Final Notice
On , the Financial Conduct Authority issued a Final Notice to Al Rayan Bank PLC
1
FINAL NOTICE
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Authority hereby imposes on Al
Rayan Bank PLC (“Al Rayan”) a financial penalty of £4,023,600, pursuant to
section 206 of the Act.
1.2
Al Rayan agreed to resolve this matter and qualified for a 30% (stage 1) discount
under the Authority’s executive settlement procedures. Were it not for this
discount, the Authority would have imposed a financial penalty of £5,748,000 on
Al Rayan.
2.
SUMMARY OF REASONS
2.1.
The Authority has the operational objective of protecting and enhancing the
integrity of the UK financial system. The laundering of money through UK financial
institutions undermines the integrity of the UK financial system. Financial
institutions operating in the UK are therefore responsible for minimising their risk
of being used for criminal purposes, including the risk of being used to facilitate
money laundering or terrorist financing.
2.2.
To mitigate this risk, UK firms must take reasonable care to organise and control
their affairs responsibly and effectively and to establish, implement and maintain
adequate policies and procedures for countering the risk of them being used to
further financial crime, for example, by those seeking to launder the proceeds of
2
crime, evade financial sanctions, or finance terrorism. This includes establishing
and maintaining appropriate risk-based anti-money laundering (“AML”) systems
and controls which are compliant with the applicable Money Laundering
Regulations. The obligations on a firm under the Money Laundering Regulations
2007 (the “ML Regulations”) include:
2.2.1.
applying, on a risk-sensitive basis, enhanced customer due diligence
(“EDD”) measures and enhanced ongoing monitoring in any situation
which by its nature can present a higher risk of money laundering or
terrorist financing;
2.2.2.
applying scrutiny to transactions undertaken throughout the course of
their relationship with a customer to ensure that the transactions are
consistent with the firm’s knowledge of the customer;
2.2.3.
keeping documents, data or information obtained for the purpose of
applying customer due diligence (“CDD”) measures up-to-date;
2.2.4.
providing adequate training to staff in relation to the law relating to
money laundering and terrorist financing and in how to recognise and
deal with transactions and other activities which may be related to money
laundering or terrorist financing; and
2.2.5.
establishing and maintaining appropriate and risk-sensitive policies and
procedures in order to prevent activities related to money laundering and
terrorist financing, including in relation to internal control and the
monitoring and management of compliance with such policies and
procedures.
2.3.
Al Rayan is headquartered in Birmingham and operates through several branches
throughout the UK. Al Rayan’s parent bank, Al Rayan (UK) Limited is a subsidiary
of Masraf Al Rayan Q.S.C (“MAR”), a Qatar-based Islamic bank. Al Rayan provides
Sharia compliant savings, finance and current account services to over 90,000
personal, business and premier customers, including a significant number of
customers from member states of the Gulf Cooperation Council (“GCC”) who are
primarily serviced by Al Rayan’s GCC business areas. The other two business areas
(Home Purchase Plan (“HPP”) and Commercial Property Finance (“CPF”)) operated
by Al Rayan principally provide secured lending arrangements to UK customers
3
for the primary purpose of acquiring residential (HPP) and commercial property
(CPF) in the UK. Al Rayan’s Knightsbridge branch, established on 15 May 2015,
was set up to specifically target high net worth (“HNW”) and ultra-high net worth
(“UHNW”) individuals, and particularly focussed on GCC based customers.
2.4.
Al Rayan was required, pursuant to the Authority’s Principles for Businesses (the
“Principles”), to take reasonable care to organise its affairs responsibly and
effectively, with adequate risk management systems. Al Rayan was also required
to have policies and procedures in place, comprehensive and proportionate to its
business activities, to enable it to identify, assess, monitor and manage money
laundering risk.
2.5.
Between 1 April 2015 and 30 November 2017 (“the Relevant Period”), Al Rayan
failed to meet these requirements and, in doing so, breached Principle 3. In
particular:
2.5.1.
Al Rayan failed to establish, implement and maintain appropriate and
risk-sensitive policies and procedures in relation to the application of EDD
and, in particular, in relation to establishing high-risk customers’ Source
of Wealth and Source of Funds at the point of onboarding;
2.5.2.
Although Al Rayan identified that cash transactions presented a high-risk
of financial crime, it nonetheless failed to establish, implement and
maintain appropriate and risk-sensitive policies and procedures in
relation to the handling and treatment of cash deposits, including whether
they should be accepted or rejected if adequate Source of Funds
information was not provided or when there was suspicion in relation to
the transaction. Al Rayan accepted £22.74 million in cash deposits of over
£10,000 across its branch network during the Relevant Period;
2.5.3.
Al Rayan failed to carry out adequate EDD in relation to establishing high-
risk customers’ Source of Wealth and Source of Funds at the point of
onboarding and subsequently failed to carry out EDD and enhanced
ongoing monitoring in higher risk situations. For the purposes of
onboarding, Al Rayan relied on due diligence carried out by financial
institutions within GCC states, in circumstances where it was aware this
would not meet the required standards under the ML Regulations and
where Al Rayan’s own policies stated that customers from GCC countries
should be subject to the same CDD and EDD as customers from other
nations;
2.5.4.
Al Rayan’s failure to establish high-risk customers’ Source of Wealth and
Source of Funds at onboarding contributed to its inability/failure to
adequately corroborate the origin of customer monies in subsequent
large, in person, cash deposits, considered by Al Rayan to be higher risk
transactions;
2.5.5.
Al Rayan failed to adequately scrutinize transactions undertaken through
the course of its relationship with customers, including the Source of
Funds involved in such transactions, specifically in relation to the receipt
of large cash deposits;
2.5.6.
Where Al Rayan’s Second Line of Defence indicated, following a
transaction review, that further EDD was required the EDD was not
undertaken and there was no framework in place to ensure the concerns
were addressed;
2.5.7.
Al Rayan failed to keep documents, data or information obtained for the
purposes of applying CDD and EDD measures up-to-date. There was a
significant back-log of over 300 existing high-risk and PEP customers
whose KYC (“know your client”) periodic reviews had not been
undertaken during the Relevant Period in accordance with Al Rayan’s
policies and were overdue;
2.5.8.
Al Rayan failed to provide adequate training to staff, including in relation
to the handling of large cash deposits and the “tipping off” rules, which
led to the acceptance of large, in person cash deposits without adequate
challenge or scrutiny at the point of deposit;
2.5.9.
Al Rayan failed to have appropriate internal controls in order to prevent
activities related to money laundering and terrorist financing. An internal
audit of its Financial Crime Unit (“FCU”) (a key part of Al Rayan’s Second
Line of Defence) was not conducted over an 8-year period, between 2009
and 2017, meaning that it was unable to ensure the First and Second Line
of Defence were functioning appropriately; and
5
2.5.10.
Al Rayan was specifically made aware of the risks presented by
deficiencies in its financial crime systems and controls through the
Relevant Period. In 2015 and 2017, the Authority visited Al Rayan to
review its AML control framework. During both of those visits, the
Authority identified weaknesses across Al Rayan’s AML control framework
that Al Rayan was required to address. However, Al Rayan failed to
remediate those weaknesses in accordance with its own remediation
action plan and certain key actions remained unresolved during the
Relevant Period.
2.6.
These failings arose in circumstances where Al Rayan was specifically targeting
higher risk customers and undertaking large cash transactions within its GCC
business area which heightened the potential for financial crime to occur. During
the Relevant Period, Al Rayan’s processes permitted money to enter the UK
financial system without carrying out appropriate due diligence to ensure the
money was for legitimate purposes and not connected with financial crime. The
Authority recognises that Al Rayan’s HPP and CPF business areas related to
financing activities funded by deposits from a predominantly low risk customer
base, presenting a significantly reduced financial crime risk.
2.7.
On 5 April 2019, owing to the concerns raised by the Authority in respect of Al
Rayan’s AML control framework and the lack of sufficient progress by Al Rayan in
remediating the concerns, Al Rayan entered into a voluntary requirement
restricting it from accepting or processing any new deposit account applications
from: any prospective person categorised as high-risk for the purposes of financial
crime risk (as defined in Al Rayan’s customer risk rating tool and associated
methodology), politically exposed persons (“PEPs”), or family members or known
close associates of PEPs.
2.8.
On 13 July 2018, the Authority imposed a requirement upon Al Rayan to appoint
a Skilled Person under section 166 of the Act. Working with the Skilled Person
over more than 3 years, Al Rayan committed significant resources to improving
its AML control framework. These improvements resulted in the Authority lifting
the voluntary requirement in June 2022. Al Rayan continues to be subject to a
limited business restriction until certain of its processes are automated.
2.9.
The Authority hereby imposes on Al Rayan a financial penalty of £4,023,600
pursuant to section 206 of the Act.
6
3.
DEFINITIONS
3.1.
The definitions below are used in this Notice:
“the Act” means the Financial Services and Markets Act 2000;
“2015 Action Plan” means Al Rayan’s AML remediation action plan which was put
in place following the Authority’s 2015 visit;
“AML” means anti-money laundering;
“AML champions” means Al Rayan’s nominated AML subject matter experts;
“the Authority” means the body corporate previously known as the Financial
Services Authority and renamed on 1 April 2013 as the Financial Conduct
Authority;
“Authority’s file review” means the review of 15 customer files including individual,
corporate and charity customers carried out as part of the investigation;
“BRCC” means the Risk, Compliance & Credit Committee of the Board;
“CDD” means customer due diligence measures as defined in Regulation 5 of the
ML Regulations;
“CPF” means Al Rayan’s Commercial Property Financial business area which
principally provides secured lending arrangements to UK customers for the
primary purpose of acquiring commercial property in the UK;
“CRRS” means Al Rayan’s customer risk rating system which was updated as part
of the 2015 Action Plan and which began to be implemented in November 2016;
“EDD” means enhanced customer due diligence as defined in Regulation 14 of the
ML Regulations;
“First Line of Defence” means front line staff namely branch cashiers and branch
management;
7
“FCU” means Financial Crime Unit, a key part of Al Rayan’s Second Line of
Defence;
“GCC” means Gulf Cooperation Council, a regional union of Gulf states comprising
Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates;
“HNW” means High Net Worth individual – Al Rayan classified a HNW customer as
a customer with an estimated annual income of £500,000 to £1,000,000 and/or
estimated net assets of £1,000,000 – 15,000,000;
“HPP” means Al Rayan’s Home Purchase Plan business area which principally
provides secured lending arrangements to UK customers for the primary purpose
of acquiring residential property in the UK;
“JMLSG” means the Joint Money Laundering Steering Group. The JMLSG is a body
comprised of the leading UK trade associations in the financial services sector;
“JMLSG Guidance” means the guidance that was applicable during the Relevant
Period issued by the JMLSG, and approved by the Treasury, on compliance with
the legal requirements in the ML Regulations, the regulatory requirements in the
Handbook and evolving practice within the financial services industry. The JMLSG
Guidance sets out good practice for the UK financial services sector on the
prevention of money laundering and combatting of terrorist financing;
“KYC” means Know Your Customer;
“KYC Periodic Review” means KYC periodic review of an existing customer’s
information and risk classification;
“MAR” means Masraf Al-Rayan Q.S.C, Al Rayan’s parent bank based in Qatar;
“ML Regulations” means the Money Laundering Regulations 2007, which were in
force in respect of conduct beginning after 15 December 2007 and before 26 June
2017 inclusive;
“MLRO” means Money Laundering Reporting Officer;
“NCA” means National Crime Agency;
“Other Business” means customers, predominantly charities and corporate
entities, who do not form part of the GCC, HPP or CPF business areas and whose
deposits were utilised by Al Rayan’s Treasury business area;
“PEP” means a Politically Exposed Person as defined in Regulation 14(5) of the ML
Regulations;
“Premier Branch” means Al Rayan’s Knightsbridge branch;
“Relevant Period” means 1 April 2015 – 30 November 2017;
“SAR” means a Suspicious Activity Report;
“Second Line of Defence” means Al Rayan’s Financial Crime Unit and Compliance
team;
“Skilled Person” means the skilled person appointed by Al Rayan, as imposed by
the Authority under section 166 of the Act;
“Source of Funds” refers to the origin of funds involved in the business relationship
or occasional transaction. It refers to the activity that generated the funds, for
example salary payments or sale proceeds, as well as the means through which
the customer’s or beneficial owner’s funds were transferred;
“Source of Wealth” describes how a customer or beneficial owner acquired their
total wealth;
“tipping off” means the offences defined in the Proceeds of Crime Act 2002,
section 333A;
“Third Line of Defence” means Al Rayan’s Internal Audit function;
“TM1” means a Transaction Monitoring system which monitored transfers in and
out of customers’ accounts (Al Rayan’s core banking system);
“TM2” means a Transaction Monitoring System which was used for real-time card
transactions which were monitored on a 24/7 basis via a third party;
“UHNW” means Ultra High Net Worth individual – Al Rayan classified an UHNW
customer as a customer with an estimated annual income of over £1m and/or
estimated net assets of more than £15m.
4.
FACTS AND MATTERS
4.1.
Al Rayan was authorised in August 2004 and until December 2014 was known as
the Islamic Bank of Britain. Al Rayan is headquartered in Birmingham and, during
the Relevant Period, operated through ten UK branches.
4.2.
Al Rayan’s parent bank, Al Rayan (UK) Limited is a subsidiary of MAR1, an Islamic
Bank which is based in Qatar. Al Rayan provides Sharia compliant savings, finance
and current account services to over 90,000 personal, business and premier
customers. Al Rayan provides banking services to retail customers, as well as
corporate and charitable entities. Many of Al Rayan’s customers are nationals of
countries in the GCC, who are primarily serviced by Al Rayan’s GCC business area.
4.3.
Al Rayan’s business is organised around three main business areas: GCC, HPP and
CPF. The GCC business, in summary, comprises deposit-taking, current account
and other banking facilities (including lending) provided to a range of retail
customers (primarily individuals who are nationals of countries in the GCC or non-
GCC premier customers who require UK-based banking services), a significant
number of whom are rated “high risk”. By contrast, the HPP and CPF divisions
provide financing products, with some customers having operational accounts to
facilitate the repayment of the underlying loan products. Al Rayan also conducted
business with a number of customers, predominantly charities and corporate
entities, who do not form part of the GCC, HPP or CPF business areas and whose
deposits were utilised by Al Rayan’s Treasury business area (“Other Business”).
4.4.
In January 2015, Al Rayan policy identified that “Premier Banking and wealth
management is perceived to be high-risk for money laundering purposes because
the relevant customers have complex needs requiring complex solutions … Al
Rayan has assessed its current accounts and treasury deposit accounts for high
net worth individuals as presenting a higher level of risk.”
4.5.
Al Rayan’s Knightsbridge branch (also referred to as the “Premier Branch”) was
opened on 15 May 2015 and was established to provide premier banking services
1Whilst MAR is mentioned in this Notice, no criticisms are made of MAR which is not subject to the ML
Regulations.
to predominately HNW and UHNW individuals from GCC countries, within Al
Rayan’s GCC business area. As at the end of September 2017, the Knightsbridge
branch had approximately 1,500 current accounts and 258 Home Purchase with
a book value of approximately £253m. The majority of Al Rayan’s high-risk
customers from an AML perspective were serviced through the Knightsbridge
branch.
4.6.
On 1,133 occasions, Al Rayan accepted in person cash deposits of more than
£10,000 across its branch network during the Relevant Period. These deposits
totalled £22.74 million and included 60 cash deposits of more than £50,000, 16
which were more than £100,000 and 9 of more than £200,000.
4.7.
Al Rayan policy identified that cash transactions presented a high-risk of financial
crime and left the bank particularly vulnerable, because of the nature and
universal acceptability of cash and the fact that there is little or no audit trail, such
that its “Preventing Financial Crime” manual stated that “special care is required
in handling cash transactions for large amounts, even for customers who maintain
accounts with the Bank. Any questionable activity must be examined to establish
the source of funds and/or wealth if appropriate and to determine and document
the reason for the activity”.
Previous Assessments by the Authority of Al Rayan’s AML systems and
controls
The Authority’s 2015 assessment
4.8.
In April 2015, the Authority carried out an assessment of Al Rayan’s AML and
sanctions systems and controls, as part of the Authority’s AML supervision
strategy (the “Authority’s 2015 Assessment”). As a part of the assessment, the
Authority reviewed 17 high-risk/PEP customer files as well as 5 standard risk files.
4.9.
Following the assessment, the Authority set out in a letter to Al Rayan a number
of serious concerns in relation to its AML systems and controls and alerted Al
Rayan to the need to ensure that there was a sufficient focus on AML measures
throughout its business and to ensure that compliance with legal and regulatory
requirements was prioritised. The deficiencies identified included:
4.9.1.
No formal documented risk assessment of customers to identify higher
risk customers with the exception of PEPs and customers linked to
sanctioned countries.
4.9.2.
Little information regarding the purpose and intended nature of the
relationship was gathered for individual customers.
4.9.3.
A failure to conduct adequate EDD on the basis that, amongst other
things, there was a failure to adequately verify or gain sufficient
information in relation to PEP customers’ Source of Wealth and Source
of Funds, including a general lack of willingness to seek further
information from customers.
4.9.4.
Weaknesses in the quality of ongoing monitoring and periodic reviews,
with reviews either non-existent or sporadic in a number of instances.
Where reviews had been undertaken, there were concerns about the
quality and judgement at sign off, for example, a number of reviews
were signed off despite a clear lack of adequate EDD, missing
documents and discrepancies on file.
4.9.5.
Weaknesses across all three lines of defence with no internal audit of
the FCU (a key part of Al Rayan’s Second Line of Defence in AML
matters) for a protracted period.
4.10.
The Authority asked Al Rayan to set out the action it planned to take to remedy
the findings. In response, Al Rayan put in place an Action Plan dated 9 July 2015
(the “2015 Action Plan”) which included the following planned steps:
4.10.1.
conducting a retrospective review of all existing PEP and high-risk
customer files to identify any information gaps;
4.10.2.
carrying out a remediation exercise on existing customers to ensure it
gathered sufficient information in relation to Source of Wealth and
Source of Funds for PEP customers;
4.10.3.
engaging an external consultant to assist Al Rayan with, amongst other
things, (a) defining and documenting the approach to onboarding PEPs
and high-risk customers, and (b) identifying and documenting what
constitutes sufficient evidence of Source of Wealth and how it should be
captured;
4.10.4.
conducting an internal audit of the FCU. The scope of the review was to
focus on the principal findings of the Authority’s 2015 Assessment and
to include a qualitative assessment of the robustness of the systems
and control in mitigating financial crime risks;
4.10.5.
determining and documenting new processes for the on-going
monitoring of PEPs and high-risk customers; and
4.10.6.
introducing sector and role specific training in 2016.
The Authority’s 2017 assessment
4.11.
In June 2017, the Authority conducted a further assessment of Al Rayan’s AML
and sanctions systems and controls, focussing on the Knightsbridge branch (the
“Authority’s 2017 Assessment”). As part of the assessment, the Authority
reviewed a further 19 customer files. The Authority concluded that, whilst some
improvements to the financial crime control framework had been made since the
Authority’s 2015 Assessment, there were ongoing and significant concerns in
relation to weaknesses Al Rayan had committed to address in the 2015 Action
Plan. The Authority identified:
4.11.1.
concerns with the quality of the EDD conducted on high-risk customers
who had been onboarded after the Authority’s 2015 Assessment,
amongst other things, in relation to the identification and verification of
customers’ Source of Wealth and Source of Funds;
4.11.2.
over 300 periodic reviews for high-risk customers and PEP customers
were past their due date;
4.11.3.
that no defined framework was in place at branch level to register or
acknowledge when customer periodic reviews were due, relying solely
on the FCU to control and advise on due dates; and
4.11.4.
that Al Rayan had still not completed the internal audit of the FCU (which
the 2015 Action Plan had stated would be completed by 30 November
2015), two years after receiving feedback from the Authority that such
a review was required which meant that there had been no internal audit
of the FCU for 8 years.,
4.12.
The Authority identified two further serious concerns in relation to Al Rayan’s AML
systems and controls during the 2017 visit, namely:
4.12.1.
the controls and oversight in place at the Knightsbridge branch in
relation to the handling and treatment of large cash transactions, and
the willingness to accept cash deposits without always gaining sufficient
evidence of Source of Funds; and
4.12.2.
a lack of knowledge and understanding within the Knightsbridge branch
of the “tipping off” offence whereby a fear of committing this offence
was discouraging branch staff from rejecting cash deposits even when
they had concerns.
4.13.
As a result of the Authority’s 2015 and 2017 assessments, the Authority imposed
a skilled person requirement upon the firm and the Skilled Person was appointed
on 17 September 2018.
Al Rayan’s customer risk classification
4.14.
Al Rayan implemented the same AML policies and procedures across all its
branches and had in place policies and procedures designed to identify the
financial crime risk posed by a potential customer and on-board them in
accordance with its risk appetite.
4.15.
Al Rayan’s customer risk classification included low, medium and high-risk
customer categories. Certain customers were automatically classified as “high-
risk”, including:
4.15.1.
HNWs, i.e. customers with an estimated annual income of £500,000 to
£1,000,000 and/or estimated net assets of £1m to £15m;
4.15.2.
UHNWs, i.e. customers with an estimated annual income of over £1m
and/or estimated net assets of more than £15m; and
4.15.3.
all customers classified as PEPs (although between March 2015 and
January 2016, there were inconsistencies across Al Rayan’s polices as
to the risk classification of PEPs).
4.16.
Throughout the Relevant Period, Al Rayan’s approach to risk-rating charities and
UK corporate customers was unclear. The policies appear to contradict each other
and variously indicated that a low, medium or high risk could be assigned and it
is unclear how these policies were applied.
4.17.
Al Rayan’s policies provided that it “will deal with customers where the customer's
profile is consistent with the Bank’s vision and strategic objectives and Risk
Management Framework (“RMF”)” and “undertake activity involving PEP's, HNW
clients and other heightened risk customer types subject to the satisfactory
application of Bank's AML policy and procedural standards, including that
concerning due diligence efforts over business activities, source of wealth and
source of funds.”
Requirements in relation to EDD – establishing and, where appropriate,
verifying Source of Wealth and Source of Funds
ML Regulations and JMLSG
4.18.
Regulation 14(1)(b) (Enhanced customer due diligence and ongoing monitoring)
of the ML Regulations provides, amongst other things, that a firm must apply on
a risk sensitive basis EDD measures and enhanced ongoing monitoring in any
situation which by its nature can present a higher risk of money laundering or
terrorist financing.
4.19.
As applicable to Regulation 14(1)(b) of the ML Regulations, paragraphs 4.50 and
5.5.6 of Part I of the JMLSG state:
4.19.1.
“Where a customer is assessed as carrying a higher risk, then depending
on the product sought, it will be necessary to seek additional information
in respect of the customer, to be better able to judge whether or not
the higher risk that the customer is perceived to present is likely to
materialise. Such additional information may include an understanding
of where the customer’s funds and wealth have come from.”
4.19.2.
“When someone becomes a new customer, or applies for a new product
or service, or where there are indications that the risk associated with
an existing business relationship might have increased, the firm should,
depending on the nature of the product or service for which they are
applying, request information as to the customer’s residential status,
employment and salary details, and other sources of income or wealth
(e.g., inheritance, divorce settlement, property sale), in order to decide
whether to accept the application or continue with the relationship. The
firm should consider whether, in some circumstances, evidence of
source of wealth or income should be required (for example, if from an
inheritance, see a copy of the will)”.
4.20.
Regulation 14(4)(b) of the ML Regulations requires that PEP customers are subject
to EDD and a firm must, amongst other things, take adequate measures to
establish the Source of Wealth and Source of Funds involved in the relationship
or transaction.
