Final Notice
On , the Financial Conduct Authority issued a Final Notice to ADM Investor Services International Limited
FINAL NOTICE
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Financial Conduct Authority (“the
Authority”) hereby imposes on ADM Investor Services International Limited
(“ADMISI” or “the Firm”) a financial penalty of £6,470,600 pursuant to section 206
of the Financial Services and Markets Act 2000 (“the Act”).
1.2.
ADMISI agreed to resolve all issues of fact and liability and qualified for a 30%
discount under the Authority’s executive settlement procedures. Were it not for this
discount, the Authority would have imposed a financial penalty of £9,243,738 on
ADMISI.
2.
SUMMARY OF REASONS
2.1.
The Authority has the operational objective of protecting and enhancing the
integrity of the UK financial system. This includes reducing the risk that it will be
used for purposes connected to financial crime. Financial services firms, in turn, are
at risk of abuse by those seeking to launder criminal proceeds or to finance
terrorism.
2.2.
To mitigate such risks, authorised firms are required to implement suitable risk-
based anti-money laundering (“AML”) systems and controls. It is the Authority’s
expectation that firms will take reasonable steps to ensure that adequate AML
systems and controls are in place and are functioning effectively. Firms that fail to
implement adequate AML systems and controls are exposed to the risk of financial
crime and benefit from an unfair competitive advantage over compliant firms
because they save on the costs involved in implementing such systems and because
they are attractive to customers who wish to avoid customer due diligence (“CDD”)
and more rigorous enhanced due diligence (“EDD”) checks. Effective enforcement
action provides a significant disincentive to such non-compliance.
2.3.
ADMISI is an investment brokerage firm located in London. It has market coverage
extending, but not limited to, energy, base metals, foreign exchange, and cocoa.
Its clients are global and diverse and this, coupled with its extensive market
coverage, creates opportunities for those who seek to launder the proceeds of crime
or finance terrorism. During the period from 30 September 2014 to 31 October
2016 (“the Relevant Period”), ADMISI was obliged by both the Money Laundering
Regulations 2007 (“MLRs”) and the Authority’s rules to install an infrastructure of
AML systems and controls to mitigate the risk that it could be used to facilitate
financial crime and money laundering. ADMISI failed to discharge those
requirements and, in doing so, exposed itself to the risk that it could be used to
facilitate financial crime and money laundering.
2.4.
In February and March of 2014, the Authority conducted a Periodic Assessment of
ADMISI focussing on clients within its contracts for difference (“CFD”) business
(“2014 Assessment”). This included an assessment of ADMISI’s AML systems and
controls in relation to the CFD business and focussed on client “on-boarding” and
compliance monitoring. Following the 2014 Assessment, the FCA notified ADMISI
that it identified weaknesses which required improvement in its risk management
framework, compliance monitoring, and client risk assessment. The assessment
referred to a degree of “informality” in its risk management processes and noted
that “ADMISI’s risk management framework and three-lines of defence model
appears to be ineffective.” A key issue was the absence of a formal process to
classify clients according to money laundering risk. Consequently, from that time,
ADMISI was on notice of the Authority’s concerns arising from the 2014
Assessment.
2.5.
As a result of the findings of the 2014 Assessment, ADMISI was required to
complete a Risk Mitigation Programme (“RMP”) which required the Firm to implement:
(1)
A formalised AML client risk-rating procedure within the client onboarding
area of its business and use this to drive the intensity of AML checks and
frequency of reviews. This was to include maintaining a country risk list
which scored countries based upon relevant metrics. ADMISI attested, in
September 2014, that it had completed this action.
(2)
A compliance monitoring plan, the absence of which had made ADMISI an
“outlier” compared with its peers.
(3)
A risk management framework across the business which identified the
Firm’s risk appetite, included policies and procedures to manage the
identified risks to the business, provided for review of those policies and
procedures, and set the parameters for management information in relation
to risk management.
2.6.
The Authority visited ADMISI two years later, in May 2016 (“2016 Visit”). The
purpose of the 2016 Visit was to assess the adequacy of ADMISI’s AML systems
and controls. During the visit, the Authority conducted supervisory interviews with
seven ADMISI staff members and reviewed 14 customer files. In June 2016, the
Authority sent a letter to ADMISI setting out significant failings in ADMISI’s AML
systems and controls that, in the Authority’s view, exposed ADMISI to a high money
laundering risk.
2.7.
Of the weaknesses identified, some inadequacies remained from the 2014
Assessment and called into question the quality of the corrective work ADMISI had
undertaken. For example, the Authority noted during the 2016 Visit that whilst
ADMISI had introduced an AML client risk assessment following the 2014
Assessment, it was inadequate in design and implementation. The matrix used was
rudimentary and did not enable an assessment of a client’s financial crime risk.
The Firm confirmed in its attestation of September 2014 to the Authority that a risk
management framework was “formalised, effective and allowing the Board to
manage risk within the business”. Moreover, at the time it made the attestation,
it had not applied the AML client risk assessment to existing clients who were
onboarded before August 2014. The Authority also found little evidence of
adequate on-going monitoring in the form of periodic reviews. In particular, the
frequency of periodic reviews was not determined by the risk rating of a customer,
but rather by trigger events.
2.8.
The Authority also identified, in its 2016 Visit, new, and more systemic, failings. For
example, it noted that ADMISI had not conducted a firm-wide money laundering
risk assessment and the policies were outdated and referred to repealed legislation.
The Authority also had significant concerns about the quality of EDD checks on the
client files it inspected. As a result of the Authority’s concerns, ADMISI was
required, within a month, to revise its deficient client risk assessment. In addition,
the Authority asked the Firm to enter into a Voluntary Requirement (“VREQ”). The
purpose of the VREQ was to limit ADMISI’s exposure to the risk of money laundering
and financial crime by limiting higher risk aspects of its business until its systems
and controls were adequate.
2.9.
The VREQ, effective from 23 August 2016, prohibited ADMISI from entering into
new business with new or existing customers who were (i) resident, domiciled or
incorporated in one of the 97 countries on the Firm’s High-Risk Country List; (ii)
Politically Exposed Persons (“PEPs”); or (iii) assessed as “high risk” in accordance
with the Firm’s revised client risk assessment matrix. The restrictions did not apply
to existing clients resident, domiciled, or incorporated in a list of 24 countries within
the High-Risk Country List on the condition that ADMISI undertook EDD reviews of
those clients within a specified period. The VREQ therefore required ADMISI to
undertake a substantial remediation exercise of its higher-risk clients.
2.10. By the end of October 2016, ADMISI promulgated a suite of AML policies and
procedures which were clear and covered the areas the FCA expected. This included
specific EDD and PEP policies.
2.11. Principle 3 of the Authority’s Principles for Businesses requires a firm to take
reasonable steps to ensure that it has organised its affairs responsibly and
effectively, with adequate risk management systems.
2.12. By failing to comply with applicable regulatory and legal AML requirements which
require firms to design, implement, and maintain adequate systems and controls
to mitigate its money laundering risks, and, by failing to conduct adequate
remediation of weaknesses the Authority identified during the 2014 Assessment,
ADMISI breached Principle 3.
2.13. Such weaknesses potentially undermine the integrity of the UK’s financial system
by unacceptably increasing the risk that ADMISI would be used for the purposes of
money laundering or terrorist financing.
2.14. The Authority therefore imposes a financial penalty on ADMISI of £6,470,600
(£9,243,738 before 30% discount) pursuant to section 206 of the Act.
2.15. The Authority acknowledges that the failings outlined in this Notice are historic and
that ADMISI has taken remedial action to address the issues identified including
retaining the services of external compliance consultants to assist the Firm in this
remedial work.
2.16. For the avoidance of doubt, this Notice makes no criticism of any person other than
ADMISI.
3.
DEFINITIONS
3.1.
The definitions below are used in this Notice:
“2014 Assessment” means the Authority’s periodic assessment of ADMISI in March
2014;
“2016 Visit” means the Authority’s visit to ADMISI in May 2016 during which it
assessed the Firm’s AML systems and controls;
“the Act” means the Financial Services and Markets Act 2000;
“ADMISI” or “the Firm” means ADM Investor Services International Limited;
“AML” means anti-money laundering;
“the Authority” means the Financial Conduct Authority;
“CDD” means customer due diligence, the measures a firm must take to identify
its customer and to obtain information on the purpose and intended nature of the
business relationship, as set out in regulation 5 of the MLRs;
“CFD” means a contract for differences, an agreement between a ‘buyer’ and a
‘seller’ to exchange the difference between the current price of an underlying asset
(such as shares, currencies, commodities and indices) and its price when the
contract is closed;
“CFT” means countering the financing of terrorism;
“CMS” means Compliance Monitoring System, a bespoke compliance system built
for ADMISI;
“Compliance Manual” means the manual in place from time to time at ADMISI;
“DEPP” means the Decision Procedures and Penalties Manual, part of the Handbook;
“EDD” means enhanced customer due diligence, the measures a firm must take in
certain situations, as set out in regulation 14 of the MLRs;
“FATF” means the Financial Action Task Force, an inter-governmental body
designed to promote a co-ordinated international response to money laundering;
“Handbook” means the Authority’s Handbook of rules and guidance;
“JMLSG” means the Joint Money Laundering Steering Group, a group made up of
the leading UK trade associations in the financial services industry with the aim of
promulgating good practice in countering money laundering;
“ML” means money laundering;
“MLRs” means the Money Laundering Regulations 2007, which were in force
between 15 December 2007 and 25 June 2017;
“MLRO” means the Money Laundering Reporting Officer;
“PEP” means politically exposed person, as defined in regulation 14(5) of the MLRs;
“POCA” means the Proceeds of Crime Act 2002;
“the RDC” means the Regulatory Decisions Committee of the Authority (see further
under Procedural Matters below);
“Relevant Period” means the period between 30 September 2014 and 31 October
2016;
“RMP” means Risk Mitigation Programme, which, in this matter, the Authority
required ADMISI to complete as a result of the findings the Authority made in its
2014 Assessment;
“SYSC” means the Senior Management Arrangement, Systems and Controls part
of the Handbook;
“the Tribunal” means the Upper Tribunal (Tax and Chancery Chamber);
“UBO” means ultimate beneficial owner, as defined in Regulation 6 of the MLRs;
and
“Warning Notice” means the Warning Notice issued to ADMISI on 7 March 2023.
4.
FACTS AND MATTERS
Overview of AML legal and regulatory obligations
4.1.
The UK is a major global financial hub which attracts investment activity from
across the world. This status can, however, attract criminals and terrorist
organisations seeking to hide the proceeds of crime among the huge volumes of
legitimate business conducted here. Criminals rely upon access to the legitimate
financial services sector to allow them to realise the value of property acquired
through the commission of crimes and to make it appear to have come from a
legitimate source. Preventing the use of the legitimate financial system to launder
the proceeds of crime in this way is a national and international priority. As a result,
the Authority requires all authorised firms to take appropriate steps to prevent
them from being used to facilitate money laundering.
4.2.
The Authority has published guidance on countering the risk of financial crime,
including money laundering, since 2011. That guidance makes clear the measures
firms should adopt to limit financial crime in addition to offering practical examples
of good and poor working practices. The importance of firms’ systems and controls
in preventing financial crime has featured as one of the Authority’s priorities in its
Business Plans throughout the Relevant Period.
4.3.
Many firms also have specific obligations under the MLRs, the Terrorism Act 2000,
and POCA. Since 1990, the JMLSG has published detailed written guidance on AML
controls with the aim of fostering good practice in countering money laundering
and giving practical assistance in interpreting the MLRs and the regulatory
requirements in the Handbook.
4.4.
Both the Authority’s rules and the MLRs require firms to adopt a risk-based
approach to the management of ML risk. This means that firms must identify and
understand the ML risks their business faces and design systems which mitigate
these risks and prioritise and allocate resources to those areas where the risks are
most acute. Firms must periodically review their systems and controls to take
proper account of emerging risks to the business and to ensure that they are
appropriate.
4.5.
When taking on a client, firms must conduct CDD to verify the client’s identity and
ensure that they understand the nature and purpose of the anticipated business
relationship. Firms must assess the potential ML risks presented by each client in
light of this information. Relevant factors may include the corporate structure of a
client, the identity of its UBO, or the fact that a client is a PEP. Where firms assess
clients as presenting a higher risk of money laundering, they are required to
conduct EDD which may involve ascertaining the source of a client’s funds or
wealth.
4.6.
Thereafter, firms must monitor the client’s activities to ensure that they are
consistent with their knowledge of the client. The frequency and intensity of the
monitoring should be driven by the firm’s assessment of the risks presented by the
client. Firms must periodically review their relationship with a client to make sure
that the ML risk the client presents has not changed.
ADMISI
4.7.
ADMISI is a “full service investment multi-asset brokerage company” based in
London which facilitates over 180 million derivatives contracts a year. Its market
coverage includes, but is not limited to, contracts relating to grains, energy, foreign
exchange, cocoa, and base metals. ADMISI’s clients include trade customers, asset
managers, institutional clients, and high net worth individuals. ADMISI has been
authorised and regulated by the Authority since 2001. In May 2016, ADMISI had
1,238 open corporate accounts and 1,034 open individual accounts.
4.8.
During the Relevant Period, the nature of ADMISI’s business and client base
presented potentially high levels of ML risk because, among other reasons:
(1)
It acted as an investment brokerage, and therefore an intermediary, which
made it vulnerable to use as a vehicle for money laundering.
(2)
It had clients from over 70 different jurisdictions, some of whom were
resident, domiciled, or incorporated in jurisdictions that FATF identified as
having strategic weaknesses in their AML and CFT measures. ADMISI
maintained a “Jurisdiction Red List” which it compiled using information from
the FATF, among other sources. The text within the list said that ADMISI
“…should not be soliciting client[s]” from the countries contained within the
list. The Authority, during its 2016 Visit, found 37 open accounts relating to
clients who were resident, incorporated, or domiciled in countries on the list.
(3)
As of May 2016, ADMISI had 41 clients categorised as PEPs.
(4)
A significant proportion of its business derived from transactions involving
high-risk clients. As a percentage, 32% of its gross profit was generated by
high-risk clients during the Relevant Period.
(5)
A small number of its clients were principally concerned with extractive
industries and the economy that flows from those industries, notably the oil
business.
4.9.
In February and March of 2014, the Authority carried out the 2014 Assessment. It
focussed on clients within ADMISI’s CFD business and included a review of its AML
systems and controls in relation to client on-boarding and compliance monitoring.
4.10. The Authority provided detailed written comments to ADMISI on 16 April 2014. The
comments identified areas of its AML systems and controls that required
improvement. The Authority noted the absence of formal risk management
processes as a key issue and was particularly concerned that the Firm’s “risk
management framework and three-lines of defence model appears to be
ineffective.” In particular, the Authority found that:
(1)
ADMISI did not have a formal client risk classification process to determine
the intensity of AML checks that should be undertaken on prospective
clients, nor did the risk rating drive the frequency of ongoing KYC reviews.
(2)
ADMISI onboarded clients from a country on the AML country list, despite it
being a “blacklisted” country.
(3)
Records contained inadequate information about how ADMISI made
onboarding decisions.
4.11. The Authority stated that “ADMISI must adopt a formal and more thorough process
in order to identify the AML risk of a client.” As a result of the findings of the 2014
Assessment, the Authority required ADMISI to undertake the RMP which included
the requirement to implement a formalised AML client risk-rating process. This
required ADMISI to implement a process which:
(1)
classified clients according to risk;
(2)
by classification, determined the intensity of the CDD measures applied
when onboarding clients, as well as the intensity and frequency of on-going
monitoring of existing clients; and
(3)
included the application of a fully maintained country risk list, which scored
countries based on relevant metrics.
4.12. The Authority found that ADMISI’s client onboarding procedures were only
“generally stated, and more detailed procedures are not recorded, such as when
enhanced due diligence should be required for new clients.” The Authority
observed, in accordance with the MLRs, that where “higher risk clients are
identified, additional checks should be conducted, including, for example,
ascertaining the client’s source of funds.” It said that ADMISI should document this
process at all stages to reflect the rationale taken in the onboarding process.
4.13. The RMP also required ADMISI to implement a compliance monitoring programme,
across the business, including those relating to AML. The 2014 Assessment noted
that the absence of a compliance monitoring programme meant that ADMISI was
“unable to effectively plan the monitoring of the business’s systems and controls.”
4.14. Lastly, also as part of the RMP, ADMISI was required to implement a risk
management framework, of which AML systems and controls were components.
This work required multiple steps, culminating in an attestation from ADMISI that
a risk management framework was “formalised, effective and allowing the Board
to manage risk within the business.”
4.15. On 30 September 2014, ADMISI wrote to the Authority identifying the measures it
had taken to address the issues raised regarding its client risk assessments.
ADMISI explained that it:
(1)
had established and implemented a risk matrix to rate prospective clients
either “low”, “medium” or “high”;
(2)
was maintaining a “Country Risk List” and, that it incorporated that
information into the risk categorisation process; and
(3)
was identifying prospective clients as PEPs or subject to the sanctions regime
in a separate register in its Compliance Monitoring System.
4.16. Having taken those measures, ADMISI attested that the remedial work it had
undertaken properly addressed the issues the Authority raised.
4.17. ADMISI provided its revised risk management framework to the Authority in March
2015.
4.18. In February 2014, ADMISI received a report from its internal auditors, setting out
the findings of an assessment of its regulatory compliance systems and controls
that were in place at that time.
4.19. The report stated that, “there is no evidence that critical compliance program
policies and procedures have been reviewed and updated in a formal manner for
approval by management and/or the Board of Directors since 2008.” In response,
a senior compliance employee accepted that a more “formal” approach needed to
be evidenced and, to that end, ADMISI had engaged an external compliance
consultancy to undertake a thorough review of the Firm’s policies and procedures.
4.20. The Authority’s written feedback, coupled with the RMP which required AML
systems and controls improvements, and ADMISI’s internal audit report of February
2014, should have alerted ADMISI to the need to ensure that its AML systems and
controls were robust and compliant with the UK’s legal and regulatory
requirements.
Deficiencies in ADMISI’s AML systems and controls
4.21. During the Relevant Period, ADMISI failed to maintain adequate systems and
controls to manage the risk of money laundering and financial crime. These failings
occurred within the following areas:
(1)
Firm-wide financial crime risk assessments.
(2)
AML policies and procedures.
(3)
Client AML risk assessments.
(4)
PEPs.
(5)
On-going monitoring.
(6)
Higher risk client files.
(7)
MLRO reports.
(8)
AML training.
(9)
Internal Audit.
4.22. These failings are outlined in more detail below.
Firm-wide financial crime risk assessment
4.23. The assessment of the financial crime and ML risk faced by a firm is essential to
developing effective AML policies and procedures. The Authority issued guidance
for firms on this subject, in April 2013 and again in April 2015, and made clear that
a “thorough understanding of its financial crime risks is key if a firm is to apply
proportionate and effective systems and controls”.
4.24. The guidance also stated, “A firm should identify and assess the financial crime
risks to which it is exposed…” and “Firms can then target their financial crime
resources on the areas of greatest risk.”
4.25. By the time of the 2016 Visit, ADMISI had not conducted a firm-wide financial crime
risk assessment. By not conducting this risk assessment, ADMISI had missed a
critical step in properly implementing a robust framework of AML systems, because
it had failed to identify the risks it faced and, therefore, the measures it
implemented could not be aligned to the specific risks it faced, nor take account of
the higher risk ML factors the Firm had to mitigate.
4.26. The risk management framework which ADMISI adopted following the completion
of the RMP in March 2015 did not compensate, nor substitute, for the absence of a
firm-wide financial crime risk assessment. The document had a very short section
on financial crime and anti-money laundering; the chapter opened with the
sentence: “This is articulated in the Compliance Manual” and contained some
inaccurate reassurances, including that risks were mitigated by “policies and
procedures updated to incorporate lessons learned.”
4.27. It was not until July 2016 that ADMISI completed a firm-wide financial crime risk
assessment. This was in response to the Authority’s feedback letter, following the
2016 Visit, in which ADMISI was required to take “immediate action” to improve its
controls, including the completion of a firm-wide financial crime risk assessment.
AML policies and procedures
4.28. At different points during the Relevant Period, there were a number of policies and
procedures relevant to the Firm’s AML systems and controls, including:
(1)
The ADMISI AML Policy.
(2)
Chapter 11 of the Compliance Manual.
(3)
Account Opening Policies and Procedures.
(4)
CDD, EDD, and PEP Policies.
ADMISI’s AML Policies
4.29. Firms are required to maintain written documents which set out their policies and
procedures on ML and terrorist financing risk. During the Relevant Period, ADMISI
had an overall policy document entitled “ADM Investor Services International
Limited Anti-Money Laundering Policy.” Although the firm produced revised AML
policies in 2012 and 2013, they were identical to the 2003 policy despite changes
to AML legislation.
4.30. A number of the deficiencies in the policy are attributable to the fact it had not been
updated, by the time it was replaced in April 2016, for over a decade. The policy
was inadequate because:
(1)
It failed properly to ascribe the AML responsibilities between the MLRO,
compliance staff and front-line staff, as well as to identify the person with
overall responsibility for AML systems and controls, despite the policy
requirement to do this: “The Company is required to establish clear
responsibilities and accountabilities to ensure that policies, procedures and
controls are introduced and maintained which deter criminals from using
their facilities for money laundering.”
