early settlement 30% discount, the final penalty was reduced from £25,662 to £17,900.
In light of its findings, the FCA found that Smith demonstrated a serious lack of competence and capability. It made a prohibition order on the basis that he was not fit and proper to perform compliance oversight or money laundering reporting controlled functions.
As is well known, the FCA places a high importance on preventing financial crime. Given its findings regarding the systemic and extensive regulatory breaches, neither the level 4 seriousness of the penalty nor the prohibition is unexpected. What is particularly interesting about the Notice, however, is the discussion of resourcing.
As in many corporates, Smith was responsible for performing a number of functions in addition to his MLRO and Compliance Officer functions. These included as line manager, trainer, data protection officer and company secretarial work. Whilst the FCA accepted that Smith was overworked and lacked resources, and that this impacted his ability to discharge his regulatory obligations, it unsurprisingly considered that Smith ought to have accurately informed senior management of the resourcing issues and the risks it created to the compliance programme. (As it happens, when he was given permission to recruit further resource, Smith failed to take adequate steps to ensure that it was obtained in a timely way.) Interestingly, the Notice sets out a list of all those steps an MLRO might take if not given the support he or she needs or has concerns about the operations or effectiveness of the AML controls within a firm. With the increased emphasis on individual accountability and the introduction of the SMR, resourcing may be an issue that individuals find themselves focussing on more than ever.