The FCA has fined Canara Bank £896,100 for anti-money laundering systems failures and has imposed a restriction preventing it from accepting deposits from new customers for 147 days. Canara is the UK branch of the Indian state owned bank with branches in London and Leicester.
In November 2012 and March 2013, Canara was visited by the FCA which found serious weaknesses in its AML systems and controls. However, Canara then notified the FCA that it had taken steps to remedy the weaknesses identified.
In 2015 the FCA revisited Canara and discovered that remedial action by the bank was ineffective in a number of respects. Further significant weaknesses in systems and controls were identified and the PRA (in cooperation with the FCA) appointed a skilled person under s166 of the Financial Services and Markets Act 2000 to report on Canara. In January 2016 the skilled person provided a report setting out multiple failings. These failings were accepted by the bank and included the following:
- Canara did not have an adequately designed or effective three lines of defence structure – first and second line functions were performed by the same compliance staff and the third line internal audit function was largely limited to "a ‘tick box’ exercise of a checklist provided by Canara Bank Head Office."
- Canara’s documented risk assessment was not appropriately designed or effective including a lack of evidence or risk assessment across all customer types, including insufficient information on the purpose and intended nature of the business relationship.
- Canara’s AML manual 2015 was not fit for purpose in respect of ongoing transaction monitoring; “…they don’t provide clarity on the procedures to be undertaken by the user. The fragmented nature of the manual, vague language used, lack of supplementary guidance and formatting errors, detrimentally affects the usability of the manual.”
- There was a lack of detailed understanding of the AML requirements with an impact on Canara managing its AML risk at all levels, including significant gaps with respect to risk assessing customers, conducting customer due diligence and enhanced due diligence and on-going monitoring. Transaction monitoring was inadequate including an overreliance on sampling.
The FCA was particularly scathing of senior management who were unable to articulate the level of understanding expected of requirements in relation to AML. Canara’s senior management did not review or test the remediation action taken following the 2012/2013 visit in order to ensure that the required steps had been taken or to ensure that the remediation was effective.
The FCA found that a culture of minimal or non-compliance was allowed to persist within Canara. There was also no evidence that money laundering risks or adverse media related to its customers were considered by senior management of Canara during the on-boarding process or subsequently, even when identified. Senior management oversight of the Leicester branch was particularly deficient – for example it had taken almost four years for Canara to detect that sanctions screening of customers in Leicester had not been conducted.
A common approach of overseas banks is to second senior management from the home country to the UK for limited periods of time. For a global bank there are advantages in senior staff obtaining experience of different areas of the bank and ensuring consistency across the group. However, whilst not forbidding this practice, the FCA clearly does not like it and in the case of Canara found that this practice contributed to its failings. At the very least the FCA expects such executives to receive extensive training on UK regulation before they commence work and we are seeing the PRA and FCA being much more stringent in approving bank senior executives than previously.
A familiar pattern in FCA AML enforcement cases is firms receiving external feedback (from the FCA, auditors or others) on serious deficiencies in AML systems and controls but failing to remedy those identified problems. The FCA won't usually give firms a second chance and enforcement typically results, as it did with Canara.
A feature of this case is that following the FCA's notification to Canara in 2012/2013 of "serious weaknesses in its AML systems and controls" an internal report from the money laundering reporting function stated that "The initial feedback from the FSA at the end was positive highlighting some minor procedural deficiencies which have been set right". We have seen other occasions where firms have failed to appreciate the seriousness of AML failings identified in FCA feedback. This may be a feature of how the FCA tends to report back to firms – typically highlighting areas of good practice in firms before setting out areas for attention. This can have the effect of downplaying the failings. There may also be a tendency for those parts of a firm which do receive criticism from a regulator to downplay the findings. Where firms do receive notification of areas of concern from regulators, senior management needs to scrutinise the findings and seek an independent assessment if necessary.
Although this case predates the senior managers regime, the FCA notice focusses heavily on failings by senior management. Given the FCA's focus on individual responsibility it is likely that individuals at Canara will also be the subject of investigation and possible enforcement action.