NatWest: A case of ignoring the obvious
The NatWest case marks the first instance the Financial Conduct Authority (the “FCA”) has pursued criminal charges for money laundering failures.
NatWest’s (the “Bank”) AML problems arose when one of its customers, a jeweller who’s company was called Fowler Oldfield (“Fowler”) was the subject of a money laundering investigation, from which it unravelled that the jeweller was running a multimillion-pound money laundering scheme.
Where does the Bank fit into the equation? The Customer held several accounts with Bank. Throughout the business relationship (between 2012 and 2016), the Bank failed to adhere to AML requirements in relation to the accounts held by the Customer, the activity of which was significant. Deposits of around £365 million over five years were made, £264 million of which were cash deposits.
Notwithstanding the large amount of cash, and the fact that at time of account opening, the Customer initially stated that their expected turnover was to be £15million per year for its sales, the banks staff still failed to report it as suspicious.
NatWest pleaded guilty to its AML control failures
So, What Were the Red Flags?
1. Know your client: and keep on knowing your client
“Know your client” should not just be a buzz phrase thrown around at random, neither should it be a one-off-task which terminates soon after inception. A lot of us speak about “knowing our client” and its importance without properly understanding, or, to avoid sounding naïve, without properly “practicing what we preach”. The NatWest failure is a prime example of this.
The Bank initially consented to on-board Fowler as their client, on condition that the Bank would not handle any cash for Fowler and that its future sales were predicated to be £15 million a year (such condition was imposed after the Bank accurately recognised the high-risk industry in which the company operated).
The issue arose when progressively, Fowler’s activities grew, and the parameters changed, considerably. Gold started to be sold in exchange for cash, and the Bank overall, accepted £264 million deposits, in cash, from Fowler.
Red flag? One would (or should) ask. Yes, at that point the Bank was expected to reconsider the initial KYC information and documentation which they had obtained from their client, to ascertain whether they still knew their client (a concept which many seem to forget, or rather, choose to ignore).
From this moment onwards, the domino effect began. The Bank could no longer state that they “knew their client” as at that point in time.
2. Risk Assessments: The wrong time to turn a blind eye
Risk Assessments are not static. Undertaking a risk assessment at inception and stopping there, or, undertaking a risk assessment with a “tick-the-box” approach, is often futile. Periodic reviews need to be undertaken to ensure that the subject person is properly assessing their clients and the risks which they may pose. An objective approach needs to be adopted when completing a customer risk assessment, to eliminate “human errors” from arising.
The purpose of collecting information, documentation and preparing a customer risk assessment is not meant to be a robotic, “tick-the-box” exercise. The risk relevant to the customer needs to be assessed taking into account the risks identified at the inception of the relationship. Risk assessments drawn up at onboarding stage are to be used as a foundation against which further developments made to the client’s business operations may be assessed.
At inception, the Bank risk rated Fowler as a high-risk customer (particularly since the company dealt in gold and precious metals), following this, the Bank, for reasons which it failed to explain, decreased the risk rating of the company to low, and later pushed this back up to medium.
The fact that Fowler’s risk rating was lowered, despite knowing that the preconditions implemented by the Bank (at inception) were no longer being adhered to, and notwithstanding the fact that deposits made by Fowler increased significantly between November 2013 to April 2014, erroneously resulted in less stringent measures being applied.
Evidently, the Bank failed to recognise this as a red flag. At that point, one would have expected that the Bank would have either:
- Revised the customer risk assessment (and hence applied more enhanced due diligence / ongoing monitoring measures), or
- if the risk which the company posed was no longer within the risk threshold of the Bank, additional mitigating measures should have been put into place (if possible), or
- if neither of the above were possible, the business relationship should have been terminated.
Naturally, with an incorrect risk rating it is easier for things to go “unnoticed”, given that the client would be subject to less stringent monitoring. In this case, the relationship manager, despite receiving numerous internal reports, appears to have chosen to ignore the obvious.
3.Ongoing Monitoring and automated systems: A time to be alert
When carrying out ongoing monitoring one would expect that issues which may prompt one to think / question certain things, are investigated and analysed in the correct manner. This is not a time to turn a blind eye, but that’s exactly what the Bank did.
Should the fact that a customer was initially on-boarded as a high-risk customer, as well as the fact that a drastic change occurred in the expected business activity of a customer, as well as the fact that the risk score of the client was decreased (for no apparent reason), trigger further questioning / warrant the need to apply enhanced due diligence measures? Indeed, this should.
Proper ongoing monitoring systems would have alerted this, and the Bank would have been in a better position to assess and address the situation in a more pragmatic manner (hence, ask further questions and carry out more enhanced due diligence).
Here is where common sense should prevail. Automation is risky, it is not fool proof. If you are witnessing one thing happening (cash being deposited) and are mindful of that fact that such cash is being “misread” as cheque deposits via the automated transaction monitoring system, as was done in this case, the logical thing to do would be to flag this inaccuracy and update the relevant systems to ensure that they are reflective of the situation at hand.
Regardless, whether due to human error, or failure in the Banks automated systems, ongoing monitoring was not properly undertaken, and concerns fell beneath the radar. The domino effect continues.
The crux of the matter is that blindly trusting your client, weak internal controls, lack of human oversight and failure to question red flags will all play a part in actively enabling money laundering to take place.
Interestingly, although the topic of anti-money laundering has been the talk of the town, and although we have recently witnessed a record number of fines being issued (both by the FCA and the FIAU), this was the first time a subject person faced criminal charges, enforced by the FCA, for breaches of money laundering regulations.
This landmark judgment is also a reminder that simply employing a “tick the box” approach and relying solely on automated systems is not going to be sufficient. We are expected to apply our minds, questioning our internal systems, apply a risk-based approach in the correct manner, remain alert and attentive, and truly monitor business relationships with our clients.