(2)
It contained references to out-of-date legislation. For example, in the
“Requirements of the Regulations” section it referred to the Money
Laundering Regulations 1993 and the Money Laundering Regulations 2001.
Those regulations were replaced in March 2004 by the Money Laundering
Regulations 2003, which were themselves replaced in December 2007 by
the MLRs. This meant the policy referred to regulations which were around
12 years out-of-date and had since been replaced twice. This was important.
The MLRs implemented significant changes, introducing a legal requirement
to undertake a risk-based approach to the intensity of CDD measures and
introduced the concepts of EDD and PEPs.
(3)
It referred to “Know Your Client” under the heading “Identification
Procedures”, but did not refer to a client AML risk assessment or require a
risk-based approach, including requiring that the intensity and frequency of
CDD measures should vary depending on the client’s ML risk. Nor did the
policy refer to a requirement to obtain information on the purpose and
nature of the business relationship to enable ADMISI to assess, as part of
its on-going monitoring, whether the transactions and activities carried on
for a client were consistent with its expectations.
(4)
It failed to refer to EDD or PEPs, either in name or substance. The only
reference to source of funds came under assessing potentially suspicious
transactions. There was no reference to source of wealth.
(5)
It referred to matters which might generate money laundering suspicion,
including mention of a client’s corporate structure and the type of trading to
be undertaken, but the policy failed to highlight other obvious ML risks, for
example the risk presented by clients from certain jurisdictions. Passing
references to this issue were only made in the context of the annual MLRO
report and third-party payments.
(6)
The only mention it made of countering terrorist financing was in the context
of the narrative explanation for the offence of “Failure to report”.
(7)
It failed to refer to on-going monitoring, and the requirement to conduct
enhanced on-going monitoring in certain circumstances. There was no
reference to the relationship between the assessment of a client’s ML risk
and the intensity and frequency of on-going monitoring.
(8)
It referred to the “Money Laundering Sourcebook” which ceased to exist in
2006.
(9)
It set out the offences of “Assistance”, “Tipping Off” and “Failure to report”
but, inaccurately, suggested that these offences were set out in the Money
Laundering Regulations 1993 instead of POCA, legislation which came into
force in February 2003.
(10)
It failed to state that, where ADMISI was unable to apply CDD in accordance
with the MLRs, it was required to cease its business relationship with the
customer.
ADMISI’s AML Policy 2016
4.31. In April 2016, ADMISI introduced a new policy, combining two existing documents:
a chapter from ADMISI’s Compliance Manual and the AML policy, with some minor
amendments from the 2013 version. The amendments to the AML policy were minor
and the deficiencies identified above were not remedied.
4.32. A number of the deficiencies in ADMISI’s AML policy during the Relevant Period
were obvious and should have been identified by ADMISI because:
(1)
The policy, which had not been substantively updated in over a decade, was
not up to date. For example, it referred to the Money Laundering
Regulations 1993 even though those regulations were no longer in effect.
(2)
It should have understood that the Money Laundering Regulations 1993 had
been superseded by the MLRs. The absence of reference to the MLRs was
an obvious indicator that at least some aspects of the policy were out of
date.
(3)
Prior to October 2016, there was no policy that provided for how ADMISI
should manage its relationships with PEPs. The 2013 AML policy and 2016
AML policy were silent on the issue. Chapter 11 of the Compliance Manual,
which covered AML systems, also had no reference to PEPs. Consequently,
there was no formalised instruction, or guidance, for staff to understand the
risks presented or the connection between a PEP and the requirement to
undertake EDD. Equally, there was no formalised instruction or guidance to
enable staff to understand the necessity to increase the frequency of the
periodic reviews of a client who was a PEP.
ADMISI’s Compliance Manual
(4)
ADMISI maintained a Compliance Manual which was intended to cover all
compliance related subjects, effectively an “A to Z” and was not purely a
manual relating to AML. The manual was divided into different chapters
according to the subject matter and Chapter 11 concerned AML. The manual
was “aimed” at the front office staff.
(5)
During the Relevant Period, there were three versions of Chapter 11 of the
Compliance Manual: August 2013, February 2015, and December 2015. In
April 2016, what was previously Chapter 11 was merged into the AML Policy.
Between August 2013 and December 2015 there were only minor
amendments to Chapter 11, a change to the approval process for waivers
for “deviations from the Company’s Account Opening Procedures” and a
change as to whom employees should approach in the event of a query.
(6)
Chapter 11 of the Compliance Manual was deficient. It shared a number of
the shortcomings of the AML policies. Chapter 11:
(a)
made no reference to PEPs or countering the financing of terrorism;
(b)
made no reference to EDD; and
(c)
incorrectly suggested that the MLRs made it an offence to assist
money launderers, to “tip off” or to “fail to report”.
(7)
ADMISI ceased using the hardcopy version of the Compliance Manual in
favour of a firm intranet version that separated the content into separate
policies. This addressed the MLRO’s concerns that staff members would be
reluctant to use, what he described as, an “unmanageable” tome.
ADMISI’s Account Opening Procedures
4.33. During the Relevant Period, three versions of ADMISI’s Account Opening Procedures
were in force. The first was dated at the latest from March 2014. It was replaced
in January 2015, and then again in March 2016. The procedures were broken down
into different account types. The AML policy emphasised the importance of the
Account Opening Procedures and, under the heading of “Identification Procedures”,
stated that, “The Company’s comprehensive Account Opening Procedures provide
detailed and specific guidance in this regard.”
4.34. Chapter 11 of the Compliance Manual stated: “For your own protection, it is vitally
important that the Account Opening Procedure is adhered in its entirety to at all
times.”
4.35. The procedures provided detailed guidance on identifying individual and corporate
clients. However:
(1)
The 2014 procedure made no reference to assessing the ML risk of a client.
This was consistent with the absence of a formal AML client risk assessment
process generally at ADMISI at that time.
(2)
None of the Account Opening Procedures referred to or made provision for
aligning the level of due diligence to the level of ML risk a client posed.
Although the January 2015 procedures and the later version referred to
completing an AML Risk Matrix Score Sheet and a senior staff member
categorising the client, the remainder of the procedures remained largely
the same as the 2014 version, and the 2015 version did not explain what a
“high risk” rating or categorisation meant. There was no reference to the
need to conduct EDD.
(3)
The Account Opening Procedures made no reference to the circumstances
in which it would be appropriate to ascertain a client’s source of funds or
source of wealth. The procedures instructed front office staff to complete a
KYC form, but this was the only mention of the KYC form and there was no
instruction on how to interpret or act on the information provided within the
KYC form. The KYC form had a box for information about the “source/origin
of the funds the client will use”. However, the Account Opening Procedures
made no reference to those concepts in name or substance.
(4)
Further, under the “Source of Funds” box, the KYC form for individuals
(a)
“IF A CLIENT ELECTS NOT TO SUPPLY FINANCIAL INFORMATION WE
CANNOT BE HELD RESPONSIBLE FOR ERRORS IN CLASSIFICATION OR
SUITABILITY. YOU ARE DUTY BOUND TO ENSURE THE CLIENT IS
MADE AWARE OF THESE FACTS.”
(5)
Contrary to regulation 11 of the MLRs, this warning did not make it clear
that where ADMISI was unable to apply CDD measures (e.g. where a higher
risk client refused to provide details of its source of funds), it was required
not to enter into a business relationship. Nor did the Account Opening
Procedures make this clear.
(6)
The only reference to PEPs was that if, as a result of an AML risk assessment
and a World-Check, a client was identified as a PEP, the head of the team
should be consulted for advice. The procedures did not provide any
guidance on what further steps should be taken, including the mandatory
requirements of the MLRs.
(7)
There was an inconsistency between the corporate cash procedure and the
individual cash procedure until January 2015. The individual procedure
required checking the jurisdiction of the individual against ADMISI’s
“Jurisdiction Issues list to ensure we are OK to proceed”, whereas the
corporate cash procedure did not.
4.36. Prior to the 2016 Visit, ADMISI failed to conduct reviews to ensure that its AML
policies had been updated to comply with regulatory changes.
4.37. ADMISI’s internal auditors warned it, both before and during the Relevant Period,
that it was not updating its policies. In 2010 and 2012, the auditors observed that
there was not a formal periodic review and approval process “to provide evidence
of management’s ongoing assessment of policies and procedures in light of
significant regulatory...changes.” In February 2014, the auditors observed that
“critical compliance program policies and procedures” had not been updated in a
formal manner since 2008. The Firm replied that it had engaged external
compliance consultants to undertake a “thorough review” of the policies and
procedures by the end of June 2014. This did not occur.
4.38. In March 2015, the auditors wrote that “compliance policies are not updated and
approved annually to ensure accuracy and consistency with current laws and
regulations” and that the AML policy referred to the Money Laundering Regulations
1993 rather than the Money Laundering Regulations 2007. The same internal audit
report noted that the 2014 audit had previously identified this failure. Responding
to the auditor’s findings in the comments section, a compliance employee agreed
that, “a more formal policy review process needs to be in place.”
4.39. In April 2016, the AML policy was updated, the first time a new version of the
document had been created since 2013. In any event, the 2016 AML policy was
substantively identical to the policy document that preceded it, which, in turn, was
virtually identical to the 2003 document (as explained above). In practice, the AML
policy had not substantively changed in approximately thirteen years.
Restructure of policies and procedures
4.40. ADMISI’s AML policies were subject to a thorough review following the 2016 Visit.
A number of new standalone policies and written procedures were introduced which
had not existed prior to the visit, namely:
(1)
ADMISI “Enhanced Due Diligence (EDD) Procedures for High Risk clients
including Politically Exposed Persons (PEPS)”, dated October 2016.
(2)
ADMISI “Customer Due Diligence (CDD) Procedures”, dated October 2016.
(3)
ADMISI “Enhanced Due Diligence (EDD) Policy”, dated October 2016.
(4)
ADMISI “Politically Exposed Person (PEP) Case Alert Procedure”, dated
October 2016.
4.41. ADMISI commissioned an external compliance consultancy to assist it in the
extensive re-drafting of the AML policies and procedures. These re-drafted policies
and procedures, which were put in place after the 2016 Visit, were adequate.
Client AML risk assessment
4.42. Prior to the 2014 Assessment, ADMISI did not have a documented risk assessment
process to determine the money laundering risks presented by each client.
4.43. Following the Authority’s 2014 feedback letter, ADMISI implemented a client AML
risk assessment matrix. ADMISI attested to the Authority that, following the
changes to its onboarding process (which included the implementation of the client
AML risk assessment matrix), it considered its new procedure to be “adequate and
appropriate to meet the Company’s legal and regulatory responsibilities in relation
to anti-money laundering.”
4.44. The AML risk assessment consisted of a score form to be completed for each
corporate and individual client, and an “AML Risk Assessment Matrix”, a guidance
document which explained how to complete the score form. The document
identified three “risk types” scored 1 to 3 corresponding to the level of risk with a
potential total score of 9. High risk clients were deemed to be those who scored
between 7 and 9.
4.45. The AML Risk Assessment Matrix that ADMISI adopted in 2014 did not produce a
rounded assessment of the financial crime risks associated with a client. More
specifically, the matrix was deficient because:
(1)
It referred to the assessment of jurisdictional risk, but did not identify which
jurisdictions were relevant, i.e. the country of incorporation, residence,
and/or domicile.
(2)
It made no mention of product risk, activity risk, or corporate structure.
While it did refer to “adverse/speculative information”, this was not one of
the three criteria that was scored.
(3)
It allowed clients who were identified as PEPs at the time the risk assessment
was conducted to be rated “medium risk” if they scored lower on other
financial crime risk factors and thereby bypass EDD. EDD of PEPs, however,
was a requirement under regulation 14(4) of the MLRs.
4.46. The absence of a client AML risk assessment matrix meant that clients onboarded
before the date the firm started using it (1 November 2014) were never subject to
any formal risk assessment process during the Relevant Period. ADMISI did not
retrospectively apply the AML client risk assessment matrix to clients onboarded
before 2014, and ADMISI did not take into account the AML risks presented by
those clients at least until 30 June 2016.
4.47. Following the 2016 Visit, the Authority wrote to ADMISI and required it to complete
a revised customer risk assessment that would allow ADMISI to take account of the
“full picture of financial crime risks associated with a customer”. ADMISI was also
required to apply the revised customer risk assessment to the entire customer
base.
4.48. A revised client AML risk assessment matrix and guidance notes were constructed
by ADMISI in July 2016, and further revised in August 2016, called the “Anti-Money
Laundering (AML) and Counter Terrorism Financing (CTF) Risk Assessment Matrix,
Internal Procedures and Guidance Notes”.
4.49. During the onboarding process, firms must identify clients who are PEPs. By the
very nature of the prominent public functions they hold, PEPs occupy positions that
can, according to FATF, “be abused for the purpose of committing money laundering
(ML) offences and related predicate offences, including corruption and bribery, as
well as conducting activity related to terrorist financing (TF).”
4.50. Consequently, EDD must be applied to all clients identified as PEPs to address the
heightened risk that these clients present.
4.51. ADMISI did require account opening staff to complete a check to determine if a
prospective client was a PEP. If a positive match occurred, rather than setting out
a specific formal process, the procedure required staff to refer to management for
further advice and sign-off.
4.52. Once a client who was a PEP was onboarded, ADMISI maintained no accurate record
of the PEPs with whom it had an open business relationship. While the CMS kept a
record of PEPs, it was not kept up to date.
4.53. In March 2016, it was noted by a senior member of the compliance team that
ADMISI did not have an EDD process in place for PEPs but, despite this, no new
policy or procedure was implemented until after the 2016 Visit.
4.54. In October 2016, ADMISI introduced a new policy and procedure that applied to
Client file review – Enhanced Due Diligence
4.55. Where firms identify a client who presents a higher level of money laundering risk,
they are obliged by the MLRs to conduct EDD. Depending on the level of risk, this
may include obtaining evidence of the source of a client’s wealth or of the funds
used to conduct a transaction. Obtaining this information about PEPs is a
requirement. Firms must document the nature of any checks conducted and retain
any evidence obtained to ensure that they can demonstrate that their decisions
were appropriate.
4.56. During the 2016 Visit, the Authority reviewed a sample of 14 client files and
concluded that there were significant shortcomings in the EDD applied to those
files. In particular, the Authority found:
(1)
No evidence of source of wealth or source of funds on a PEP file.
(2)
Limited EDD on a high-risk file.
(3)
No evidence that adverse media checks had been conducted.
(4)
The UBO of a corporate account was a PEP, but ADMISI had not identified
this fact.
On-going monitoring of CDD/EDD
4.57. To ensure that the ML risks associated with clients are kept up-to-date, the MLRs
require firms to conduct regular reviews of their clients. Regular reviews help firms
to ensure that the information they collect as part of the CDD and EDD process
remains accurate and that the operation of the client’s account is consistent with
the business activity expected. The frequency and focus of such reviews should be
determined by the perceived risk posed by each client with a greater level of on-
going monitoring required for higher-risk customers, products, and services.
4.58. ADMISI used a system called CMS to help it monitor its client relationships. CMS
did this in two principal ways. First, it generated alerts on an account if a
transaction appeared suspicious. The information underlying the alerts could then
be checked to make sure it was consistent with expected activity on the account.
Second, CMS would generate an open review case when the client’s CDD was due
for review. CMS was programmed to deliver this functionality using a series of rules.
4.59. The open review cases generated by CMS were not dealt with promptly and this
resulted in an “enormous backlog.” By March 2016, an internal audit report said
that there were 3,500 open KYC review cases on CMS. This number included 300
cases which were still open from 2013 and had not been reviewed, and 1,300 from
2014. This issue had previously been identified in the audit findings reported in
2014 and 2015.
4.60. The poor quality of client information held on CMS compounded the problem. At
the time of the March 2016 internal audit, ADMISI had 3,500 open KYC cases. Of
the 3,500 open KYC review cases, ADMISI closed 1,400 on the basis that they
related to closed client accounts, administrative type accounts and sub-accounts
without undertaking a retrospective review of those files.
4.61. Following the report of the internal auditors in March 2016, ADMISI responded by
adopting a new procedure to deal with the backlog in periodic reviews. Periodic
reviews of clients’ KYC information became a daily activity as of March 2016.
4.62. The failure to implement effective AML systems and controls meant that ADMISI
failed to conduct appropriate on-going monitoring of its clients. This was clearly in
evidence as the Authority discovered when it reviewed customer files as part of its
2016 Visit.
4.63. ADMISI maintained a “Jurisdiction red list” that identified countries where it should
not “be soliciting clients”. On one file for a client who resided in a country on
ADMISI’s “Jurisdiction red list”, there was no evidence of any review having been
conducted since the file had been opened 12 years before.
4.64. On another client file, there was no evidence that the file had been subject to any
on-going monitoring since the file had been opened 15 years before.
4.65. A senior compliance employee accepted that while some reviews were taking place,
they were not sufficient.
PEP file
4.66. In May 2016, ADMISI provided the Authority with its PEP register. An individual
client, on-boarded in 2010, was included in the list and classified as a PEP.
4.67. The Authority reviewed the client’s file and found that the 2014 AML client risk
assessment matrix had not been retrospectively applied to the client. A risk
assessment document and a KYC form were completed, but after the 2016 Visit.
4.68. At the point of onboarding, ADMISI had obtained appropriate due diligence
documents: a certified copy of the client’s passport; a bank statement; and a
telephone bill. However, the Authority found that this CDD was not refreshed and
the passport expired in 2013. There was no evidence of a periodic review of the
client’s CDD information despite evidence that CMS had generated alerts on the
client’s account. CMS recorded a last review date of 17 September 2014 but, if
there was a review on that date, it was plainly inadequate because it failed to note
the client was a PEP and required EDD. In addition, the expiry date of the client’s
passport was neither identified nor remediated. ADMISI did obtain an updated
passport, but this did not occur until after the 2016 Visit.
4.69. In respect of EDD, the Authority found that the client file contained no evidence of
the source of the client’s funds, or wealth, at the point the client was onboarded, a
legal requirement under the MLRs.
4.70. A “Know Your Client Form – Individual” had been completed and was present on
the file when inspected. The form contained a box entitled “Source of Funds” and
had been populated, but it contained only one word “earnings.” No further
information was given or documented on the file regarding the client’s source of
funds, their wealth or how they proposed to fund the account. There was no
evidence at all regarding the legitimacy of the client’s funds.
4.71. The funds proposed to be invested, and that were invested when the account was
opened, were significant (€300,000).
4.72. Following the 2016 Visit, the Authority required ADMISI to provide evidence of the
source of wealth and source of funds for this client within one calendar month of
the requirement.
4.73. ADMISI held a telephone call with the client in August 2016 and, following that,
told the Authority that the source of wealth for the client derived from earnings
over a number of years. The Authority responded that the feedback letter requested
evidence of the source of funds and wealth for the client and asked ADMISI to obtain
it.
4.74. ADMISI agreed to obtain further evidence to adduce the client’s source of wealth.
It also confirmed that additional due diligence had been carried out on the client’s
employment.
4.75. Following this, a senior compliance employee emailed a contractor asking for advice
on the “optimal way” to evidence source of wealth for this client.
4.76. ADMISI subsequently issued an instruction to close the account, allowing the
unwinding of positions only. This was because the client had failed to provide
ADMISI with the evidence that it had requested. ADMISI ultimately obtained
evidence for the source of income for the client in 2014 and 2015 and provided this
to the Authority.
High-risk corporate client file
4.77. The Authority also identified significant EDD failings in relation to another high-risk
client file it reviewed. In March 2015, ADMISI onboarded a corporate client that
had a number of high-risk factors obvious from the file:
(1)
The corporate structure was opaque and complex. The company was
registered in the British Virgin Islands, used another company, also
registered in the British Virgin Islands, as its corporate director and its
shares were divided between two companies. The companies, in turn, had
two Russian UBOs, resident in Russia, each of whom owned one of the
companies.
(2)
The company had a “yahoo” email address.
(3)
There was an unexplained inconsistency between the Customer Information
Disclosure Form completed on behalf of the client which stated the
company’s principal business was “investment risk management”, whereas
the KYC Form completed by the trader said it was a “UBO trading vehicle”,
and that the principal business of the customer was “oil trading.”
(4)
The company used a British Virgin Islands PO Box as its registered address.
(5)
The company used a bank account based in Switzerland.
(6)
A reference was provided for the entity which claimed to know of the client
since 2012, which was impossible because it was only incorporated in 2014.
If this reference was intended to relate to a person connected to the entity,
this was not made clear.
(7)
According to the Customer Information Disclosure Form, the share capital
of the company was $50,000. The net assets of the company were
$150,000, yet the initial monies used to trade through ADMISI were
$3,000,000.
4.78. ADMISI had appropriately classified the client as high-risk, but the client was still
seen as fit to be reviewed periodically two years after the account was opened.
4.79. Although EDD is a legal requirement for clients identified as high-risk, no EDD was
completed. Moreover, the file contained no evidence regarding the source of the
company’s funds, how the company made its money, or how it would fund the three
million US dollar opening balance to the account. The KYC form, under “Source of
Funds” stated simply “UBO”. It did not specify which of the two UBOs was the
source of the funds or where they came from.
4.80. ADMISI failed properly to document the rationale to onboard this client and why
this was commensurate with its risk appetite.