4.21.
As regards Regulation 14(4)(b), paragraph 5.5.30 of Part I of the JMLSG states
that “As part of its EDD, the firm should consider, on a risk sensitive basis,
whether the information regarding source of wealth and source of funds should
be evidenced. For example, for source of wealth or funds from inheritance, a copy
of the Will could be requested, or if from a sale of property, evidence of
conveyancing could be sought.”
4.22.
In relation to the wealth management sector, paragraph 5.13 of Part II of the
JMLSG provides that “As a minimum requirement to counter the perceived and
actual risks, the firm, and those acting in support of the business, must exercise
a greater degree of diligence throughout the relationship which will be beyond
that needed for normal retail banking purposes”, further stating that “The firm
must endeavour to understand the nature of the client’s business and consider
whether it is consistent and reasonable, including the origins of the client’s wealth
[and] Where possible and appropriate, documentary evidence relating to the
economic activity that gave rise to the wealth.”
4.23.
Thus establishing and, where appropriate, verifying (a) how a customer acquired
their total wealth (Source of Wealth) and (b) the origin of the funds involved in
the relationship or transaction, including the activity that generated the funds and
the means though which the funds were transferred (Source of Funds) is an
important aspect of EDD and can be an essential element of understanding the
financial crime risks associated with a customer either at the point of onboarding
or thereafter.
4.24.
Regulation 17 (2)(d)(iii)-(iv) (Reliance) of the ML Regulations states that a firm
may rely on due diligence conducted by a non-EEA third party provided that it is:
4.24.1.
subject to requirements equivalent to those laid down in Directive
2005/60/EC of the European Parliament and of the Council of 26th
October 2005 on the prevention of the use of the financial system for
the purpose of money laundering and terrorist financing (“the Third
Money Laundering Directive”); and
4.24.2.
supervised for compliance with those requirements in a manner
equivalent to section 2 of Chapter V of the Third Money Laundering
Directive.
Al Rayan’s Policies and procedures
4.25.
Al Rayan’s “Preventing Financial Crime” manual dated 14 January 2015 warned
that “…Wealthy and powerful customers often wield political power and influence.
There is often a desire for extreme confidentiality and reluctance to provide
evidence of beneficial ownership and source of wealth.”
4.26.
The manual required Al Rayan to “obtain background information about a
customer prior to establishing a relationship or opening an account. In particular,
to verify the identity of the customer and find out the customer’s business, source
of income and where necessary the source of wealth, the expected level of activity
on the customer’s account and the reasons for opening the account” and
”undertake additional due diligence on customers or agents that are deemed to
present a higher risk.” It further stated that “The extent to which the information
is verified will depend on the risk assessment of the customer.”
4.27.
Thus, on the Authority’s reading, the “Preventing Financial Crime” manual
required Al Rayan to obtain information in relation to the Source of Wealth and
Source of Funds of customers identified as high-risk, and also to verify this
information through documentary evidence on a risk-sensitive basis. However, it
did not attempt to articulate with any specificity what Source of Wealth and Source
of Funds information and/or documentary evidence for the purposes of verification
should be gathered.
4.28.
Al Rayan’s procedures for gathering EDD at onboarding for individual high-risk
customers required staff to record certain high-level information including a
customer’s employment, monthly income from employment, sources of other
income if applicable, the nature and type of transactions to be undertaken and
the nature/level of business to be conducted. It also required staff to record the
origins of the customer’s wealth and to include evidence to validate the
information obtained from the customer. However, once again, Al Rayan’s
procedures did not give clear guidance to staff as to what information (for
example, in terms of what might constitute an appropriate level of detail) and/or
evidence of the origins of the customer’s wealth they were required to gather.
4.29.
The Authority has noted from the customer file reviews that it undertook in the
context of this investigation that there were three due diligence documents
completed at onboarding for individuals:
4.29.1. the KYC checklist;
4.29.2. the Account Application Form; and
4.29.3. the KYC (EDD) supplementary form, replaced in January 2016 by the
Customer Due Diligence – Individual Overall Summary form.
4.30.
The KYC checklist set out the key due diligence questions to be asked, risk rating
to be applied, account type and relevant documents to be completed at
onboarding.
4.31.
The Account Application Form gathered information in relation to, amongst other
things, a customer’s employment status/income and whether the customer was a
home-owner, together with the value of the property.
4.32.
The KYC (EDD) supplementary form and Customer Due Diligence – Individual
Overall Summary forms, all:
4.32.1.
required an explanation of the customer’s Source of Wealth;
4.32.2.
indicated
that
there
was
a
need
for
some
measure
of
verification/validation of a customer’s Source of Wealth (for example,
advising staff that “Evidence should be obtained” or to “Attach support
narrative and documents if required” or of the need for “independent
verification”); and
4.32.3.
required an explanation of the nature and type of transactions to be
undertaken.
4.33.
The KYC (EDD) supplementary form was used throughout 2015 and included basic
provisions for staff to understand “the origins of the client’s wealth” and stated
that “evidence should be obtained”. This form was replaced by January 2016 with
the Customer Due Diligence – Individual Overall Summary form.
4.34.
Versions of the Customer Due Diligence – Individual Overall Summary form, used
to assist in gathering EDD at onboarding from January 2016 onwards, included a
“Source of Wealth and Source of Funds EDD Guidance and Checklist”. The
checklist set out further requirements on independent verification of Source of
Wealth and Source of Funds, stating the objectives were to:
4.34.1.
“Validate that the customer’s SoW and SoF’s are generated legitimately
with no direct or indirect connection to financial crime”;
4.34.2.
“Understand the level / nature of underlying AML risk, including
difficulties that may arise in establishing / verifying the customer’s SoW
and SoF’s and the impact that may have on residual AML risk”.
4.35.
The guidance on the nature of Source of Wealth and Source of Funds information
and evidence to be acquired stated:
4.35.1.
“The aim is to build ‘the story’ and validate how the customer accrued
their net wealth and how they intend to fund their relationship with the
Bank. Simple statements such as ‘income from business’ ‘inheritance’
and ‘transfer from overseas account’ are not sufficient”.
4.36. For the sources of information which were acceptable to use, the guidance stated:
4.36.1.
“Due diligence assessment should be undertaken using a number of
different / collaborative sources with emphasis on independent
verification. Meaningful assessments must be made specifically
addressing AML objectives”.
4.37.
Whilst Al Rayan’s KYC EDD forms clearly aspired to establishing the customer’s
Source of Wealth and Source of Funds by gathering relevant information and
verifying it, as with the “Preventing Financial Crime” manual referred to above,
there was an absence of clear guidance to staff as to what information/evidence
they were required to obtain as a prerequisite to onboarding a high-risk customer.
4.38.
The Customer Due Diligence – Individual Overall Summary form, used from 2016
onwards, also required an explanation of the rationale for the approval of
onboarding a customer from an AML risk perspective and confirmation that Al
Rayan’s policy and guidance in relation to Source of Wealth and Source of Funds
had been satisfactorily applied.
4.39.
Al Rayan proceeded on the basis that no members of the GCC were listed as
equivalent jurisdictions to the UK / EU in relation to the prevailing AML
requirements. Therefore Al Rayan acknowledged that due diligence conducted
through Al Rayan’s parent bank, MAR, could not be solely relied upon for the
purpose of satisfying Al Rayan’s financial crime controls. In this regard, Al Rayan’s
internal policies expressly stated that for any “new applications from its parent
company, Masraf Al Rayan, the Bank will follow the same procedures and
requirements as for any normal (none referred) application in line with the KYC
Matrix”.
4.40.
The Authority identified two documents which were completed for both corporate
and charity customers at onboarding:
4.40.1.
KYB Checklist; and
4.40.2.
Non-Personal Account or Charities Application Form.
4.41.
Both documents were used to gather CDD in relation to corporate and charity
customers, providing for the collection of key identification evidence and obtaining
an understanding of their principal business and expected account activity.
4.42.
Al Rayan’s policies and procedures did not provide further granular guidance for
staff in order to enable them to understand what EDD was required for charities
or corporate customers classified as high-risk.
Issues identified with EDD at onboarding
Identified concerns in relation to establishing Source of Wealth and Source of
Funds for high-risk customers
The Authority’s 2015 Assessment
4.43.
The Authority’s 2015 Assessment of Al Rayan’s AML systems and controls
identified concerns in relation to the EDD gathered for customers during
onboarding. Specifically, in relation to the sufficiency of Source of Wealth and
Source of Funds, the Authority noted that “The vast majority of the High-risk and
PEP files we tested failed in relation to EDD. In most instances, staff had failed to
adequately verify or gain sufficient information in relation to Source of Wealth and
Source of Funds for PEP customers.” Following the Authority’s 2015 Assessment,
Al Rayan developed the 2015 Action Plan, to be conducted by the FCU to address
issues identified by the Authority, including a remediation exercise on existing
customers to ensure sufficient information was held in relation to Source of Wealth
and Source of Funds.
The 2015 Third Party Review
4.44.
In December 2015, a third party review of Al Rayan’s AML systems and controls
also identified concerns in relation to the adequacy of Source of Wealth and Source
of Funds gathered by Al Rayan. A review of 50 high-risk customer files found:
4.44.1.
in 17 of 50 files (34%), Al Rayan failed to identify the customer’s Source
of Funds;
4.44.2.
in 41 of 50 files (82%), Al Rayan failed to verify the customer’s Source
of Funds;
4.44.3.
in 25 of 50 files (50%), Al Rayan failed to identify the customer’s Source
of Wealth ; and
4.44.4.
in 48 of 50 cases (96%), Al Rayan failed to verify the customer’s Source
of Wealth.
The Authority’s 2017 assessment
4.45.
The Authority’s 2017 Assessment assessed Al Rayan’s AML and sanctions systems
and controls, focussing on the Knightsbridge branch. The Authority concluded
that, whilst some improvements to the financial crime control framework had been
made since the Authority’s 2015 Assessment, significant concerns in relation to
issues Al Rayan had committed to address in the 2015 Action Plan, had not been
adequately addressed.
4.46.
File reviews conducted during the Authority’s 2017 Assessment again identified
concerns with the adequacy of the EDD conducted on high-risk customers,
including instances where no EDD was evidenced and there were insufficient
details of Source of Wealth and Source of Funds.
4.47.
In August 2017, 2 years after being notified by the FCA that an audit was required
and 8 years from the last internal audit of the FCU, Al Rayan conducted an internal
audit of the FCU (the “2017 Internal Audit”) which identified ‘major’ concerns in
relation to the verification of high-risk and PEP customers’ Source of Wealth and
Source of Funds at onboarding. The findings were consistent with the third party
review conducted in December 2015 (see paragraph 4.44 above).
4.48.
The 2017 Internal Audit of FCU also stated that “during our fieldwork, we noted
that
there
were
instances
where
the
remediation
exercise
results/recommendations have not been implemented by FCU” and accordingly
further remediation steps were recommended (see paragraph 4.146 below for
further details in this regard). The 2017 Internal Audit noted in this regard that
“[i]n one instance, a review of a customer’s profile recommended the closure of
all related accounts due the lack of information provided about the source of
wealth and source of funds and in light of the particular customer’s father’s
embezzlement scandal and the particular customer’s account was closed by
another financial institution due to AML concerns”, however this recommendation
had not been implemented. The 2017 Internal Audit further recommended that
“an assessment of the entire customer database to identify information gaps and
inaccuracies for all High-risk and PEP customers and actions should be taken to
remediate these gaps to ensure compliance with FCA SYSC 6.3.1.”
The Authority’s Customer File Review
4.49.
During this investigation, the Authority reviewed a further 15 customer files,
selected across customers who made large cash deposits through the Relevant
Period, including 9 individual customers (one of whom was onboarded prior to the
Relevant Period), 2 corporate customers and 4 charity customers (two of whom
were onboarded prior to the Relevant Period). In short, the Authority identified
deficiencies in Al Rayan’s AML control framework across all 15 files.
4.50.
In relation to the EDD conducted at onboarding, there was a failure to adequately
establish the Source of Wealth and/or the Source of Funds in respect of 7 of the
8 the individual customers who were onboarded during the Relevant Period, either
through a failure to obtain a meaningful level of information or to verify such
information as was obtained, in circumstances where such measures were
appropriate. For 7 of the 8 customers, the Source of Wealth and Source of Funds
assessments relied upon statements made by the customer at onboarding and
were supported by a combination of:
4.50.1.
letters of recommendation from MAR/GCC-based banks; and/or
4.50.2.
bank
statements/cheques
from
the
customer’s
non-EEA
bank
account(s); and/or
4.50.3.
open-source searches and screening.
4.51.
Al Rayan’s policies stated that high-risk customers referred by MAR should be
subject to the same EDD procedures as any other high-risk Al Rayan customer.
Al Rayan was therefore aware that it could not rely solely on customer information
collected by MAR and that it needed to conduct its own EDD as required to satisfy
the ML Regulations.
4.52.
Reliance on customers’ declarations, the very limited information contained in
customers’ non-EEA bank statements, screening and letters of recommendation
from MAR, did not provide Al Rayan with an adequate understanding of how these
customers acquired their wealth and did not enable Al Rayan to adequately
identify the Source of Funds to be used in the banking relationship and subsequent
transactions. Thus, there was a failure on the part of Al Rayan to gather a
meaningful level of information in relation to the customers’ Source of Wealth and
Source of Funds and, furthermore, a failure to verify the limited information that
was gathered.
Corporates and Charities
4.53.
As detailed in paragraph 4.16 above, it is unclear from Al Rayan’s policies how it
risk-rated both corporate and charity customers at onboarding and, furthermore,
the customer files reviewed by the Authority during this investigation did not
indicate that a risk rating or risk assessment had been applied to the 2 corporate
customers and the 2 charity customers onboarded during the Relevant Period.
Customer file examples of Al Rayan’s application of EDD in relation to seeking to
establish Source of Wealth and Source of Funds at onboarding
4.54.
Al Rayan onboarded Customer A at the Knightsbridge branch on 9 September
2015 as a customer of its GCC business area. It assessed Customer A as an HNW
and PEP customer and in accordance with Al Rayan’s policies classified Customer
A as high-risk.
4.55.
The documents Al Rayan completed at onboarding (the Premier KYC checklist, the
Account Application Form and the 2015 version of the KYC (EDD) supplementary
form) identified the customer’s income and assets as: salary from State
employment (stated to be in excess of £10 million annually); estimated value of
residential home (in excess of £10 million); and income from the ownership of
residential and commercial properties in Qatar. The KYC (EDD) Supplementary
form recorded, in response to “The Origins of the client’s wealth (evidence should
be obtained)” section, that Customer A “…used to be a minister…now he owns
properties all over Qatar…”.
4.56.
Al Rayan accepted bank statements of a MAR savings and current account from 2
July 2015 – 13 September 2015 from Customer A as identification and verification
of Customer A’s Source of Wealth and Source of Funds.
4.57.
Whilst Customer A’s MAR account statements identified a high balance of funds
during September 2015 (at some points in excess of 12 million Qatari Riyal), the
transactional narratives on the bank statements did not provide any meaningful
information in relation to or evidence of Customer A’s Source of Wealth or Source
of Funds as described in the account opening documents. The narrative
descriptions on the statements provided line entries such as “House Cheque
Drawn”, “House Cheque Deposit” and “Cash Deposit”, however such descriptions
did not provide Al Rayan with evidence to verify the customer’s overall wealth and
did not demonstrate the origins of the funds that were to be utilised in the banking
relationship with Al Rayan. No further evidence was held on file in support of the
customer’s Source of Wealth or Source of Funds, for example, there was no
attempt to obtain any form of corroboration of the stated salary or evidence of
ownership of, or income from, the customer’s property portfolio.
Customer B
4.58.
Al Rayan onboarded Customer B at the Knightsbridge branch on 24 August 2016
as a customer of its GCC business area. It assessed Customer B as an UHNW and
PEP customer and in accordance with Al Rayan’s policies, Customer B was classed
as high-risk.
4.59.
The documents completed at onboarding were the Premier KYC checklist, the
Account Application Form and the (2016) Customer Due Diligence – Individual
Overall Summary form containing the Source of Wealth and Source of Funds EDD
Guidance and Checklist. These documents outlined Customer B’s income and
assets as: a joint property portfolio valued at approximately £125 million
generating £6 million income per annum, inheritance, income from family
businesses and salary (£75,000 per annum). It also noted that “The client’s family
inherited the major part of their wealth”. More detailed explanations in relation to
the income and assets were not sought and, in this way, only very scant and high-
level information was obtained in relation to Customer B’s overall Source of
Wealth.
4.60.
As regards the EDD evidence on file as at onboarding, this comprised of a letter
from a GCC bank confirming Customer B’s address, an open-source search,
screening conducted on Customer B and savings account statements from a Qatar
bank account. The savings account statements showed Customer B’s balance in
that account from time to time and included brief transactional narratives
however, they did not provide Al Rayan with meaningful information and/or
evidence to verify the customer’s Source of Wealth and they did not demonstrate
the origins of the funds that were to be utilised in the banking relationship with Al
Rayan. The savings account statements provided at onboarding showed a starting
balance as at March 2016 of in excess of 900,000 QAR however they did not shed
any light on the origin of the funds in the account as at this time. In addition,
from the very limited information obtained at onboarding, it is immediately
apparent that the savings account statements related to only a fraction of
Customer B’s overall wealth. In this way, whilst the savings account statements
did include reference to a number of credits described as being “Salary” which
accorded with Customer B’s explanation at onboarding that he had a salary of
£75,000 per annum, they reflected only a fraction of the customer’s overall
income/wealth and, in any event, there was no underlying evidence to support
the origin of even these payments.
4.61.
The Authority also notes that the 2016 Source of Wealth and Source of Funds EDD
Guidance and Checklist effective at the time Customer B was onboarded set out
guidance for understanding a customer’s Source of Wealth and Source of Funds
and indicated in relation to due diligence that the emphasis should be on
“independent verification”. Al Rayan nonetheless proceeded on the basis that
customer declarations, the savings account statements and a letter confirming
Customer B’s address from a GCC bank were effective EDD. The Authority’s view
is that this information did not constitute “independent verification” of the
customer’s Source of Wealth and Source of Funds.
4.62.
In summary, whilst the bank statements provided by Customer B included the
balance within that savings account and made reference to salary payments being
received, they did not provide a meaningful level of information or verification as
to the provenance of the monies in that account or the customer’s overall wealth.
There was no further evidence held on file to independently verify the Source of
Wealth or Source of Funds at onboarding, for example, payslips, a will or probate
information evidencing the inheritance, or evidence of ownership or income from
the property portfolio. Despite this, the Customer Due Diligence – Overall
Summary indicated that the Source of Wealth and Funds Guidance & Checklist
had been properly applied.
4.63.
Al Rayan onboarded Customer C at the Knightsbridge branch on 29 September
2016 as a customer of its GCC business area. Al Rayan assessed Customer C as
an HNW and PEP customer and in accordance with Al Rayan’s policies classed
Customer C as high-risk.
4.64.
Three documents were completed for Customer C’s onboarding: the Premier KYC
checklist, the Premier Application Form and the Customer Due Diligence - Overall
Summary. These documents identified the customer’s income and assets as:
income from employment, inheritance and rental income from a large property
portfolio (with annual income being approximately £3 million). Once again, more
detailed information as to the income/assets was not sought such that only very
scant and high-level information was obtained in relation to Customer C’s overall
Source of Wealth.
4.65.
The evidence on file in support of Customer C’s Source of Wealth and Source of
Funds at onboarding was similarly limited and comprised a declaration by the
customer, a written reference provided by MAR confirming the customer’s address
in Qatar and that its MAR account was in good standing and copies of the MAR
current account statements for September 2016. There was also open-source
material confirming the customer’s employment in a non-remunerative role on
file.
4.66.
Once again, the MAR current account statements did not provide a meaningful
level of information or verification in relation to Customer C’s Source of Wealth or
Source of Funds. There was no further independent information or evidence held
on file to verify the nature and extent of the customer’s employment, inheritance
or ownership of/income from the property portfolio (such as payslips, will or
probate documents or evidence of ownership or income from the property
portfolio).
4.67.
Despite this, the Customer Due Diligence - Overall Summary and the Premier
Application Form stated that the Source of Wealth and Funds Guidance and
Checklist had been satisfactorily applied. It was also noted that “Due diligence
checks have been properly evidenced and documented…”.
Customer D
4.68.
Al Rayan onboarded Customer D at the Coventry Road branch on 30 November
2015. Customer D, one of Al Rayan’s Other Business customers, was identified as
a start-up UK limited company which had recently been incorporated with a sole
proprietor and shareholder, whose principal activity was to repair, buy and sell
forklifts/heavy duty vehicles and sell them internationally, through the
proprietor‘s father who was based in Iraq and who was also to provide a large
initiating payment. There is no evidence on file of a risk rating having been
assigned to this customer.
4.69.
Paragraph 4.32 of Part I of the JMLSG sets out that “Customers (not necessarily
PEPs) based in, or conducting business in or through, a high-risk jurisdiction, or
a jurisdiction with known higher levels of corruption or organised crime, or drug
production/distribution” is a risk factor which should be taken into account in
assessing a customer’s overall risk category. Shortly following the onboarding of
Customer D, Al Rayan's AML / CTF & Sanctions (AML) Risk Appetite dated 17
December 2015 set out that Al Rayan would not engage in transactional activity
involving foreign jurisdictions that had:
“a Corruption Perception Index (CPI) score of less than [20] and or, is listed by
the Financial Action Task Force (FATF) as a [High Risk and Non Cooperative
Jurisdiction.”
The document noted that Iraq had a CPI of 16 and was included on FATF's list of
high risk, non-cooperative jurisdictions. Therefore, Al Rayan’s policy specifically
restricted Customer D’s business activities.
4.70.
Notwithstanding, the Authority considers that it is clear that Customer D should
have been categorised as high-risk and therefore EDD should have been
conducted on Customer D at onboarding.
4.71.
However, the information gathered at the point of onboarding fell well short of
adequate EDD. Two documents were completed at onboarding, a “Business
Application form KYB Checklist” and “Non-personal account application form”.
These documents identified Customer D and set out its principal activities and
anticipated level of business. Standard CDD information was gathered in relation
to Customer D as a UK limited company however as regards seeking to establish
a meaningful understanding of Customer D and its proprietor’s father’s activities,
this was limited to the provision of a handful of one page, paper invoices from
third parties to a business based in Iraq. No further information was gathered in
relation the proprietor’s father, such as the nature of his business activities in Iraq
and/or his source of income/wealth, despite the fact that Customer D would be
engaged in the purchase and sale of construction equipment through its
proprietor’s father in Iraq, a high-risk jurisdiction, and was also to receive a large
initiating payment from the proprietor’s father in Iraq.
Summary of EDD at onboarding
4.72.
Throughout the Relevant Period, Al Rayan was repeatedly informed and reminded
of the weaknesses in its AML framework, including in relation to EDD for the
purposes of establishing customers’ Source of Wealth and Source of Funds.
Despite this, Al Rayan failed to ensure that its policies and procedures in relation
to the identification and verification of customers’ Source of Wealth and Source of
Funds at onboarding met the relevant regulatory requirements and, in doing so,
also failed to ensure that it was compliant with its obligation to counter the risk
that Al Rayan might be used to further financial crime.
4.73.
It is evident, with reference to the Authority’s file reviews, that Al Rayan failed to
undertake adequate EDD to establish its high-risk customers’ Source of Wealth
and Source of Funds, both in terms of gathering meaningful information from its
customers and, where it was appropriate to do so, verifying that information.