4.81. On 24 May 2016, the day before the 2016 Visit, a senior compliance employee sent
an internal email advising that this client was viewed, at that time, as “very high
risk”, and that the client should not be allowed to trade any new products. This did
not, however, prompt ADMISI to conduct a periodic review of the client.
4.82. In September 2016, ADMISI was sent material by a law firm based in Russia in
relation to the client. The material included information that, a week before it was
sent, the ownership of the client had changed to a single UBO. Also included was a
letter relating to source of funds, which stated that “source of wealth… as well as
the source of funds…has the form of loans from its UBO”. That answer was clearly
inadequate because, until a week earlier, there had been two UBOs and the
information provided failed to specify which one of the UBOs remained involved in
the company.
4.83. On 7 November 2016, an ADMISI employee sent an internal email advising that
this client file had been “fully remediated” and that a decision had been taken that
the account should be closed. ADMISI also closed a linked corporate account, under
the same beneficial ownership, because it “no longer fits the risk profile of ADMISI”.
Management Information – MLRO reports
4.84. The Authority expects senior management to take responsibility for managing
financial crime risks and to be actively engaged in a firm’s approach to addressing
the risks identified. Senior management should therefore rely on accurate
information, sufficient to enable them to meet their AML obligations. The Authority’s
rules and guidance require a firm to provide to its governing body and senior
management, a “report at least annually by that firm’s money laundering reporting
officer on the operation and effectiveness” of the firm’s systems and controls.
4.85. During the Relevant Period, ADMISI’s senior management was provided with an
annual MLRO report. However, the content of the MLRO reports was unsuitable
because it did not give ADMISI the information it needed to assess the adequacy
of its systems and controls and thereby to enable it to identify, monitor and manage
its financial crime risks.
4.86. The AML policy, during the Relevant Period, said that the MLRO reports “must”:
(1)
assess whether the Firm had complied with the Regulations;
(2)
address changes made or recommended in respect of new legislation, rules,
or industry guidance; and
(3)
address any serious compliance deficiencies that had been identified in the
Firm’s policies and procedures.
2014 MLRO report
4.87. The 2014 MLRO report covered the calendar year 1 January to 31 December 2014.
The 2014 MLRO report was inadequate because:
(1)
It contained no comments on the 2014 Assessment.
(2)
It did not include references to the issues that the Authority had identified;
that the RMP had been issued to the Firm; the remediation exercise
undertaken; or about the Firm’s attestation to the Authority that the
remediated client AML risk assessment was now compliant.
(3)
It contained no substantive reference to, or assessment of systems and
controls, including those in place for PEPs. The only reference to PEPs was
implicit, that the “implementation of WorldCheck continues to improve the
effectiveness of the Company’s Anti Money Laundering Procedures”. The
report did not identify the fact that there was no mention of PEPs within the
AML policy, nor the Compliance Manual, and that there was no written
procedure for EDD to be completed on PEPs or high-risk clients.
(4)
The only reference to the policies and procedures was in the context of “third
party payments”, where policies and procedures were referred to as
“robust”. The report did not identify the weaknesses in the policies and
procedures. This was despite the criticisms in the 2014 internal audit report
that there was no evidence that critical compliance policies had been
formally reviewed and updated since 2008.
(5)
There was only one sentence addressing the issue of AML training and it
failed to document, specifically, what the training entailed.
(6)
It incorrectly referred to SYSC 3.2.6G(2) which applies to insurers,
managing agents and the Society of Lloyd's instead of SYSC 6.3.7G(2).
The 2015 MLRO report
4.88. Some of the passages within the 2015 MLRO report were so similar to the 2014
MLRO report that it suggests that they were simply copied from one report to the
other. In particular:
(1)
The wording relating to policies and procedures, in the context of “third party
payments” is identical in both the 2014 and 2015 MLRO reports.
(2)
The wording of the section relating to the CMS is almost exactly the same
in the 2014 and 2015 MLRO reports. Moreover, there is a direct similarity
between the CMS section not just between the 2014 and 2015 MLRO reports
but dating back to every MLRO report from 2012 to 2015.
(3)
The erroneous reference to the Authority’s rules relating to SYSC 3.2.6G,
was identical in the introductory section of the 2014 and 2015 MLRO reports.
4.89. In failing to substantively assess its AML controls and failing to note compliance
deficiencies, ADMISI’s MLRO reports of 2014 and 2015 did not satisfy ADMISI’s own
AML policy. The reports failed to provide ADMISI’s board and senior management
with any indication of the shortcomings in the Firm’s AML controls.
4.90. In 2016, ADMISI’s MLRO report was an improvement, but this report was prepared
after the Authority’s 2016 Visit and, notably, after the Authority had provided
comments on the quality of the 2015 MLRO reports.
AML training
4.91. For an AML control framework to be effective firms must adequately train their staff
so that they are suitably skilled, able to recognise ML and terrorist financing risks
and understand their legal duties. Equally, staff need to be properly trained so that
they can implement the AML control framework designed to mitigate the risks
presented. Not all staff will have the same training requirements. For instance,
those in the front office of a firm will have different training requirements to those
in Compliance. Firms were obliged under the MLRs and advised under the
Authority’s guidance to deliver training on ML and terrorist financing. To assist
firms, the Authority has issued financial crime guidance on AML training. The
guidance asks firms to consider if their AML training is suitably tailored to particular
roles. It also asks firms to consider how they assess the effectiveness of the training
delivered.
4.92. ADMISI provided records demonstrating that some AML training had been delivered
during the Relevant Period. The MLRO attended AML training in 2014 and 2015.
However, ADMISI did not provide any record of AML training being delivered more
broadly to staff in 2014. The 2014 MLRO report did say that all staff had been
trained on AML, but the Authority has been unable to verify the effectiveness of the
training delivered, as there was no record provided of the training materials nor
any record of the assessments of those who took part. The Authority was also
unable, without the underlying training materials, to establish if the training was
tailored to particular roles.
4.93. In July 2015, training was delivered to all staff titled “Anti Money Laundering
(Overview) Training”. ADMISI, in response to a request by the Authority, provided
a register of staff who had completed the course. The register was extensive and
encompassed a large number of staff, from senior management to front office staff.
The MLRO report for 2015 remarked that “…all staff attended/participated in an in-
house training course which includes AML training”. ADMISI did not provide the
Authority with a record of the training package that was delivered, so in keeping
with the records provided for 2014, it was not possible for the Authority to assess
if the training was tailored to particular roles and whether it included appropriate
content.
4.94. In June 2016, following the 2016 Visit, ADMISI delivered further AML training
entitled “Anti-Money Laundering: An Introduction to Money Laundering”. This
training package was of an adequate standard taking into account the need to
ensure that the relevant staff were able to recognise and deal with transactions and
other activities that may be related to ML or terrorist financing.
4.95. The 2016 MLRO report contained significantly greater comment on AML training
than either the 2015 or 2014 MLRO reports. It was acknowledged in the 2016 MLRO
report that adequately training ADMISI’s staff was one of the Firm’s “challenging
risks in relation to money laundering and financial crime.”
4.96. The Authority found it difficult to assess the suitability of the AML training delivered
by ADMISI during the Relevant Period. This was because the records of the training
provided were inadequate. A firm cannot be assured that it has properly met its
legal and regulatory obligations to deliver training on ML and terrorist financing
unless it maintains adequate records.
4.97. Prior to internal audit reports being issued, senior managers were shown the
content of the report and invited to comment on any issues identified. Each internal
audit report was distributed to the senior managers who worked in the relevant
business area and was copied to the Board.
4.98. Each internal audit report was marked with an overall audit rating, which was
accompanied by a narrative explanation for the rating. The body of the report
identified issues which needed addressing. Those issues were numbered and the
number was assigned a colour on a traffic light basis, namely green, amber and
red, to identify the seriousness of the issue.
4.99. The 2014, 2015, and 2016 internal audit reports identified to senior management
issues that needed to be rectified. The issues identified included deficiencies with
the AML policy. To that extent therefore, the internal audit report identified relevant
concerns.
4.100. The internal audit report failed however to classify correctly the failings identified
or to assign to particular issues an appropriate colour code.
4.101. For example, one issue dealt with in the 2015 internal audit report was “Annual
Policy Review and Approval”. The auditors highlighted the following errors within
ADMISI’s AML policy:
(1)
the policy referred to “the Financial Services Authority (FSA), which was
replaced by the Financial Conduct Authority (FCA) in April 2013”; and
(2)
the policy referred to “the Money Laundering Regulations 1993 rather than
the Money Laundering regulations 2007.”
4.102. This was a repeat failure. The auditors suggested incorporating elements of the
JMLSG recommendations. However, the report did not identify that the reference
to outdated legislation was not simply indicative of a failure to update its policies
but of a failure by ADMISI to follow and implement the significantly updated
requirements of the MLRs. Despite the legal and regulatory requirements to
maintain suitable AML policies and procedures, and notwithstanding that this
repeated the failure identified during the 2014 internal audit, this issue was colour
coded green.
4.103. This gave misplaced assurance to senior management. One board member took
comfort in the ratings and colour classifications assigned to the issues.
4.104. This was not an isolated failing. In the 2016 internal audit report, the first issue
identified and reported, related to the “Know Your Client Process”. The report
stated, “At the audit date, 3,500 KYC review cases were still open in CMS, including
300 from 2013 and 1,300 from 2014”. Open KYC cases in CMS was an issue that
had been identified in both the 2014 and 2015 internal audit reports.
4.105. In spite of this, this issue was assigned an amber colour in the 2016 internal audit
report and the overall report was graded “satisfactory”. The on-going monitoring
of a client’s file to ensure that the information obtained for the purposes of CDD is
up to date is a legal requirement under the MLRs. The characterisation of this repeat
issue, in such a way, was misleading as to the seriousness of the situation and gave
misplaced comfort to senior management.
ADMISI’s response to the failings identified
4.106. Following the 2016 Visit, ADMISI invested significant resources in improving its AML
systems and controls, including retaining the services of external compliance
consultants to assist in the remediation work at significant expense.
4.107. ADMISI also materially changed the way that it conducted internal audits. In 2017,
ADMISI outsourced its internal audit function in respect of regulatory compliance
to an independent third party, which would conduct its reviews on a bi-annual
basis.
4.108. Senior management at ADMISI has co-operated and engaged with the Authority
during its investigation.
5.
FAILINGS
5.1.
The regulatory provisions relating to this Notice are referred to in Annex A.
5.2.
Principle 3 requires that a firm take reasonable steps to ensure that it has organised
its affairs responsibly and effectively with adequate risk management systems.
ADMISI breached this requirement because, during the Relevant Period:
(1)
It failed to implement a firm-wide financial crime risk assessment.
(2)
Its AML policies failed to provide for it to comply with its obligations under
the MLRs and the Authority’s rules.
(3)
Its client AML risk assessment was insufficiently detailed and failed to take
account of relevant factors to allow an accurate assessment of risk to be
made.
(4)
Its client AML risk assessment was not applied to customers onboarded
before 2014.
(5)
It had no procedure in place to conduct EDD on PEPs and there was an
inaccurate record kept of the PEPs with whom the Firm maintained an on-
going relationship.
(6)
It failed to conduct sufficient on-going monitoring of clients’ CDD
information.
(7)
It failed to conduct adequate EDD and on-going monitoring for some higher
risk clients.
(8)
It failed to prepare MLRO reports that:
(a)
assessed the AML systems and controls; and
(b)
identified the weaknesses in them.
(9)
It failed to keep adequate records of AML training.
(10)
Its internal audit function did not identify relevant AML and financial crime
failings within the Firm and failed to alert senior management and/or the
board to matters which needed their attention.
6.
SANCTION
Financial penalty – breach of Principle 3
6.1.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of
DEPP. In respect of conduct occurring on or after 6 March 2010, the Authority
applies a five-step framework to determine the appropriate level of financial
penalty. DEPP 6.5A sets out the details of the five-step framework that applies in
respect of financial penalties imposed on firms.
Step 1: disgorgement
6.2.
Pursuant to DEPP 6.5A.1G, at Step 1 the Authority seeks to deprive a firm of the
financial benefit derived directly from the breach, where it is practicable to quantify
this.
6.3.
The Authority has not identified any financial benefit that ADMISI derived from the
breach.
6.4.
Step 1 is therefore nil.
Step 2: the seriousness of the breach
6.5.
Pursuant to DEPP 6.5A.2G, at Step 2 the Authority determines a figure that reflects
the seriousness of the breach. Where the amount of revenue generated by a firm
from a particular product line or business area is indicative of the harm or potential
harm that its breach may cause, that figure will be based on a percentage of the
firm’s revenue from the relevant products or business area.
6.6.
The Authority considers that the revenue generated by ADMISI is indicative of the
harm or potential harm caused by its breach. The Authority has therefore
determined a figure based on a percentage of ADMISI’s relevant revenue. ADMISI’s
relevant revenue is the revenue derived by ADMISI during the period of the breach.
The period of ADMISI’s breach was from 30 September 2014 to 31 October 2016.
The Authority considers ADMISI’s relevant revenue for this period to be
£112,045,314.
6.7.
In deciding the percentage of the relevant revenue that forms the basis of the Step
2 figure, the Authority considers the seriousness of the breach and chooses a
percentage between 0% and 20%. This range is divided into five fixed levels which
represent, on a sliding scale, the seriousness of the breach: the more serious the
breach, the higher the level. For penalties imposed on firms there are the following
five levels:
(1)
Level 1 – 0%
(2)
Level 2 – 5%
(3)
Level 3 – 10%
(4)
Level 4 – 15%
(5)
Level 5 – 20%
6.8.
In assessing the seriousness level, the Authority takes into account various factors
which reflect the impact and nature of the breach, and whether it was committed
deliberately or recklessly. DEPP 6.5A.2G(6) lists factors relevant to the impact of
the breach. The Authority considers that the following factor is relevant:
(1)
There is a benefit to be gained from not implementing a suitable AML control
framework, both in terms of time and costs saved, but it is not quantifiable.
6.9.
DEPP 6.5A.2G(7) lists factors relating to the nature of the breach. The Authority
considers that the following factors are relevant:
(1)
The rules and requirements breached are designed to limit, so far as is
possible, money laundering through a firm. Breaches of these requirements
are therefore considered particularly serious.
(2)
The breach persisted for a period of over two years and was preceded by
the Authority's identification of associated concerns.
(a)
On 16 April 2014, the Authority issued a letter to ADMISI which
explained that the Firm needed to formalise and enhance its risk
management framework and, in particular, improve its client risk
classification process, its identification of AML risks and its checks on
higher-risk clients.
(b)
On 30 September 2014, the Firm executed an attestation to the
Authority concerning the improvement of its AML controls, including
its client risk assessment and identification of PEPs.
(c)
On 30 June 2016, the Authority issued a letter to ADMISI outlining
significant failings which the Authority believed may expose ADMISI
to high money laundering risk. The Authority’s key findings included
failings in:
(i)
ADMISI’s customer risk assessments which failed to inform
the level of due diligence, EDD, and enhanced on-going
monitoring undertaken for high-risk customers; and
(ii)
the effectiveness of ADMISI’s AML policies and procedures.
(d)
The serious and on-going concerns led the FCA to invite the Firm to
enter into a VREQ which it did on 23 August 2016. The Authority lifted
the VREQ after the end of the Relevant Period.
(3)
The breach revealed serious and systemic weaknesses in the Firm’s AML
systems and controls.
(4)
There was scope for financial crime to be facilitated or occasioned as a result
of the breach.
6.10. DEPP 6.5A.2G(11) lists factors which are likely to be considered “level 4 factors” or
“level 5 factors”. The Authority considers the following factors to be relevant:
(1)
The breach revealed serious or systemic weaknesses in the Firm’s
procedures or in the management systems or internal controls relating to all
or part of the Firm’s business.
(2)
The breach created a significant risk that financial crime would be facilitated,
occasioned or otherwise occur.
6.11. DEPP 6.5A.2G(12) sets out a number of factors that should be considered level 1,
level 2 and level 3 factors. The case team consider the following factor to be
relevant:
(1)
The breach was committed negligently.
6.12. Taking all these factors into account, the Authority considers the seriousness
of the breach to be level 4 and the Step 2 figure is therefore 15% of relevant
revenue, being £16,806,797.
6.13. As set out at DEPP 6.5.3(3)G, the Authority recognises that a penalty must be
proportionate to the breach. The Authority may decrease the level of penalty
arrived at after applying Step 2 of the framework if it considers that the penalty is
disproportionately high for the breach concerned. Notwithstanding the serious and
long-running nature of the breach in this Notice, the Authority considers that the
level of penalty after applying Step 2 of the framework would nonetheless be
disproportionate if it were not decreased.
6.14. In order to achieve a penalty that (at Step 2) is proportionate to the breach, and
having had regard to all relevant factors and taking into account previous cases,
the Step 2 figure is reduced by 50% to £8,403,398.
Step 3: mitigating and aggravating factors
6.15. Pursuant to DEPP 6.5A.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2 to take into account factors
which aggravate or mitigate the breach.
6.16. The Authority considers that the following factors aggravate the breach:
(1)
ADMISI had previously been put on notice about the Authority’s concerns in
relation to its client AML risk assessment process and also the connection
between this and the frequency of on-going monitoring of clients.
(2)
The Authority had published guidance and various other materials raising
relevant concerns about AML and AML systems and controls, all of which
was in the public domain and available to ADMISI.
(3)
The Authority had also publicly called for an improvement in standards in
relation to AML and AML systems and controls before and during the
occurrence of the breach.
6.17. The Authority considers that there are no factors which mitigate the breach.
6.18. The Authority considers that, as a result of these aggravating factors, the Step 2
figure should be increased by 10%, meaning the Step 3 figure is £9,243,738.
Step 4: adjustment for deterrence
6.19. Pursuant to DEPP 6.5A.4G if the Authority considers the figure arrived at after Step
3 is insufficient to deter the firm who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
6.20. The Authority considers that the Step 3 figure of £9,243,738 represents a sufficient
deterrent and so has not increased the penalty at Step 4.
6.21. The Step 4 figure is therefore £9,243,738.
Step 5: settlement discount
6.22. Pursuant to DEPP 6.5A.5G, if the Authority and the firm on whom a penalty is to be
imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have been
payable will be reduced to reflect the stage at which the Authority and the firm
reached agreement.
6.23. The Authority and ADMISI reached agreement at Stage 1 and so a 30% discount
applies to the Step 4 figure.
6.24. The Step 5 figure is therefore £6,470,600 (rounded down to the nearest £100 in
accordance with the Authority’s usual practice).
6.25. The Authority therefore imposes a total financial penalty of £6,470,600 on ADMISI
for breaching Principle 3.
7.
REPRESENTATIONS
7.1.
Annex B contains a brief summary of the key representations made by ADMISI in
response to the Warning Notice and how they have been dealt with. As ADMISI
agreed to resolve all issues of fact and liability, ADMISI only made representations
on the proposed financial penalty. In making the decision which gave rise to the
obligation to give this Notice, the Authority has taken into account all of the
representations made, whether or not set out in Annex B.
8.
PROCEDURAL MATTERS
8.1
This Notice is given under and in accordance with section 390 of the Act.
8.2
The following statutory rights are important.
Decision maker
8.3
The decision which gave rise to the obligation to give this Notice was made by the
RDC. The RDC is a committee of the Authority which takes certain decisions on
behalf of the Authority. The members of the RDC are separate to the Authority staff
involved in conducting investigations and recommending action against firms and
individuals. Further information about the RDC can be found on the Authority’s
committee
Manner and time for payment
8.4
The financial penalty must be paid in full by ADMISI to the Authority no later than
13 October 2023.
If the financial penalty is not paid
8.5
If all or any of the financial penalty is outstanding after 13 October 2023, the
Authority may recover the outstanding amount as a debt owed by ADMISI and due
to the Authority.
8.6
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this Notice relates. Under those provisions,
the Authority must publish such information about the matter to which this Notice
relates as the Authority considers appropriate. The information may be published
in such manner as the Authority considers appropriate. However, the Authority may
not publish information if such publication would, in the opinion of the Authority,
be unfair to ADMISI or prejudicial to the interests of consumers or detrimental to
the stability of the UK financial system.
8.7
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contacts
8.8
For more information concerning this matter generally, please contact Steve Page
at the Authority (020 7066 1420).
Financial Conduct Authority, Enforcement and Market Oversight Division
ANNEX A
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.
RELEVANT STATUTORY PROVISIONS
1.1
The Authority has the power to impose an appropriate penalty on an authorised
person if the Authority considers that an authorised person has contravened a
relevant requirement (section 206 of the Act).
1.2
In discharging its general functions, the Authority must, so far as reasonably
possible, act in a way which is compatible with its strategic objective and advances
one or more of its operational objectives (section 1B(1) of the Act). The Authority’s
strategic objective is ensuring that the relevant markets function well (section
1B(2) of the Act). The Authority has three operational objectives (section 1B(3) of
the Act). Protecting and enhancing the integrity of the UK financial system, the
integrity objective, is the operational objective relevant to this matter (section 1D
of the Act).
2.
RELEVANT REGULATORY PROVISIONS
2.1
In exercising its powers to impose a financial penalty, the Authority has had regard
to the relevant regulatory provisions published in the Authority’s Handbook. The
Handbook provisions relevant in this matter are the Principles for Businesses
(“Principles”); the Senior Management Arrangements, Systems and Controls
Sourcebook (“SYSC”); the Decision Procedures and Penalties Manual (“DEPP”); and
the Enforcement Guide (“EG”).