Rather than gathering documentary evidence in order to independently verify its
high-risk customers’ Source of Wealth and Source of Funds, for individual
customers, Al Rayan frequently relied upon information provided by the customer
itself and high-level information from MAR, whilst also placing unwarranted
reliance on non-EEA bank statements which provided very little, if any,
information in relation to the customer’s broader wealth and the provenance of
the customer’s monies. Due to the high-risk and PEP nature of these customers,
identification and verification of their Source of Wealth and Source of Funds was
appropriate and therefore required to comply with both Al Rayan’s internal polices
and the ML Regulations. However, despite this, Al Rayan failed to take sufficient
steps to establish and verify its high-risk customers’ Source of Wealth and Source
of Funds.
30
EDD for large cash deposits
ML Regulations and JMLSG
4.74.
In accordance with Regulation 14(1)(b) of the ML Regulations, a firm must apply,
on a risk-sensitive basis, EDD measures and enhanced ongoing monitoring in any
“situation which by its nature can present a higher risk of money laundering or
terrorist financing.” Where the customer is classified as a PEP, firms must “take
adequate measures to establish the source of wealth and source of funds which
are involved in the proposed business relationship or occasional transaction”.
4.75.
Regulation 8(2)(a) of the ML Regulations states that ongoing monitoring of a
business relationship means “scrutiny of transactions undertaken throughout the
course of the relationship (including, where necessary, the source of funds) to
ensure that the transactions are consistent with the relevant person’s knowledge
of the customer, his business and risk profile”.
4.76.
Regulation 20(2)(a)(i)-(iii) of the ML Regulations also states that a firm must
establish and maintain appropriate and risk-sensitive policies and procedures
“which provide for the identification and scrutiny of (i) complex or unusually large
transactions; (ii) unusual patterns of transactions which have no apparent
economic or visible lawful purpose; and (iii) any other activity which the relevant
person regards as particularly likely by its nature to be related to money
laundering or terrorist financing”.
4.77.
In relation to Regulation 14(1) of the ML Regulations, paragraph 5.7.12 of Part I
of the JMLSG states that “Higher risk accounts and customer relationships require
enhanced ongoing monitoring. This will generally mean more frequent or intensive
monitoring.” Likewise, in relation to Regulation 14(1)(b) of the ML Regulations,
paragraph 4.51 of Part I of the JMLSG states that “Where the risks of ML/TF are
higher, firms must conduct enhanced due diligence measures consistent with the
risks identified. In particular, they should increase the degree and nature of
monitoring of the business relationship, in order to determine whether these
transactions or activities appear unusual or suspicious.”
4.78.
In relation to Regulation 8, paragraph 5.7.2 of Part I of the JMLSG states that
“Monitoring customer activity helps identify unusual activity. If unusual activities
cannot be rationally explained, they may involve money laundering or terrorist
financing … The key elements of any system are having up-to-date customer
information, on the basis of which it will be possible to spot the unusual, and
asking pertinent questions to elicit the reasons for unusual transactions or
activities in order to judge whether they may represent something suspicious.”
4.79.
Paragraph 4.32 of Part I of the JMLSG also states that “Customers engaged in a
business which involve significant amounts of cash” is a risk factor which firms
need to consider and, furthermore, paragraph 4.36 states that “Firms should
examine, as far as reasonably possible, the background and purpose of all
complex, unusual large transactions, and all unusual patterns of transactions
which have no apparent economic or lawful purpose.”
4.80.
The Authority considers that, in accordance with the ML Regulations and the
JMLSG guidance, when material amounts of physical cash are presented over the
counter by a high-risk customer, EDD/enhanced ongoing monitoring measures
should be applied, an important component of which is scrutiny of the Source of
Funds provided. The degree of scrutiny and the type of supporting evidence
required for the corroboration of Source of Funds is dependent on the specific
circumstances and the level of money laundering or terrorist financing risk.
Al Rayan’ policies and procedures for large cash deposits
Source of Wealth and Source of Funds
4.81.
Al Rayan’s policies identified that cash transactions presented a high-risk of
financial crime and left the bank particularly vulnerable, because of the nature
and universal acceptability of cash and the fact that there is little or no audit trail.
They further provided that “special care is required in handling cash transactions
for large amounts, even for customers who maintain accounts with the Bank. Any
questionable activity must be examined to establish the source of funds and/or
wealth if appropriate and to determine and document the reason for the activity.
The basic principle to be followed is that the quantity and frequency of cash
transactions should have relevance to the nature and size of the customer’s
4.82.
Al Rayan’s policies set out a non-exhaustive list of cash-based scenarios which
would amount to suspicious or questionable activity in relation to possible financial
crime, for example:
4.82.1.
Unusually large cash deposits made by an individual or company whose
ostensible business activity would normally be generated by cheques
and other instruments.
4.82.2.
A one-off substantial cash deposit mainly composed of high
denomination notes.
4.82.3.
Customers who deposit cash by means of numerous credit slips so that
the total of each deposit is unremarkable, but the total of all credits is
significant.
4.82.4.
An account or customer that has frequent deposits or large amounts of
currency wrapped in currency straps that have been stamped by other
banks.
4.82.5.
Customers who seek to exchange large quantities of low denomination
notes for those of higher denominations or frequently exchange cash
into other currencies.
4.82.6.
Large cash deposits in connection to property transactions.
4.83.
When accepting cash deposits greater than £3,000, Al Rayan’s First Line of
Defence (the cashiers) was required, in accordance with Al Rayan policy, to review
a customer’s transaction history/activity and assess whether the transaction was
in line with the customer’s profile. Al Rayan’s cashiers were also required, in
accordance with Al Rayan policy, to question each customer paying in funds of
over £3,000 with respect to the Source of Funds and record the details in the
notes section on Al Rayan’s customer database, regardless of the customer’s risk
rating.
4.84.
Whilst Al Rayan’s policies did not explicitly require cashiers to obtain evidence of
Source of Funds for cash deposits over £3,000, in November 2017, all branches
received an email from senior management which stated, “[to] reiterate...the
process in the Cashier Manual…For cash deposits above £3000 you must obtain
proof of the source of funds before accepting the deposit. If the customer does
not have this proof then you cannot accept the deposit.” Thus, although Al Rayan’s
policies failed to make this clear, the expectation was that cashiers should gather
evidence of Source of Funds in respect of cash deposits in excess of £3,000.
4.85.
Al Rayan’s “Cashiering - Branch Procedure Document” detailed the cash related
procedures and controls which were to be followed in all branches, through the
Relevant Period. These procedures were adopted in the Knightsbridge branch
when it was first established. However, the procedures were not at all clear and
precise about:
4.85.1.
the steps required when presented with a higher risk situation, such as
large cash transactions involving high-risk customers, both in terms of
what information should be gathered from the customer by way of
explanation, in what circumstances documentary evidence of Source of
Funds was required and guidance as to what would comprise acceptable
documentary evidence; and
4.85.2.
whether cash deposits should be accepted or rejected if there was any
suspicion about the Source of Funds and/or evidence of the Source of
Funds was not available.
4.86.
The Authority considers that, having identified cash deposits as posing a high risk
from an AML perspective, it was incumbent upon Al Rayan to ensure that it
implemented appropriate risk-sensitive policies and procedures so that its staff
would know what to do when confronted with a cash transaction. As referred to
above, Al Rayan failed to do so.
Monitoring procedures for Second Line of Defence
4.87.
The Second Line of Defence (primarily the FCU), was responsible for conducting
transaction monitoring. Al Rayan used two systems to monitor transactions:
4.87.1.
TM1: which monitored transfers in and out of customers’ accounts; and
4.87.2.
TM2: which was used for real-time card transactions monitored on a
24/7 basis via a third party.
4.88.
The FCU reviewed transactions which triggered set rules within TM1 and TM2 and
were flagged for further monitoring. For example, deposits of more than £10,000
in a single deposit or in aggregate over 7 days, or where a customer was placed
on a “watch list”.
4.89.
The FCU reviewed each flagged transaction and determined whether the activity
warranted further investigation. If the transaction did not warrant further
investigation, the FCU noted the reasons why and authorised the transaction. If
after the investigation, suspicions remained, an internal disclosure report would
be made to the MLRO, or nominated deputy, for validation and onward reporting
to the NCA. All payments had been received by Al Rayan at this stage and any
actions were retrospective.
The nature of Al Rayan’s cash deposits
4.90.
As detailed above at paragraph 4.72 - 4.73, throughout the Relevant Period, Al
Rayan onboarded high-risk customers without conducting adequate EDD in terms
of establishing their Source of Wealth and Source of Funds, despite being
repeatedly informed and reminded of the weaknesses in its EDD procedures in
these areas.
4.91.
The Authority notes, based on its file review in this investigation, the following
recurring themes for each customer type:
4.91.1.
the individual (as opposed to corporate) customer files recorded large,
in person, cash deposits at Al Rayan’s branches, which resulted from
customers withdrawing cash from an overseas bank account,
transporting it into the UK and physically depositing the money over the
counter, into their Al Rayan bank account;
4.91.2.
the corporate customer files recorded cash deposits which were higher
than anticipated and, in one instance, related to a business with
activities in an overseas jurisdiction associated with higher levels of
corruption; and
4.91.3.
certain charity customer files recorded large cash deposits as a result of
donations and frequently transferred monies overseas to higher risk
jurisdictions.
4.92.
The Authority’s view is that all of these scenarios clearly entailed a higher risk of
financial crime and accordingly it was important for Al Rayan to have robust
processes in place for conducting EDD/enhanced ongoing monitoring and, more
specifically, to establish and, where appropriate, verify customers’ Source of
Funds in the context of such cash transactions.
Issues identified with monitoring of cash deposits
The Authority’s 2017 Assessment
4.93.
The Authority’s 2017 Assessment identified serious concerns with Al Rayan’s
handling and treatment of large cash transactions and its willingness to accept
cash deposits without always gaining sufficient evidence of Source of Funds. In
addition, the Authority discovered that there was a lack of understanding of the
“tipping off” offence at the Knightsbridge branch such that branch staff would not
reject cash deposits, even where they had suspicions around the Source of Funds,
due to a concern that rejecting the deposit might amount to “tipping off” a
customer within the meaning of section 333A of the Proceeds of Crime Act 2002.
If there were suspicions around a customer’s Source of Funds, rather than
rejecting the cash deposit, branch staff would escalate the issue internally and if
necessary, submit a SAR, having already taken in and banked the monies.
4.94.
The internal audit report of the Knightsbridge branch dated January 2018
concluded that the First and Second Line of Defence were:
4.94.1.
unable to exercise the required judgment regarding the receipt of large
cash deposits, specifically in relation to the requisite Source of Funds;
4.94.2.
not sufficiently risk aware or pro-active in seeking advice from Head
Office when they encountered situations about which they should
reasonably have questions or suspicions;
4.94.3.
unable to adequately consider whether cash deposits should be
accepted or rejected if there was any suspicion about the Source of
Funds and/or evidence of the Source of Funds was not available; and
36
4.94.4.
it was noted in some cases that cashiers were reluctant to offend
customers by not accepting deposits.
4.95.
Aside from the findings of Al Rayan’s 2018 internal audit, the Authority’s own
enquiries also identified that certain First Line of Defence staff’s understanding in
relation to the treatment of cash deposits, as communicated by management, was
to “take in money regardless”.
4.96.
In this regard, the accepted position amongst some of the cashiers was that, due
to the majority of customers being HNW or UHNW, a customer’s status was taken
for granted and there was little questioning of customers in relation to Source of
Funds at the point of deposit, as it was presumed that all the necessary checks
had been done.
Suspicious activity (Tipping Off)
4.97.
Thus although Al Rayan policies (such as the Cashiering Branch Procedure
Document) provided some guidance to staff about the “tipping off” offence and
how to avoid tipping off customers in relation to potentially suspicious
transactions, in reality, there was a fundamental misunderstanding in this area
amongst First Line of Defence staff at the Knightsbridge branch. This led to the
First Line of Defence’s reluctance to request further information/evidence from
customers which, in turn, resulted in the situation whereby Al Rayan failed to
carry out appropriate EDD and enhanced ongoing monitoring to ensure that cash
deposited over the counter was for legitimate purposes and not connected with
financial crime. These failings exposed Al Rayan to an unacceptable risk that it
would be used to further financial crime.
The Authority’s file review
Individual customers
4.98.
The Authority’s review of 9 individual customer’s cash deposits in the context of
this investigation showed HNWs withdrawing large amounts of cash from their
GCC bank accounts, transporting the cash to the UK and then physically depositing
the cash, in person, over the counter into their Al Rayan account(s).
4.99.
In relation to 7 of the 8 customers onboarded during the Relevant Period, the
Authority identified, as explained at paragraph 4.49 - 4.52 and 4.72 - 4.73, that
their Source of Wealth and/or Source of Funds had not been adequately
established at onboarding.
4.100. The Authority also identified that there was inadequate scrutiny applied by the
First and Second Line of Defence at the point of certain cash deposits, such that
Al Rayan failed to adequately establish the origin of the cash and, therefore, the
extent to which there was a risk that Al Rayan might have been being used to
further financial crime. From its file reviews, the Authority identified that Al Rayan
failed to gather adequate information and evidence in relation to these cash
transactions such that its knowledge of them was, in large part, limited to the fact
that the cash in question derived from a non-EEA bank account. However, Al
Rayan had little or no knowledge of how the funds in the non-EEA bank account
had been generated (partly as a result of the abovementioned EDD deficiencies
at the point of onboarding) and Al Rayan failed to obtain adequate information
and evidence to support the origin of the cash transactions.
Corporate and charity customers
4.101. The Authority’s file reviews of two corporate customers identified instances of
significant cash deposits over and above the anticipated level set out at
onboarding and insufficient EDD/enhanced ongoing monitoring, including a failure
to obtain meaningful information as to/evidence of the Source of Funds for the
cash deposits.
4.102. The Authority’s file reviews for two of the four charity customers identified
instances of large cash deposits being accepted by Al Rayan with inadequate
scrutiny of the explanations provided and insufficient consideration of previous
transactions and anticipated account activity.
Examples of inadequate measures to understand customers’ Source of Funds on
large cash deposits
4.103. Al Rayan onboarded Customer C on 29 September 2016 and identified Customer
C as an HNW and PEP at the point of onboarding. The EDD conducted at
38
onboarding, as detailed in paragraph 4.63 - 4.67 above, did not adequately
establish Customer C’s Source of Wealth and Source of Funds.
4.104. Customer C’s onboarding documents noted the anticipated account activity to be
a bank transfer of £50,000 into the account 3 to 4 times a year. However, as it
transpired, the account was credited with cash deposits as opposed to bank
transfers and these cash deposits doubled the anticipated account activity for a
year within a 9-month period. A total of £460,000 in cash was deposited at the
Knightsbridge branch between 30 September 2016 and 7 July 2017, which
included a cash deposit of £250,000 on 21 November 2016, two cash deposits of
£100,000 on 8 May 2017 and 7 July 2017, and a £10,000 cash deposit on 1 June
2017.
Cash deposit 1 - £250,000
4.105. On 21 November 2016, Customer C made a cash deposit of £250,000 at the
Knightsbridge branch. Al Rayan’s records indicate that the money was withdrawn
from the customer’s GCC bank account and exchanged into Sterling and Euros in
Qatar on 18 January 2016, 26 September 2016 and 16 November 2016. The First
Line of Defence accepted a cheque drawn on a GCC bank account indicating that
funds derived from Customer C’s GCC bank account and currency exchange
receipts as evidence of Source of Funds.
4.106. Following the receipt of this cash deposit, the Second Line of Defence queried with
the First Line of Defence the reason why the transaction was not made via a bank
transfer as expected. The reason provided was that “he had the cash at home
because he exchanges the Sterling throughout the year…”. The Second Line of
Defence cited “no concerns” with the transaction or the reason given for it, despite
it being significantly different both in size and nature to the type of transactions
which were anticipated at onboarding and Al Rayan having no meaningful
understanding of how the funds were generated. The Second Line of Defence
requested that any future large cash deposits be made via bank transfer, however
this was stated to be for safety concerns rather than AML concerns.
Cash Deposits 2 and 3 of £100,000 each
4.107. Customer C made two subsequent cash deposits of £100,000, on 8 May 2017 and
7 July 2017:
4.107.1. For cash deposit 2, a currency exchange receipt for £100,000 from a
GCC foreign exchange company dated 25 April 2017 was provided in
support of the transaction.
4.107.2. For cash deposit 3, a GCC bank statement indicating that a cheque had
been cashed and a currency exchange receipt for £100,000 from a GCC
foreign exchange company dated 22 June 2017 was provided in support
of the transaction.
4.108. The Second Line of Defence did not identify any concerns at the time of cash
deposits 2 and 3 despite, once again, having no meaningful understanding of how
the funds had been generated. In addition, the Second Line of Defence made no
further reference to its earlier request that, in future transactions, the deposit be
made by bank transfer as opposed to in cash.
Cash deposit 4 £10,000
4.109. On 1 June 2017, Customer C made a further cash deposit of £10,000 and a cash
withdrawal of the same amount. The purpose of the transaction recorded by the
Second Line of Defence was the exchange of £20 notes into £50 notes. There is
no evidence on the file of any attempt to establish the Source of Funds in support
of this deposit or of questions being asked of Customer C as to the reason for this
transaction.
4.110. The Second Line of Defence did not cite any concerns with cash deposit 4 despite
this scenario specifically comprising one of the hallmarks for questionable activity
identified in Al Rayan’s policies and procedures in relation to handling large cash
deposits (see paragraph 4.82.5 above).
Summary in relation to Customer C
4.111. At onboarding, Customer C was classified as a PEP/HNW and therefore high-risk.
Regulation 14 (4)(b) of the ML Regulations required Al Rayan to conduct
“adequate measures to establish the source of wealth and source of funds which
are involved in the proposed business relationship or occasional transaction” in
those circumstances. However, as explained in paragraphs 4.63 - 4.67 and 4.72
- 4.73 above, Al Rayan did not undertake adequate EDD in relation to Customer
C at onboarding, and there was a failure to establish its Source of Wealth and
Source of Funds.
4.112. In relation to cash deposits over £3,000, Al Rayan’s policy required the First and
Second Line of Defence to scrutinise Source of Funds and for staff to be vigilant;
it further required that all unusual transactions for all customers be identified and
discretely researched, particularly in relation to large cash deposits, as detailed in
paragraph 4.82.
4.113. In cash deposits 1, 2 and 3, Al Rayan understood Customer C to have deposited
money deriving from a GCC bank account into their Al Rayan account in the UK.
The evidence supporting the Source of Funds in relation to these transactions
demonstrated that (a) the cash appeared to originate from the customer’s GCC
bank account, (b) a cheque or cash was deposited with GCC-based foreign
exchange bureaus, (c) cash was provided in Sterling and Euros in return and (d)
this cash was then deposited into Customer C’s Al Rayan account in the UK. The
deficient EDD conducted at Customer C’s onboarding, as detailed in paragraphs
4.63 - 4.67 and 4.72 - 4.73 above, meant that Al Rayan did not have a meaningful
understanding of its Source of Wealth and Source of Funds. In these
circumstances, the provision of a GCC bank statement or a cheque drawn on a
GCC account, coupled with currency exchange receipts, did not enable Al Rayan
to establish and corroborate that Customer C’s Source of Funds for the purposes
of the cash transactions was legitimate and not connected to financial crime.
4.114. The Second Line of Defence did not adequately investigate the AML risk presented
by cash deposits 1, 2 and 3. Its enquiries failed to identify that Al Rayan had not
adequately established Source of Wealth and Source of Funds at onboarding and
it accepted at face value such limited explanations as the customer gave for the
purpose of the cash transactions without adequate investigation. Of further
concern, these cash transactions occurred in circumstances where, at onboarding,
it had been recorded that credits were to be made via bank transfer and not via
cash deposits through currency exchanges in the GCC. Furthermore, the cash
deposits that were made substantially exceeded the expected annual account
activity recorded at onboarding, with no evidence on file to support that any of
these red flags were investigated by the First and Second Line of Defence.
4.115. Finally, for cash deposit 4, no evidence of Source of Funds was provided in support
of the transaction despite the fact that the exchange of low denominations notes
into high denomination notes was an example included in Al Rayan’s policies of
‘questionable activity’, requiring further investigation. There is no evidence that
any such investigation took place.
Customer D
4.116. Al Rayan onboarded Customer D at the Coventry Road, Birmingham branch on 30
November 2015. Customer D, one of Al Rayan’s Other Business customers, was
identified as a start-up UK limited company which had recently been incorporated
with a sole proprietor and shareholder, whose principal activity was to repair, buy
and sell forklifts/heavy duty vehicles and sell them internationally, through the
proprietor’s father who was based in Iraq. As detailed in paragraph 4.68 - 4.71
above, minimal information was gathered in relation the proprietor’s father’s
activities in Iraq and/or his source of income, despite the fact that Customer D
would be engaged in the purchase and sale of construction equipment through
him in Iraq and was also to receive a large initiating payment from the proprietor’s
father in Iraq, a high-risk jurisdiction.
4.117. From the documentation produced at onboarding, the expected account activity
was noted as follows; “Regarding credit and debit International transactions
[Customer D] will be doing around 10k a month. As this is a start-up business the
figure is a forecast so when business picks [up] the customer will come into the
branch to inform of any changes. Cash withdrawals/deposits would be around 2k
(per month) but [Customer D] is expecting most of transfer to [be] electronic
transfer as payment will [be] mostly nationwide.” Overall, it was anticipated that
there would be annual turnover of £200,000.
4.118. Over a two-year period, Al Rayan received approximately £580,000 in cash
deposits from Customer D, despite the fact that the initial indication at onboarding
was that “cash withdrawals/deposits would be around 2k (per month)” and,
further, that Customer B was expecting most of the transfers to be electronic
transfers. The evidence of Source of Funds provided in support of the cash
deposits consisted of single page, paper invoice receipts from sales of construction
vehicles/other items, all of which were addressed to businesses in Iraq. While Al
Rayan’s Second Line of Defence identified concerns in relation to the overall
turnover and requirement for updated EDD, no concerns were identified in relation
to the cash deposits.
Summary Customer D
4.119. At onboarding, it appears that no risk classification was applied to Customer D.
The Authority’s view is that, as per paragraph 4.68 - 4.70 above, Customer D
should have been classified as high-risk. However, as explained in paragraph 4.71
above, Al Rayan’s due diligence at onboarding fell well short of adequate EDD in
relation to Customer D.
4.120. Of the 25 cash deposits over £10,000 made by Customer D over the two-year
period, (a) no further queries were raised by Al Rayan’s First or Second Line of
Defence, as to why these monies were being deposited in cash in contrast with
the anticipated “electronic transfer” activity on the account as recorded at
onboarding and (b) no further evidence of Source of Funds was provided to
support the receipt of large sums of cash other than the above invoice receipts.
4.121. Al Rayan did not adequately investigate the AML risk presented by the cash
deposits and its enquiries failed to identify that only an inadequate level of due
diligence had been performed at the point of onboarding. In addition, although
the increase in anticipated account activity for Customer D was identified multiple
times by the Second Line of Defence through 2016, no further EDD was gathered
in relation to the activities underlying the cash deposits.
4.122. The account for Customer E, one of Al Rayan’s Other Business customers, was
opened at the Coventry Road, Birmingham Branch of Al Rayan on 29 May 2015.
Customer E was a UK charity running as a limited company, with international
operations. As explained at paragraph 4.16 above, Al Rayan’s approach to risk-
rating charities was unclear and no risk rating in relation to Customer E is provided
in the documentation at onboarding. The account opening documentation stated
that the charity raised donations which were to be used for the relief of poverty
throughout the world but mainly in certain high-risk jurisdictions. Customer E was
recognised as being a recipient of donations from the general public (some of
which would be cash) and it was anticipated that it would be making international
payments of approximately £300,000 annually, including to high-risk overseas
jurisdictions.