Principles for Businesses
2.2
The Principles are a general statement of the fundamental obligations of firms
under the regulatory system. They derive their authority from the Authority’s rule-
making powers set out in the Act. The relevant Principle in this matter is Principle
3 which provides that:
“A firm must take reasonable care to organise and control its affairs
responsibly and effectively, with adequate risk management systems”.
Senior Management Arrangements, Systems and Controls
2.3
SYSC 6.1.1R provides:
“A firm must establish, implement and maintain adequate policies and
procedures sufficient to ensure compliance of the firm including its
managers, employees and appointed representatives (or where applicable,
tied agents) with its obligations under the regulatory system and for
countering the risk that the firm might be used to further financial crime.”
2.4
SYSC 6.3.1R provides:
“A firm must ensure the policies and procedures established under SYSC
6.1.1R include systems and controls that:
(1) enable it to identify, assess, monitor and manage money laundering
risk; and
(2) are comprehensive and proportionate to the nature, scale and
complexity of its activities.”
Decision Procedure and Penalties Manual
2.5
Chapter 6 of DEPP sets out the Authority’s statement of policy for imposing financial
penalties under the Act. DEPP 6.5A sets out the five-step framework the Authority
uses to determine the appropriate level of financial penalty imposed on firms.
2.6
EG sets out the Authority’s approach to taking disciplinary action. The Authority’s
approach to financial penalties is set out in Chapter 7 of the Enforcement Guide.
ANNEX B
REPRESENTATIONS
A summary of the key representations made by ADMISI in respect of the penalty aspects
of this matter, and the Authority’s conclusions in respect of them (in bold), is set out
below.
Penalty Step 2: Seriousness of the breach
The seriousness assessment
1. The Authority’s conclusion that the seriousness of the breach is level 4, with the Step
2 figure being 15% of the relevant revenue (£16,806,797) is incorrect. The penalty
calculation is based on the assessment that ADMISI had only high-risk clients, which
has resulted in an overstated seriousness level and relevant revenue which does not
take into account the reality of ADMISI’s business as a whole. The extent of the money
laundering risk presented by ADMISI’s business as a whole varied across its client
base and needs to be recognised in the penalty calculation.
2. During the Relevant Period, the client base could be characterised as split between
commercial hedgers, aiming to manage the inherent commercial risk of their
operations, and speculators aiming to make a profit based on movement in the
markets. There was little real scope for actual money laundering. Only 15% of the
total client population was high-risk. The turnover attributable to this client population
was 38% of ADMISI’s total turnover during the Relevant Period.
3. Following a further file remediation exercise in 2017, ADMISI’s high-risk clients
represented 8% of the firm’s total client population. The impact of the breach in reality
only affected a small proportion of ADMISI’s high-risk client base. The penalty
calculation should reflect the varying degrees of risk across the Firm’s client base as
the scope for financial crime to be occasioned, or facilitated, by the breach was in
reality less serious than portrayed by the Authority. The relevant revenue figure
should take into account the turnover attributable to low and medium money
laundering risk clients during the Relevant Period. When considering DEPP
6.5A.2G(11)(d)1 the Authority has not acknowledged the factual reality that the
breach only created a significant risk that money laundering would be facilitated,
occasioned or otherwise occur, in relation to its relatively small high-risk client pool.
1 Factors which are likely to be considered ‘level 4 factors’ or ‘level 5 factors’ include: (d) the breach created a
significant risk that financial crime would be facilitated, occasioned or otherwise occur.
4. The Authority has not crystallised the actual scope for financial crime to be facilitated
or occasioned by the breach when considering DEPP 6.5A.2G(7)(f)2. ADMISI’s services
were inherently unsuitable to any form of layering of the proceeds of crime, as ADMISI
did not accept cash deposits; it brokered trades on highly regulated, monitored and
liquid markets which meant trading through ADMISI would be an ill-suited means of
transferring funds from one person or account to another person or account; ADMISI
had a strict policy of not making third party payments; and it did not facilitate physical
trading.
5. The extent of the money laundering risk presented by ADMISI’s business as a whole
varied significantly across its client base. Whilst the Firm accepts that its breach in
respect of its business with its high-risk clients can be assessed at seriousness level
4, its breach in respect of the rest of the business should be assessed at level 2. The
Authority has also failed to acknowledge the level 1–3 factors set out in DEPP
6.5A.2G(12) that no profits were made or losses avoided; there was no loss or risk of
loss to consumers; and there was no actual or potential effect on the orderliness of,
or confidence in, markets as a result of that breach. As 32% of ADMISI’s gross profit
during the Relevant Period was generated by its high-risk clients, the seriousness of
the breach should be no higher than level 3, consistent with the reasoning in
Gatehouse Bank plc3 where seriousness was assessed as level 3 when its core
underlying business activities carried an inherently greater money laundering risk than
ADMISI’s.
6. The vast majority of the Final Notices detailing AML systems and controls failures have
related to retail banks. The seriousness of ADMISI’s conduct should not be assessed
as if it were a retail bank. ADMISI operates in the capital markets sector; its business
model and customer base carry a lower risk for actual money laundering than for a
retail bank due to the nature of the sector, and the products and services offered by
ADMISI. This reduced risk level for actual money laundering should result in a lower
seriousness level at Step 2.
2 Factors relating to the nature of a breach by a firm include: (f) the scope for any potential financial crime to be
facilitated, occasioned or otherwise occur as a result of the breach.
3 Gatehouse Bank plc Decision Notice 12 October 2022:
https://www.fca.org.uk/publication/decision-notices/gatehouse-bank-plc-2022.pdf
7. The Authority considers that assessing the money laundering risk level
and/or legitimacy of a high-risk client’s business requires a firm to have
adequate EDD and enhanced monitoring on an ongoing basis. ADMISI has
accepted the failings in section 5 of this Notice, namely that it breached the
requirement during the Relevant Period that it take reasonable steps to
ensure that it has organised its affairs responsibly and effectively with
adequate risk management systems, which includes a failure to conduct
adequate EDD and enhanced monitoring on an ongoing basis for some higher
risk clients. Without adequate risk management systems, there is scope for
significant money laundering even from a small proportion of ADMISI’s
clients. As ADMISI could not adequately assess the risk levels of its clients in
light of the failings, the Authority considers that the seriousness of the
misconduct should not be restricted to the suggested smaller high-risk client
base.
8. The Authority considers that the absence of identifying actual money
laundering being facilitated does not mean that ADMISI’s failings were not
serious. DEPP 6.5A.2G requires the Authority to conduct an overall
assessment of the seriousness of the breach with regard to all relevant
factors with such weight paid to any particular factor as is merited by the
facts of the case at Step 2 of the penalty calculation. The Authority has had
regard to DEPP 6.5A.2G(7)(f) which is concerned with a firm’s systems and
the overall risks which those systems may fail to mitigate. The Authority
considers that ADMISI’s deficient AML systems mean that money laundering
is less likely to have been identified and stopped. Relying on other market
participants to regulate and monitor its services does not absolve ADMISI of
its own obligation to comply with the Authority’s particular rules and
regulations surrounding AML.
9. The Authority considers that, as a capital markets participant, ADMISI should
have maintained controls that are effective in identifying and preventing
money laundering, as there would otherwise be a significant risk that weak
systems and controls could be abused by money launderers. Persistent
failures by firms to maintain effective AML systems are of particular
seriousness, especially where they provide the scope for financial crime to
be facilitated. The extent and duration of weaknesses in a firm’s AML systems
are relevant contributing factors to an overall assessment of the nature and
seriousness of a breach, as they reflect the weaknesses in the firm’s
management systems and may have increased the money laundering risks
being taken by a firm. The Authority considers that, although AML risks in the
capital markets sector may be less well known, or easy to identify, than in
direct transfers of money in banking and payment systems, there remains a
significant risk if there are no adequate AML systems and controls in place
across the entire client base.
10. Of the level 1 – 3 factors outlined in DEPP 6.5A.2G(12), the Authority
considers it relevant that ADMISI committed the breaches negligently.
However, the Authority considers that this factor is outweighed by the level
4 or 5 factors identified in DEPP 6.5A.2G(11) that are relevant to ADMISI,
namely that the breaches revealed serious or systemic weaknesses in
ADMISI’s procedures or in the management systems or internal controls
relating to all or part of the Firm’s business, and that the breach created a
significant risk that financial crime would be facilitated, occasioned or
otherwise occur. Taking all relevant factors into account, the Authority
considers that ADMISI’s deficiencies in its AML systems were serious, firm-
wide, and persistent, which facilitated an overall risk for potential crime to
have been facilitated or occasioned as a result. In the circumstances, the
Authority considers that the appropriate level of seriousness is level 4,
meaning that 15% of the relevant revenue figure is £16,806,797.
Penalty Step 2: Proportionality - Exchange and clearing fees
11. DEPP 6.5.3G(3)4 requires the Authority to consider proportionality of the figure
reached at Step 2 of the calculation to ensure that a dispassionate check is placed on
the exercise of the Authority’s powers and enabling a degree of flexibility to avoid a
disproportionate outcome.
12. The Authority’s relevant revenue calculation on ADMISI’s declared turnover includes
£35,796,926 in exchange and clearing fees due to exchanges and Central
Counterparties (“CCPs”). ADMISI charged these fees to its clients on top of, and
separate to, its own fees, and these correspond exactly to the fees due to be paid to
CCPs by ADMISI when acting as a clearing member, or indirectly via third party
brokers when ADMISI was not acting as a member. Although ADMISI has historically
reported its exchange and clearing fees as part of its annual turnover, subject to a
corresponding deduction in its costs of sales, this does not reflect the revenue earned
or retained by ADMISI itself.
4 (3) The FCA recognises that a penalty must be proportionate to the breach. The FCA may decrease the level of
the penalty arrived at after applying Step 2 of the framework if it considers that the penalty is disproportionately
high for the breach concerned.
13. The case of Linear Investments Limited v Financial Conduct Authority5 supports an
“appropriate control on the bluntness of using gross revenue as a starting point”6. The
exchange and clearing fees ADMISI charged to its clients should properly be analysed
from an economic standpoint as representing the revenue of the exchanges and CCPs,
and not ADMISI (or intermediate brokers). UK accounting practice allows for multi-
asset brokerages such as ADMISI to include these fees in their turnover figures and
still comply with UK accounting standards. If ADMISI had adopted a different
accounting practice, the Authority’s approach would have led to a significantly lower
relevant revenue figure. As ADMISI’s liability for the fees payable (which it charged
back to its clients) was the consequence of a choice between different business
models, those fees should be deducted from the relevant revenue figure, and ADMISI
should not be penalised for electing an accounting practice unrelated to the Firm’s
regulatory obligations and money laundering systems.
14. Further, the exchange and clearing fees are not revenue generated by ADMISI under
DEPP 6.5A.2G(2) as they are not monies earned or derived by ADMISI. These fees
should be deducted from the relevant revenue figure on the grounds of proportionality.
15. Any financial penalty imposed should be proportionate to the breach. DEPP
6.5.3G(3) states that the Authority may reduce the level of the penalty
arrived at after applying Step 2 of the framework if it considers that the
penalty is disproportionately high for the breach concerned. The Authority
considers that this “proportionality override” allows for sufficient flexibility
to reduce a penalty if it would otherwise result in disproportionality.
16. The Authority does not consider that ADMISI’s exchange and clearing fees
were collected by ADMISI as agent, either for its clients or the exchanges.
Those fees were contractually payable by clients to ADMISI and contractually
payable by ADMISI to the various exchanges to which they related and did
not apply to all of the firm’s business. The Authority considers that these fees
were a direct cost of sales in certain transactions.
5 Linear Investments Limited v Financial Conduct Authority [2019] UKUT 0115 (TCC)
https://assets.publishing.service.gov.uk/media/5cac6ef3e5274a42a5619fcf/Linear__Investements_Ltd_v_FCA.pdf
6 Paragraph 21.
17. The Tribunal in Linear7 rejected arguments that certain costs should be
deducted from the gross revenue to calculate relevant revenue. The Authority
considers that the same point applies for the use of the proportionality
override and the deduction of these same costs. An overly nuanced approach
to proportionality would diminish the transparency of the Step 2 process, and
factoring reductions to take into account these costs would involve
complexities that would reduce the usefulness of adopting relevant revenue
as a starting point. The Authority does not consider that ADMISI’s choice of
accounting methodology sufficiently justifies a departure from the Tribunal’s
decision in Linear to reject deducting costs from relevant revenue, and
considers that exchange and clearing fees should not be deducted from the
Step 2 figure on the grounds of proportionality.
Penalty Step 2: Proportionality - ADMISI’s high-risk clients
18. Whilst ADMISI accepts that its breach in relation to its high-risk clients was at
seriousness level 4, it is only the institutional commodity hedging clients within that
cohort, and that aspect of ADMISI’s business alone, that can be said to be at
seriousness level 4. The actual money laundering risk of a large proportion of ADMISI’s
high-risk clients was equivalent to medium or even low risk clients. Accordingly,
ADMISI’s breach should be assessed as no higher than level 3. Further, the standard
10% of the relevant revenue associated with level 3 seriousness is overstated when
referencing the Firm’s business as a whole. Proportionality requires the level 3
percentage (10%) to be adjusted down to 8%.
19. For the same reasons given in the section on seriousness of misconduct set
out in paragraphs 9 and 10 above, the Authority considers the breach to be
level 4 seriousness, and does not consider that the penalty should be reduced
to reflect the number of ADMISI’s high-risk clients on grounds of
proportionality. The Authority does not consider it appropriate to assess
ADMISI’s money laundering risk solely on the proportion of its high-risk
clients as this would not accurately reflect the wide-reaching nature of its
breaches which are attributed to its persistent failure to maintain effective
AML systems. Further, the percentages attributable to each level of
seriousness at Step 2 in DEPP 6.5A.2 (3) are intended to be a clear and
predictable method for calculating the Step 2 penalty figure. Accordingly,
the Authority does not consider that the seriousness level percentage should
be adjusted downwards on the grounds of proportionality.
7 Ibid.
Penalty Step 2: Proportionality override
20. The proportionality override at Step 2 of the penalty calculation permits the Authority
to take into account any factors relevant to its assessment of the proportionality of the
Step 2 figure. The proportionality override is intended to provide the Authority with
latitude in its decision-making so as to ensure that the Step 2 figure is not
disproportionately high for the breach concerned. The Authority is obliged to consider
the proportionality of the Step 2 figure8. The application of the proportionality override
needs to be reasonable, taking into account relevant factors and disregarding irrelevant
factors9. The Authority may take into account all the circumstances, evidence,
inferences and submissions made, and identify other additional or relevant factors
which render the Step 2 figure disproportionate to the admitted breach.
21. Once the Authority has identified such factors, it may, depending on the circumstances,
be unreasonable and therefore a public law error for the Authority not to give them
due weight in its decision-making. The Authority may take into account other or
additional relevant factors to the specific exchange and clearing fees and ADMISI’s
high risk clients factors referenced from paragraphs 11 - 19 above. Its discretion is not
fettered. This would include factors inherent in the nature or effect of the breach. It
would be wrong in principle for the Authority to disregard any factor which it considers
relevant to the question of whether the Step 2 figure is disproportionate to ADMISI’s
admitted breach.
22. Taking into account all the circumstances of the admitted breach, the Step 2 figure
should be reduced on grounds of proportionality.
23. As mentioned above, the Authority recognises that the penalty must be
proportionate to the breach and it considers that the “proportionality
override” at DEPP 6.5.3G(3) should be used as a broad tool to mitigate the
effect of any manifestly disproportionate figure being produced at Step 2 of
the penalty calculation. Its appropriate application involves an overall
consideration of whether the size of the penalty assessed is disproportionate
to the seriousness of the misconduct.
8 Oxton Farm v Harrogate BC [2020] EWCA Civ 805, at paragraph 8.
9 Oxton Farm v Harrogate BC; In Re Duffy [2008] UKHL 4 at paragraph 53.
24. Notwithstanding the serious and wide-reaching nature of the breach, and the
need to deter the Firm, and others, from committing further or similar
breaches, the Authority considers that the level of penalty would nonetheless
be disproportionate to the seriousness of the breach if it were not reduced
and so should be adjusted. In order to achieve a penalty that is proportionate
to the breach, and having regard to all relevant factors in this matter and
taking into account previous cases, the Step 2 figure is therefore reduced by
50% to £8,403,398.
Penalty Step 3: mitigating and aggravating factors
25. The Authority’s 16 April 2014 letter to the Firm[10] arose out of a standard periodic
assessment focussing only on ADMISI’s equity CFD business, and whilst highlighting
deficiencies in ADMISI’s client money laundering risk assessment procedures, these
deficiencies did not warrant any change to the scheduled four-year supervision cycle,
with the next periodic assessment still due in 2018. The 2016 Visit focussing on AML
systems and controls was unrelated to the limited AML concerns raised in 2014. It was
not until June 2016 that the Authority raised its concerns about ADMISI’s AML systems
and controls as a whole, and those deficiencies were largely remedied by the firm
within four months. Accordingly, this should not be considered to be an aggravating
factor.
26. The Authority should take into account the following mitigating factors.
27. There is no evidence that any actual money laundering or financial crime resulted from
ADMISI’s breach, and the Authority should not consider ADMISI’s failure to put in
place adequate risk management systems and governance in the same way as a
failure to eradicate risk.
28. There has been significant delay in the Authority’s investigation, particularly as failings
were identified by the Authority in June 2016, which is necessarily prejudicial to
ADMISI because of the uncertainty of the outcome and penalty. The Relevant Period
ended in October 2016, and ended four months after the Authority’s feedback letter
of 30 June 2016, in which the specific concerns constituting the bases of the breach
were first highlighted.
10 Referred to at paragraph 4.10 and paragraph 6.9 of this Notice.
29. Meanwhile, ADMISI has fully co-operated with a lengthy investigation lasting over six
years, which is a mitigating factor consistent with DEPP 6.5A.3G(2)(b).
30. ADMISI actively took remedial steps to address its deficiencies and especially so after
the Authority raised its concerns in June 2016. ADMISI applied for a VREQ in August
2016 which reduced its turnover from high-risk customers by approximately £2
million. The Authority should acknowledge as a mitigating factor ADMISI’s decision to
agree to a VREQ while seeking to remedy the breach. ADMISI has spent more than
£2.8 million on remedial work, which is a major undertaking for which credit should
be given in accordance with DEPP 6.5A.3G(2)(d).
31. Because of these mitigating factors, it would not be appropriate to uplift the penalty
at Step 3.
32. DEPP 6.5A.3G(1) permits the Authority to take into account factors which
aggravate or mitigate the breach when considering whether to increase or
decrease the Step 2 figure of the penalty calculation.
33. Although not the focus of either the 16 April 2014 letter or the 2016 Visit, the
Authority considers that ADMISI’s AML systems were nonetheless still
considered by the Authority in 2014 as being deficient as the AML Risk
Assessment Matrix did not produce a rounded assessment of the financial
crime risks associated with a client (see paragraph 4.45 in the Notice).
Accordingly, the Authority does consider it an aggravating factor that ADMISI
was previously put on notice about the Authority’s concerns, as set out in
paragraph 6.16(1) in the Notice.
34. Whether crystallised money laundering has been identified is a factor that
may be relevant to an assessment of seriousness of the breach at Step 2 of
the penalty calculation in accordance with DEPP 6.5A.2G(7)(e). However, the
Authority does not consider that the absence of identified crystallised money
laundering should amount to a mitigating factor for the purposes of Step 3 of
the penalty calculation, as systemically deficient AML systems carry the
inherent risk of failing to identify money laundering activity sufficiently or at
all.
35. The Authority acknowledges the length of time that has passed since the
identification of ADMISI’s breach and the length of time of the Authority’s
investigation, but does not consider that this in itself detracts from ADMISI’s
failings or amounts to a mitigating factor, particularly when the impact on
the proceedings has not been ascertained. Any concerns that ADMISI has
about the Authority’s conduct may be pursued by referring the matter to the
Authority’s Complaints Scheme established under the Financial Services Act
2012.
36. DEPP 6.5A.3G(2)(b) states that the degree of co-operation shown during an
investigation of the breach may constitute a mitigating factor. The Authority
considers that a reduction at Step 3 should only occur if the degree of co-
operation went above and beyond what would be expected of a firm subject
to a statutory investigation. Whilst the Authority acknowledges that ADMISI
has co-operated with its investigation, it does not consider that it has co-
operated any further than would normally be expected in all the
circumstances; and accordingly, it does not consider that the Firm’s co-
operation should in this case amount to a mitigating factor.
37. Although taking remedial steps following the identification of a breach may
constitute a mitigating factor in accordance with DEPP 6.5A.3G(2)(d), this is
usually when a firm takes such steps of its own volition, or went considerably
further than remediating its systems to an acceptable level. Notwithstanding
the costs implications for ADMISI for agreeing to a VREQ, it was upon the
Authority’s invitation that ADMISI agreed to the VREQ, which was a
necessary minimum measure to manage money laundering risks to an
acceptable standard. The Authority considers that ADMISI commenced its
remediation exercise only after it was alerted to wide-ranging issues
identified by the Authority in the 2016 Visit, the remediation exercise itself
did no more than establish AML systems which complied with regulatory
requirements, and there were significant issues with its implementation. The
Authority does not consider the steps taken by ADMISI to remedy the
breaches to be a mitigating factor for the purposes of Step 3 of the penalty
calculation.