4.123. The account opening documentation also recorded that the annual turnover for
Customer E was expected to be £800,000 per annum with anticipated cash activity
(i.e. credits and debits) of £10,000 per month.
4.124. On 16 August 2016, Customer E made a cash deposit of approximately £360,000.
This cash deposit was unusually large both in terms of anticipated account activity
and actual activity on the account, as illustrated by the fact that a total of only
approximately £500,000 had been deposited into the account during the previous
13 months. Despite this, the Second Line of Defence identified “no concerns” with
this deposit on the basis of some cursory enquiries whereby the cash was said to
have come from a religious festival collection and had been kept in a safe with
donations “saved over a time/months”. There is no evidence that the Second Line
of Defence assessed this cash deposit in the context of the previous cash deposits
made into the account, noting only the turnover on the account and the amount
of credits to date. Had they done so, they would have been aware of Customer
E’s separate cash deposit of £99,940 which was made on 24 June 2016, just two
months before and which appeared to raise questions about the high-level
explanation given as to the accumulation of cash over time. In any event, the
Authority considers that, given its magnitude and in the circumstances, Customer
E’s cash deposit of 16 August 2016 was a higher risk situation which should
accordingly have triggered a meaningful level of EDD and enhanced ongoing
monitoring.
Summary of Issues with EDD on cash deposits
4.125. The Authority considers that the file reviews undertaken in the context of this
investigation demonstrate that Al Rayan failed to:
4.125.1. adequately perform EDD and enhanced ongoing monitoring in the
context of higher risk situations, namely where customers sought to
make large, in person, deposits of cash over the counter. This included
a failure to establish and verify customers’ Source of Funds in relation
to such high-risk transactions. In this regard, Al Rayan’s failure to
adequately establish high-risk customers’ Source of Wealth and Source
of Funds at onboarding contributed to its subsequent inability/failure to
establish its customers’ Source of Funds in the context of the cash
transactions, such that it did not have a meaningful understanding of
the origin of these monies and it was not able to assess whether those
transactions were for legitimate purposes and not in connection with
financial crime; and
4.125.2. adequately scrutinise potentially suspicious activity given, in particular,
that (a) Al Rayan had itself identified that cash transactions presented
a high-risk of financial crime and left the bank particularly vulnerable,
(b) the cash transactions observed by the Authority in the context of its
file reviews were frequently inconsistent with the account activity
expected on the basis of information supplied at the point of onboarding,
(c) Al Rayan did not adequately enquire into the overall purpose or
reason for the cash transactions in order to evaluate whether they had
a legitimate economic or lawful purpose and (d) Al Rayan did not
establish the Source of Funds of the cash transactions in circumstances
where it had also failed to establish customers’ overall Source of Wealth
and Source of Funds at the point of onboarding.
Ongoing Monitoring – KYC Periodic Review
ML Regulations and JMLSG
4.126. Regulation 8 (1)-(2) of the ML Regulations (Ongoing monitoring) states that:
“(1) A relevant person must conduct ongoing monitoring of a business
relationship.
(2) “Ongoing monitoring” of a business relationship means—
(a) scrutiny of transactions undertaken throughout the course of the relationship
(including, where necessary, the source of funds) to ensure that the transactions
are consistent with the relevant person's knowledge of the customer, his business
and risk profile; and
(b) keeping the documents, data or information obtained for the purpose of
applying customer due diligence measures up-to-date.”
4.127. In accordance with Regulation 14 (1)(b) of the ML Regulations, a firm must also
apply, on a risk-sensitive basis, EDD and enhanced ongoing monitoring in any
situation which by its nature can present a higher risk of money laundering or
terrorist financing. Paragraph 5.7.12 of Part I of the JMLSG states that “Higher
risk accounts and customer relationships require enhanced ongoing monitoring.
This will generally mean more frequent or intensive monitoring.”
Al Rayan’s policies in relation to KYC periodic reviews
4.128. At the start of the Relevant Period, between 1 April 2015 and 17 March 2016, Al
Rayan’s policies stated that “information held relating to HNW and GCC customers
will be reviewed and updated on a yearly basis, or when a material change occurs
in the risk profile of a customer. Periodic review of particular customers will be
made on a risk-based basis, i.e. PEPs are conducted quarterly.”
4.129. The “High Risk Customer Policy” dated 17 March 2016, subsequently required that
all high-risk customers be reviewed annually, stating that:
“Consistent with the risk-based AML approach, CDD and supporting customer
profiles for all High-risk relationships must be reassessed at least on an annual
basis. These annual reviews will be conducted by Financial Crime Unit (“FCU”)
with the assistance of the Relationship Managers…
All High Risk customer relationships must be reviewed at least annually by the
Board Risk Credit and Compliance Committee as part its risk management
responsibilities. Amongst others, on a risk basis the results of enhanced on-going
monitoring should form part of the reporting process to the committee and the
assessment of the High Risk customer relationship and decisions over
continuation.”
4.130. As part of this process, Al Rayan’s Second Line of Defence was responsible for:
conducting customer risk assessments to ensure all KYC was collected and
updated to Al Rayan’s systems; ensuring red flag indicators were considered; and
assessing the justification for the retention of the high-risk customer with
reference to the legitimacy of the customer’s Source of Wealth and Source of
Funds. Once the review was completed, the assessment would be submitted to
the MLRO for re-approval of the relationship with the customer.
Issues identified with KYC periodic reviews
The Authority’s 2015 Assessment
4.131. In 2015, the Authority identified weaknesses in the quality of Al Rayan’s KYC
periodic reviews, with reviews being either non-existent or sporadic. The Authority
also had concerns over the quality and judgement at sign-off of the KYC periodic
reviews that were undertaken. The Authority’s concerns included:
4.131.1. the forms used to carry out the reviews were insufficient to adequately
re-assess the relationship for changes in the risk profile, either as a
result of account activity or changes in the customer profile, and often
consisted of a 'cut and paste' of the original information provided by the
customer;
4.131.2. in some cases, there was conflicting information on the customer file
which had not been challenged or escalated, for example, contradictory
information concerning Source of Wealth and Source of Funds which Al
Rayan had not questioned or rectified; and
4.131.3. Reviews were signed off despite a clear lack of adequate EDD, missing
documents and discrepancies on file.
4.132. The Authority asked Al Rayan to set out the action it planned to take to remedy
the findings of the Authority’s 2015 Assessment. In response, Al Rayan put in
place the 2015 Action Plan which set out the planned steps to rectify the
deficiencies identified, including:
4.132.1. conducting a retrospective review of all existing PEP and high-risk
customer files to identify any information gaps;
4.132.2. carrying out a remediation exercise on existing customers to ensure it
gathered sufficient information in relation to Source of Wealth and
Source of Funds for PEP clients; and
4.132.3. determining and documenting new processes for the on-going
monitoring of PEPs and high-risk clients.
4.133. Following these findings, Al Rayan intended to implement the CRRS system which
would enable the automatic generation of alerts when a customer’s KYC periodic
review was due, the aim being to enable Al Rayan to adequately manage its
ongoing monitoring obligations of customers.
The Authority’s 2017 Assessment
4.134. In June 2017, the Authority’s 2017 Assessment found that:
4.134.1. Over 300 KYC periodic reviews for high risk and PEPs were past their
due date; and
4.134.2. Al Rayan did not have a defined framework in place at branch level to
register or acknowledge when customer KYC periodic reviews were due.
In this regard, Al Rayan relied solely on the FCU to control and advise
on due dates.
4.135. More broadly, the Authority’s 2017 Assessment also found there were ongoing
and significant concerns in relation to weaknesses Al Rayan had committed to
address in the 2015 Action Plan, including the completion of customer file
remediation work.
4.136. In response to the Authority’s 2017 assessment, amongst other things, Al Rayan
recognised that “the backlog of Periodic Reviews of client files is not at an
acceptable level”.
4.137. Al Rayan recognised that its recommended improvements to the KYC periodic
review process following the Authority’s 2015 visit had not been implemented and
stated that the backlog of periodic reviews of client files would be addressed by
30 April 2018. Reasons provided for the ongoing delay were cited in Al Rayan’s
August 2017 internal audit as follows: “due to resource constraints, the FCU did
not perform their annual review of High-risk customers in 2016”.
4.138. Al Rayan also considered that the introduction of the CRRS would provide a
defined framework at branch level “to register or acknowledge when client
periodic reviews are due”.
The Authority’s file review – KYC periodic reviews
4.139. In the context of this investigation, the Authority reviewed 15 customer files
across the Relevant Period and found that none of the 14 of 15 files due for KYC
period review contained any evidence to indicate a KYC periodic review had been
undertaken.
4.140. The customer file review undertaken by the Authority did identify ad hoc requests
made by Al Rayan’s Second Line of Defence for further CDD and EDD to be
conducted on certain customers (due to transaction monitoring indicating a
material change in the expected account activity or concern with the information
held about the customer) however, in a number of instances, these were simply
ignored or followed up in a manner which was entirely inadequate. The following
example highlights a customer file where the need for further EDD was identified
by the Second Line of Defence, but there is no evidence on file to suggest that
those further measures were undertaken.
Customer file example of no EDD being undertaken despite a material change in
the customer’s circumstance
Customer D
4.141. Customer D was onboarded as a corporate customer in November 2015 (see
paragraphs 4.116 – 4.121). It was a start-up UK limited company which had been
recently incorporated with a sole proprietor and shareholder, whose principal
activity was to repair, buy and sell forklifts/heavy duty vehicles and sell them
internationally, through the proprietor’s father, who was based in Iraq.
4.142. The first significant payment made into Customer D’s account in January 2016,
shortly after onboarding, was a “loan” from Customer D’s father for approximately
£124,000 (which was paid by way of bank transfer). The payment was made from
a high-risk jurisdiction in relation to a new customer who was to be dealing with
the purchase/sale of construction vehicles in Iraq, a high-risk jurisdiction.
Inadequate due diligence was performed at onboarding in relation to Customer
D’s proprietor’s father and the business in Iraq, such that Al Rayan did not have
a meaningful understanding as to the origin of this initiating payment.
4.143. In May 2016, a transaction was flagged for monitoring and the Second Line of
Defence highlighted a concern that “expected turnover was £200k pa… To date
they have had £262,606.02. Will ask branch to get more info”. Following this
query from the Second Line of Defence, the First Line of Defence stated “The
funds have come from his father and he is expecting more funds around 400k as
the business has improved. He has around 20 fork lifts and is looking to expand
his business". Despite the vague nature of this response, it did not trigger any
further investigation or an attempt to corroborate this explanation by the First or
Second Line of Defence.
4.144. In October 2016, the Second Line of Defence noted that “Looking at the
anticipated turnover it looks like they are doing more so will ask branch to do new
EDD on the company”. However, despite this request from the Second Line of
Defence, no further enquiries or EDD information are recorded on the file.
4.145. In November 2016, a Second Line of Defence file note following a cash deposit on
16 November 2016 which had triggered transaction monitoring stated “Expected
turnover is £200,000 PA. Turnover so far is £1,094,946.03. Asked branch to do
EDD and ask about the turnover”. However, despite this request from the Second
Line of Defence, once again, no further enquiries or EDD are recorded on the file.
4.146. In the case of Customer D, the Second Line of Defence did identify the need for
further EDD to be conducted on the customer due to the fivefold increase in
account turnover in a year, but there is no evidence on the customer file to
suggest that additional EDD was undertaken. For example, there is no indication
that Al Rayan made any attempt to obtain a meaningful understanding of
Customer D’s business, how it was that the activity on the account was so much
higher than anticipated and/or why there were such a large number of high-value
cash deposits, again, in circumstances where this was contrary to anticipated
activity on the account; likewise, Al Rayan seemingly made no proactive attempt
to obtain any commercial documentation underlying the business activities of
Customer D, instead relying solely on single-page invoices volunteered by
Customer D. A failure to perform adequate EDD and enhanced ongoing monitoring
in relation to Customer D, even when the need to do so was specifically identified
by the Second Line of Defence, exposed Al Rayan to the risk of being used to
facilitate financial crime, especially given the nature of Consumer D’s business,
the geographical location of its operations and the amount of cash received (see
paragraphs 4.116 – 4.121 above).
Internal audit
4.147. Al Rayan’s Internal Audit function was responsible for auditing Al Rayan’s
compliance with UK statutory and regulatory obligations and with financial crime
policies and procedures. The Internal Audit function acted as Al Rayan’s Third Line
of Defence.
4.148. Al Rayan conducted an internal audit of the FCU in February 2009. The Authority
noted in its 2015 assessment that an internal audit of the FCU had not been
conducted for a number of years prior to 2015 and Al Rayan was informed that
one should be undertaken. Following the Authority’s 2015 Assessment, Al Rayan
put in place the 2015 Action Plan which set out the planned steps to rectify the
deficiencies identified, including conducting an internal audit of the FCU. In terms
of timing, the 2015 Action Plan stated that the internal audit was scheduled to
commence in September 2015 and the due date for completion was 30 November
2015. However, as it transpired, the Authority’s 2017 Assessment noted that Al
Rayan had still not completed the internal audit of the FCU two years after
receiving feedback from the Authority that such a review was required.
4.149. Al Rayan finally completed the internal audit of the FCU in 2017 (“Al Rayan’s 2017
Internal Audit”), 8 years after the previous internal audit of the FCU had been
carried out. The scope of the review was to focus on the principal deficiencies
identified by the FCA and it was to include a qualitative assessment of the
robustness of the systems and control in mitigating financial crime risks.
4.150. Al Rayan’s 2017 Internal Audit report in relation to the FCU was produced in
August 2017 and its review of the Knightsbridge branch was produced in January
2018 (the “2018 Internal Audit of the Knightsbridge branch”) which included a
review of “branch procedures – Cash Transactions & Anti money laundering”.
4.151. Both Internal Audit reports identified ‘major’ and ‘significant’ issues across key
areas of Al Rayan’s financial crime controls, including:
4.151.1. The process to identify high-risk customers and the risk assessment
performed at a number of non-Premier branches was very limited.
4.151.2. the onboarding of high-risk and PEP customers, in particular, the
inadequacy of EDD including Source of Wealth and Source of Funds
acquired at onboarding (see paragraphs 4.43 - 4.73.).
4.151.3. ongoing monitoring, whereby it was identified that the list of high-risk
and PEP customers monitored was incomplete, as follows:
4.151.3.1.
35 high-risk customers were not included on the monitoring list,
representing 13% of the total monitoring list of 271 high-risk
customers; and
4.151.3.2.
19 PEP customers were not included on the monitoring list,
representing 5.5% of the total monitoring list of 351 PEP
customers.
4.151.4. annual KYC periodic reviews of high-risk customers had not been
undertaken in 2016. (see paragraphs 4.130 - 4.138); and
4.151.5. inadequate management and supervision in relation to the handling of
large cash deposits in the Knightsbridge branch, with a need for
“bespoke Branch procedures and training reflecting the high-risk at
Knightsbridge branch around acceptance of large cash deposits and
associated anti-money laundering procedures.” (see paragraph 4.125
above and the section of this Notice entitled ‘Training’ immediately
below).
4.152. The Authority considers that the extent of the deficiencies across Al Rayan’s AML
systems and controls was exacerbated by its failure to conduct an internal audit
of the FCU until August 2017. In this way, Al Rayan operated for over 8 years
(between February 2009 and August 2017) without an effective Third Line of
Defence, meaning that weaknesses in Al Rayan’s AML control framework were not
identified and persisted for a significant period of time which, in turn, led to the
risk of Al Rayan being used in furtherance of financial crime.
Training
4.153. Al Rayan’s “Preventing Financial Crime” manual dated 14 January 2015 provided
that:
“One of the most important controls over the prevention and detection of money
laundering is to have employees who are alert to the risks of money laundering.
They must be well trained in the identification of activities or transactions which
may prove to be suspicious. Staff who are meeting with customers or handling
transactions and instructions may be either the Bank’s strongest defence against
money laundering and terrorist financing or its weakest link.”
4.154. The Authority’s customer file reviews and interview evidence demonstrate that
staff across Al Rayan’s First and Second Lines of Defence had insufficient
knowledge and understanding of the ML Regulations to adequately carry out EDD,
both in terms of establishing customers’ Source of Wealth and Source of Funds at
the point of onboarding and establishing customers’ Source of Funds in the
context of higher risk situations, as well as adequately identifying and resolving
suspicious activity.
4.155. In April 2015, the Authority carried out its 2015 Assessment of Al Rayan’s AML
and sanctions systems and controls. Following the assessment, the Authority set
out a number of serious concerns in relation to Al Rayan’s AML systems and
controls and alerted Al Rayan to the need to ensure that there was a sufficient
focus on AML measures throughout its business and to ensure that compliance
with legal and regulatory requirements was prioritised. In response, Al Rayan put
in place the 2015 Action Plan which included introducing sector and role specific
training in 2016 whereby “Training programmes (computer based or otherwise)
will be developed which are specific for the first and second line areas of the
business” and “AML Champions in each front line business area to be identified
and trained to act as experts within the front line areas”.
4.156. Al Rayan’s Knightsbridge branch, established on 15 May 2015, was set up to
specifically target HNW and UHNW individuals, and particularly focussed on GCC-
based customers. From June 2015, Al Rayan was aware of a lack of training and
supervision of staff at the Knightsbridge branch. Over the ensuing months, senior
management committees noted that staff at the Knightsbridge branch had not
been observed (such as by way of ‘1:1’ meetings) due to a lack of management
resource and ‘Training’ was allocated a ‘red’ risk category. In this way, Al Rayan
failed to supervise staff within the Knightsbridge branch during the first six months
of its opening. This lack of training and supervision occurred in circumstances
where it was well-known that the Knightsbridge branch dealt with a large
proportion of Al Rayan’s high-risk customers and Al Rayan was specifically aware
of the risks associated with increased exposure to high-risk customers.
4.157. In June 2017, the Authority conducted its 2017 Assessment, concluding that,
whilst some improvements to the financial crime control framework had been
made since the Authority’s 2015 Assessment, there were ongoing and significant
concerns in relation to weaknesses that Al Rayan had committed to address in the
2015 Action Plan, including the introduction of more targeted training for staff.
The Authority also identified two further serious areas of concern during the 2017
visit, namely:
4.157.1. the controls and oversight in place at the Knightsbridge branch in
relation to the handling and treatment of large cash transactions, and
the willingness to accept cash deposits without always gaining sufficient
evidence of Source of Funds; and
4.157.2. a lack of knowledge and understanding within the Knightsbridge branch
of the “tipping off” offence whereby a fear of committing this offence
was discouraging branch staff from rejecting cash deposits even when
they had concerns.
4.158. In September 2017, senior management noted that the “root cause” of the
deficiencies at the Knightsbridge branch identified by the Authority’s 2017
Assessment (namely around the handling of large cash transactions and the lack
of understanding of the “tipping off” offence) was linked to poor training of staff.
Accordingly, third party training providers were being considered to provide
targeted training for frontline customer-facing roles and AML champions, and to
ensure that induction training was sufficient. Al Rayan also wrote to the Authority
on 8 September 2017, amongst other things, stating that:
4.158.1. “We acknowledge that the failure of staff at the Knightsbridge branch to
fully understand the “tipping off” rules in relation to the cash handling
procedures was very concerning”;
4.158.2. further “role specific” training was being organised for all branch staff
and Head Office, with additional workshops and testing to ensure all the
regulations and guidelines were fully understood; and
4.158.3. the format of the training would include face-to-face classroom training
which would allow staff the opportunity to have “question and answer”
sessions with the trainers.
4.159. However, despite these intentions, the 2018 Internal Audit of the Knightsbridge
branch still concluded that, until very recently, the training provided to Al Rayan
staff was “generic and computer based” and that:
“Given the Branch’s Premier Banking clientele, and their habit of depositing and
withdrawing large amounts of cash, we are of the view that this is insufficient,
and that more bespoke training is required. It was highlighted by the Chief
Commercial Officer that he requested from the Compliance team to provide a
bespoke training to the Branch staff.”
4.160. The 2018 Internal Audit of the Knightsbridge branch also noted that Al Rayan’s
branch staff were not “sufficiently risk aware, and are not sufficiently pro-active
in seeking advice from Head Office when they encounter situations about which
they should reasonably have questions or suspicions.”
4.161. Thus, Al Rayan staff received ‘generic computer-based training’ throughout the
Relevant Period which was not sufficiently targeted towards their AML needs.
Whilst Al Rayan did put in place ‘AML champions’ to whom AML related questions
and queries were to be directed, the training that the AML champions themselves
received did not encompass critical areas where knowledge was lacking in the
First and Second Line of Defence (such as how to adequately establish Source of
Wealth and Source of Funds, and the handling of large cash deposits.
4.162. The Authority considers it is evident that the inadequate training of staff (for
example, in relation to the handling of large cash transactions) contributed to the
deficiencies across Al Rayan’s EDD processes, thereby exposing Al Rayan to the
risk to being used to further financial crime.
Failure to implement remediation
4.163. Following the Authority’s 2015 Assessment, Al Rayan implemented its 2015 Action
Plan to remediate the Authority’s concerns with Al Rayan’s AML control
framework.
4.164. Al Rayan failed to remediate three key issues by the end of the Relevant Period,
as follows:
4.164.1. Al Rayan failed to complete the remediation of the due diligence on
Source of Wealth and Source of Funds for high-risk and PEP customers.
Not all high-risk and PEP files existing before 2016 had been fully
remediated, with 245 of the 423 customer files still requiring
remediation as of 7 September 2017, despite the 2015 Action Plan
stating that this exercise would be complete before the end of 2015.
4.164.2. Al Rayan failed to address the backlog of KYC periodic reviews of high-
risk and PEP customer files and also failed to put in place a defined
framework at branch level to register or acknowledge when KYC periodic
reviews were due. 316 of the 665 high-risk and PEP customer files had
not been subject to KYC periodic review from 1 April 2015 to 7
September 2017.
4.164.3. As explained at paragraph 4.153 - 4.162 above, Al Rayan failed to
implement sector and role specific AML training for the First and Second
Lines of the business.
4.165. In addition, between February 2009 and July 2015 Al Rayan neglected to carry
out an internal audit of the FCU. The 2015 Action Plan required the internal audit
to be completed by November 2015, however it was not completed until August
2017. Therefore Al Rayan did not have an effective Third Line of Defence over the
FCU and in relation to AML matters for over 8 years.
4.166. The interim MLRO Report for the reporting period January 2017 to August 2017
referred to issues in relation to the resource available to Al Rayan, on the basis of
an inability to acquire “the correct level of experienced and qualified staff”. The
Report went on to state that this lack of adequate resource “hampered” Al Rayan’s
ability to remediate certain deficiencies across its financial crime framework by
the end of the Relevant Period.
5.
FAILINGS
5.1.
The regulatory provisions relevant to this Notice are referred to in Annex A.
5.2.
Principle 3 required Al Rayan to take reasonable care to organise its affairs
responsibly and effectively, with adequate risk management systems. Al Rayan
was also required to have policies and procedures in place, comprehensive and
proportionate to its business activities, to enable it to identify, assess, monitor
and manage money laundering risk.
5.3.
Al Rayan failed to meet these requirements and, in doing so, breached Principle 3
in that during the Relevant Period:
5.3.1.
Al Rayan failed to establish, implement and maintain appropriate and
risk-sensitive policies and procedures in relation to the application of EDD
and, in particular, in relation to establishing high-risk customers’ Source
of Wealth and Source of Funds at the point of onboarding. In this regard,
the policies and procedures in place in relation to the appropriate
information/evidence required to establish and verify customers’ Source
of Wealth and Source of Funds were not sufficiently clear, the result of
which was that high-risk and PEP customers were onboarded on the basis
of inadequate EDD. (See paragraphs 4.25 - 4.73).
5.3.2.