38. The Authority considers that the aggravating factors identified in paragraph
6.16 of this Notice merit a 10% uplift in the penalty.
FINAL NOTICE
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Financial Conduct Authority (“the
Authority”) hereby imposes on ADM Investor Services International Limited
(“ADMISI” or “the Firm”) a financial penalty of £6,470,600 pursuant to section 206
of the Financial Services and Markets Act 2000 (“the Act”).
1.2.
ADMISI agreed to resolve all issues of fact and liability and qualified for a 30%
discount under the Authority’s executive settlement procedures. Were it not for this
discount, the Authority would have imposed a financial penalty of £9,243,738 on
ADMISI.
2.
SUMMARY OF REASONS
2.1.
The Authority has the operational objective of protecting and enhancing the
integrity of the UK financial system. This includes reducing the risk that it will be
used for purposes connected to financial crime. Financial services firms, in turn, are
at risk of abuse by those seeking to launder criminal proceeds or to finance
terrorism.
2.2.
To mitigate such risks, authorised firms are required to implement suitable risk-
based anti-money laundering (“AML”) systems and controls. It is the Authority’s
expectation that firms will take reasonable steps to ensure that adequate AML
systems and controls are in place and are functioning effectively. Firms that fail to
implement adequate AML systems and controls are exposed to the risk of financial
crime and benefit from an unfair competitive advantage over compliant firms
because they save on the costs involved in implementing such systems and because
they are attractive to customers who wish to avoid customer due diligence (“CDD”)
and more rigorous enhanced due diligence (“EDD”) checks. Effective enforcement
action provides a significant disincentive to such non-compliance.
2.3.
ADMISI is an investment brokerage firm located in London. It has market coverage
extending, but not limited to, energy, base metals, foreign exchange, and cocoa.
Its clients are global and diverse and this, coupled with its extensive market
coverage, creates opportunities for those who seek to launder the proceeds of crime
or finance terrorism. During the period from 30 September 2014 to 31 October
2016 (“the Relevant Period”), ADMISI was obliged by both the Money Laundering
Regulations 2007 (“MLRs”) and the Authority’s rules to install an infrastructure of
AML systems and controls to mitigate the risk that it could be used to facilitate
financial crime and money laundering. ADMISI failed to discharge those
requirements and, in doing so, exposed itself to the risk that it could be used to
facilitate financial crime and money laundering.
2.4.
In February and March of 2014, the Authority conducted a Periodic Assessment of
ADMISI focussing on clients within its contracts for difference (“CFD”) business
(“2014 Assessment”). This included an assessment of ADMISI’s AML systems and
controls in relation to the CFD business and focussed on client “on-boarding” and
compliance monitoring. Following the 2014 Assessment, the FCA notified ADMISI
that it identified weaknesses which required improvement in its risk management
framework, compliance monitoring, and client risk assessment. The assessment
referred to a degree of “informality” in its risk management processes and noted
that “ADMISI’s risk management framework and three-lines of defence model
appears to be ineffective.” A key issue was the absence of a formal process to
classify clients according to money laundering risk. Consequently, from that time,
ADMISI was on notice of the Authority’s concerns arising from the 2014
Assessment.
2.5.
As a result of the findings of the 2014 Assessment, ADMISI was required to
complete a Risk Mitigation Programme (“RMP”) which required the Firm to
(1)
A formalised AML client risk-rating procedure within the client onboarding
area of its business and use this to drive the intensity of AML checks and
frequency of reviews. This was to include maintaining a country risk list
which scored countries based upon relevant metrics. ADMISI attested, in
September 2014, that it had completed this action.
(2)
A compliance monitoring plan, the absence of which had made ADMISI an
“outlier” compared with its peers.
(3)
A risk management framework across the business which identified the
Firm’s risk appetite, included policies and procedures to manage the
identified risks to the business, provided for review of those policies and
procedures, and set the parameters for management information in relation
to risk management.
2.6.
The Authority visited ADMISI two years later, in May 2016 (“2016 Visit”). The
purpose of the 2016 Visit was to assess the adequacy of ADMISI’s AML systems
and controls. During the visit, the Authority conducted supervisory interviews with
seven ADMISI staff members and reviewed 14 customer files. In June 2016, the
Authority sent a letter to ADMISI setting out significant failings in ADMISI’s AML
systems and controls that, in the Authority’s view, exposed ADMISI to a high money
laundering risk.
2.7.
Of the weaknesses identified, some inadequacies remained from the 2014
Assessment and called into question the quality of the corrective work ADMISI had
undertaken. For example, the Authority noted during the 2016 Visit that whilst
ADMISI had introduced an AML client risk assessment following the 2014
Assessment, it was inadequate in design and implementation. The matrix used was
rudimentary and did not enable an assessment of a client’s financial crime risk.
The Firm confirmed in its attestation of September 2014 to the Authority that a risk
management framework was “formalised, effective and allowing the Board to
manage risk within the business”. Moreover, at the time it made the attestation,
it had not applied the AML client risk assessment to existing clients who were
onboarded before August 2014. The Authority also found little evidence of
adequate on-going monitoring in the form of periodic reviews. In particular, the
frequency of periodic reviews was not determined by the risk rating of a customer,
but rather by trigger events.
2.8.
The Authority also identified, in its 2016 Visit, new, and more systemic, failings. For
example, it noted that ADMISI had not conducted a firm-wide money laundering
risk assessment and the policies were outdated and referred to repealed legislation.
The Authority also had significant concerns about the quality of EDD checks on the
client files it inspected. As a result of the Authority’s concerns, ADMISI was
required, within a month, to revise its deficient client risk assessment. In addition,
the Authority asked the Firm to enter into a Voluntary Requirement (“VREQ”). The
purpose of the VREQ was to limit ADMISI’s exposure to the risk of money laundering
and financial crime by limiting higher risk aspects of its business until its systems
and controls were adequate.
2.9.
The VREQ, effective from 23 August 2016, prohibited ADMISI from entering into
new business with new or existing customers who were (i) resident, domiciled or
incorporated in one of the 97 countries on the Firm’s High-Risk Country List; (ii)
Politically Exposed Persons (“PEPs”); or (iii) assessed as “high risk” in accordance
with the Firm’s revised client risk assessment matrix. The restrictions did not apply
to existing clients resident, domiciled, or incorporated in a list of 24 countries within
the High-Risk Country List on the condition that ADMISI undertook EDD reviews of
those clients within a specified period. The VREQ therefore required ADMISI to
undertake a substantial remediation exercise of its higher-risk clients.
2.10. By the end of October 2016, ADMISI promulgated a suite of AML policies and
procedures which were clear and covered the areas the FCA expected. This included
specific EDD and PEP policies.
2.11. Principle 3 of the Authority’s Principles for Businesses requires a firm to take
reasonable steps to ensure that it has organised its affairs responsibly and
effectively, with adequate risk management systems.
2.12. By failing to comply with applicable regulatory and legal AML requirements which
require firms to design, implement, and maintain adequate systems and controls
to mitigate its money laundering risks, and, by failing to conduct adequate
remediation of weaknesses the Authority identified during the 2014 Assessment,
ADMISI breached Principle 3.
2.13. Such weaknesses potentially undermine the integrity of the UK’s financial system
by unacceptably increasing the risk that ADMISI would be used for the purposes of
money laundering or terrorist financing.
2.14. The Authority therefore imposes a financial penalty on ADMISI of £6,470,600
(£9,243,738 before 30% discount) pursuant to section 206 of the Act.
2.15. The Authority acknowledges that the failings outlined in this Notice are historic and
that ADMISI has taken remedial action to address the issues identified including
retaining the services of external compliance consultants to assist the Firm in this
remedial work.
2.16. For the avoidance of doubt, this Notice makes no criticism of any person other than
ADMISI.
3.
DEFINITIONS
3.1.
The definitions below are used in this Notice:
“2014 Assessment” means the Authority’s periodic assessment of ADMISI in March
2014;
“2016 Visit” means the Authority’s visit to ADMISI in May 2016 during which it
assessed the Firm’s AML systems and controls;
“the Act” means the Financial Services and Markets Act 2000;
“ADMISI” or “the Firm” means ADM Investor Services International Limited;
“AML” means anti-money laundering;
“the Authority” means the Financial Conduct Authority;
“CDD” means customer due diligence, the measures a firm must take to identify
its customer and to obtain information on the purpose and intended nature of the
business relationship, as set out in regulation 5 of the MLRs;
“CFD” means a contract for differences, an agreement between a ‘buyer’ and a
‘seller’ to exchange the difference between the current price of an underlying asset
(such as shares, currencies, commodities and indices) and its price when the
contract is closed;
“CFT” means countering the financing of terrorism;
“CMS” means Compliance Monitoring System, a bespoke compliance system built
for ADMISI;
“Compliance Manual” means the manual in place from time to time at ADMISI;
“DEPP” means the Decision Procedures and Penalties Manual, part of the Handbook;
“EDD” means enhanced customer due diligence, the measures a firm must take in
certain situations, as set out in regulation 14 of the MLRs;
“FATF” means the Financial Action Task Force, an inter-governmental body
designed to promote a co-ordinated international response to money laundering;
“Handbook” means the Authority’s Handbook of rules and guidance;
“JMLSG” means the Joint Money Laundering Steering Group, a group made up of
the leading UK trade associations in the financial services industry with the aim of
promulgating good practice in countering money laundering;
“ML” means money laundering;
“MLRs” means the Money Laundering Regulations 2007, which were in force
between 15 December 2007 and 25 June 2017;
“MLRO” means the Money Laundering Reporting Officer;
“PEP” means politically exposed person, as defined in regulation 14(5) of the MLRs;
“POCA” means the Proceeds of Crime Act 2002;
“the RDC” means the Regulatory Decisions Committee of the Authority (see further
under Procedural Matters below);
“Relevant Period” means the period between 30 September 2014 and 31 October
2016;
“RMP” means Risk Mitigation Programme, which, in this matter, the Authority
required ADMISI to complete as a result of the findings the Authority made in its
2014 Assessment;
“SYSC” means the Senior Management Arrangement, Systems and Controls part
of the Handbook;
“the Tribunal” means the Upper Tribunal (Tax and Chancery Chamber);
“UBO” means ultimate beneficial owner, as defined in Regulation 6 of the MLRs;
and
“Warning Notice” means the Warning Notice issued to ADMISI on 7 March 2023.
4.
FACTS AND MATTERS
Overview of AML legal and regulatory obligations
4.1.
The UK is a major global financial hub which attracts investment activity from
across the world. This status can, however, attract criminals and terrorist
organisations seeking to hide the proceeds of crime among the huge volumes of
legitimate business conducted here. Criminals rely upon access to the legitimate
financial services sector to allow them to realise the value of property acquired
through the commission of crimes and to make it appear to have come from a
legitimate source. Preventing the use of the legitimate financial system to launder
the proceeds of crime in this way is a national and international priority. As a result,
the Authority requires all authorised firms to take appropriate steps to prevent
them from being used to facilitate money laundering.
4.2.
The Authority has published guidance on countering the risk of financial crime,
including money laundering, since 2011. That guidance makes clear the measures
firms should adopt to limit financial crime in addition to offering practical examples
of good and poor working practices. The importance of firms’ systems and controls
in preventing financial crime has featured as one of the Authority’s priorities in its
Business Plans throughout the Relevant Period.
4.3.
Many firms also have specific obligations under the MLRs, the Terrorism Act 2000,
and POCA. Since 1990, the JMLSG has published detailed written guidance on AML
controls with the aim of fostering good practice in countering money laundering
and giving practical assistance in interpreting the MLRs and the regulatory
requirements in the Handbook.
4.4.
Both the Authority’s rules and the MLRs require firms to adopt a risk-based
approach to the management of ML risk. This means that firms must identify and
understand the ML risks their business faces and design systems which mitigate
these risks and prioritise and allocate resources to those areas where the risks are
most acute. Firms must periodically review their systems and controls to take
proper account of emerging risks to the business and to ensure that they are
appropriate.
4.5.
When taking on a client, firms must conduct CDD to verify the client’s identity and
ensure that they understand the nature and purpose of the anticipated business
relationship. Firms must assess the potential ML risks presented by each client in
light of this information. Relevant factors may include the corporate structure of a
client, the identity of its UBO, or the fact that a client is a PEP. Where firms assess
clients as presenting a higher risk of money laundering, they are required to
conduct EDD which may involve ascertaining the source of a client’s funds or
wealth.
4.6.
Thereafter, firms must monitor the client’s activities to ensure that they are
consistent with their knowledge of the client. The frequency and intensity of the
monitoring should be driven by the firm’s assessment of the risks presented by the
client. Firms must periodically review their relationship with a client to make sure
that the ML risk the client presents has not changed.
ADMISI
4.7.
ADMISI is a “full service investment multi-asset brokerage company” based in
London which facilitates over 180 million derivatives contracts a year. Its market
coverage includes, but is not limited to, contracts relating to grains, energy, foreign
exchange, cocoa, and base metals. ADMISI’s clients include trade customers, asset
managers, institutional clients, and high net worth individuals. ADMISI has been
authorised and regulated by the Authority since 2001. In May 2016, ADMISI had
1,238 open corporate accounts and 1,034 open individual accounts.
4.8.
During the Relevant Period, the nature of ADMISI’s business and client base
presented potentially high levels of ML risk because, among other reasons:
(1)
It acted as an investment brokerage, and therefore an intermediary, which
made it vulnerable to use as a vehicle for money laundering.
(2)
It had clients from over 70 different jurisdictions, some of whom were
resident, domiciled, or incorporated in jurisdictions that FATF identified as
having strategic weaknesses in their AML and CFT measures. ADMISI
maintained a “Jurisdiction Red List” which it compiled using information from
the FATF, among other sources. The text within the list said that ADMISI
“…should not be soliciting client[s]” from the countries contained within the
list. The Authority, during its 2016 Visit, found 37 open accounts relating to
clients who were resident, incorporated, or domiciled in countries on the list.
(3)
As of May 2016, ADMISI had 41 clients categorised as PEPs.
(4)
A significant proportion of its business derived from transactions involving
high-risk clients. As a percentage, 32% of its gross profit was generated by
high-risk clients during the Relevant Period.
(5)
A small number of its clients were principally concerned with extractive
industries and the economy that flows from those industries, notably the oil
business.
4.9.
In February and March of 2014, the Authority carried out the 2014 Assessment. It
focussed on clients within ADMISI’s CFD business and included a review of its AML
systems and controls in relation to client on-boarding and compliance monitoring.
4.10. The Authority provided detailed written comments to ADMISI on 16 April 2014. The
comments identified areas of its AML systems and controls that required
improvement. The Authority noted the absence of formal risk management
processes as a key issue and was particularly concerned that the Firm’s “risk
management framework and three-lines of defence model appears to be
ineffective.” In particular, the Authority found that:
(1)
ADMISI did not have a formal client risk classification process to determine
the intensity of AML checks that should be undertaken on prospective
clients, nor did the risk rating drive the frequency of ongoing KYC reviews.
(2)
ADMISI onboarded clients from a country on the AML country list, despite it
being a “blacklisted” country.
(3)
Records contained inadequate information about how ADMISI made
onboarding decisions.
4.11. The Authority stated that “ADMISI must adopt a formal and more thorough process
in order to identify the AML risk of a client.” As a result of the findings of the 2014
Assessment, the Authority required ADMISI to undertake the RMP which included
the requirement to implement a formalised AML client risk-rating process. This
required ADMISI to implement a process which:
(1)
classified clients according to risk;
(2)
by classification, determined the intensity of the CDD measures applied
when onboarding clients, as well as the intensity and frequency of on-going
monitoring of existing clients; and
(3)
included the application of a fully maintained country risk list, which scored
countries based on relevant metrics.
4.12. The Authority found that ADMISI’s client onboarding procedures were only
“generally stated, and more detailed procedures are not recorded, such as when
enhanced due diligence should be required for new clients.” The Authority
observed, in accordance with the MLRs, that where “higher risk clients are
identified, additional checks should be conducted, including, for example,
ascertaining the client’s source of funds.” It said that ADMISI should document this
process at all stages to reflect the rationale taken in the onboarding process.
4.13. The RMP also required ADMISI to implement a compliance monitoring programme,
across the business, including those relating to AML. The 2014 Assessment noted
that the absence of a compliance monitoring programme meant that ADMISI was
“unable to effectively plan the monitoring of the business’s systems and controls.”
4.14. Lastly, also as part of the RMP, ADMISI was required to implement a risk
management framework, of which AML systems and controls were components.
This work required multiple steps, culminating in an attestation from ADMISI that
a risk management framework was “formalised, effective and allowing the Board
to manage risk within the business.”
4.15. On 30 September 2014, ADMISI wrote to the Authority identifying the measures it
had taken to address the issues raised regarding its client risk assessments.
ADMISI explained that it:
(1)
had established and implemented a risk matrix to rate prospective clients
either “low”, “medium” or “high”;
(2)
was maintaining a “Country Risk List” and that it incorporated that
information into the risk categorisation process; and
(3)
was identifying prospective clients as PEPs or subject to the sanctions regime
in a separate register in its Compliance Monitoring System.
4.16. Having taken those measures, ADMISI attested that the remedial work it had
undertaken properly addressed the issues the Authority raised.
4.17. ADMISI provided its revised risk management framework to the Authority in March
2015.
4.18. In February 2014, ADMISI received a report from its internal auditors, setting out
the findings of an assessment of its regulatory compliance systems and controls
that were in place at that time.
4.19. The report stated that, “there is no evidence that critical compliance program
policies and procedures have been reviewed and updated in a formal manner for
approval by management and/or the Board of Directors since 2008.” In response,
a senior compliance employee accepted that a more “formal” approach needed to
be evidenced and, to that end, ADMISI had engaged an external compliance
consultancy to undertake a thorough review of the Firm’s policies and procedures.
4.20. The Authority’s written feedback, coupled with the RMP which required AML
systems and controls improvements, and ADMISI’s internal audit report of February
2014, should have alerted ADMISI to the need to ensure that its AML systems and
controls were robust and compliant with the UK’s legal and regulatory
requirements.
Deficiencies in ADMISI’s AML systems and controls
4.21. During the Relevant Period, ADMISI failed to maintain adequate systems and
controls to manage the risk of money laundering and financial crime. These failings
occurred within the following areas:
(1)
Firm-wide financial crime risk assessments.
(2)
AML policies and procedures.
(3)
Client AML risk assessments.
(4)
PEPs.
(5)
On-going monitoring.
(6)
Higher risk client files.
(7)
MLRO reports.
(8)
AML training.
(9)
Internal Audit.
4.22. These failings are outlined in more detail below.
Firm-wide financial crime risk assessment
4.23. The assessment of the financial crime and ML risk faced by a firm is essential to
developing effective AML policies and procedures. The Authority issued guidance
for firms on this subject, in April 2013 and again in April 2015, and made clear that
a “thorough understanding of its financial crime risks is key if a firm is to apply
proportionate and effective systems and controls”.
4.24. The guidance also stated, “A firm should identify and assess the financial crime
risks to which it is exposed…” and “Firms can then target their financial crime
resources on the areas of greatest risk.”
4.25. By the time of the 2016 Visit, ADMISI had not conducted a firm-wide financial crime
risk assessment. By not conducting this risk assessment, ADMISI had missed a
critical step in properly implementing a robust framework of AML systems, because
it had failed to identify the risks it faced and, therefore, the measures it
implemented could not be aligned to the specific risks it faced, nor take account of
the higher risk ML factors the Firm had to mitigate.
4.26. The risk management framework which ADMISI adopted following the completion
of the RMP in March 2015 did not compensate, nor substitute, for the absence of a
firm-wide financial crime risk assessment. The document had a very short section
on financial crime and anti-money laundering; the chapter opened with the
sentence: “This is articulated in the Compliance Manual” and contained some
inaccurate reassurances, including that risks were mitigated by “policies and
procedures updated to incorporate lessons learned.”
4.27. It was not until July 2016 that ADMISI completed a firm-wide financial crime risk
assessment. This was in response to the Authority’s feedback letter, following the
2016 Visit, in which ADMISI was required to take “immediate action” to improve its
controls, including the completion of a firm-wide financial crime risk assessment.
AML policies and procedures
4.28. At different points during the Relevant Period, there were a number of policies and
procedures relevant to the Firm’s AML systems and controls, including:
(1) The ADMISI AML Policy.
(2) Chapter 11 of the Compliance Manual.
(3) Account Opening Policies and Procedures.
(4) CDD, EDD, and PEP Policies.
ADMISI’s AML Policies
4.29. Firms are required to maintain written documents which set out their policies and
procedures on ML and terrorist financing risk. During the Relevant Period, ADMISI
had an overall policy document entitled “ADM Investor Services International
Limited Anti-Money Laundering Policy.” Although the firm produced revised AML
policies in 2012 and 2013, they were identical to the 2003 policy despite changes
to AML legislation.
4.30. A number of the deficiencies in the policy are attributable to the fact it had not been
updated, by the time it was replaced in April 2016, for over a decade. The policy
was inadequate because:
(1) It failed properly to ascribe the AML responsibilities between the MLRO,
compliance staff and front-line staff, as well as to identify the person with
overall responsibility for AML systems and controls, despite the policy
requirement to do this: “The Company is required to establish clear
responsibilities and accountabilities to ensure that policies, procedures and
controls are introduced and maintained which deter criminals from using
their facilities for money laundering.”