Although Al Rayan identified that cash transactions presented a high-risk
of financial crime, it nonetheless failed to establish, implement and
maintain appropriate and risk-sensitive policies and procedures in
relation to the handling and treatment of cash deposits, including whether
they should be accepted or rejected if adequate Source of Funds
information was not provided or when there was suspicion in relation to
the transaction. In this regard, Al Rayan’s policies and procedures for
processing large cash deposits were not sufficiently clear so as to inform
staff what evidence of Source of Funds was required. Al Rayan accepted
£22.74 million in cash deposits of over £10,000 across its branch network
during the Relevant Period. (See paragraphs 4.81 - 4.125).
5.3.3.
Al Rayan failed to carry out adequate EDD in relation to establishing high-
risk customers’ Source of Wealth and Source of Funds at the point of
onboarding and subsequently failed to carry out EDD and enhanced
ongoing monitoring in higher risk situations. For the purposes of
onboarding, Al Rayan relied on due diligence carried out by financial
institutions within GCC states, in circumstances where it was aware this
would not meet the required standards under the ML Regulations and
where Al Rayan’s own policies stated that customers from GCC countries
should be subject to the same CDD and EDD as customers from other
nations.
In
addition,
Al
Rayan
staff
were
over-reliant
upon
uncorroborated explanations from customers as to their Source of Wealth
and Source of Funds, together with bank account statements and letters
of recommendation from non-EEA financial institutions which provided
very limited information about customers’ overall wealth and/or the
origins of their funds. (See paragraphs 4.25 - 4.125).
5.3.4.
Al Rayan’s failure to establish high-risk customers’ Source of Wealth and
Source of Funds at onboarding contributed to its inability/failure to
adequately corroborate the origin of customer monies in subsequent
large, in person, cash deposits, considered by Al Rayan to be higher risk
transactions. (See paragraphs 4.25 - 4.125).
5.3.5.
Al Rayan failed to adequately scrutinize transactions undertaken through
the course of its relationship with customers, including the Source of
Funds involved in such transactions, specifically in relation to the receipt
of large cash deposits. (See paragraphs 4.93 - 4.125).
5.3.6.
Where Al Rayan’s Second Line of Defence indicated, following a
transaction review, that further EDD was required the EDD was not
undertaken and there was no framework in place to ensure the concerns
were addressed; (See paragraphs 4.128 - 4.146).
5.3.7.
Al Rayan failed to keep documents, data or information obtained for the
purposes of applying CDD and EDD measures up-to-date. In 2017, the
Authority found that there was a significant back-log of over 300 existing
high-risk and PEP customers whose KYC periodic reviews had not been
undertaken during the Relevant Period in accordance with Al Rayan’s
policies and were overdue. (See paragraphs 4.131 - 4.146).
5.3.8.
Al Rayan failed to provide adequate AML training for staff throughout the
Relevant Period, including in relation to the handling of large cash
deposits and the “tipping off” rules, which led to the acceptance of large,
in person cash deposits without adequate challenge or scrutiny at the
point of deposit. (See paragraphs 4.153 – 4.162).
5.3.9.
Al Rayan failed to have appropriate internal controls in order to prevent
activities related to money laundering and terrorist financing. An internal
audit of the FCU (Al Rayan’s Second Line of Defence) was not conducted
over an 8-year period, between 2009 and 2017, meaning that it was
unable to ensure the First and Second Line of Defence were functioning
appropriately. (See paragraph 4.165).
5.3.10.
Al Rayan was specifically made aware of the risks presented by
deficiencies in its financial crime systems and controls through the
Relevant Period. In 2015 and 2017, the Authority visited Al Rayan to
review its AML control framework. During both of those visits, the
Authority identified weaknesses across Al Rayan’s AML control framework
that Al Rayan was required to address. However, Al Rayan failed to
remediate those weaknesses in accordance with its own remediation
action plan and certain key actions remained unresolved during the
Relevant Period. For example, by September 2017, (1) almost 50% of
high-risk customers files had not been subject to a KYC periodic review
in line with Al Rayan policy; (2) contrary to commitments made in the
2015 Action Plan, there was no framework in place to effectively manage
KYC period reviews; and (3) Al Rayan had failed to implement adequate
AML training for the First and Second Lines of Defence. (See paragraphs
5.4.
These failings arose in circumstances where Al Rayan was specifically targeting
higher risk customers and undertaking large cash transactions within its GCC
business area, which heightened the potential for financial crime to occur. During
the Relevant Period, Al Rayan’s processes permitted money to enter the UK
financial system without carrying out appropriate due diligence to ensure the
money was for legitimate purposes and not connected with financial crime. The
Authority recognises that the HPP and CPF divisions whose business related to
financing activities, were funded by deposits from a predominantly low risk
customer base, presenting a significantly reduced financial crime risk.
5.5.
As a consequence of these inadequacies in Al Rayan’s AML control framework, it
was unable to adequately identify, assess, monitor or manage its money
laundering risk, particularly in relation to high-risk customers, which resulted in
an unacceptable level of risk that it would be used by those seeking to launder
money or commit financial crime.
6.
SANCTION
Financial penalty
6.1.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of
DEPP. In respect of conduct occurring on or after 6 March 2010, the Authority
applies a five-step framework to determine the appropriate level of financial
penalty. DEPP 6.5A sets out the details of the five-step framework that applies in
respect of financial penalties imposed on firms.
Step 1: disgorgement
6.2.
Pursuant to DEPP 6.5A.1G, at Step 1 the Authority seeks to deprive a firm of the
financial benefit derived directly from the breach where it is practicable to quantify
this.
6.3.
The Authority has not identified any financial benefit that Al Rayan derived directly
from its breach.
6.4.
Step 1 is therefore £0.
Step 2: the seriousness of the breach
6.5.
Pursuant to DEPP 6.5A.2G, at Step 2 the Authority determines a figure that
reflects the seriousness of the breach. Where the amount of revenue generated
by a firm from a particular product line or business area is indicative of the harm
or potential harm that its breach may cause, that figure will be based on a
percentage of the firm’s revenue from the relevant products or business area.
6.6.
The Authority considers that the revenue generated by Al Rayan is indicative of
the harm or potential harm caused by its breach. The Authority has therefore
determined a figure based on a percentage of Al Rayan’s relevant revenue. Al
Rayan’s relevant revenue is the revenue derived by Al Rayan’s business areas
funded by its deposit-taking activity during the period of the breach. The period
of Al Rayan’s breach was from April 2015 to November 2017. The Authority
considers Al Rayan’s relevant revenue for this period to be £106,445,890.
6.7.
In deciding on the percentage of the relevant revenue that forms the basis of the
step 2 figure, the Authority considers the seriousness of the breach and chooses
a percentage between 0% and 20%. This range is divided into five fixed levels
which represent, on a sliding scale, the seriousness of the breach; the more
serious the breach, the higher the level. For penalties imposed on firms there are
the following five levels:
6.7.1.
Level 1 – 0%
6.7.2.
Level 2 – 5%
6.7.3.
Level 3 – 10%
6.7.4.
Level 4 – 15%
6.7.5.
Level 5 – 20%
6.8.
In assessing the seriousness level, the Authority takes into account various factors
which reflect the impact and nature of the breach, and whether it was committed
deliberately or recklessly. DEPP 6.5A.2G(11) lists factors likely to be considered
‘level 4 or 5 factors’. Of these, the Authority considers the following factors to be
relevant:
6.8.1.
the breaches revealed serious or systemic weaknesses in the firm’s
procedures or in the management of systems or internal controls
relating to all or part of the firm’s business; and
6.8.2.
the breaches created a significant risk that financial crime would be
facilitated, occasioned or otherwise occur.
6.9.
Taking all of these factors into account, the Authority considers the seriousness
of the breach to be level 4 and so the Step 2 figure is 15% of £106,445,890.
6.10.
Step 2 is therefore £15,966,883.
6.11.
Pursuant to DEPP 6.5.3(3)G, the Authority may decrease the level of penalty
arrived at after applying Step 2 of the framework if it considers that the penalty
is disproportionately high for the breaches concerned. Notwithstanding the serious
and long-running nature of Al Rayan’s breaches, the Authority considers that the
level of penalty would nonetheless be disproportionate if it were not reduced and
should be adjusted.
6.12.
The Authority considers that relevant revenue should include revenue from the
HPP and CPF business areas because those business areas were funded by
customer deposits affected by some of the misconduct. However, in contrast with
Al Rayan’s GCC business area and its Other Business, the overwhelming
proportion of the funding for the HPP and CPF business areas derived from
transactions that were made by predominantly low risk customers making
predominantly low risk transactions.
6.13.
The reasons for a reduction in this instance therefore result from the very different
financial crime risks relating to the clearly separate business areas affected by the
failings. The Authority considers that the penalty otherwise calculated at Step 2
would be disproportionate.
6.14.
In order to achieve a penalty that is proportionate to the breach, and having taken
into account previous cases, the Step 2 figure is reduced to £4,790,065.
Step 3: mitigating and aggravating factors
6.15.
Pursuant to DEPP 6.5A.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2, but not including any
amount to be disgorged as set out in Step 1, to take into account factors which
aggravate or mitigate the breach.
6.16.
The Authority considers that the following factors aggravate the breach:
6.16.1.
The Authority visited Al Rayan in 2015, as part of its supervisory
strategy for Al Rayan and to carry out a review of its AML control
framework. The Authority sent its feedback letter to Al Rayan on 16
June 2015 highlighting the weaknesses identified by the review. The
Authority also visited Al Rayan in 2017 and again informed Al Rayan of
its ongoing concerns about aspects of its AML control framework.
Despite these express warnings, the deficiencies in Al Rayan’s AML
control framework were not addressed in an adequate timeframe or in
accordance with the 2015 Action Plan and it failed to remediate a
number of key issues by the end of the Relevant Period.
6.16.2.
The Authority has published guidance on the steps firms can take to
reduce financial crime risk and provided examples of good and back
practice since 2011. Since 1990, the JMLSG has published detailed
written guidance on AML controls. During the Relevant Period, the
JMLSG provided guidance on compliance with the legal requirements of
the ML Regulations, regulatory requirements in the Handbook and
evolving practice in the financial services industry. Before, or during,
the Relevant Period the Authority published the following guidance in
relation to AML controls which set out examples to assist firms:
6.16.2.1. in March 2008, the Authority published a report titled “Review of
firms’ implementation of a risk-based approach to anti-money
laundering”. The report notes, among other things, that a firm must
take steps to ensure that its knowledge about a business
relationship with a customer remains current, and keeps documents,
data and information obtained in the CDD context up to date;
6.16.2.2. in June 2011, the Authority published a report titled “Banks’
management of high money-laundering risk situations: How banks
deal with high-risk customers (including politically exposed
persons), correspondent banking relationships and wire transfers”.
The report highlighted the importance of banks applying meaningful
EDD measures in high-risk situations and noted the importance of
carrying out enhanced monitoring of high-risk customers throughout
relationships; and
6.16.2.3. in December 2011, the Authority published “Financial Crime: A
Guide for Firms”. The guide highlighted the need to conduct
adequate CDD checks, perform ongoing monitoring and carry out
EDD measures and enhanced ongoing monitoring when handling
higher-risk situations.
6.16.2.4. In November 2014, the Authority published a report titled “How
small banks manage money laundering and sanctions risk: Update”.
This
review
focused
on
high-risk
customers,
PEPs,
and
correspondent banking and found that there were continuing
weaknesses in most small banks’ AML systems and controls,
including significant and widespread weaknesses in key AML
controls, including AML risk assessments at both a business and
customer level, and EDD and ongoing-monitoring of high risk, PEP,
and correspondent relationships.
6.16.3.
The Authority has published a number of Notices against firms for AML
weaknesses both before and during the Relevant Period, including in
respect of Alpari Limited on 5 May 2010, Coutts & Company on 23 March
2012, Habib Bank AG Zurich on 4 May 2012, Turkish Bank (UK) Limited
Bank PLC on 22 January 2014, Barclays Bank PLC on 25 November
2015, Sonali Bank (UK) Limited on 12 October 2016 and Deutsche Bank
AG on 30 January 2017. These actions stressed to the industry the
Authority’s view of firms with AML deficiencies, and Al Rayan was
accordingly aware of the importance of implementing and maintaining
robust AML systems and controls.
6.17.
Consequently, Al Rayan was aware, or ought to have been aware, of the
importance of putting in place and maintaining effective procedures to detect and
prevent money laundering.
6.18.
The Authority considers that the following factor mitigates the breach:
6.18.1.
On 13 July 2018, the Authority imposed a requirement upon Al Rayan
to appoint a Skilled Person under section 166 of the Act. Thereafter, Al
Rayan entered into a voluntary requirement restricting it from accepting
or processing any new deposit account applications from: any
prospective person categorised as high-risk for the purposes of financial
crime (as defined in Al Rayan’s customer risk rating tool and associated
methodology), PEPs, or family members or known close associates of
PEPs. Working with the Skilled Person over more than 3 years Al Rayan
committed significant resources to improving its AML control
framework, as a consequence of which the Authority lifted the voluntary
requirement in June 2022.
6.19.
Having taken into account these aggravating and mitigating factors, the Authority
considers that the Step 2 figure should be increased by 20%.
6.20.
Step 3 is therefore £5,748,078.
Step 4: adjustment for deterrence
6.21.
Pursuant to DEPP 6.5A.4G, if the Authority considers the figure arrived at after
Step 3 is insufficient to deter the firm who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
6.22.
The Authority considers that the Step 3 figure of £5,748,078 represents a
sufficient deterrent to Al Rayan and others, and so has not increased the penalty
at Step 4.
6.23.
Step 4 is therefore £5,748,078.
Step 5: settlement discount
6.24.
Pursuant to DEPP 6.5A.5G, if the Authority and the firm on whom a penalty is to
be imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have
been payable will be reduced to reflect the stage at which the Authority and the
firm reached agreement. The settlement discount does not apply to the
disgorgement of any benefit calculated at Step 1.
6.25.
The Authority and Al Rayan reached agreement at Stage 1 and so a 30% discount
applies to the Step 4 figure.
6.26.
Step 5 is therefore £4,023,655.
6.27.
The Authority hereby imposes a total financial penalty of £4,023,600 on Al Rayan
for breaching Principle 3.
7.
PROCEDURAL MATTERS
7.1.
This Notice is given to Al Rayan Bank PLC under and in accordance with section
390 of the Act. The following statutory rights are important.
Decision maker
7.2.
The decision which gave rise to the obligation to give this Notice was made by the
Settlement Decision Makers.
Manner and time for payment
7.3.
The financial penalty must be paid in full by Al Rayan Bank PLC to the Authority
no later than 25 January 2023.
If the financial penalty is not paid
7.4.
If all or any of the financial penalty is outstanding on 25 January 2023, the
Authority may recover the outstanding amount as a debt owed by Al Rayan Bank
PLC and due to the Authority.
7.5.
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this notice relates. Under those provisions,
the Authority must publish such information about the matter to which this notice
relates as the Authority considers appropriate. The information may be published
in such manner as the Authority considers appropriate. However, the Authority
may not publish information if such publication would, in the opinion of the
Authority, be unfair to Al Rayan Bank PLC or prejudicial to the interests of
consumers or detrimental to the stability of the UK financial system.
7.6.
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contacts
7.7.
For more information concerning this matter generally, contact Richard Topham
(direct line: 020 7066 1180 / email: richard.topham@fca.org.uk) or Owen Dixon
(direct line: 020 7066 9374 / email: owen.dixon@fca.org.uk) at the Authority.
Lauren Rafter
Financial Conduct Authority, Enforcement and Market Oversight Division
ANNEX A
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.1.
The Authority’s statutory objectives, set out in section 1B(3) of the Act, include the
integrity objectives (protecting and enhancing the integrity of the UK financial
system).
1.2.
Section 206(1) of the Act provides:
“If the Authority considers that an authorised person has contravened a
requirement imposed on him by or under this Act… it may impose on him a penalty,
in respect of the contravention, of such amount as it considers appropriate.”
RELEVANT REGULATORY PROVISIONS
Principles for Businesses
1.3.
The Principles are a general statement of the fundamental obligations of firms
under the regulatory system and are set out in the Authority’s Handbook. They
derive their authority from the Authority’s rule-making powers set out in the Act.
The relevant Principles are as follows.
1.4.
Principle 3 provides:
A firm must take reasonable care to organise and control its affairs responsibly and
effectively, with adequate risk management systems.
Senior Management Arrangements, Systems and Controls (“SYSC”)
1.5.
SYSC 6.1.1R provides:
A firm must establish, implement and maintain adequate policies and procedures
sufficient to ensure compliance of the firm including its managers, employees and
appointed representatives (or where applicable, tied agents) with its obligations
under the regulatory system and for countering the risk that the firm might be used
to further financial crime.
1.6.
SYSC 6.3.1R provides:
A firm must ensure the policies and procedures established under SYSC 6.1.1R
include systems and controls that:
(1) enable it to identify, assess, monitor and manage money laundering risk; and
(2) are comprehensive and proportionate to the nature, scale and complexity of its
activities.”
1.7.
SYSC 6.3.3R provides:
A firm must carry out a regular assessment of the adequacy of these systems and
controls to ensure that they comply with SYSC 6.3.1R.”
DEPP
1.8.
Chapter 6 of DEPP, which forms part of the Authority’s Handbook, sets out the
Authority’s statement of policy with respect to the imposition and amount of
financial penalties under the Act.
The Enforcement Guide
1.9.
The Enforcement Guide sets out the Authority’s approach to exercising its main
enforcement powers under the Act.
1.10. Chapter 7 of the Enforcement Guide sets out the Authority’s approach to exercising
its power to impose a financial a penalty.
FINAL NOTICE
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Authority hereby imposes on Al
Rayan Bank PLC (“Al Rayan”) a financial penalty of £4,023,600, pursuant to
section 206 of the Act.
1.2
Al Rayan agreed to resolve this matter and qualified for a 30% (stage 1) discount
under the Authority’s executive settlement procedures. Were it not for this
discount, the Authority would have imposed a financial penalty of £5,748,000 on
Al Rayan.
2.
SUMMARY OF REASONS
2.1.
The Authority has the operational objective of protecting and enhancing the
integrity of the UK financial system. The laundering of money through UK financial
institutions undermines the integrity of the UK financial system. Financial
institutions operating in the UK are therefore responsible for minimising their risk
of being used for criminal purposes, including the risk of being used to facilitate
money laundering or terrorist financing.
2.2.
To mitigate this risk, UK firms must take reasonable care to organise and control
their affairs responsibly and effectively and to establish, implement and maintain
adequate policies and procedures for countering the risk of them being used to
further financial crime, for example, by those seeking to launder the proceeds of
2
crime, evade financial sanctions, or finance terrorism. This includes establishing
and maintaining appropriate risk-based anti-money laundering (“AML”) systems
and controls which are compliant with the applicable Money Laundering
Regulations. The obligations on a firm under the Money Laundering Regulations
2007 (the “ML Regulations”) include:
2.2.1.
applying, on a risk-sensitive basis, enhanced customer due diligence
(“EDD”) measures and enhanced ongoing monitoring in any situation
which by its nature can present a higher risk of money laundering or
terrorist financing;
2.2.2.
applying scrutiny to transactions undertaken throughout the course of
their relationship with a customer to ensure that the transactions are
consistent with the firm’s knowledge of the customer;
2.2.3.
keeping documents, data or information obtained for the purpose of
applying customer due diligence (“CDD”) measures up-to-date;
2.2.4.
providing adequate training to staff in relation to the law relating to
money laundering and terrorist financing and in how to recognise and
deal with transactions and other activities which may be related to money
laundering or terrorist financing; and
2.2.5.
establishing and maintaining appropriate and risk-sensitive policies and
procedures in order to prevent activities related to money laundering and
terrorist financing, including in relation to internal control and the
monitoring and management of compliance with such policies and
procedures.
2.3.
Al Rayan is headquartered in Birmingham and operates through several branches
throughout the UK. Al Rayan’s parent bank, Al Rayan (UK) Limited is a subsidiary
of Masraf Al Rayan Q.S.C (“MAR”), a Qatar-based Islamic bank. Al Rayan provides
Sharia compliant savings, finance and current account services to over 90,000
personal, business and premier customers, including a significant number of
customers from member states of the Gulf Cooperation Council (“GCC”) who are
primarily serviced by Al Rayan’s GCC business areas. The other two business areas
(Home Purchase Plan (“HPP”) and Commercial Property Finance (“CPF”)) operated
by Al Rayan principally provide secured lending arrangements to UK customers
3
for the primary purpose of acquiring residential (HPP) and commercial property
(CPF) in the UK. Al Rayan’s Knightsbridge branch, established on 15 May 2015,
was set up to specifically target high net worth (“HNW”) and ultra-high net worth
(“UHNW”) individuals, and particularly focussed on GCC based customers.
2.4.
Al Rayan was required, pursuant to the Authority’s Principles for Businesses (the
“Principles”), to take reasonable care to organise its affairs responsibly and
effectively, with adequate risk management systems. Al Rayan was also required
to have policies and procedures in place, comprehensive and proportionate to its
business activities, to enable it to identify, assess, monitor and manage money
laundering risk.
2.5.
Between 1 April 2015 and 30 November 2017 (“the Relevant Period”), Al Rayan
failed to meet these requirements and, in doing so, breached Principle 3. In
particular:
2.5.1.
Al Rayan failed to establish, implement and maintain appropriate and
risk-sensitive policies and procedures in relation to the application of EDD
and, in particular, in relation to establishing high-risk customers’ Source
of Wealth and Source of Funds at the point of onboarding;
2.5.2.
Although Al Rayan identified that cash transactions presented a high-risk
of financial crime, it nonetheless failed to establish, implement and
maintain appropriate and risk-sensitive policies and procedures in
relation to the handling and treatment of cash deposits, including whether
they should be accepted or rejected if adequate Source of Funds
information was not provided or when there was suspicion in relation to
the transaction. Al Rayan accepted £22.74 million in cash deposits of over
£10,000 across its branch network during the Relevant Period;
2.5.3.
Al Rayan failed to carry out adequate EDD in relation to establishing high-
risk customers’ Source of Wealth and Source of Funds at the point of
onboarding and subsequently failed to carry out EDD and enhanced
ongoing monitoring in higher risk situations. For the purposes of
onboarding, Al Rayan relied on due diligence carried out by financial
institutions within GCC states, in circumstances where it was aware this
would not meet the required standards under the ML Regulations and
where Al Rayan’s own policies stated that customers from GCC countries
should be subject to the same CDD and EDD as customers from other
nations;
2.5.4.
Al Rayan’s failure to establish high-risk customers’ Source of Wealth and
Source of Funds at onboarding contributed to its inability/failure to
adequately corroborate the origin of customer monies in subsequent
large, in person, cash deposits, considered by Al Rayan to be higher risk
transactions;
2.5.5.
Al Rayan failed to adequately scrutinize transactions undertaken through
the course of its relationship with customers, including the Source of
Funds involved in such transactions, specifically in relation to the receipt
of large cash deposits;
2.5.6.
Where Al Rayan’s Second Line of Defence indicated, following a
transaction review, that further EDD was required the EDD was not
undertaken and there was no framework in place to ensure the concerns
were addressed;
2.5.7.
Al Rayan failed to keep documents, data or information obtained for the
purposes of applying CDD and EDD measures up-to-date. There was a
significant back-log of over 300 existing high-risk and PEP customers
whose KYC (“know your client”) periodic reviews had not been
undertaken during the Relevant Period in accordance with Al Rayan’s
policies and were overdue;
2.5.8.
Al Rayan failed to provide adequate training to staff, including in relation
to the handling of large cash deposits and the “tipping off” rules, which
led to the acceptance of large, in person cash deposits without adequate
challenge or scrutiny at the point of deposit;
2.5.9.