(2) It contained references to out-of-date legislation. For example, in the
“Requirements of the Regulations” section it referred to the Money
Laundering Regulations 1993 and the Money Laundering Regulations 2001.
Those regulations were replaced in March 2004 by the Money Laundering
Regulations 2003, which were themselves replaced in December 2007 by
the MLRs. This meant the policy referred to regulations which were around
12 years out-of-date and had since been replaced twice. This was important.
The MLRs implemented significant changes, introducing a legal requirement
to undertake a risk-based approach to the intensity of CDD measures and
introduced the concepts of EDD and PEPs.
(3) It referred to “Know Your Client” under the heading “Identification
Procedures”, but did not refer to a client AML risk assessment or require a
risk-based approach, including requiring that the intensity and frequency of
CDD measures should vary depending on the client’s ML risk. Nor did the
policy refer to a requirement to obtain information on the purpose and
nature of the business relationship to enable ADMISI to assess, as part of
its on-going monitoring, whether the transactions and activities carried on
for a client were consistent with its expectations.
(4) It failed to refer to EDD or PEPs, either in name or substance. The only
reference to source of funds came under assessing potentially suspicious
transactions. There was no reference to source of wealth.
(5) It referred to matters which might generate money laundering suspicion,
including mention of a client’s corporate structure and the type of trading to
be undertaken, but the policy failed to highlight other obvious ML risks, for
example the risk presented by clients from certain jurisdictions. Passing
references to this issue were only made in the context of the annual MLRO
report and third-party payments.
(6) The only mention it made of countering terrorist financing was in the context
of the narrative explanation for the offence of “Failure to report”.
(7) It failed to refer to on-going monitoring, and the requirement to conduct
enhanced on-going monitoring in certain circumstances. There was no
reference to the relationship between the assessment of a client’s ML risk
and the intensity and frequency of on-going monitoring.
(8) It referred to the “Money Laundering Sourcebook” which ceased to exist in
2006.
(9) It set out the offences of “Assistance”, “Tipping Off” and “Failure to report”
but, inaccurately, suggested that these offences were set out in the Money
Laundering Regulations 1993 instead of POCA, legislation which came into
force in February 2003.
(10) It failed to state that, where ADMISI was unable to apply CDD in accordance
with the MLRs, it was required to cease its business relationship with the
customer.
ADMISI’s AML Policy 2016
4.31. In April 2016, ADMISI introduced a new policy, combining two existing documents:
a chapter from ADMISI’s Compliance Manual and the AML policy, with some minor
amendments from the 2013 version. The amendments to the AML policy were minor
and the deficiencies identified above were not remedied.
4.32. A number of the deficiencies in ADMISI’s AML policy during the Relevant Period
were obvious and should have been identified by ADMISI because:
(1) The policy, which had not been substantively updated in over a decade, was
not up to date. For example, it referred to the Money Laundering
Regulations 1993 even though those regulations were no longer in effect.
(2) It should have understood that the Money Laundering Regulations 1993 had
been superseded by the MLRs. The absence of reference to the MLRs was
an obvious indicator that at least some aspects of the policy were out of
date.
(3) Prior to October 2016, there was no policy that provided for how ADMISI
should manage its relationships with PEPs. The 2013 AML policy and 2016
AML policy were silent on the issue. Chapter 11 of the Compliance Manual,
which covered AML systems, also had no reference to PEPs. Consequently,
there was no formalised instruction, or guidance, for staff to understand the
risks presented or the connection between a PEP and the requirement to
undertake EDD. Equally, there was no formalised instruction or guidance to
enable staff to understand the necessity to increase the frequency of the
periodic reviews of a client who was a PEP.
ADMISI’s Compliance Manual
(4) ADMISI maintained a Compliance Manual which was intended to cover all
compliance related subjects, effectively an “A to Z” and was not purely a
manual relating to AML. The manual was divided into different chapters
according to the subject matter and Chapter 11 concerned AML. The manual
was “aimed” at the front office staff.
(5) During the Relevant Period, there were three versions of Chapter 11 of the
Compliance Manual: August 2013, February 2015, and December 2015. In
April 2016, what was previously Chapter 11 was merged into the AML Policy.
Between August 2013 and December 2015 there were only minor
amendments to Chapter 11, a change to the approval process for waivers
for “deviations from the Company’s Account Opening Procedures” and a
change as to whom employees should approach in the event of a query.
(6) Chapter 11 of the Compliance Manual was deficient. It shared a number of
the shortcomings of the AML policies. Chapter 11:
(a) made no reference to PEPs or countering the financing of terrorism;
(b) made no reference to EDD; and
(c) incorrectly suggested that the MLRs made it an offence to assist
money launderers, to “tip off” or to “fail to report”.
(7) ADMISI ceased using the hardcopy version of the Compliance Manual in
favour of a firm intranet version that separated the content into separate
policies. This addressed the MLRO’s concerns that staff members would be
reluctant to use what he described as an “unmanageable” tome.
ADMISI’s Account Opening Procedures
4.33. During the Relevant Period, three versions of ADMISI’s Account Opening Procedures
were in force. The first was dated at the latest from March 2014. It was replaced
in January 2015, and then again in March 2016. The procedures were broken down
into different account types. The AML policy emphasised the importance of the
Account Opening Procedures and, under the heading of “Identification Procedures”,
stated that, “The Company’s comprehensive Account Opening Procedures provide
detailed and specific guidance in this regard.”
4.34. Chapter 11 of the Compliance Manual stated: “For your own protection, it is vitally
important that the Account Opening Procedure is adhered in its entirety to at all
times.”
4.35. The procedures provided detailed guidance on identifying individual and corporate
clients. However:
(1) The 2014 procedure made no reference to assessing the ML risk of a client.
This was consistent with the absence of a formal AML client risk assessment
process generally at ADMISI at that time.
(2) None of the Account Opening Procedures referred to or made provision for
aligning the level of due diligence to the level of ML risk a client posed.
Although the January 2015 procedures and the later version referred to
completing an AML Risk Matrix Score Sheet and a senior staff member
categorising the client, the remainder of the procedures remained largely
the same as the 2014 version, and the 2015 version did not explain what a
“high risk” rating or categorisation meant. There was no reference to the
need to conduct EDD.
(3) The Account Opening Procedures made no reference to the circumstances
in which it would be appropriate to ascertain a client’s source of funds or
source of wealth. The procedures instructed front office staff to complete a
KYC form, but this was the only mention of the KYC form and there was no
instruction on how to interpret or act on the information provided within the
KYC form. The KYC form had a box for information about the “source/origin
of the funds the client will use”. However, the Account Opening Procedures
made no reference to those concepts in name or substance.
(4) Further, under the “Source of Funds” box, the KYC form for individuals
(a) “IF A CLIENT ELECTS NOT TO SUPPLY FINANCIAL INFORMATION WE
CANNOT BE HELD RESPONSIBLE FOR ERRORS IN CLASSIFICATION OR
SUITABILITY. YOU ARE DUTY BOUND TO ENSURE THE CLIENT IS
MADE AWARE OF THESE FACTS.”
(5) Contrary to regulation 11 of the MLRs, this warning did not make it clear
that where ADMISI was unable to apply CDD measures (e.g. where a higher
risk client refused to provide details of its source of funds), it was required
not to enter into a business relationship. Nor did the Account Opening
Procedures make this clear.
(6) The only reference to PEPs was that if, as a result of an AML risk assessment
and a World-Check, a client was identified as a PEP, the head of the team
should be consulted for advice. The procedures did not provide any
guidance on what further steps should be taken, including the mandatory
requirements of the MLRs.
(7) There was an inconsistency between the corporate cash procedure and the
individual cash procedure until January 2015. The individual procedure
required checking the jurisdiction of the individual against ADMISI’s
“Jurisdiction Issues list to ensure we are OK to proceed”, whereas the
corporate cash procedure did not.
4.36. Prior to the 2016 Visit, ADMISI failed to conduct reviews to ensure that its AML
policies had been updated to comply with regulatory changes.
4.37. ADMISI’s internal auditors warned it, both before and during the Relevant Period,
that it was not updating its policies. In 2010 and 2012, the auditors observed that
there was not a formal periodic review and approval process “to provide evidence
of management’s ongoing assessment of policies and procedures in light of
significant regulatory...changes.” In February 2014, the auditors observed that
“critical compliance program policies and procedures” had not been updated in a
formal manner since 2008. The Firm replied that it had engaged external
compliance consultants to undertake a “thorough review” of the policies and
procedures by the end of June 2014. This did not occur.
4.38. In March 2015, the auditors wrote that “compliance policies are not updated and
approved annually to ensure accuracy and consistency with current laws and
regulations” and that the AML policy referred to the Money Laundering Regulations
1993 rather than the Money Laundering Regulations 2007. The same internal audit
report noted that the 2014 audit had previously identified this failure. Responding
to the auditor’s findings in the comments section, a compliance employee agreed
that, “a more formal policy review process needs to be in place.”
4.39. In April 2016, the AML policy was updated, the first time a new version of the
document had been created since 2013. In any event, the 2016 AML policy was
substantively identical to the policy document that preceded it, which, in turn, was
virtually identical to the 2003 document (as explained above). In practice, the AML
policy had not substantively changed in approximately thirteen years.
Restructure of policies and procedures
4.40. ADMISI’s AML policies were subject to a thorough review following the 2016 Visit.
A number of new standalone policies and written procedures were introduced which
had not existed prior to the visit, namely:
(1) ADMISI “Enhanced Due Diligence (EDD) Procedures for High Risk clients
including Politically Exposed Persons (PEPS)”, dated October 2016.
(2) ADMISI “Customer Due Diligence (CDD) Procedures”, dated October 2016.
(3) ADMISI “Enhanced Due Diligence (EDD) Policy”, dated October 2016.
(4) ADMISI “Politically Exposed Person (PEP) Case Alert Procedure”, dated
October 2016.
4.41. ADMISI commissioned an external compliance consultancy to assist it in the
extensive re-drafting of the AML policies and procedures. These re-drafted policies
and procedures, which were put in place after the 2016 Visit, were adequate.
Client AML risk assessment
4.42. Prior to the 2014 Assessment, ADMISI did not have a documented risk assessment
process to determine the money laundering risks presented by each client.
4.43. Following the Authority’s 2014 feedback letter, ADMISI implemented a client AML
risk assessment matrix. ADMISI attested to the Authority that, following the
changes to its onboarding process (which included the implementation of the client
AML risk assessment matrix), it considered its new procedure to be “adequate and
appropriate to meet the Company’s legal and regulatory responsibilities in relation
to anti-money laundering.”
4.44. The AML risk assessment consisted of a score form to be completed for each
corporate and individual client, and an “AML Risk Assessment Matrix”, a guidance
document which explained how to complete the score form. The document
identified three “risk types” scored 1 to 3 corresponding to the level of risk with a
potential total score of 9. High risk clients were deemed to be those who scored
between 7 and 9.
4.45. The AML Risk Assessment Matrix that ADMISI adopted in 2014 did not produce a
rounded assessment of the financial crime risks associated with a client. More
specifically, the matrix was deficient because:
(1) It referred to the assessment of jurisdictional risk, but did not identify which
jurisdictions were relevant, i.e. the country of incorporation, residence,
and/or domicile.
(2) It made no mention of product risk, activity risk, or corporate structure.
While it did refer to “adverse/speculative information”, this was not one of
the three criteria that was scored.
(3) It allowed clients who were identified as PEPs at the time the risk assessment
was conducted to be rated “medium risk” if they scored lower on other
financial crime risk factors and thereby bypass EDD. EDD of PEPs, however,
was a requirement under regulation 14(4) of the MLRs.
4.46. The absence of a client AML risk assessment matrix meant that clients onboarded
before the date the firm started using it (1 November 2014) were never subject to
any formal risk assessment process during the Relevant Period. ADMISI did not
retrospectively apply the AML client risk assessment matrix to clients onboarded
before 2014, and ADMISI did not take into account the AML risks presented by
those clients at least until 30 June 2016.
4.47. Following the 2016 Visit, the Authority wrote to ADMISI and required it to complete
a revised customer risk assessment that would allow ADMISI to take account of the
“full picture of financial crime risks associated with a customer”. ADMISI was also
required to apply the revised customer risk assessment to the entire customer
base.
4.48. A revised client AML risk assessment matrix and guidance notes were constructed
by ADMISI in July 2016, and further revised in August 2016, called the “Anti-Money
Laundering (AML) and Counter Terrorism Financing (CTF) Risk Assessment Matrix,
Internal Procedures and Guidance Notes”.
4.49. During the onboarding process, firms must identify clients who are PEPs. By the
very nature of the prominent public functions they hold, PEPs occupy positions that
can, according to FATF, “be abused for the purpose of committing money laundering
(ML) offences and related predicate offences, including corruption and bribery, as
well as conducting activity related to terrorist financing (TF).”
4.50. Consequently, EDD must be applied to all clients identified as PEPs to address the
heightened risk that these clients present.
4.51. ADMISI did require account opening staff to complete a check to determine if a
prospective client was a PEP. If a positive match occurred, rather than setting out
a specific formal process, the procedure required staff to refer to management for
further advice and sign-off.
4.52. Once a client who was a PEP was onboarded, ADMISI maintained no accurate record
of the PEPs with whom it had an open business relationship. While the CMS kept a
record of PEPs, it was not kept up to date.
4.53. In March 2016, it was noted by a senior member of the compliance team that
ADMISI did not have an EDD process in place for PEPs but, despite this, no new
policy or procedure was implemented until after the 2016 Visit.
4.54. In October 2016, ADMISI introduced a new policy and procedure that applied to
Client file review – Enhanced Due Diligence
4.55. Where firms identify a client who presents a higher level of money laundering risk,
they are obliged by the MLRs to conduct EDD. Depending on the level of risk, this
may include obtaining evidence of the source of a client’s wealth or of the funds
used to conduct a transaction. Obtaining this information about PEPs is a
requirement. Firms must document the nature of any checks conducted and retain
any evidence obtained to ensure that they can demonstrate that their decisions
were appropriate.
4.56. During the 2016 Visit, the Authority reviewed a sample of 14 client files and
concluded that there were significant shortcomings in the EDD applied to those
files. In particular, the Authority found:
(1) No evidence of source of wealth or source of funds on a PEP file.
(2) Limited EDD on a high-risk file.
(3) No evidence that adverse media checks had been conducted.
(4) The UBO of a corporate account was a PEP, but ADMISI had not identified
this fact.
On-going monitoring of CDD/EDD
4.57. To ensure that the ML risks associated with clients are kept up-to-date, the MLRs
require firms to conduct regular reviews of their clients. Regular reviews help firms
to ensure that the information they collect as part of the CDD and EDD process
remains accurate and that the operation of the client’s account is consistent with
the business activity expected. The frequency and focus of such reviews should be
determined by the perceived risk posed by each client, with a greater level of
on-going monitoring required for higher-risk customers, products, and services.
4.58. ADMISI used a system called CMS to help it monitor its client relationships. CMS
did this in two principal ways. First, it generated alerts on an account if a
transaction appeared suspicious. The information underlying the alerts could then
be checked to make sure it was consistent with expected activity on the account.
Second, CMS would generate an open review case when the client’s CDD was due
for review. CMS was programmed to deliver this functionality using a series of rules.
4.59. The open review cases generated by CMS were not dealt with promptly and this
resulted in an “enormous backlog.” By March 2016, an internal audit report said
that there were 3,500 open KYC review cases on CMS. This number included 300
cases which were still open from 2013 and had not been reviewed, and 1,300 from
2014. This issue had previously been identified in the audit findings reported in
2014 and 2015.
4.60. The poor quality of client information held on CMS compounded the problem. At
the time of the March 2016 internal audit, ADMISI had 3,500 open KYC cases. Of
the 3,500 open KYC review cases, ADMISI closed 1,400 on the basis that they
related to closed client accounts, administrative type accounts and sub-accounts
without undertaking a retrospective review of those files.
4.61. Following the report of the internal auditors in March 2016, ADMISI responded by
adopting a new procedure to deal with the backlog in periodic reviews. Periodic
reviews of clients’ KYC information became a daily activity as of March 2016.
4.62. The failure to implement effective AML systems and controls meant that ADMISI
failed to conduct appropriate on-going monitoring of its clients. This was clearly in
evidence as the Authority discovered when it reviewed customer files as part of its
2016 Visit.
4.63. ADMISI maintained a “Jurisdiction red list” that identified countries where it should
not “be soliciting clients”. On one file for a client who resided in a country on
ADMISI’s “Jurisdiction red list”, there was no evidence of any review having been
conducted since the file had been opened 12 years before.
4.64. On another client file, there was no evidence that the file had been subject to any
on-going monitoring since the file had been opened 15 years before.
4.65. A senior compliance employee accepted that while some reviews were taking place,
they were not sufficient.
PEP file
4.66. In May 2016, ADMISI provided the Authority with its PEP register. An individual
client, on-boarded in 2010, was included in the list and classified as a PEP.
4.67. The Authority reviewed the client’s file and found that the 2014 AML client risk
assessment matrix had not been retrospectively applied to the client. A risk
assessment document and a KYC form were completed, but after the 2016 Visit.
4.68. At the point of onboarding, ADMISI had obtained appropriate due diligence
documents: a certified copy of the client’s passport; a bank statement; and a
telephone bill. However, the Authority found that this CDD was not refreshed and
the passport expired in 2013. There was no evidence of a periodic review of the
client’s CDD information despite evidence that CMS had generated alerts on the
client’s account. CMS recorded a last review date of 17 September 2014 but, if
there was a review on that date, it was plainly inadequate because it failed to note
the client was a PEP and required EDD. In addition, the expiry date of the client’s
passport was neither identified nor remediated. ADMISI did obtain an updated
passport, but this did not occur until after the 2016 Visit.
4.69. In respect of EDD, the Authority found that the client file contained no evidence of
the source of the client’s funds, or wealth, at the point the client was onboarded, a
legal requirement under the MLRs.
4.70. A “Know Your Client Form – Individual” had been completed and was present on
the file when inspected. The form contained a box entitled “Source of Funds” and
had been populated, but it contained only one word “earnings.” No further
information was given or documented on the file regarding the client’s source of
funds, their wealth or how they proposed to fund the account. There was no
evidence at all regarding the legitimacy of the client’s funds.
4.71. The funds proposed to be invested, and that were invested when the account was
opened, were significant (€300,000).
4.72. Following the 2016 Visit, the Authority required ADMISI to provide evidence of the
source of wealth and source of funds for this client within one calendar month of
the requirement.
4.73. ADMISI held a telephone call with the client in August 2016 and, following that,
told the Authority that the source of wealth for the client derived from earnings
over a number of years. The Authority responded that the feedback letter requested
evidence of the source of funds and wealth for the client and asked ADMISI to obtain
it.
4.74. ADMISI agreed to obtain further evidence to adduce the client’s source of wealth.
It also confirmed that additional due diligence had been carried out on the client’s
employment.
4.75. Following this, a senior compliance employee emailed a contractor asking for advice
on the “optimal way” to evidence source of wealth for this client.
4.76. ADMISI subsequently issued an instruction to close the account, allowing the
unwinding of positions only. This was because the client had failed to provide
ADMISI with the evidence that it had requested. ADMISI ultimately obtained
evidence for the source of income for the client in 2014 and 2015 and provided this
to the Authority.
High-risk corporate client file
4.77. The Authority also identified significant EDD failings in relation to another high-risk
client file it reviewed. In March 2015, ADMISI onboarded a corporate client that
had a number of high-risk factors obvious from the file:
(1) The corporate structure was opaque and complex. The company was
registered in the British Virgin Islands, used another company, also
registered in the British Virgin Islands, as its corporate director and its
shares were divided between two companies. The companies, in turn, had
two Russian UBOs, resident in Russia, each of whom owned one of the
companies.
(2) The company had a “yahoo” email address.
(3) There was an unexplained inconsistency between the Customer Information
Disclosure Form completed on behalf of the client which stated the
company’s principal business was “investment risk management”, whereas
the KYC Form completed by the trader said it was a “UBO trading vehicle”,
and that the principal business of the customer was “oil trading.”
(4) The company used a British Virgin Islands PO Box as its registered address.
(5) The company used a bank account based in Switzerland.
(6) A reference was provided for the entity which claimed to know of the client
since 2012, which was impossible because it was only incorporated in 2014.
If this reference was intended to relate to a person connected to the entity,
this was not made clear.
(7) According to the Customer Information Disclosure Form, the share capital
of the company was $50,000. The net assets of the company were
$150,000, yet the initial monies used to trade through ADMISI were
$3,000,000.
4.78. ADMISI had appropriately classified the client as high-risk, but the client was still
seen as fit to be reviewed periodically two years after the account was opened.
4.79. Although EDD is a legal requirement for clients identified as high-risk, no EDD was
completed. Moreover, the file contained no evidence regarding the source of the
company’s funds, how the company made its money, or how it would fund the three
million US dollar opening balance to the account. The KYC form, under “Source of
Funds” stated simply “UBO”. It did not specify which of the two UBOs was the
source of the funds or where they came from.
4.80. ADMISI failed properly to document the rationale to onboard this client and why
this was commensurate with its risk appetite.
4.81. On 24 May 2016, the day before the 2016 Visit, a senior compliance employee sent
an internal email advising that this client was viewed, at that time, as “very high
risk”, and that the client should not be allowed to trade any new products. This did
not, however, prompt ADMISI to conduct a periodic review of the client.
4.82. In September 2016, ADMISI was sent material by a law firm based in Russia in
relation to the client. The material included information that, a week before it was
sent, the ownership of the client had changed to a single UBO. Also included was a
letter relating to source of funds, which stated that “source of wealth… as well as
the source of funds…has the form of loans from its UBO”. That answer was clearly
inadequate because, until a week earlier, there had been two UBOs and the
information provided failed to specify which one of the UBOs remained involved in
the company.
4.83. On 7 November 2016, an ADMISI employee sent an internal email advising that
this client file had been “fully remediated” and that a decision had been taken that
the account should be closed. ADMISI also closed a linked corporate account, under
the same beneficial ownership, because it “no longer fits the risk profile of ADMISI”.
Management Information – MLRO reports
4.84. The Authority expects senior management to take responsibility for managing
financial crime risks and to be actively engaged in a firm’s approach to addressing
the risks identified. Senior management should therefore rely on accurate
information, sufficient to enable them to meet their AML obligations. The Authority’s
rules and guidance require a firm to provide to its governing body and senior
management, a “report at least annually by that firm’s money laundering reporting
officer on the operation and effectiveness” of the firm’s systems and controls.
4.85. During the Relevant Period, ADMISI’s senior management was provided with an
annual MLRO report. However, the content of the MLRO reports was unsuitable
because it did not give ADMISI the information it needed to assess the adequacy
of its systems and controls and thereby to enable it to identify, monitor and manage
its financial crime risks.
4.86. The AML policy, during the Relevant Period, said that the MLRO reports “must”:
(1) assess whether the Firm had complied with the Regulations;
(2) address changes made or recommended in respect of new legislation, rules,
or industry guidance; and
(3) address any serious compliance deficiencies that had been identified in the
Firm’s policies and procedures.
2014 MLRO report
4.87. The 2014 MLRO report covered the calendar year 1 January to 31 December 2014.
The 2014 MLRO report was inadequate because:
(1) It contained no comments on the 2014 Assessment.
(2) It did not include references to the issues that the Authority had identified;
that the RMP had been issued to the Firm; the remediation exercise
undertaken; or about the Firm’s attestation to the Authority that the
remediated client AML risk assessment was now compliant.
(3) It contained no substantive reference to, or assessment of systems and
controls, including those in place for PEPs. The only reference to PEPs was
implicit, that the “implementation of WorldCheck continues to improve the
effectiveness of the Company’s Anti Money Laundering Procedures”. The
report did not identify the fact that there was no mention of PEPs within the
AML policy, nor the Compliance Manual, and that there was no written
procedure for EDD to be completed on PEPs or high-risk clients.
(4) The only reference to the policies and procedures was in the context of
“third party payments”, where policies and procedures were referred to as
“robust”. The report did not identify the weaknesses in the policies and
procedures. This was despite the criticisms in the 2014 internal audit report
that there was no evidence that critical compliance policies had been
formally reviewed and updated since 2008.
(5) There was only one sentence addressing the issue of AML training and it
failed to document, specifically, what the training entailed.
(6) It incorrectly referred to SYSC 3.2.6G(2) which applies to insurers,
managing agents and the Society of Lloyd's instead of SYSC 6.3.7G(2).
The 2015 MLRO report
4.88. Some of the passages within the 2015 MLRO report were so similar to the 2014
MLRO report that it suggests that they were simply copied from one report to the
other. In particular:
(1)
The wording relating to policies and procedures, in the context of “third party
payments” is identical in both the 2014 and 2015 MLRO reports.
(2)
The wording of the section relating to the CMS is almost exactly the same
in the 2014 and 2015 MLRO reports. Moreover, there is a direct similarity
between the CMS section not just between the 2014 and 2015 MLRO reports
but dating back to every MLRO report from 2012 to 2015.
(3)
The erroneous reference to the Authority’s rules relating to SYSC 3.2.6G,
was identical in the introductory section of the 2014 and 2015 MLRO reports.
4.89. In failing to substantively assess its AML controls and failing to note compliance
deficiencies, ADMISI’s MLRO reports of 2014 and 2015 did not satisfy ADMISI’s own
AML policy. The reports failed to provide ADMISI’s board and senior management
with any indication of the shortcomings in the Firm’s AML controls.
4.90. In 2016, ADMISI’s MLRO report was an improvement, but this report was prepared
after the Authority’s 2016 Visit and, notably, after the Authority had provided
comments on the quality of the 2015 MLRO reports.
AML training
4.91. For an AML control framework to be effective firms must adequately train their staff
so that they are suitably skilled, able to recognise ML and terrorist financing risks
and understand their legal duties. Equally, staff need to be properly trained so that
they can implement the AML control framework designed to mitigate the risks
presented. Not all staff will have the same training requirements. For instance,
those in the front office of a firm will have different training requirements to those
in Compliance. Firms were obliged under the MLRs and advised under the
Authority’s guidance to deliver training on ML and terrorist financing. To assist
firms, the Authority has issued financial crime guidance on AML training. The
guidance asks firms to consider if their AML training is suitably tailored to particular
roles. It also asks firms to consider how they assess the effectiveness of the training
delivered.
4.92. ADMISI provided records demonstrating that some AML training had been delivered
during the Relevant Period. The MLRO attended AML training in 2014 and 2015.
However, ADMISI did not provide any record of AML training being delivered more
broadly to staff in 2014. The 2014 MLRO report did say that all staff had been
trained on AML, but the Authority has been unable to verify the effectiveness of the
training delivered, as there was no record provided of the training materials nor
any record of the assessments of those who took part. The Authority was also
unable, without the underlying training materials, to establish if the training was
tailored to particular roles.
4.93. In July 2015, training was delivered to all staff titled “Anti Money Laundering
(Overview) Training”. ADMISI, in response to a request by the Authority, provided
a register of staff who had completed the course. The register was extensive and
encompassed a large number of staff, from senior management to front office staff.
The MLRO report for 2015 remarked that “…all staff attended/participated in an in-
house training course which includes AML training”. ADMISI did not provide the
Authority with a record of the training package that was delivered, so in keeping
with the records provided for 2014, it was not possible for the Authority to assess
if the training was tailored to particular roles and whether it included appropriate
content.
4.94. In June 2016, following the 2016 Visit, ADMISI delivered further AML training
entitled “Anti-Money Laundering: An Introduction to Money Laundering”. This
training package was of an adequate standard taking into account the need to
ensure that the relevant staff were able to recognise and deal with transactions and
other activities that may be related to ML or terrorist financing.
4.95. The 2016 MLRO report contained significantly greater comment on AML training
than either the 2015 or 2014 MLRO reports. It was acknowledged in the 2016 MLRO
report that adequately training ADMISI’s staff was one of the Firm’s “challenging
risks in relation to money laundering and financial crime.”
4.96. The Authority found it difficult to assess the suitability of the AML training delivered
by ADMISI during the Relevant Period. This was because the records of the training
provided were inadequate. A firm cannot be assured that it has properly met its
legal and regulatory obligations to deliver training on ML and terrorist financing
unless it maintains adequate records.
4.97. Prior to internal audit reports being issued, senior managers were shown the
content of the report and invited to comment on any issues identified. Each internal
audit report was distributed to the senior managers who worked in the relevant
business area and was copied to the Board.
4.98. Each internal audit report was marked with an overall audit rating, which was
accompanied by a narrative explanation for the rating. The body of the report
identified issues which needed addressing. Those issues were numbered and the
number was assigned a colour on a traffic light basis, namely green, amber and
red, to identify the seriousness of the issue.
4.99. The 2014, 2015, and 2016 internal audit reports identified to senior management
issues that needed to be rectified. The issues identified included deficiencies with
the AML policy. To that extent therefore, the internal audit report identified relevant
concerns.
4.100. The internal audit report failed however to classify correctly the failings identified
or to assign to particular issues an appropriate colour code.
4.101. For example, one issue dealt with in the 2015 internal audit report was “Annual
Policy Review and Approval”. The auditors highlighted the following errors within
ADMISI’s AML policy:
(1)
the policy referred to “the Financial Services Authority (FSA), which was
replaced by the Financial Conduct Authority (FCA) in April 2013”; and
(2)
the policy referred to “the Money Laundering Regulations 1993 rather than
the Money Laundering regulations 2007.”
4.102. This was a repeat failure. The auditors suggested incorporating elements of the
JMLSG recommendations. However, the report did not identify that the reference
to outdated legislation was not simply indicative of a failure to update its policies
but of a failure by ADMISI to follow and implement the significantly updated
requirements of the MLRs. Despite the legal and regulatory requirements to
maintain suitable AML policies and procedures, and notwithstanding that this
repeated the failure identified during the 2014 internal audit, this issue was colour
coded green.
4.103. This gave misplaced assurance to senior management. One board member took
comfort in the ratings and colour classifications assigned to the issues.
4.104. This was not an isolated failing. In the 2016 internal audit report, the first issue
identified and reported, related to the “Know Your Client Process”. The report
stated, “At the audit date, 3,500 KYC review cases were still open in CMS, including
300 from 2013 and 1,300 from 2014”. Open KYC cases in CMS was an issue that
had been identified in both the 2014 and 2015 internal audit reports.
4.105. In spite of this, this issue was assigned an amber colour in the 2016 internal audit
report and the overall report was graded “satisfactory”. The on-going monitoring
of a client’s file to ensure that the information obtained for the purposes of CDD is
up to date is a legal requirement under the MLRs. The characterisation of this repeat
issue, in such a way, was misleading as to the seriousness of the situation and gave
misplaced comfort to senior management.
ADMISI’s response to the failings identified
4.106. Following the 2016 Visit, ADMISI invested significant resources in improving its AML
systems and controls, including retaining the services of external compliance
consultants to assist in the remediation work at significant expense.
4.107. ADMISI also materially changed the way that it conducted internal audits. In 2017,
ADMISI outsourced its internal audit function in respect of regulatory compliance
to an independent third party, which would conduct its reviews on a bi-annual
basis.
4.108. Senior management at ADMISI has co-operated and engaged with the Authority
during its investigation.
5.
FAILINGS
5.1.
The regulatory provisions relating to this Notice are referred to in Annex A.
5.2.
Principle 3 requires that a firm take reasonable steps to ensure that it has organised
its affairs responsibly and effectively with adequate risk management systems.
ADMISI breached this requirement because, during the Relevant Period:
(1)
It failed to implement a firm-wide financial crime risk assessment.
(2)
Its AML policies failed to provide for it to comply with its obligations under
the MLRs and the Authority’s rules.
(3)
Its client AML risk assessment was insufficiently detailed and failed to take
account of relevant factors to allow an accurate assessment of risk to be
made.
(4)
Its client AML risk assessment was not applied to customers onboarded
before 2014.
(5)
It had no procedure in place to conduct EDD on PEPs and there was an
inaccurate record kept of the PEPs with whom the Firm maintained an on-
going relationship.
(6)
It failed to conduct sufficient on-going monitoring of clients’ CDD
information.
(7)
It failed to conduct adequate EDD and on-going monitoring for some higher
risk clients.
(8)
It failed to prepare MLRO reports that:
(a)
assessed the AML systems and controls; and
(b)
identified the weaknesses in them.
(9)
It failed to keep adequate records of AML training.
(10)
Its internal audit function did not identify relevant AML and financial crime
failings within the Firm and failed to alert senior management and/or the
board to matters which needed their attention.
6.
SANCTION
Financial penalty – breach of Principle 3
6.1.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of
DEPP. In respect of conduct occurring on or after 6 March 2010, the Authority
applies a five-step framework to determine the appropriate level of financial
penalty. DEPP 6.5A sets out the details of the five-step framework that applies in
respect of financial penalties imposed on firms.
Step 1: disgorgement
6.2.
Pursuant to DEPP 6.5A.1G, at Step 1 the Authority seeks to deprive a firm of the
financial benefit derived directly from the breach, where it is practicable to quantify
this.
6.3.
The Authority has not identified any financial benefit that ADMISI derived from the
breach.
6.4.
Step 1 is therefore nil.
Step 2: the seriousness of the breach
6.5.
Pursuant to DEPP 6.5A.2G, at Step 2 the Authority determines a figure that reflects
the seriousness of the breach. Where the amount of revenue generated by a firm
from a particular product line or business area is indicative of the harm or potential
harm that its breach may cause, that figure will be based on a percentage of the
firm’s revenue from the relevant products or business area.
6.6.
The Authority considers that the revenue generated by ADMISI is indicative of the
harm or potential harm caused by its breach. The Authority has therefore
determined a figure based on a percentage of ADMISI’s relevant revenue. ADMISI’s
relevant revenue is the revenue derived by ADMISI during the period of the breach.
The period of ADMISI’s breach was from 30 September 2014 to 31 October 2016.
The Authority considers ADMISI’s relevant revenue for this period to be
£112,045,314.
6.7.
In deciding the percentage of the relevant revenue that forms the basis of the Step
2 figure, the Authority considers the seriousness of the breach and chooses a
percentage between 0% and 20%. This range is divided into five fixed levels which
represent, on a sliding scale, the seriousness of the breach: the more serious the
breach, the higher the level. For penalties imposed on firms there are the following
five levels:
(1)
Level 1 – 0%
(2)
Level 2 – 5%
(3)
Level 3 – 10%
(4)
Level 4 – 15%
(5)
Level 5 – 20%
6.8.
In assessing the seriousness level, the Authority takes into account various factors
which reflect the impact and nature of the breach, and whether it was committed
deliberately or recklessly. DEPP 6.5A.2G(6) lists factors relevant to the impact of
the breach. The Authority considers that the following factor is relevant:
(1)
There is a benefit to be gained from not implementing a suitable AML control
framework, both in terms of time and costs saved, but it is not quantifiable.
6.9.
DEPP 6.5A.2G(7) lists factors relating to the nature of the breach. The Authority
considers that the following factors are relevant:
(1)
The rules and requirements breached are designed to limit, so far as is
possible, money laundering through a firm. Breaches of these requirements
are therefore considered particularly serious.
(2)
The breach persisted for a period of over two years and was preceded by
the Authority's identification of associated concerns.
(a)
On 16 April 2014, the Authority issued a letter to ADMISI which
explained that the Firm needed to formalise and enhance its risk
management framework and, in particular, improve its client risk
classification process, its identification of AML risks and its checks on
higher-risk clients.
(b)
On 30 September 2014, the Firm executed an attestation to the
Authority concerning the improvement of its AML controls, including
its client risk assessment and identification of PEPs.
(c)
On 30 June 2016, the Authority issued a letter to ADMISI outlining
significant failings which the Authority believed may expose ADMISI
to high money laundering risk. The Authority’s key findings included
failings in:
(i)
ADMISI’s customer risk assessments which failed to inform
the level of due diligence, EDD, and enhanced on-going
monitoring undertaken for high-risk customers; and
(ii)
the effectiveness of ADMISI’s AML policies and procedures.
(d)
The serious and on-going concerns led the FCA to invite the Firm to
enter into a VREQ which it did on 23 August 2016. The Authority lifted
the VREQ after the end of the Relevant Period.
(3)
The breach revealed serious and systemic weaknesses in the Firm’s AML
systems and controls.
(4)
There was scope for financial crime to be facilitated or occasioned as a result
of the breach.
6.10. DEPP 6.5A.2G(11) lists factors which are likely to be considered “level 4 factors” or
“level 5 factors”. The Authority considers the following factors to be relevant:
(1)
The breach revealed serious or systemic weaknesses in the Firm’s
procedures or in the management systems or internal controls relating to all
or part of the Firm’s business.
(2)
The breach created a significant risk that financial crime would be facilitated,
occasioned or otherwise occur.
6.11. DEPP 6.5A.2G(12) sets out a number of factors that should be considered level 1,
level 2 and level 3 factors. The case team consider the following factor to be
relevant:
(1)
The breach was committed negligently.
6.12. Taking all these factors into account, the Authority considers the seriousness
of the breach to be level 4 and the Step 2 figure is therefore 15% of relevant
revenue, being £16,806,797.
6.13. As set out at DEPP 6.5.3(3)G, the Authority recognises that a penalty must be
proportionate to the breach. The Authority may decrease the level of penalty
arrived at after applying Step 2 of the framework if it considers that the penalty is
disproportionately high for the breach concerned. Notwithstanding the serious and
long-running nature of the breach in this Notice, the Authority considers that the
level of penalty after applying Step 2 of the framework would nonetheless be
disproportionate if it were not decreased.
6.14. In order to achieve a penalty that (at Step 2) is proportionate to the breach, and
having had regard to all relevant factors and taking into account previous cases,
the Step 2 figure is reduced by 50% to £8,403,398.
Step 3: mitigating and aggravating factors
6.15. Pursuant to DEPP 6.5A.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2 to take into account factors
which aggravate or mitigate the breach.
6.16. The Authority considers that the following factors aggravate the breach:
(1)
ADMISI had previously been put on notice about the Authority’s concerns in
relation to its client AML risk assessment process and also the connection
between this and the frequency of on-going monitoring of clients.
(2)
The Authority had published guidance and various other materials raising
relevant concerns about AML and AML systems and controls, all of which
was in the public domain and available to ADMISI.
(3)
The Authority had also publicly called for an improvement in standards in
relation to AML and AML systems and controls before and during the
occurrence of the breach.
6.17. The Authority considers that there are no factors which mitigate the breach.
6.18. The Authority considers that, as a result of these aggravating factors, the Step 2
figure should be increased by 10%, meaning the Step 3 figure is £9,243,738.
Step 4: adjustment for deterrence
6.19. Pursuant to DEPP 6.5A.4G if the Authority considers the figure arrived at after Step
3 is insufficient to deter the firm who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
6.20. The Authority considers that the Step 3 figure of £9,243,738 represents a sufficient
deterrent and so has not increased the penalty at Step 4.
6.21. The Step 4 figure is therefore £9,243,738.
Step 5: settlement discount
6.22. Pursuant to DEPP 6.5A.5G, if the Authority and the firm on whom a penalty is to be
imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have been
payable will be reduced to reflect the stage at which the Authority and the firm
reached agreement.
6.23. The Authority and ADMISI reached agreement at Stage 1 and so a 30% discount
applies to the Step 4 figure.
6.24. The Step 5 figure is therefore £6,470,600 (rounded down to the nearest £100 in
accordance with the Authority’s usual practice).
6.25. The Authority therefore imposes a total financial penalty of £6,470,600 on ADMISI
for breaching Principle 3.
7.
REPRESENTATIONS
7.1.
Annex B contains a brief summary of the key representations made by ADMISI in
response to the Warning Notice and how they have been dealt with. As ADMISI
agreed to resolve all issues of fact and liability, ADMISI only made representations
on the proposed financial penalty. In making the decision which gave rise to the
obligation to give this Notice, the Authority has taken into account all of the
representations made, whether or not set out in Annex B.
8.
PROCEDURAL MATTERS
8.1
This Notice is given under and in accordance with section 390 of the Act.
8.2
The following statutory rights are important.
Decision maker
8.3
The decision which gave rise to the obligation to give this Notice was made by the
RDC. The RDC is a committee of the Authority which takes certain decisions on
behalf of the Authority. The members of the RDC are separate to the Authority staff
involved in conducting investigations and recommending action against firms and
individuals. Further information about the RDC can be found on the Authority’s
committee
Manner and time for payment
8.4
The financial penalty must be paid in full by ADMISI to the Authority no later than
13 October 2023.
If the financial penalty is not paid
8.5
If all or any of the financial penalty is outstanding after 13 October 2023, the
Authority may recover the outstanding amount as a debt owed by ADMISI and due
to the Authority.
8.6
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this Notice relates. Under those provisions,
the Authority must publish such information about the matter to which this Notice
relates as the Authority considers appropriate. The information may be published
in such manner as the Authority considers appropriate. However, the Authority may
not publish information if such publication would, in the opinion of the Authority,
be unfair to ADMISI or prejudicial to the interests of consumers or detrimental to
the stability of the UK financial system.
8.7
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contacts
8.8
For more information concerning this matter generally, please contact Steve Page
at the Authority (020 7066 1420).
Financial Conduct Authority, Enforcement and Market Oversight Division
ANNEX A
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.
RELEVANT STATUTORY PROVISIONS
1.1
The Authority has the power to impose an appropriate penalty on an authorised
person if the Authority considers that an authorised person has contravened a
relevant requirement (section 206 of the Act).
1.2
In discharging its general functions, the Authority must, so far as reasonably
possible, act in a way which is compatible with its strategic objective and advances
one or more of its operational objectives (section 1B(1) of the Act). The Authority’s
strategic objective is ensuring that the relevant markets function well (section
1B(2) of the Act). The Authority has three operational objectives (section 1B(3) of
the Act). Protecting and enhancing the integrity of the UK financial system, the
integrity objective, is the operational objective relevant to this matter (section 1D
of the Act).
2.
RELEVANT REGULATORY PROVISIONS
2.1
In exercising its powers to impose a financial penalty, the Authority has had regard
to the relevant regulatory provisions published in the Authority’s Handbook. The
Handbook provisions relevant in this matter are the Principles for Businesses
(“Principles”); the Senior Management Arrangements, Systems and Controls
Sourcebook (“SYSC”); the Decision Procedures and Penalties Manual (“DEPP”); and
the Enforcement Guide (“EG”).