Al Rayan failed to have appropriate internal controls in order to prevent
activities related to money laundering and terrorist financing. An internal
audit of its Financial Crime Unit (“FCU”) (a key part of Al Rayan’s Second
Line of Defence) was not conducted over an 8-year period, between 2009
and 2017, meaning that it was unable to ensure the First and Second Line
of Defence were functioning appropriately; and
5
2.5.10.
Al Rayan was specifically made aware of the risks presented by
deficiencies in its financial crime systems and controls through the
Relevant Period. In 2015 and 2017, the Authority visited Al Rayan to
review its AML control framework. During both of those visits, the
Authority identified weaknesses across Al Rayan’s AML control framework
that Al Rayan was required to address. However, Al Rayan failed to
remediate those weaknesses in accordance with its own remediation
action plan and certain key actions remained unresolved during the
Relevant Period.
2.6.
These failings arose in circumstances where Al Rayan was specifically targeting
higher risk customers and undertaking large cash transactions within its GCC
business area which heightened the potential for financial crime to occur. During
the Relevant Period, Al Rayan’s processes permitted money to enter the UK
financial system without carrying out appropriate due diligence to ensure the
money was for legitimate purposes and not connected with financial crime. The
Authority recognises that Al Rayan’s HPP and CPF business areas related to
financing activities funded by deposits from a predominantly low risk customer
base, presenting a significantly reduced financial crime risk.
2.7.
On 5 April 2019, owing to the concerns raised by the Authority in respect of Al
Rayan’s AML control framework and the lack of sufficient progress by Al Rayan in
remediating the concerns, Al Rayan entered into a voluntary requirement
restricting it from accepting or processing any new deposit account applications
from: any prospective person categorised as high-risk for the purposes of financial
crime risk (as defined in Al Rayan’s customer risk rating tool and associated
methodology), politically exposed persons (“PEPs”), or family members or known
close associates of PEPs.
2.8.
On 13 July 2018, the Authority imposed a requirement upon Al Rayan to appoint
a Skilled Person under section 166 of the Act. Working with the Skilled Person
over more than 3 years, Al Rayan committed significant resources to improving
its AML control framework. These improvements resulted in the Authority lifting
the voluntary requirement in June 2022. Al Rayan continues to be subject to a
limited business restriction until certain of its processes are automated.
2.9.
The Authority hereby imposes on Al Rayan a financial penalty of £4,023,600
pursuant to section 206 of the Act.
6
3.
DEFINITIONS
3.1.
The definitions below are used in this Notice:
“the Act” means the Financial Services and Markets Act 2000;
“2015 Action Plan” means Al Rayan’s AML remediation action plan which was put
in place following the Authority’s 2015 visit;
“AML” means anti-money laundering;
“AML champions” means Al Rayan’s nominated AML subject matter experts;
“the Authority” means the body corporate previously known as the Financial
Services Authority and renamed on 1 April 2013 as the Financial Conduct
Authority;
“Authority’s file review” means the review of 15 customer files including individual,
corporate and charity customers carried out as part of the investigation;
“BRCC” means the Risk, Compliance & Credit Committee of the Board;
“CDD” means customer due diligence measures as defined in Regulation 5 of the
ML Regulations;
“CPF” means Al Rayan’s Commercial Property Financial business area which
principally provides secured lending arrangements to UK customers for the
primary purpose of acquiring commercial property in the UK;
“CRRS” means Al Rayan’s customer risk rating system which was updated as part
of the 2015 Action Plan and which began to be implemented in November 2016;
“EDD” means enhanced customer due diligence as defined in Regulation 14 of the
ML Regulations;
“First Line of Defence” means front line staff namely branch cashiers and branch
management;
7
“FCU” means Financial Crime Unit, a key part of Al Rayan’s Second Line of
Defence;
“GCC” means Gulf Cooperation Council, a regional union of Gulf states comprising
Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates;
“HNW” means High Net Worth individual – Al Rayan classified a HNW customer as
a customer with an estimated annual income of £500,000 to £1,000,000 and/or
estimated net assets of £1,000,000 – 15,000,000;
“HPP” means Al Rayan’s Home Purchase Plan business area which principally
provides secured lending arrangements to UK customers for the primary purpose
of acquiring residential property in the UK;
“JMLSG” means the Joint Money Laundering Steering Group. The JMLSG is a body
comprised of the leading UK trade associations in the financial services sector;
“JMLSG Guidance” means the guidance that was applicable during the Relevant
Period issued by the JMLSG, and approved by the Treasury, on compliance with
the legal requirements in the ML Regulations, the regulatory requirements in the
Handbook and evolving practice within the financial services industry. The JMLSG
Guidance sets out good practice for the UK financial services sector on the
prevention of money laundering and combatting of terrorist financing;
“KYC” means Know Your Customer;
“KYC Periodic Review” means KYC periodic review of an existing customer’s
information and risk classification;
“MAR” means Masraf Al-Rayan Q.S.C, Al Rayan’s parent bank based in Qatar;
“ML Regulations” means the Money Laundering Regulations 2007, which were in
force in respect of conduct beginning after 15 December 2007 and before 26 June
2017 inclusive;
“MLRO” means Money Laundering Reporting Officer;
“NCA” means National Crime Agency;
“Other Business” means customers, predominantly charities and corporate
entities, who do not form part of the GCC, HPP or CPF business areas and whose
deposits were utilised by Al Rayan’s Treasury business area;
“PEP” means a Politically Exposed Person as defined in Regulation 14(5) of the ML
Regulations;
“Premier Branch” means Al Rayan’s Knightsbridge branch;
“Relevant Period” means 1 April 2015 – 30 November 2017;
“SAR” means a Suspicious Activity Report;
“Second Line of Defence” means Al Rayan’s Financial Crime Unit and Compliance
team;
“Skilled Person” means the skilled person appointed by Al Rayan, as imposed by
the Authority under section 166 of the Act;
“Source of Funds” refers to the origin of funds involved in the business relationship
or occasional transaction. It refers to the activity that generated the funds, for
example salary payments or sale proceeds, as well as the means through which
the customer’s or beneficial owner’s funds were transferred;
“Source of Wealth” describes how a customer or beneficial owner acquired their
total wealth;
“tipping off” means the offences defined in the Proceeds of Crime Act 2002,
section 333A;
“Third Line of Defence” means Al Rayan’s Internal Audit function;
“TM1” means a Transaction Monitoring system which monitored transfers in and
out of customers’ accounts (Al Rayan’s core banking system);
“TM2” means a Transaction Monitoring System which was used for real-time card
transactions which were monitored on a 24/7 basis via a third party;
“UHNW” means Ultra High Net Worth individual – Al Rayan classified an UHNW
customer as a customer with an estimated annual income of over £1m and/or
estimated net assets of more than £15m.
4.
FACTS AND MATTERS
4.1.
Al Rayan was authorised in August 2004 and until December 2014 was known as
the Islamic Bank of Britain. Al Rayan is headquartered in Birmingham and, during
the Relevant Period, operated through ten UK branches.
4.2.
Al Rayan’s parent bank, Al Rayan (UK) Limited is a subsidiary of MAR1, an Islamic
Bank which is based in Qatar. Al Rayan provides Sharia compliant savings, finance
and current account services to over 90,000 personal, business and premier
customers. Al Rayan provides banking services to retail customers, as well as
corporate and charitable entities. Many of Al Rayan’s customers are nationals of
countries in the GCC, who are primarily serviced by Al Rayan’s GCC business area.
4.3.
Al Rayan’s business is organised around three main business areas: GCC, HPP and
CPF. The GCC business, in summary, comprises deposit-taking, current account
and other banking facilities (including lending) provided to a range of retail
customers (primarily individuals who are nationals of countries in the GCC or non-
GCC premier customers who require UK-based banking services), a significant
number of whom are rated “high risk”. By contrast, the HPP and CPF divisions
provide financing products, with some customers having operational accounts to
facilitate the repayment of the underlying loan products. Al Rayan also conducted
business with a number of customers, predominantly charities and corporate
entities, who do not form part of the GCC, HPP or CPF business areas and whose
deposits were utilised by Al Rayan’s Treasury business area (“Other Business”).
4.4.
In January 2015, Al Rayan policy identified that “Premier Banking and wealth
management is perceived to be high-risk for money laundering purposes because
the relevant customers have complex needs requiring complex solutions … Al
Rayan has assessed its current accounts and treasury deposit accounts for high
net worth individuals as presenting a higher level of risk.”
4.5.
Al Rayan’s Knightsbridge branch (also referred to as the “Premier Branch”) was
opened on 15 May 2015 and was established to provide premier banking services
1Whilst MAR is mentioned in this Notice, no criticisms are made of MAR which is not subject to the ML
Regulations.
to predominately HNW and UHNW individuals from GCC countries, within Al
Rayan’s GCC business area. As at the end of September 2017, the Knightsbridge
branch had approximately 1,500 current accounts and 258 Home Purchase with
a book value of approximately £253m. The majority of Al Rayan’s high-risk
customers from an AML perspective were serviced through the Knightsbridge
branch.
4.6.
On 1,133 occasions, Al Rayan accepted in person cash deposits of more than
£10,000 across its branch network during the Relevant Period. These deposits
totalled £22.74 million and included 60 cash deposits of more than £50,000, 16
which were more than £100,000 and 9 of more than £200,000.
4.7.
Al Rayan policy identified that cash transactions presented a high-risk of financial
crime and left the bank particularly vulnerable, because of the nature and
universal acceptability of cash and the fact that there is little or no audit trail, such
that its “Preventing Financial Crime” manual stated that “special care is required
in handling cash transactions for large amounts, even for customers who maintain
accounts with the Bank. Any questionable activity must be examined to establish
the source of funds and/or wealth if appropriate and to determine and document
the reason for the activity”.
Previous Assessments by the Authority of Al Rayan’s AML systems and
controls
The Authority’s 2015 assessment
4.8.
In April 2015, the Authority carried out an assessment of Al Rayan’s AML and
sanctions systems and controls, as part of the Authority’s AML supervision
strategy (the “Authority’s 2015 Assessment”). As a part of the assessment, the
Authority reviewed 17 high-risk/PEP customer files as well as 5 standard risk files.
4.9.
Following the assessment, the Authority set out in a letter to Al Rayan a number
of serious concerns in relation to its AML systems and controls and alerted Al
Rayan to the need to ensure that there was a sufficient focus on AML measures
throughout its business and to ensure that compliance with legal and regulatory
requirements was prioritised. The deficiencies identified included:
4.9.1.
No formal documented risk assessment of customers to identify higher
risk customers with the exception of PEPs and customers linked to
sanctioned countries.
4.9.2.
Little information regarding the purpose and intended nature of the
relationship was gathered for individual customers.
4.9.3.
A failure to conduct adequate EDD on the basis that, amongst other
things, there was a failure to adequately verify or gain sufficient
information in relation to PEP customers’ Source of Wealth and Source
of Funds, including a general lack of willingness to seek further
information from customers.
4.9.4.
Weaknesses in the quality of ongoing monitoring and periodic reviews,
with reviews either non-existent or sporadic in a number of instances.
Where reviews had been undertaken, there were concerns about the
quality and judgement at sign off, for example, a number of reviews
were signed off despite a clear lack of adequate EDD, missing
documents and discrepancies on file.
4.9.5.
Weaknesses across all three lines of defence with no internal audit of
the FCU (a key part of Al Rayan’s Second Line of Defence in AML
matters) for a protracted period.
4.10.
The Authority asked Al Rayan to set out the action it planned to take to remedy
the findings. In response, Al Rayan put in place an Action Plan dated 9 July 2015
(the “2015 Action Plan”) which included the following planned steps:
4.10.1.
conducting a retrospective review of all existing PEP and high-risk
customer files to identify any information gaps;
4.10.2.
carrying out a remediation exercise on existing customers to ensure it
gathered sufficient information in relation to Source of Wealth and
Source of Funds for PEP customers;
4.10.3.
engaging an external consultant to assist Al Rayan with, amongst other
things, (a) defining and documenting the approach to onboarding PEPs
and high-risk customers, and (b) identifying and documenting what
constitutes sufficient evidence of Source of Wealth and how it should be
captured;
4.10.4.
conducting an internal audit of the FCU. The scope of the review was to
focus on the principal findings of the Authority’s 2015 Assessment and
to include a qualitative assessment of the robustness of the systems
and control in mitigating financial crime risks;
4.10.5.
determining and documenting new processes for the on-going
monitoring of PEPs and high-risk customers; and
4.10.6.
introducing sector and role specific training in 2016.
The Authority’s 2017 assessment
4.11.
In June 2017, the Authority conducted a further assessment of Al Rayan’s AML
and sanctions systems and controls, focussing on the Knightsbridge branch (the
“Authority’s 2017 Assessment”). As part of the assessment, the Authority
reviewed a further 19 customer files. The Authority concluded that, whilst some
improvements to the financial crime control framework had been made since the
Authority’s 2015 Assessment, there were ongoing and significant concerns in
relation to weaknesses Al Rayan had committed to address in the 2015 Action
Plan. The Authority identified:
4.11.1.
concerns with the quality of the EDD conducted on high-risk customers
who had been onboarded after the Authority’s 2015 Assessment,
amongst other things, in relation to the identification and verification of
customers’ Source of Wealth and Source of Funds;
4.11.2.
over 300 periodic reviews for high-risk customers and PEP customers
were past their due date;
4.11.3.
that no defined framework was in place at branch level to register or
acknowledge when customer periodic reviews were due, relying solely
on the FCU to control and advise on due dates; and
4.11.4.
that Al Rayan had still not completed the internal audit of the FCU (which
the 2015 Action Plan had stated would be completed by 30 November
2015), two years after receiving feedback from the Authority that such
a review was required which meant that there had been no internal audit
of the FCU for 8 years.,
4.12.
The Authority identified two further serious concerns in relation to Al Rayan’s AML
systems and controls during the 2017 visit, namely:
4.12.1.
the controls and oversight in place at the Knightsbridge branch in
relation to the handling and treatment of large cash transactions, and
the willingness to accept cash deposits without always gaining sufficient
evidence of Source of Funds; and
4.12.2.
a lack of knowledge and understanding within the Knightsbridge branch
of the “tipping off” offence whereby a fear of committing this offence
was discouraging branch staff from rejecting cash deposits even when
they had concerns.
4.13.
As a result of the Authority’s 2015 and 2017 assessments, the Authority imposed
a skilled person requirement upon the firm and the Skilled Person was appointed
on 17 September 2018.
Al Rayan’s customer risk classification
4.14.
Al Rayan implemented the same AML policies and procedures across all its
branches and had in place policies and procedures designed to identify the
financial crime risk posed by a potential customer and on-board them in
accordance with its risk appetite.
4.15.
Al Rayan’s customer risk classification included low, medium and high-risk
customer categories. Certain customers were automatically classified as “high-
risk”, including:
4.15.1.
HNWs, i.e. customers with an estimated annual income of £500,000 to
£1,000,000 and/or estimated net assets of £1m to £15m;
4.15.2.
UHNWs, i.e. customers with an estimated annual income of over £1m
and/or estimated net assets of more than £15m; and
4.15.3.
all customers classified as PEPs (although between March 2015 and
January 2016, there were inconsistencies across Al Rayan’s polices as
to the risk classification of PEPs).
4.16.
Throughout the Relevant Period, Al Rayan’s approach to risk-rating charities and
UK corporate customers was unclear. The policies appear to contradict each other
and variously indicated that a low, medium or high risk could be assigned and it
is unclear how these policies were applied.
4.17.
Al Rayan’s policies provided that it “will deal with customers where the customer's
profile is consistent with the Bank’s vision and strategic objectives and Risk
Management Framework (“RMF”)” and “undertake activity involving PEP's, HNW
clients and other heightened risk customer types subject to the satisfactory
application of Bank's AML policy and procedural standards, including that
concerning due diligence efforts over business activities, source of wealth and
source of funds.”
Requirements in relation to EDD – establishing and, where appropriate,
verifying Source of Wealth and Source of Funds
ML Regulations and JMLSG
4.18.
Regulation 14(1)(b) (Enhanced customer due diligence and ongoing monitoring)
of the ML Regulations provides, amongst other things, that a firm must apply on
a risk sensitive basis EDD measures and enhanced ongoing monitoring in any
situation which by its nature can present a higher risk of money laundering or
terrorist financing.
4.19.
As applicable to Regulation 14(1)(b) of the ML Regulations, paragraphs 4.50 and
5.5.6 of Part I of the JMLSG state:
4.19.1.
“Where a customer is assessed as carrying a higher risk, then depending
on the product sought, it will be necessary to seek additional information
in respect of the customer, to be better able to judge whether or not
the higher risk that the customer is perceived to present is likely to
materialise. Such additional information may include an understanding
of where the customer’s funds and wealth have come from.”
4.19.2.
“When someone becomes a new customer, or applies for a new product
or service, or where there are indications that the risk associated with
an existing business relationship might have increased, the firm should,
depending on the nature of the product or service for which they are
applying, request information as to the customer’s residential status,
employment and salary details, and other sources of income or wealth
(e.g., inheritance, divorce settlement, property sale), in order to decide
whether to accept the application or continue with the relationship. The
firm should consider whether, in some circumstances, evidence of
source of wealth or income should be required (for example, if from an
inheritance, see a copy of the will)”.
4.20.
Regulation 14(4)(b) of the ML Regulations requires that PEP customers are subject
to EDD and a firm must, amongst other things, take adequate measures to
establish the Source of Wealth and Source of Funds involved in the relationship
or transaction.
4.21.
As regards Regulation 14(4)(b), paragraph 5.5.30 of Part I of the JMLSG states
that “As part of its EDD, the firm should consider, on a risk sensitive basis,
whether the information regarding source of wealth and source of funds should
be evidenced. For example, for source of wealth or funds from inheritance, a copy
of the Will could be requested, or if from a sale of property, evidence of
conveyancing could be sought.”
4.22.
In relation to the wealth management sector, paragraph 5.13 of Part II of the
JMLSG provides that “As a minimum requirement to counter the perceived and
actual risks, the firm, and those acting in support of the business, must exercise
a greater degree of diligence throughout the relationship which will be beyond
that needed for normal retail banking purposes”, further stating that “The firm
must endeavour to understand the nature of the client’s business and consider
whether it is consistent and reasonable, including the origins of the client’s wealth
[and] Where possible and appropriate, documentary evidence relating to the
economic activity that gave rise to the wealth.”
4.23.
Thus establishing and, where appropriate, verifying (a) how a customer acquired
their total wealth (Source of Wealth) and (b) the origin of the funds involved in
the relationship or transaction, including the activity that generated the funds and
the means though which the funds were transferred (Source of Funds) is an
important aspect of EDD and can be an essential element of understanding the
financial crime risks associated with a customer either at the point of onboarding
or thereafter.
4.24.
Regulation 17 (2)(d)(iii)-(iv) (Reliance) of the ML Regulations states that a firm
may rely on due diligence conducted by a non-EEA third party provided that it is:
4.24.1.
subject to requirements equivalent to those laid down in Directive
2005/60/EC of the European Parliament and of the Council of 26th
October 2005 on the prevention of the use of the financial system for
the purpose of money laundering and terrorist financing (“the Third
Money Laundering Directive”); and
4.24.2.
supervised for compliance with those requirements in a manner
equivalent to section 2 of Chapter V of the Third Money Laundering
Directive.
Al Rayan’s Policies and procedures
4.25.
Al Rayan’s “Preventing Financial Crime” manual dated 14 January 2015 warned
that “…Wealthy and powerful customers often wield political power and influence.
There is often a desire for extreme confidentiality and reluctance to provide
evidence of beneficial ownership and source of wealth.”
4.26.
The manual required Al Rayan to “obtain background information about a
customer prior to establishing a relationship or opening an account. In particular,
to verify the identity of the customer and find out the customer’s business, source
of income and where necessary the source of wealth, the expected level of activity
on the customer’s account and the reasons for opening the account” and
”undertake additional due diligence on customers or agents that are deemed to
present a higher risk.” It further stated that “The extent to which the information
is verified will depend on the risk assessment of the customer.”
4.27.
Thus, on the Authority’s reading, the “Preventing Financial Crime” manual
required Al Rayan to obtain information in relation to the Source of Wealth and
Source of Funds of customers identified as high-risk, and also to verify this
information through documentary evidence on a risk-sensitive basis. However, it
did not attempt to articulate with any specificity what Source of Wealth and Source
of Funds information and/or documentary evidence for the purposes of verification
should be gathered.
4.28.
Al Rayan’s procedures for gathering EDD at onboarding for individual high-risk
customers required staff to record certain high-level information including a
customer’s employment, monthly income from employment, sources of other
income if applicable, the nature and type of transactions to be undertaken and
the nature/level of business to be conducted. It also required staff to record the
origins of the customer’s wealth and to include evidence to validate the
information obtained from the customer. However, once again, Al Rayan’s
procedures did not give clear guidance to staff as to what information (for
example, in terms of what might constitute an appropriate level of detail) and/or
evidence of the origins of the customer’s wealth they were required to gather.
4.29.
The Authority has noted from the customer file reviews that it undertook in the
context of this investigation that there were three due diligence documents
completed at onboarding for individuals:
4.29.1. the KYC checklist;
4.29.2. the Account Application Form; and
4.29.3. the KYC (EDD) supplementary form, replaced in January 2016 by the
Customer Due Diligence – Individual Overall Summary form.
4.30.
The KYC checklist set out the key due diligence questions to be asked, risk rating
to be applied, account type and relevant documents to be completed at
onboarding.
4.31.
The Account Application Form gathered information in relation to, amongst other
things, a customer’s employment status/income and whether the customer was a
home-owner, together with the value of the property.
4.32.
The KYC (EDD) supplementary form and Customer Due Diligence – Individual
Overall Summary forms, all:
4.32.1.
required an explanation of the customer’s Source of Wealth;
4.32.2.
indicated
that
there
was
a
need
for
some
measure
of
verification/validation of a customer’s Source of Wealth (for example,
advising staff that “Evidence should be obtained” or to “Attach support
narrative and documents if required” or of the need for “independent
verification”); and
4.32.3.
required an explanation of the nature and type of transactions to be
undertaken.
4.33.
The KYC (EDD) supplementary form was used throughout 2015 and included basic
provisions for staff to understand “the origins of the client’s wealth” and stated
that “evidence should be obtained”. This form was replaced by January 2016 with
the Customer Due Diligence – Individual Overall Summary form.
4.34.
Versions of the Customer Due Diligence – Individual Overall Summary form, used
to assist in gathering EDD at onboarding from January 2016 onwards, included a
“Source of Wealth and Source of Funds EDD Guidance and Checklist”. The
checklist set out further requirements on independent verification of Source of
Wealth and Source of Funds, stating the objectives were to:
4.34.1.
“Validate that the customer’s SoW and SoF’s are generated legitimately
with no direct or indirect connection to financial crime”;
4.34.2.
“Understand the level / nature of underlying AML risk, including
difficulties that may arise in establishing / verifying the customer’s SoW
and SoF’s and the impact that may have on residual AML risk”.
4.35.
The guidance on the nature of Source of Wealth and Source of Funds information
and evidence to be acquired stated:
4.35.1.
“The aim is to build ‘the story’ and validate how the customer accrued
their net wealth and how they intend to fund their relationship with the
Bank. Simple statements such as ‘income from business’ ‘inheritance’
and ‘transfer from overseas account’ are not sufficient”.
4.36. For the sources of information which were acceptable to use, the guidance stated:
4.36.1.
“Due diligence assessment should be undertaken using a number of
different / collaborative sources with emphasis on independent
verification. Meaningful assessments must be made specifically
addressing AML objectives”.
4.37.
Whilst Al Rayan’s KYC EDD forms clearly aspired to establishing the customer’s
Source of Wealth and Source of Funds by gathering relevant information and
verifying it, as with the “Preventing Financial Crime” manual referred to above,
there was an absence of clear guidance to staff as to what information/evidence
they were required to obtain as a prerequisite to onboarding a high-risk customer.
4.38.
The Customer Due Diligence – Individual Overall Summary form, used from 2016
onwards, also required an explanation of the rationale for the approval of
onboarding a customer from an AML risk perspective and confirmation that Al
Rayan’s policy and guidance in relation to Source of Wealth and Source of Funds
had been satisfactorily applied.
4.39.
Al Rayan proceeded on the basis that no members of the GCC were listed as
equivalent jurisdictions to the UK / EU in relation to the prevailing AML
requirements. Therefore Al Rayan acknowledged that due diligence conducted
through Al Rayan’s parent bank, MAR, could not be solely relied upon for the
purpose of satisfying Al Rayan’s financial crime controls. In this regard, Al Rayan’s
internal policies expressly stated that for any “new applications from its parent
company, Masraf Al Rayan, the Bank will follow the same procedures and
requirements as for any normal (none referred) application in line with the KYC
Matrix”.
4.40.
The Authority identified two documents which were completed for both corporate
and charity customers at onboarding:
4.40.1.
KYB Checklist; and
4.40.2.
Non-Personal Account or Charities Application Form.
4.41.
Both documents were used to gather CDD in relation to corporate and charity
customers, providing for the collection of key identification evidence and obtaining
an understanding of their principal business and expected account activity.
4.42.
Al Rayan’s policies and procedures did not provide further granular guidance for
staff in order to enable them to understand what EDD was required for charities
or corporate customers classified as high-risk.
Issues identified with EDD at onboarding
Identified concerns in relation to establishing Source of Wealth and Source of
Funds for high-risk customers
The Authority’s 2015 Assessment
4.43.
The Authority’s 2015 Assessment of Al Rayan’s AML systems and controls
identified concerns in relation to the EDD gathered for customers during
onboarding. Specifically, in relation to the sufficiency of Source of Wealth and
Source of Funds, the Authority noted that “The vast majority of the High-risk and
PEP files we tested failed in relation to EDD. In most instances, staff had failed to
adequately verify or gain sufficient information in relation to Source of Wealth and
Source of Funds for PEP customers.” Following the Authority’s 2015 Assessment,
Al Rayan developed the 2015 Action Plan, to be conducted by the FCU to address
issues identified by the Authority, including a remediation exercise on existing
customers to ensure sufficient information was held in relation to Source of Wealth
and Source of Funds.
The 2015 Third Party Review
4.44.
In December 2015, a third party review of Al Rayan’s AML systems and controls
also identified concerns in relation to the adequacy of Source of Wealth and Source
of Funds gathered by Al Rayan. A review of 50 high-risk customer files found:
4.44.1.
in 17 of 50 files (34%), Al Rayan failed to identify the customer’s Source
of Funds;
4.44.2.
in 41 of 50 files (82%), Al Rayan failed to verify the customer’s Source
of Funds;
4.44.3.
in 25 of 50 files (50%), Al Rayan failed to identify the customer’s Source
of Wealth ; and
4.44.4.
in 48 of 50 cases (96%), Al Rayan failed to verify the customer’s Source
of Wealth.
The Authority’s 2017 assessment
4.45.
The Authority’s 2017 Assessment assessed Al Rayan’s AML and sanctions systems
and controls, focussing on the Knightsbridge branch. The Authority concluded
that, whilst some improvements to the financial crime control framework had been
made since the Authority’s 2015 Assessment, significant concerns in relation to
issues Al Rayan had committed to address in the 2015 Action Plan, had not been
adequately addressed.
4.46.
File reviews conducted during the Authority’s 2017 Assessment again identified
concerns with the adequacy of the EDD conducted on high-risk customers,
including instances where no EDD was evidenced and there were insufficient
details of Source of Wealth and Source of Funds.
4.47.
In August 2017, 2 years after being notified by the FCA that an audit was required
and 8 years from the last internal audit of the FCU, Al Rayan conducted an internal
audit of the FCU (the “2017 Internal Audit”) which identified ‘major’ concerns in
relation to the verification of high-risk and PEP customers’ Source of Wealth and
Source of Funds at onboarding. The findings were consistent with the third party
review conducted in December 2015 (see paragraph 4.44 above).
4.48.
The 2017 Internal Audit of FCU also stated that “during our fieldwork, we noted
that
there
were
instances
where
the
remediation
exercise
results/recommendations have not been implemented by FCU” and accordingly
further remediation steps were recommended (see paragraph 4.146 below for
further details in this regard). The 2017 Internal Audit noted in this regard that
“[i]n one instance, a review of a customer’s profile recommended the closure of
all related accounts due the lack of information provided about the source of
wealth and source of funds and in light of the particular customer’s father’s
embezzlement scandal and the particular customer’s account was closed by
another financial institution due to AML concerns”, however this recommendation
had not been implemented. The 2017 Internal Audit further recommended that
“an assessment of the entire customer database to identify information gaps and
inaccuracies for all High-risk and PEP customers and actions should be taken to
remediate these gaps to ensure compliance with FCA SYSC 6.3.1.”
The Authority’s Customer File Review
4.49.
During this investigation, the Authority reviewed a further 15 customer files,
selected across customers who made large cash deposits through the Relevant
Period, including 9 individual customers (one of whom was onboarded prior to the
Relevant Period), 2 corporate customers and 4 charity customers (two of whom
were onboarded prior to the Relevant Period). In short, the Authority identified
deficiencies in Al Rayan’s AML control framework across all 15 files.
4.50.
In relation to the EDD conducted at onboarding, there was a failure to adequately
establish the Source of Wealth and/or the Source of Funds in respect of 7 of the
8 the individual customers who were onboarded during the Relevant Period, either
through a failure to obtain a meaningful level of information or to verify such
information as was obtained, in circumstances where such measures were
appropriate. For 7 of the 8 customers, the Source of Wealth and Source of Funds
assessments relied upon statements made by the customer at onboarding and
were supported by a combination of:
4.50.1.
letters of recommendation from MAR/GCC-based banks; and/or
4.50.2.
bank
statements/cheques
from
the
customer’s
non-EEA
bank
account(s); and/or
4.50.3.
open-source searches and screening.
4.51.
Al Rayan’s policies stated that high-risk customers referred by MAR should be
subject to the same EDD procedures as any other high-risk Al Rayan customer.
Al Rayan was therefore aware that it could not rely solely on customer information
collected by MAR and that it needed to conduct its own EDD as required to satisfy
the ML Regulations.
4.52.
Reliance on customers’ declarations, the very limited information contained in
customers’ non-EEA bank statements, screening and letters of recommendation
from MAR, did not provide Al Rayan with an adequate understanding of how these
customers acquired their wealth and did not enable Al Rayan to adequately
identify the Source of Funds to be used in the banking relationship and subsequent
transactions. Thus, there was a failure on the part of Al Rayan to gather a
meaningful level of information in relation to the customers’ Source of Wealth and
Source of Funds and, furthermore, a failure to verify the limited information that
was gathered.
Corporates and Charities
4.53.
As detailed in paragraph 4.16 above, it is unclear from Al Rayan’s policies how it
risk-rated both corporate and charity customers at onboarding and, furthermore,
the customer files reviewed by the Authority during this investigation did not
indicate that a risk rating or risk assessment had been applied to the 2 corporate
customers and the 2 charity customers onboarded during the Relevant Period.
Customer file examples of Al Rayan’s application of EDD in relation to seeking to
establish Source of Wealth and Source of Funds at onboarding
4.54.
Al Rayan onboarded Customer A at the Knightsbridge branch on 9 September
2015 as a customer of its GCC business area. It assessed Customer A as an HNW
and PEP customer and in accordance with Al Rayan’s policies classified Customer
A as high-risk.
4.55.
The documents Al Rayan completed at onboarding (the Premier KYC checklist, the
Account Application Form and the 2015 version of the KYC (EDD) supplementary
form) identified the customer’s income and assets as: salary from State
employment (stated to be in excess of £10 million annually); estimated value of
residential home (in excess of £10 million); and income from the ownership of
residential and commercial properties in Qatar. The KYC (EDD) Supplementary
form recorded, in response to “The Origins of the client’s wealth (evidence should
be obtained)” section, that Customer A “…used to be a minister…now he owns
properties all over Qatar…”.
4.56.
Al Rayan accepted bank statements of a MAR savings and current account from 2
July 2015 – 13 September 2015 from Customer A as identification and verification
of Customer A’s Source of Wealth and Source of Funds.
4.57.
Whilst Customer A’s MAR account statements identified a high balance of funds
during September 2015 (at some points in excess of 12 million Qatari Riyal), the
transactional narratives on the bank statements did not provide any meaningful
information in relation to or evidence of Customer A’s Source of Wealth or Source
of Funds as described in the account opening documents. The narrative
descriptions on the statements provided line entries such as “House Cheque
Drawn”, “House Cheque Deposit” and “Cash Deposit”, however such descriptions
did not provide Al Rayan with evidence to verify the customer’s overall wealth and
did not demonstrate the origins of the funds that were to be utilised in the banking
relationship with Al Rayan. No further evidence was held on file in support of the
customer’s Source of Wealth or Source of Funds, for example, there was no
attempt to obtain any form of corroboration of the stated salary or evidence of
ownership of, or income from, the customer’s property portfolio.
Customer B
4.58.
Al Rayan onboarded Customer B at the Knightsbridge branch on 24 August 2016
as a customer of its GCC business area. It assessed Customer B as an UHNW and
PEP customer and in accordance with Al Rayan’s policies, Customer B was classed
as high-risk.
4.59.
The documents completed at onboarding were the Premier KYC checklist, the
Account Application Form and the (2016) Customer Due Diligence – Individual
Overall Summary form containing the Source of Wealth and Source of Funds EDD
Guidance and Checklist. These documents outlined Customer B’s income and
assets as: a joint property portfolio valued at approximately £125 million
generating £6 million income per annum, inheritance, income from family
businesses and salary (£75,000 per annum). It also noted that “The client’s family
inherited the major part of their wealth”. More detailed explanations in relation to
the income and assets were not sought and, in this way, only very scant and high-
level information was obtained in relation to Customer B’s overall Source of
Wealth.
4.60.
As regards the EDD evidence on file as at onboarding, this comprised of a letter
from a GCC bank confirming Customer B’s address, an open-source search,
screening conducted on Customer B and savings account statements from a Qatar
bank account. The savings account statements showed Customer B’s balance in
that account from time to time and included brief transactional narratives
however, they did not provide Al Rayan with meaningful information and/or
evidence to verify the customer’s Source of Wealth and they did not demonstrate
the origins of the funds that were to be utilised in the banking relationship with Al
Rayan. The savings account statements provided at onboarding showed a starting
balance as at March 2016 of in excess of 900,000 QAR however they did not shed
any light on the origin of the funds in the account as at this time. In addition,
from the very limited information obtained at onboarding, it is immediately
apparent that the savings account statements related to only a fraction of
Customer B’s overall wealth. In this way, whilst the savings account statements
did include reference to a number of credits described as being “Salary” which
accorded with Customer B’s explanation at onboarding that he had a salary of
£75,000 per annum, they reflected only a fraction of the customer’s overall
income/wealth and, in any event, there was no underlying evidence to support
the origin of even these payments.
4.61.
The Authority also notes that the 2016 Source of Wealth and Source of Funds EDD
Guidance and Checklist effective at the time Customer B was onboarded set out
guidance for understanding a customer’s Source of Wealth and Source of Funds
and indicated in relation to due diligence that the emphasis should be on
“independent verification”. Al Rayan nonetheless proceeded on the basis that
customer declarations, the savings account statements and a letter confirming
Customer B’s address from a GCC bank were effective EDD. The Authority’s view
is that this information did not constitute “independent verification” of the
customer’s Source of Wealth and Source of Funds.
4.62.
In summary, whilst the bank statements provided by Customer B included the
balance within that savings account and made reference to salary payments being
received, they did not provide a meaningful level of information or verification as
to the provenance of the monies in that account or the customer’s overall wealth.
There was no further evidence held on file to independently verify the Source of
Wealth or Source of Funds at onboarding, for example, payslips, a will or probate
information evidencing the inheritance, or evidence of ownership or income from
the property portfolio. Despite this, the Customer Due Diligence – Overall
Summary indicated that the Source of Wealth and Funds Guidance & Checklist
had been properly applied.
4.63.
Al Rayan onboarded Customer C at the Knightsbridge branch on 29 September
2016 as a customer of its GCC business area. Al Rayan assessed Customer C as
an HNW and PEP customer and in accordance with Al Rayan’s policies classed
Customer C as high-risk.
4.64.
Three documents were completed for Customer C’s onboarding: the Premier KYC
checklist, the Premier Application Form and the Customer Due Diligence - Overall
Summary. These documents identified the customer’s income and assets as:
income from employment, inheritance and rental income from a large property
portfolio (with annual income being approximately £3 million). Once again, more
detailed information as to the income/assets was not sought such that only very
scant and high-level information was obtained in relation to Customer C’s overall
Source of Wealth.
4.65.
The evidence on file in support of Customer C’s Source of Wealth and Source of
Funds at onboarding was similarly limited and comprised a declaration by the
customer, a written reference provided by MAR confirming the customer’s address
in Qatar and that its MAR account was in good standing and copies of the MAR
current account statements for September 2016. There was also open-source
material confirming the customer’s employment in a non-remunerative role on
file.
4.66.
Once again, the MAR current account statements did not provide a meaningful
level of information or verification in relation to Customer C’s Source of Wealth or
Source of Funds. There was no further independent information or evidence held
on file to verify the nature and extent of the customer’s employment, inheritance
or ownership of/income from the property portfolio (such as payslips, will or
probate documents or evidence of ownership or income from the property
portfolio).
4.67.
Despite this, the Customer Due Diligence - Overall Summary and the Premier
Application Form stated that the Source of Wealth and Funds Guidance and
Checklist had been satisfactorily applied. It was also noted that “Due diligence
checks have been properly evidenced and documented…”.
Customer D
4.68.
Al Rayan onboarded Customer D at the Coventry Road branch on 30 November
2015. Customer D, one of Al Rayan’s Other Business customers, was identified as
a start-up UK limited company which had recently been incorporated with a sole
proprietor and shareholder, whose principal activity was to repair, buy and sell
forklifts/heavy duty vehicles and sell them internationally, through the
proprietor‘s father who was based in Iraq and who was also to provide a large
initiating payment. There is no evidence on file of a risk rating having been
assigned to this customer.
4.69.
Paragraph 4.32 of Part I of the JMLSG sets out that “Customers (not necessarily
PEPs) based in, or conducting business in or through, a high-risk jurisdiction, or
a jurisdiction with known higher levels of corruption or organised crime, or drug
production/distribution” is a risk factor which should be taken into account in
assessing a customer’s overall risk category. Shortly following the onboarding of
Customer D, Al Rayan's AML / CTF & Sanctions (AML) Risk Appetite dated 17
December 2015 set out that Al Rayan would not engage in transactional activity
involving foreign jurisdictions that had:
“a Corruption Perception Index (CPI) score of less than [20] and or, is listed by
the Financial Action Task Force (FATF) as a [High Risk and Non Cooperative
Jurisdiction.”
The document noted that Iraq had a CPI of 16 and was included on FATF's list of
high risk, non-cooperative jurisdictions. Therefore, Al Rayan’s policy specifically
restricted Customer D’s business activities.
4.70.
Notwithstanding, the Authority considers that it is clear that Customer D should
have been categorised as high-risk and therefore EDD should have been
conducted on Customer D at onboarding.
4.71.
However, the information gathered at the point of onboarding fell well short of
adequate EDD. Two documents were completed at onboarding, a “Business
Application form KYB Checklist” and “Non-personal account application form”.
These documents identified Customer D and set out its principal activities and
anticipated level of business. Standard CDD information was gathered in relation
to Customer D as a UK limited company however as regards seeking to establish
a meaningful understanding of Customer D and its proprietor’s father’s activities,
this was limited to the provision of a handful of one page, paper invoices from
third parties to a business based in Iraq. No further information was gathered in
relation the proprietor’s father, such as the nature of his business activities in Iraq
and/or his source of income/wealth, despite the fact that Customer D would be
engaged in the purchase and sale of construction equipment through its
proprietor’s father in Iraq, a high-risk jurisdiction, and was also to receive a large
initiating payment from the proprietor’s father in Iraq.
Summary of EDD at onboarding
4.72.
Throughout the Relevant Period, Al Rayan was repeatedly informed and reminded
of the weaknesses in its AML framework, including in relation to EDD for the
purposes of establishing customers’ Source of Wealth and Source of Funds.
Despite this, Al Rayan failed to ensure that its policies and procedures in relation
to the identification and verification of customers’ Source of Wealth and Source of
Funds at onboarding met the relevant regulatory requirements and, in doing so,
also failed to ensure that it was compliant with its obligation to counter the risk
that Al Rayan might be used to further financial crime.
4.73.
It is evident, with reference to the Authority’s file reviews, that Al Rayan failed to
undertake adequate EDD to establish its high-risk customers’ Source of Wealth
and Source of Funds, both in terms of gathering meaningful information from its
customers and, where it was appropriate to do so, verifying that information.
Rather than gathering documentary evidence in order to independently verify its
high-risk customers’ Source of Wealth and Source of Funds, for individual
customers, Al Rayan frequently relied upon information provided by the customer
itself and high-level information from MAR, whilst also placing unwarranted
reliance on non-EEA bank statements which provided very little, if any,
information in relation to the customer’s broader wealth and the provenance of
the customer’s monies. Due to the high-risk and PEP nature of these customers,
identification and verification of their Source of Wealth and Source of Funds was
appropriate and therefore required to comply with both Al Rayan’s internal polices
and the ML Regulations. However, despite this, Al Rayan failed to take sufficient
steps to establish and verify its high-risk customers’ Source of Wealth and Source
of Funds.
30
EDD for large cash deposits
ML Regulations and JMLSG
4.74.
In accordance with Regulation 14(1)(b) of the ML Regulations, a firm must apply,
on a risk-sensitive basis, EDD measures and enhanced ongoing monitoring in any
“situation which by its nature can present a higher risk of money laundering or
terrorist financing.” Where the customer is classified as a PEP, firms must “take
adequate measures to establish the source of wealth and source of funds which
are involved in the proposed business relationship or occasional transaction”.
4.75.
Regulation 8(2)(a) of the ML Regulations states that ongoing monitoring of a
business relationship means “scrutiny of transactions undertaken throughout the
course of the relationship (including, where necessary, the source of funds) to
ensure that the transactions are consistent with the relevant person’s knowledge
of the customer, his business and risk profile”.
4.76.
Regulation 20(2)(a)(i)-(iii) of the ML Regulations also states that a firm must
establish and maintain appropriate and risk-sensitive policies and procedures
“which provide for the identification and scrutiny of (i) complex or unusually large
transactions; (ii) unusual patterns of transactions which have no apparent
economic or visible lawful purpose; and (iii) any other activity which the relevant
person regards as particularly likely by its nature to be related to money
laundering or terrorist financing”.
4.77.
In relation to Regulation 14(1) of the ML Regulations, paragraph 5.7.12 of Part I
of the JMLSG states that “Higher risk accounts and customer relationships require
enhanced ongoing monitoring. This will generally mean more frequent or intensive
monitoring.” Likewise, in relation to Regulation 14(1)(b) of the ML Regulations,
paragraph 4.51 of Part I of the JMLSG states that “Where the risks of ML/TF are
higher, firms must conduct enhanced due diligence measures consistent with the
risks identified. In particular, they should increase the degree and nature of
monitoring of the business relationship, in order to determine whether these
transactions or activities appear unusual or suspicious.”
4.78.
In relation to Regulation 8, paragraph 5.7.2 of Part I of the JMLSG states that
“Monitoring customer activity helps identify unusual activity. If unusual activities
cannot be rationally explained, they may involve money laundering or terrorist
financing … The key elements of any system are having up-to-date customer
information, on the basis of which it will be possible to spot the unusual, and
asking pertinent questions to elicit the reasons for unusual transactions or
activities in order to judge whether they may represent something suspicious.”
4.79.
Paragraph 4.32 of Part I of the JMLSG also states that “Customers engaged in a
business which involve significant amounts of cash” is a risk factor which firms
need to consider and, furthermore, paragraph 4.36 states that “Firms should
examine, as far as reasonably possible, the background and purpose of all
complex, unusual large transactions, and all unusual patterns of transactions
which have no apparent economic or lawful purpose.”
4.80.
The Authority considers that, in accordance with the ML Regulations and the
JMLSG guidance, when material amounts of physical cash are presented over the
counter by a high-risk customer, EDD/enhanced ongoing monitoring measures
should be applied, an important component of which is scrutiny of the Source of
Funds provided. The degree of scrutiny and the type of supporting evidence
required for the corroboration of Source of Funds is dependent on the specific
circumstances and the level of money laundering or terrorist financing risk.
Al Rayan’ policies and procedures for large cash deposits
Source of Wealth and Source of Funds
4.81.
Al Rayan’s policies identified that cash transactions presented a high-risk of
financial crime and left the bank particularly vulnerable, because of the nature
and universal acceptability of cash and the fact that there is little or no audit trail.
They further provided that “special care is required in handling cash transactions
for large amounts, even for customers who maintain accounts with the Bank. Any
questionable activity must be examined to establish the source of funds and/or
wealth if appropriate and to determine and document the reason for the activity.
The basic principle to be followed is that the quantity and frequency of cash
transactions should have relevance to the nature and size of the customer’s
4.82.
Al Rayan’s policies set out a non-exhaustive list of cash-based scenarios which
would amount to suspicious or questionable activity in relation to possible financial
crime, for example:
4.82.1.
Unusually large cash deposits made by an individual or company whose
ostensible business activity would normally be generated by cheques
and other instruments.
4.82.2.
A one-off substantial cash deposit mainly composed of high
denomination notes.
4.82.3.
Customers who deposit cash by means of numerous credit slips so that
the total of each deposit is unremarkable, but the total of all credits is
significant.
4.82.4.
An account or customer that has frequent deposits or large amounts of
currency wrapped in currency straps that have been stamped by other
banks.
4.82.5.
Customers who seek to exchange large quantities of low denomination
notes for those of higher denominations or frequently exchange cash
into other currencies.
4.82.6.
Large cash deposits in connection to property transactions.
4.83.
When accepting cash deposits greater than £3,000, Al Rayan’s First Line of
Defence (the cashiers) was required, in accordance with Al Rayan policy, to review
a customer’s transaction history/activity and assess whether the transaction was
in line with the customer’s profile. Al Rayan’s cashiers were also required, in
accordance with Al Rayan policy, to question each customer paying in funds of
over £3,000 with respect to the Source of Funds and record the details in the
notes section on Al Rayan’s customer database, regardless of the customer’s risk
rating.
4.84.
Whilst Al Rayan’s policies did not explicitly require cashiers to obtain evidence of
Source of Funds for cash deposits over £3,000, in November 2017, all branches
received an email from senior management which stated, “[to] reiterate...the
process in the Cashier Manual…For cash deposits above £3000 you must obtain
proof of the source of funds before accepting the deposit. If the customer does
not have this proof then you cannot accept the deposit.” Thus, although Al Rayan’s
policies failed to make this clear, the expectation was that cashiers should gather
evidence of Source of Funds in respect of cash deposits in excess of £3,000.
4.85.