Principles for Businesses
2.2
The Principles are a general statement of the fundamental obligations of firms
under the regulatory system. They derive their authority from the Authority’s rule-
making powers set out in the Act. The relevant Principle in this matter is Principle
3 which provides that:
“A firm must take reasonable care to organise and control its affairs
responsibly and effectively, with adequate risk management systems”.
Senior Management Arrangements, Systems and Controls
2.3
SYSC 6.1.1R provides:
“A firm must establish, implement and maintain adequate policies and
procedures sufficient to ensure compliance of the firm including its
managers, employees and appointed representatives (or where applicable,
tied agents) with its obligations under the regulatory system and for
countering the risk that the firm might be used to further financial crime.”
2.4
SYSC 6.3.1R provides:
“A firm must ensure the policies and procedures established under SYSC
6.1.1R include systems and controls that:
(1) enable it to identify, assess, monitor and manage money laundering
risk; and
(2) are comprehensive and proportionate to the nature, scale and
complexity of its activities.”
Decision Procedure and Penalties Manual
2.5
Chapter 6 of DEPP sets out the Authority’s statement of policy for imposing financial
penalties under the Act. DEPP 6.5A sets out the five-step framework the Authority
uses to determine the appropriate level of financial penalty imposed on firms.
2.6
EG sets out the Authority’s approach to taking disciplinary action. The Authority’s
approach to financial penalties is set out in Chapter 7 of the Enforcement Guide.
ANNEX B
REPRESENTATIONS
A summary of the key representations made by ADMISI in respect of the penalty aspects
of this matter, and the Authority’s conclusions in respect of them (in bold), is set out
below.
Penalty Step 2: Seriousness of the breach
The seriousness assessment
1. The Authority’s conclusion that the seriousness of the breach is level 4, with the Step
2 figure being 15% of the relevant revenue (£16,806,797) is incorrect. The penalty
calculation is based on the assessment that ADMISI had only high-risk clients, which
has resulted in an overstated seriousness level and relevant revenue which does not
take into account the reality of ADMISI’s business as a whole. The extent of the money
laundering risk presented by ADMISI’s business as a whole varied across its client
base and needs to be recognised in the penalty calculation.
2. During the Relevant Period, the client base could be characterised as split between
commercial hedgers, aiming to manage the inherent commercial risk of their
operations, and speculators aiming to make a profit based on movement in the
markets. There was little real scope for actual money laundering. Only 15% of the
total client population was high-risk. The turnover attributable to this client population
was 38% of ADMISI’s total turnover during the Relevant Period.
3. Following a further file remediation exercise in 2017, ADMISI’s high-risk clients
represented 8% of the firm’s total client population. The impact of the breach in reality
only affected a small proportion of ADMISI’s high-risk client base. The penalty
calculation should reflect the varying degrees of risk across the Firm’s client base as
the scope for financial crime to be occasioned, or facilitated, by the breach was in
reality less serious than portrayed by the Authority. The relevant revenue figure
should take into account the turnover attributable to low and medium money
laundering risk clients during the Relevant Period. When considering DEPP
6.5A.2G(11)(d)¹ the Authority has not acknowledged the factual reality that the
breach only created a significant risk that money laundering would be facilitated,
occasioned or otherwise occur, in relation to its relatively small high-risk client pool.
¹ Factors which are likely to be considered ‘level 4 factors’ or ‘level 5 factors’ include: (d) the breach created a
significant risk that financial crime would be facilitated, occasioned or otherwise occur.
4. The Authority has not crystallised the actual scope for financial crime to be facilitated
or occasioned by the breach when considering DEPP 6.5A.2G(7)(f)². ADMISI’s services
were inherently unsuitable to any form of layering of the proceeds of crime, as ADMISI
did not accept cash deposits; it brokered trades on highly regulated, monitored and
liquid markets which meant trading through ADMISI would be an ill-suited means of
transferring funds from one person or account to another person or account; ADMISI
had a strict policy of not making third party payments; and it did not facilitate physical
trading.
5. The extent of the money laundering risk presented by ADMISI’s business as a whole
varied significantly across its client base. Whilst the Firm accepts that its breach in
respect of its business with its high-risk clients can be assessed at seriousness level
4, its breach in respect of the rest of the business should be assessed at level 2. The
Authority has also failed to acknowledge the level 1–3 factors set out in DEPP
6.5A.2G(12) that no profits were made or losses avoided; there was no loss or risk of
loss to consumers; and there was no actual or potential effect on the orderliness of,
or confidence in, markets as a result of that breach. As 32% of ADMISI’s gross profit
during the Relevant Period was generated by its high-risk clients, the seriousness of
the breach should be no higher than level 3, consistent with the reasoning in
Gatehouse Bank plc³ where seriousness was assessed as level 3 when its core
underlying business activities carried an inherently greater money laundering risk than
ADMISI’s.
6. The vast majority of the Final Notices detailing AML systems and controls failures have
related to retail banks. The seriousness of ADMISI’s conduct should not be assessed
as if it were a retail bank. ADMISI operates in the capital markets sector; its business
model and customer base carry a lower risk for actual money laundering than for a
retail bank due to the nature of the sector, and the products and services offered by
ADMISI. This reduced risk level for actual money laundering should result in a lower
seriousness level at Step 2.
² Factors relating to the nature of a breach by a firm include: (f) the scope for any potential financial crime to be
facilitated, occasioned or otherwise occur as a result of the breach.
³ Gatehouse Bank plc Decision Notice 12 October 2022:
https://www.fca.org.uk/publication/decision-notices/gatehouse-bank-plc-2022.pdf
7. The Authority considers that assessing the money laundering risk level
and/or legitimacy of a high-risk client’s business requires a firm to have
adequate EDD and enhanced monitoring on an ongoing basis. ADMISI has
accepted the failings in section 5 of this Notice, namely that it breached the
requirement during the Relevant Period that it take reasonable steps to
ensure that it has organised its affairs responsibly and effectively with
adequate risk management systems, which includes a failure to conduct
adequate EDD and enhanced monitoring on an ongoing basis for some higher
risk clients. Without adequate risk management systems, there is scope for
significant money laundering even from a small proportion of ADMISI’s
clients. As ADMISI could not adequately assess the risk levels of its clients in
light of the failings, the Authority considers that the seriousness of the
misconduct should not be restricted to the suggested smaller high-risk client
base.
8. The Authority considers that the absence of identifying actual money
laundering being facilitated does not mean that ADMISI’s failings were not
serious. DEPP 6.5A.2G requires the Authority to conduct an overall
assessment of the seriousness of the breach with regard to all relevant
factors with such weight paid to any particular factor as is merited by the
facts of the case at Step 2 of the penalty calculation. The Authority has had
regard to DEPP 6.5A.2G(7)(f) which is concerned with a firm’s systems and
the overall risks which those systems may fail to mitigate. The Authority
considers that ADMISI’s deficient AML systems mean that money laundering
is less likely to have been identified and stopped. Relying on other market
participants to regulate and monitor its services does not absolve ADMISI of
its own obligation to comply with the Authority’s particular rules and
regulations surrounding AML.
9. The Authority considers that, as a capital markets participant, ADMISI should
have maintained controls that are effective in identifying and preventing
money laundering, as there would otherwise be a significant risk that weak
systems and controls could be abused by money launderers. Persistent
failures by firms to maintain effective AML systems are of particular
seriousness, especially where they provide the scope for financial crime to
be facilitated. The extent and duration of weaknesses in a firm’s AML systems
are relevant contributing factors to an overall assessment of the nature and
seriousness of a breach, as they reflect the weaknesses in the firm’s
management systems and may have increased the money laundering risks
being taken by a firm. The Authority considers that, although AML risks in the
capital markets sector may be less well known, or easy to identify, than in
direct transfers of money in banking and payment systems, there remains a
significant risk if there are no adequate AML systems and controls in place
across the entire client base.
10. Of the level 1 – 3 factors outlined in DEPP 6.5A.2G(12), the Authority
considers it relevant that ADMISI committed the breaches negligently.
However, the Authority considers that this factor is outweighed by the level
4 or 5 factors identified in DEPP 6.5A.2G(11) that are relevant to ADMISI,
namely that the breaches revealed serious or systemic weaknesses in
ADMISI’s procedures or in the management systems or internal controls
relating to all or part of the Firm’s business, and that the breach created a
significant risk that financial crime would be facilitated, occasioned or
otherwise occur. Taking all relevant factors into account, the Authority
considers that ADMISI’s deficiencies in its AML systems were serious,
firm-wide, and persistent, which facilitated an overall risk for potential crime to
have been facilitated or occasioned as a result. In the circumstances, the
Authority considers that the appropriate level of seriousness is level 4,
meaning that 15% of the relevant revenue figure is £16,806,797.
Penalty Step 2: Proportionality - Exchange and clearing fees
11. DEPP 6.5.3G(3)4 requires the Authority to consider proportionality of the figure
reached at Step 2 of the calculation to ensure that a dispassionate check is placed on
the exercise of the Authority’s powers and enabling a degree of flexibility to avoid a
disproportionate outcome.
12. The Authority’s relevant revenue calculation on ADMISI’s declared turnover includes
£35,796,926 in exchange and clearing fees due to exchanges and Central
Counterparties (“CCPs”). ADMISI charged these fees to its clients on top of, and
separate to, its own fees, and these correspond exactly to the fees due to be paid to
CCPs by ADMISI when acting as a clearing member, or indirectly via third party
brokers when ADMISI was not acting as a member. Although ADMISI has historically
reported its exchange and clearing fees as part of its annual turnover, subject to a
corresponding deduction in its costs of sales, this does not reflect the revenue earned
or retained by ADMISI itself.
4 (3) The FCA recognises that a penalty must be proportionate to the breach. The FCA may decrease the level of
the penalty arrived at after applying Step 2 of the framework if it considers that the penalty is disproportionately
high for the breach concerned.
13. The case of Linear Investments Limited v Financial Conduct Authority5 supports an
“appropriate control on the bluntness of using gross revenue as a starting point”6. The
exchange and clearing fees ADMISI charged to its clients should properly be analysed
from an economic standpoint as representing the revenue of the exchanges and CCPs,
and not ADMISI (or intermediate brokers). UK accounting practice allows for
multi-asset brokerages such as ADMISI to include these fees in their turnover figures and
still comply with UK accounting standards. If ADMISI had adopted a different
accounting practice, the Authority’s approach would have led to a significantly lower
relevant revenue figure. As ADMISI’s liability for the fees payable (which it charged
back to its clients) was the consequence of a choice between different business
models, those fees should be deducted from the relevant revenue figure, and ADMISI
should not be penalised for electing an accounting practice unrelated to the Firm’s
regulatory obligations and money laundering systems.
14. Further, the exchange and clearing fees are not revenue generated by ADMISI under
DEPP 6.5A.2G(2) as they are not monies earned or derived by ADMISI. These fees
should be deducted from the relevant revenue figure on the grounds of proportionality.
15. Any financial penalty imposed should be proportionate to the breach. DEPP
6.5.3G(3) states that the Authority may reduce the level of the penalty
arrived at after applying Step 2 of the framework if it considers that the
penalty is disproportionately high for the breach concerned. The Authority
considers that this “proportionality override” allows for sufficient flexibility
to reduce a penalty if it would otherwise result in disproportionality.
16. The Authority does not consider that ADMISI’s exchange and clearing fees
were collected by ADMISI as agent, either for its clients or the exchanges.
Those fees were contractually payable by clients to ADMISI and contractually
payable by ADMISI to the various exchanges to which they related and did
not apply to all of the firm’s business. The Authority considers that these fees
were a direct cost of sales in certain transactions.
5 Linear Investments Limited v Financial Conduct Authority [2019] UKUT 0115 (TCC) https://assets.publishing.service.gov.uk/media/5cac6ef3e5274a42a5619fcf/Linear__Investements_Ltd_v_FCA.
6 Paragraph 21.
17. The Tribunal in Linear7 rejected arguments that certain costs should be
deducted from the gross revenue to calculate relevant revenue. The Authority
considers that the same point applies for the use of the proportionality
override and the deduction of these same costs. An overly nuanced approach
to proportionality would diminish the transparency of the Step 2 process, and
factoring reductions to take into account these costs would involve
complexities that would reduce the usefulness of adopting relevant revenue
as a starting point. The Authority does not consider that ADMISI’s choice of
accounting methodology sufficiently justifies a departure from the Tribunal’s
decision in Linear to reject deducting costs from relevant revenue, and
considers that exchange and clearing fees should not be deducted from the
Step 2 figure on the grounds of proportionality.
Penalty Step 2: Proportionality - ADMISI’s high-risk clients
18. Whilst ADMISI accepts that its breach in relation to its high-risk clients was at
seriousness level 4, it is only the institutional commodity hedging clients within that
cohort, and that aspect of ADMISI’s business alone, that can be said to be at
seriousness level 4. The actual money laundering risk of a large proportion of ADMISI’s
high-risk clients was equivalent to medium or even low risk clients. Accordingly,
ADMISI’s breach should be assessed as no higher than level 3. Further, the standard
10% of the relevant revenue associated with level 3 seriousness is overstated when
referencing the Firm’s business as a whole. Proportionality requires the level 3
percentage (10%) to be adjusted down to 8%.
19. For the same reasons given in the section on seriousness of misconduct set
out in paragraphs 9 and 10 above, the Authority considers the breach to be
level 4 seriousness, and does not consider that the penalty should be reduced
to reflect the number of ADMISI’s high-risk clients on grounds of
proportionality. The Authority does not consider it appropriate to assess
ADMISI’s money laundering risk solely on the proportion of its high-risk
clients as this would not accurately reflect the wide-reaching nature of its
breaches which are attributed to its persistent failure to maintain effective
AML systems. Further, the percentages attributable to each level of
seriousness at Step 2 in DEPP 6.5A.2 (3) are intended to be a clear and
predictable method for calculating the Step 2 penalty figure. Accordingly,
the Authority does not consider that the seriousness level percentage should
be adjusted downwards on the grounds of proportionality.
7 Ibid.
Penalty Step 2: Proportionality override
20. The proportionality override at Step 2 of the penalty calculation permits the Authority
to take into account any factors relevant to its assessment of the proportionality of the
Step 2 figure. The proportionality override is intended to provide the Authority with
latitude in its decision-making so as to ensure that the Step 2 figure is not
disproportionately high for the breach concerned. The Authority is obliged to consider
the proportionality of the Step 2 figure8. The application of the proportionality override
needs to be reasonable, taking into account relevant factors and disregarding irrelevant
factors9. The Authority may take into account all the circumstances, evidence,
inferences and submissions made, and identify other additional or relevant factors
which render the Step 2 figure disproportionate to the admitted breach.
21. Once the Authority has identified such factors, it may, depending on the circumstances,
be unreasonable and therefore a public law error for the Authority not to give them
due weight in its decision-making. The Authority may take into account other or
additional relevant factors to the specific exchange and clearing fees and ADMISI’s
high risk clients factors referenced from paragraphs 11 - 19 above. Its discretion is not
fettered. This would include factors inherent in the nature or effect of the breach. It
would be wrong in principle for the Authority to disregard any factor which it considers
relevant to the question of whether the Step 2 figure is disproportionate to ADMISI’s
admitted breach.
22. Taking into account all the circumstances of the admitted breach, the Step 2 figure
should be reduced on grounds of proportionality.
23. As mentioned above, the Authority recognises that the penalty must be
proportionate to the breach and it considers that the “proportionality
override” at DEPP 6.5.3G(3) should be used as a broad tool to mitigate the
effect of any manifestly disproportionate figure being produced at Step 2 of
the penalty calculation. Its appropriate application involves an overall
consideration of whether the size of the penalty assessed is disproportionate
to the seriousness of the misconduct.
8 Oxton Farm v Harrogate BC [2020] EWCA Civ 805, at paragraph 8.
9 Oxton Farm v Harrogate BC; In Re Duffy [2008] UKHL 4 at paragraph 53.
24. Notwithstanding the serious and wide-reaching nature of the breach, and the
need to deter the Firm, and others, from committing further or similar
breaches, the Authority considers that the level of penalty would nonetheless
be disproportionate to the seriousness of the breach if it were not reduced
and so should be adjusted. In order to achieve a penalty that is proportionate
to the breach, and having regard to all relevant factors in this matter and
taking into account previous cases, the Step 2 figure is therefore reduced by
50% to £8,403,398.
Penalty Step 3: mitigating and aggravating factors
25. The Authority’s 16 April 2014 letter to the Firm10 arose out of a standard periodic
assessment focussing only on ADMISI’s equity CFD business, and whilst highlighting
deficiencies in ADMISI’s client money laundering risk assessment procedures, these
deficiencies did not warrant any change to the scheduled four-year supervision cycle,
with the next periodic assessment still due in 2018. The 2016 Visit focussing on AML
systems and controls was unrelated to the limited AML concerns raised in 2014. It was
not until June 2016 that the Authority raised its concerns about ADMISI’s AML systems
and controls as a whole, and those deficiencies were largely remedied by the firm
within four months. Accordingly, this should not be considered to be an aggravating
factor.
26. The Authority should take into account the following mitigating factors.
27. There is no evidence that any actual money laundering or financial crime resulted from
ADMISI’s breach, and the Authority should not consider ADMISI’s failure to put in
place adequate risk management systems and governance in the same way as a
failure to eradicate risk.
28. There has been significant delay in the Authority’s investigation, particularly as failings
were identified by the Authority in June 2016, which is necessarily prejudicial to
ADMISI because of the uncertainty of the outcome and penalty. The Relevant Period
ended in October 2016, and ended four months after the Authority’s feedback letter
of 30 June 2016, in which the specific concerns constituting the bases of the breach
were first highlighted.
10 Referred to at paragraph 4.10 and paragraph 6.9 of this Notice.
29. Meanwhile, ADMISI has fully co-operated with a lengthy investigation lasting over six
years, which is a mitigating factor consistent with DEPP 6.5A.3G(2)(b).
30. ADMISI actively took remedial steps to address its deficiencies and especially so after
the Authority raised its concerns in June 2016. ADMISI applied for a VREQ in August
2016 which reduced its turnover from high-risk customers by approximately £2
million. The Authority should acknowledge as a mitigating factor ADMISI’s decision to
agree to a VREQ while seeking to remedy the breach. ADMISI has spent more than
£2.8 million on remedial work, which is a major undertaking for which credit should
be given in accordance with DEPP 6.5A.3G(2)(d).
31. Because of these mitigating factors, it would not be appropriate to uplift the penalty
at Step 3.
32. DEPP 6.5A.3G(1) permits the Authority to take into account factors which
aggravate or mitigate the breach when considering whether to increase or
decrease the Step 2 figure of the penalty calculation.
33. Although not the focus of either the 16 April 2014 letter or the 2016 Visit, the
Authority considers that ADMISI’s AML systems were nonetheless still
considered by the Authority in 2014 as being deficient as the AML Risk
Assessment Matrix did not produce a rounded assessment of the financial
crime risks associated with a client (see paragraph 4.45 in the Notice).
Accordingly, the Authority does consider it an aggravating factor that ADMISI
was previously put on notice about the Authority’s concerns, as set out in
paragraph 6.16(1) in the Notice.
34. Whether crystallised money laundering has been identified is a factor that
may be relevant to an assessment of seriousness of the breach at Step 2 of
the penalty calculation in accordance with DEPP 6.5A.2G(7)(e). However, the
Authority does not consider that the absence of identified crystallised money
laundering should amount to a mitigating factor for the purposes of Step 3 of
the penalty calculation, as systemically deficient AML systems carry the
inherent risk of failing to identify money laundering activity sufficiently or at
all.
35. The Authority acknowledges the length of time that has passed since the
identification of ADMISI’s breach and the length of time of the Authority’s
investigation, but does not consider that this in itself detracts from ADMISI’s
failings or amounts to a mitigating factor, particularly when the impact on
the proceedings has not been ascertained. Any concerns that ADMISI has
about the Authority’s conduct may be pursued by referring the matter to the
Authority’s Complaints Scheme established under the Financial Services Act
2012.
36. DEPP 6.5A.3G(2)(b) states that the degree of co-operation shown during an
investigation of the breach may constitute a mitigating factor. The Authority
considers that a reduction at Step 3 should only occur if the degree of
co-operation went above and beyond what would be expected of a firm subject
to a statutory investigation. Whilst the Authority acknowledges that ADMISI
has co-operated with its investigation, it does not consider that it has
co-operated any further than would normally be expected in all the
circumstances; and accordingly, it does not consider that the Firm’s
co-operation should in this case amount to a mitigating factor.
37. Although taking remedial steps following the identification of a breach may
constitute a mitigating factor in accordance with DEPP 6.5A.3G(2)(d), this is
usually when a firm takes such steps of its own volition, or goes considerably
further than remediating its systems to an acceptable level. Notwithstanding
the costs implications for ADMISI for agreeing to a VREQ, it was upon the
Authority’s invitation that ADMISI agreed to the VREQ, which was a
necessary minimum measure to manage money laundering risks to an
acceptable standard. The Authority considers that ADMISI commenced its
remediation exercise only after it was alerted to wide-ranging issues
identified by the Authority in the 2016 Visit, the remediation exercise itself
did no more than establish AML systems which complied with regulatory
requirements, and there were significant issues with its implementation. The
Authority does not consider the steps taken by ADMISI to remedy the
breaches to be a mitigating factor for the purposes of Step 3 of the penalty
calculation.
38. The Authority considers that the aggravating factors identified in paragraph
6.16 of this Notice merit a 10% uplift in the penalty.