Al Rayan’s “Cashiering - Branch Procedure Document” detailed the cash related
procedures and controls which were to be followed in all branches, through the
Relevant Period. These procedures were adopted in the Knightsbridge branch
when it was first established. However, the procedures were not at all clear and
precise about:
4.85.1.
the steps required when presented with a higher risk situation, such as
large cash transactions involving high-risk customers, both in terms of
what information should be gathered from the customer by way of
explanation, in what circumstances documentary evidence of Source of
Funds was required and guidance as to what would comprise acceptable
documentary evidence; and
4.85.2.
whether cash deposits should be accepted or rejected if there was any
suspicion about the Source of Funds and/or evidence of the Source of
Funds was not available.
4.86.
The Authority considers that, having identified cash deposits as posing a high risk
from an AML perspective, it was incumbent upon Al Rayan to ensure that it
implemented appropriate risk-sensitive policies and procedures so that its staff
would know what to do when confronted with a cash transaction. As referred to
above, Al Rayan failed to do so.
Monitoring procedures for Second Line of Defence
4.87.
The Second Line of Defence (primarily the FCU), was responsible for conducting
transaction monitoring. Al Rayan used two systems to monitor transactions:
4.87.1.
TM1: which monitored transfers in and out of customers’ accounts; and
4.87.2.
TM2: which was used for real-time card transactions monitored on a
24/7 basis via a third party.
4.88.
The FCU reviewed transactions which triggered set rules within TM1 and TM2 and
were flagged for further monitoring. For example, deposits of more than £10,000
in a single deposit or in aggregate over 7 days, or where a customer was placed
on a “watch list”.
4.89.
The FCU reviewed each flagged transaction and determined whether the activity
warranted further investigation. If the transaction did not warrant further
investigation, the FCU noted the reasons why and authorised the transaction. If
after the investigation, suspicions remained, an internal disclosure report would
be made to the MLRO, or nominated deputy, for validation and onward reporting
to the NCA. All payments had been received by Al Rayan at this stage and any
actions were retrospective.
The nature of Al Rayan’s cash deposits
4.90.
As detailed above at paragraph 4.72 - 4.73, throughout the Relevant Period, Al
Rayan onboarded high-risk customers without conducting adequate EDD in terms
of establishing their Source of Wealth and Source of Funds, despite being
repeatedly informed and reminded of the weaknesses in its EDD procedures in
these areas.
4.91.
The Authority notes, based on its file review in this investigation, the following
recurring themes for each customer type:
4.91.1.
the individual (as opposed to corporate) customer files recorded large,
in person, cash deposits at Al Rayan’s branches, which resulted from
customers withdrawing cash from an overseas bank account,
transporting it into the UK and physically depositing the money over the
counter, into their Al Rayan bank account;
4.91.2.
the corporate customer files recorded cash deposits which were higher
than anticipated and, in one instance, related to a business with
activities in an overseas jurisdiction associated with higher levels of
corruption; and
4.91.3.
certain charity customer files recorded large cash deposits as a result of
donations and frequently transferred monies overseas to higher risk
jurisdictions.
4.92.
The Authority’s view is that all of these scenarios clearly entailed a higher risk of
financial crime and accordingly it was important for Al Rayan to have robust
processes in place for conducting EDD/enhanced ongoing monitoring and, more
specifically, to establish and, where appropriate, verify customers’ Source of
Funds in the context of such cash transactions.
Issues identified with monitoring of cash deposits
The Authority’s 2017 Assessment
4.93.
The Authority’s 2017 Assessment identified serious concerns with Al Rayan’s
handling and treatment of large cash transactions and its willingness to accept
cash deposits without always gaining sufficient evidence of Source of Funds. In
addition, the Authority discovered that there was a lack of understanding of the
“tipping off” offence at the Knightsbridge branch such that branch staff would not
reject cash deposits, even where they had suspicions around the Source of Funds,
due to a concern that rejecting the deposit might amount to “tipping off” a
customer within the meaning of section 333A of the Proceeds of Crime Act 2002.
If there were suspicions around a customer’s Source of Funds, rather than
rejecting the cash deposit, branch staff would escalate the issue internally and if
necessary, submit a SAR, having already taken in and banked the monies.
4.94.
The internal audit report of the Knightsbridge branch dated January 2018
concluded that the First and Second Line of Defence were:
4.94.1.
unable to exercise the required judgment regarding the receipt of large
cash deposits, specifically in relation to the requisite Source of Funds;
4.94.2.
not sufficiently risk aware or pro-active in seeking advice from Head
Office when they encountered situations about which they should
reasonably have questions or suspicions;
4.94.3.
unable to adequately consider whether cash deposits should be
accepted or rejected if there was any suspicion about the Source of
Funds and/or evidence of the Source of Funds was not available; and
36
4.94.4.
it was noted in some cases that cashiers were reluctant to offend
customers by not accepting deposits.
4.95.
Aside from the findings of Al Rayan’s 2018 internal audit, the Authority’s own
enquiries also identified that certain First Line of Defence staff’s understanding in
relation to the treatment of cash deposits, as communicated by management, was
to “take in money regardless”.
4.96.
In this regard, the accepted position amongst some of the cashiers was that, due
to the majority of customers being HNW or UHNW, a customer’s status was taken
for granted and there was little questioning of customers in relation to Source of
Funds at the point of deposit, as it was presumed that all the necessary checks
had been done.
Suspicious activity (Tipping Off)
4.97.
Thus although Al Rayan policies (such as the Cashiering Branch Procedure
Document) provided some guidance to staff about the “tipping off” offence and
how to avoid tipping off customers in relation to potentially suspicious
transactions, in reality, there was a fundamental misunderstanding in this area
amongst First Line of Defence staff at the Knightsbridge branch. This led to the
First Line of Defence’s reluctance to request further information/evidence from
customers which, in turn, resulted in the situation whereby Al Rayan failed to
carry out appropriate EDD and enhanced ongoing monitoring to ensure that cash
deposited over the counter was for legitimate purposes and not connected with
financial crime. These failings exposed Al Rayan to an unacceptable risk that it
would be used to further financial crime.
The Authority’s file review
Individual customers
4.98.
The Authority’s review of 9 individual customer’s cash deposits in the context of
this investigation showed HNWs withdrawing large amounts of cash from their
GCC bank accounts, transporting the cash to the UK and then physically depositing
the cash, in person, over the counter into their Al Rayan account(s).
4.99.
In relation to 7 of the 8 customers onboarded during the Relevant Period, the
Authority identified, as explained at paragraph 4.49 - 4.52 and 4.72 - 4.73, that
their Source of Wealth and/or Source of Funds had not been adequately
established at onboarding.
4.100. The Authority also identified that there was inadequate scrutiny applied by the
First and Second Line of Defence at the point of certain cash deposits, such that
Al Rayan failed to adequately establish the origin of the cash and, therefore, the
extent to which there was a risk that Al Rayan might have been being used to
further financial crime. From its file reviews, the Authority identified that Al Rayan
failed to gather adequate information and evidence in relation to these cash
transactions such that its knowledge of them was, in large part, limited to the fact
that the cash in question derived from a non-EEA bank account. However, Al
Rayan had little or no knowledge of how the funds in the non-EEA bank account
had been generated (partly as a result of the abovementioned EDD deficiencies
at the point of onboarding) and Al Rayan failed to obtain adequate information
and evidence to support the origin of the cash transactions.
Corporate and charity customers
4.101. The Authority’s file reviews of two corporate customers identified instances of
significant cash deposits over and above the anticipated level set out at
onboarding and insufficient EDD/enhanced ongoing monitoring, including a failure
to obtain meaningful information as to/evidence of the Source of Funds for the
cash deposits.
4.102. The Authority’s file reviews for two of the four charity customers identified
instances of large cash deposits being accepted by Al Rayan with inadequate
scrutiny of the explanations provided and insufficient consideration of previous
transactions and anticipated account activity.
Examples of inadequate measures to understand customers’ Source of Funds on
large cash deposits
4.103. Al Rayan onboarded Customer C on 29 September 2016 and identified Customer
C as an HNW and PEP at the point of onboarding. The EDD conducted at
38
onboarding, as detailed in paragraph 4.63 - 4.67 above, did not adequately
establish Customer C’s Source of Wealth and Source of Funds.
4.104. Customer C’s onboarding documents noted the anticipated account activity to be
a bank transfer of £50,000 into the account 3 to 4 times a year. However, as it
transpired, the account was credited with cash deposits as opposed to bank
transfers and these cash deposits doubled the anticipated account activity for a
year within a 9-month period. A total of £460,000 in cash was deposited at the
Knightsbridge branch between 30 September 2016 and 7 July 2017, which
included a cash deposit of £250,000 on 21 November 2016, two cash deposits of
£100,000 on 8 May 2017 and 7 July 2017, and a £10,000 cash deposit on 1 June
2017.
Cash deposit 1 - £250,000
4.105. On 21 November 2016, Customer C made a cash deposit of £250,000 at the
Knightsbridge branch. Al Rayan’s records indicate that the money was withdrawn
from the customer’s GCC bank account and exchanged into Sterling and Euros in
Qatar on 18 January 2016, 26 September 2016 and 16 November 2016. The First
Line of Defence accepted a cheque drawn on a GCC bank account indicating that
funds derived from Customer C’s GCC bank account and currency exchange
receipts as evidence of Source of Funds.
4.106. Following the receipt of this cash deposit, the Second Line of Defence queried with
the First Line of Defence the reason why the transaction was not made via a bank
transfer as expected. The reason provided was that “he had the cash at home
because he exchanges the Sterling throughout the year…”. The Second Line of
Defence cited “no concerns” with the transaction or the reason given for it, despite
it being significantly different both in size and nature to the type of transactions
which were anticipated at onboarding and Al Rayan having no meaningful
understanding of how the funds were generated. The Second Line of Defence
requested that any future large cash deposits be made via bank transfer, however
this was stated to be for safety concerns rather than AML concerns.
Cash Deposits 2 and 3 of £100,000 each
4.107. Customer C made two subsequent cash deposits of £100,000, on 8 May 2017 and
7 July 2017:
4.107.1. For cash deposit 2, a currency exchange receipt for £100,000 from a
GCC foreign exchange company dated 25 April 2017 was provided in
support of the transaction.
4.107.2. For cash deposit 3, a GCC bank statement indicating that a cheque had
been cashed and a currency exchange receipt for £100,000 from a GCC
foreign exchange company dated 22 June 2017 was provided in support
of the transaction.
4.108. The Second Line of Defence did not identify any concerns at the time of cash
deposits 2 and 3 despite, once again, having no meaningful understanding of how
the funds had been generated. In addition, the Second Line of Defence made no
further reference to its earlier request that, in future transactions, the deposit be
made by bank transfer as opposed to in cash.
Cash deposit 4 £10,000
4.109. On 1 June 2017, Customer C made a further cash deposit of £10,000 and a cash
withdrawal of the same amount. The purpose of the transaction recorded by the
Second Line of Defence was the exchange of £20 notes into £50 notes. There is
no evidence on the file of any attempt to establish the Source of Funds in support
of this deposit or of questions being asked of Customer C as to the reason for this
transaction.
4.110. The Second Line of Defence did not cite any concerns with cash deposit 4 despite
this scenario specifically comprising one of the hallmarks for questionable activity
identified in Al Rayan’s policies and procedures in relation to handling large cash
deposits (see paragraph 4.82.5 above).
Summary in relation to Customer C
4.111. At onboarding, Customer C was classified as a PEP/HNW and therefore high-risk.
Regulation 14 (4)(b) of the ML Regulations required Al Rayan to conduct
“adequate measures to establish the source of wealth and source of funds which
are involved in the proposed business relationship or occasional transaction” in
those circumstances. However, as explained in paragraphs 4.63 - 4.67 and 4.72
- 4.73 above, Al Rayan did not undertake adequate EDD in relation to Customer
C at onboarding, and there was a failure to establish its Source of Wealth and
Source of Funds.
4.112. In relation to cash deposits over £3,000, Al Rayan’s policy required the First and
Second Line of Defence to scrutinise Source of Funds and for staff to be vigilant;
it further required that all unusual transactions for all customers be identified and
discretely researched, particularly in relation to large cash deposits, as detailed in
paragraph 4.82.
4.113. In cash deposits 1, 2 and 3, Al Rayan understood Customer C to have deposited
money deriving from a GCC bank account into their Al Rayan account in the UK.
The evidence supporting the Source of Funds in relation to these transactions
demonstrated that (a) the cash appeared to originate from the customer’s GCC
bank account, (b) a cheque or cash was deposited with GCC-based foreign
exchange bureaus, (c) cash was provided in Sterling and Euros in return and (d)
this cash was then deposited into Customer C’s Al Rayan account in the UK. The
deficient EDD conducted at Customer C’s onboarding, as detailed in paragraphs
4.63 - 4.67 and 4.72 - 4.73 above, meant that Al Rayan did not have a meaningful
understanding of its Source of Wealth and Source of Funds. In these
circumstances, the provision of a GCC bank statement or a cheque drawn on a
GCC account, coupled with currency exchange receipts, did not enable Al Rayan
to establish and corroborate that Customer C’s Source of Funds for the purposes
of the cash transactions was legitimate and not connected to financial crime.
4.114. The Second Line of Defence did not adequately investigate the AML risk presented
by cash deposits 1, 2 and 3. Its enquiries failed to identify that Al Rayan had not
adequately established Source of Wealth and Source of Funds at onboarding and
it accepted at face value such limited explanations as the customer gave for the
purpose of the cash transactions without adequate investigation. Of further
concern, these cash transactions occurred in circumstances where, at onboarding,
it had been recorded that credits were to be made via bank transfer and not via
cash deposits through currency exchanges in the GCC. Furthermore, the cash
deposits that were made substantially exceeded the expected annual account
activity recorded at onboarding, with no evidence on file to support that any of
these red flags were investigated by the First and Second Line of Defence.
4.115. Finally, for cash deposit 4, no evidence of Source of Funds was provided in support
of the transaction despite the fact that the exchange of low denominations notes
into high denomination notes was an example included in Al Rayan’s policies of
‘questionable activity’, requiring further investigation. There is no evidence that
any such investigation took place.
Customer D
4.116. Al Rayan onboarded Customer D at the Coventry Road, Birmingham branch on 30
November 2015. Customer D, one of Al Rayan’s Other Business customers, was
identified as a start-up UK limited company which had recently been incorporated
with a sole proprietor and shareholder, whose principal activity was to repair, buy
and sell forklifts/heavy duty vehicles and sell them internationally, through the
proprietor’s father who was based in Iraq. As detailed in paragraph 4.68 - 4.71
above, minimal information was gathered in relation the proprietor’s father’s
activities in Iraq and/or his source of income, despite the fact that Customer D
would be engaged in the purchase and sale of construction equipment through
him in Iraq and was also to receive a large initiating payment from the proprietor’s
father in Iraq, a high-risk jurisdiction.
4.117. From the documentation produced at onboarding, the expected account activity
was noted as follows; “Regarding credit and debit International transactions
[Customer D] will be doing around 10k a month. As this is a start-up business the
figure is a forecast so when business picks [up] the customer will come into the
branch to inform of any changes. Cash withdrawals/deposits would be around 2k
(per month) but [Customer D] is expecting most of transfer to [be] electronic
transfer as payment will [be] mostly nationwide.” Overall, it was anticipated that
there would be annual turnover of £200,000.
4.118. Over a two-year period, Al Rayan received approximately £580,000 in cash
deposits from Customer D, despite the fact that the initial indication at onboarding
was that “cash withdrawals/deposits would be around 2k (per month)” and,
further, that Customer B was expecting most of the transfers to be electronic
transfers. The evidence of Source of Funds provided in support of the cash
deposits consisted of single page, paper invoice receipts from sales of construction
vehicles/other items, all of which were addressed to businesses in Iraq. While Al
Rayan’s Second Line of Defence identified concerns in relation to the overall
turnover and requirement for updated EDD, no concerns were identified in relation
to the cash deposits.
Summary Customer D
4.119. At onboarding, it appears that no risk classification was applied to Customer D.
The Authority’s view is that, as per paragraph 4.68 - 4.70 above, Customer D
should have been classified as high-risk. However, as explained in paragraph 4.71
above, Al Rayan’s due diligence at onboarding fell well short of adequate EDD in
relation to Customer D.
4.120. Of the 25 cash deposits over £10,000 made by Customer D over the two-year
period, (a) no further queries were raised by Al Rayan’s First or Second Line of
Defence, as to why these monies were being deposited in cash in contrast with
the anticipated “electronic transfer” activity on the account as recorded at
onboarding and (b) no further evidence of Source of Funds was provided to
support the receipt of large sums of cash other than the above invoice receipts.
4.121. Al Rayan did not adequately investigate the AML risk presented by the cash
deposits and its enquiries failed to identify that only an inadequate level of due
diligence had been performed at the point of onboarding. In addition, although
the increase in anticipated account activity for Customer D was identified multiple
times by the Second Line of Defence through 2016, no further EDD was gathered
in relation to the activities underlying the cash deposits.
4.122. The account for Customer E, one of Al Rayan’s Other Business customers, was
opened at the Coventry Road, Birmingham Branch of Al Rayan on 29 May 2015.
Customer E was a UK charity running as a limited company, with international
operations. As explained at paragraph 4.16 above, Al Rayan’s approach to risk-
rating charities was unclear and no risk rating in relation to Customer E is provided
in the documentation at onboarding. The account opening documentation stated
that the charity raised donations which were to be used for the relief of poverty
throughout the world but mainly in certain high-risk jurisdictions. Customer E was
recognised as being a recipient of donations from the general public (some of
which would be cash) and it was anticipated that it would be making international
payments of approximately £300,000 annually, including to high-risk overseas
jurisdictions.
4.123. The account opening documentation also recorded that the annual turnover for
Customer E was expected to be £800,000 per annum with anticipated cash activity
(i.e. credits and debits) of £10,000 per month.
4.124. On 16 August 2016, Customer E made a cash deposit of approximately £360,000.
This cash deposit was unusually large both in terms of anticipated account activity
and actual activity on the account, as illustrated by the fact that a total of only
approximately £500,000 had been deposited into the account during the previous
13 months. Despite this, the Second Line of Defence identified “no concerns” with
this deposit on the basis of some cursory enquiries whereby the cash was said to
have come from a religious festival collection and had been kept in a safe with
donations “saved over a time/months”. There is no evidence that the Second Line
of Defence assessed this cash deposit in the context of the previous cash deposits
made into the account, noting only the turnover on the account and the amount
of credits to date. Had they done so, they would have been aware of Customer
E’s separate cash deposit of £99,940 which was made on 24 June 2016, just two
months before and which appeared to raise questions about the high-level
explanation given as to the accumulation of cash over time. In any event, the
Authority considers that, given its magnitude and in the circumstances, Customer
E’s cash deposit of 16 August 2016 was a higher risk situation which should
accordingly have triggered a meaningful level of EDD and enhanced ongoing
monitoring.
Summary of Issues with EDD on cash deposits
4.125. The Authority considers that the file reviews undertaken in the context of this
investigation demonstrate that Al Rayan failed to:
4.125.1. adequately perform EDD and enhanced ongoing monitoring in the
context of higher risk situations, namely where customers sought to
make large, in person, deposits of cash over the counter. This included
a failure to establish and verify customers’ Source of Funds in relation
to such high-risk transactions. In this regard, Al Rayan’s failure to
adequately establish high-risk customers’ Source of Wealth and Source
of Funds at onboarding contributed to its subsequent inability/failure to
establish its customers’ Source of Funds in the context of the cash
transactions, such that it did not have a meaningful understanding of
the origin of these monies and it was not able to assess whether those
transactions were for legitimate purposes and not in connection with
financial crime; and
4.125.2. adequately scrutinise potentially suspicious activity given, in particular,
that (a) Al Rayan had itself identified that cash transactions presented
a high-risk of financial crime and left the bank particularly vulnerable,
(b) the cash transactions observed by the Authority in the context of its
file reviews were frequently inconsistent with the account activity
expected on the basis of information supplied at the point of onboarding,
(c) Al Rayan did not adequately enquire into the overall purpose or
reason for the cash transactions in order to evaluate whether they had
a legitimate economic or lawful purpose and (d) Al Rayan did not
establish the Source of Funds of the cash transactions in circumstances
where it had also failed to establish customers’ overall Source of Wealth
and Source of Funds at the point of onboarding.
Ongoing Monitoring – KYC Periodic Review
ML Regulations and JMLSG
4.126. Regulation 8 (1)-(2) of the ML Regulations (Ongoing monitoring) states that:
“(1) A relevant person must conduct ongoing monitoring of a business
relationship.
(2) “Ongoing monitoring” of a business relationship means—
(a) scrutiny of transactions undertaken throughout the course of the relationship
(including, where necessary, the source of funds) to ensure that the transactions
are consistent with the relevant person's knowledge of the customer, his business
and risk profile; and
(b) keeping the documents, data or information obtained for the purpose of
applying customer due diligence measures up-to-date.”
4.127. In accordance with Regulation 14 (1)(b) of the ML Regulations, a firm must also
apply, on a risk-sensitive basis, EDD and enhanced ongoing monitoring in any
situation which by its nature can present a higher risk of money laundering or
terrorist financing. Paragraph 5.7.12 of Part I of the JMLSG states that “Higher
risk accounts and customer relationships require enhanced ongoing monitoring.
This will generally mean more frequent or intensive monitoring.”
Al Rayan’s policies in relation to KYC periodic reviews
4.128. At the start of the Relevant Period, between 1 April 2015 and 17 March 2016, Al
Rayan’s policies stated that “information held relating to HNW and GCC customers
will be reviewed and updated on a yearly basis, or when a material change occurs
in the risk profile of a customer. Periodic review of particular customers will be
made on a risk-based basis, i.e. PEPs are conducted quarterly.”
4.129. The “High Risk Customer Policy” dated 17 March 2016, subsequently required that
all high-risk customers be reviewed annually, stating that:
“Consistent with the risk-based AML approach, CDD and supporting customer
profiles for all High-risk relationships must be reassessed at least on an annual
basis. These annual reviews will be conducted by Financial Crime Unit (“FCU”)
with the assistance of the Relationship Managers…
All High Risk customer relationships must be reviewed at least annually by the
Board Risk Credit and Compliance Committee as part its risk management
responsibilities. Amongst others, on a risk basis the results of enhanced on-going
monitoring should form part of the reporting process to the committee and the
assessment of the High Risk customer relationship and decisions over
continuation.”
4.130. As part of this process, Al Rayan’s Second Line of Defence was responsible for:
conducting customer risk assessments to ensure all KYC was collected and
updated to Al Rayan’s systems; ensuring red flag indicators were considered; and
assessing the justification for the retention of the high-risk customer with
reference to the legitimacy of the customer’s Source of Wealth and Source of
Funds. Once the review was completed, the assessment would be submitted to
the MLRO for re-approval of the relationship with the customer.
Issues identified with KYC periodic reviews
The Authority’s 2015 Assessment
4.131. In 2015, the Authority identified weaknesses in the quality of Al Rayan’s KYC
periodic reviews, with reviews being either non-existent or sporadic. The Authority
also had concerns over the quality and judgement at sign-off of the KYC periodic
reviews that were undertaken. The Authority’s concerns included:
4.131.1. the forms used to carry out the reviews were insufficient to adequately
re-assess the relationship for changes in the risk profile, either as a
result of account activity or changes in the customer profile, and often
consisted of a 'cut and paste' of the original information provided by the
customer;
4.131.2. in some cases, there was conflicting information on the customer file
which had not been challenged or escalated, for example, contradictory
information concerning Source of Wealth and Source of Funds which Al
Rayan had not questioned or rectified; and
4.131.3. Reviews were signed off despite a clear lack of adequate EDD, missing
documents and discrepancies on file.
4.132. The Authority asked Al Rayan to set out the action it planned to take to remedy
the findings of the Authority’s 2015 Assessment. In response, Al Rayan put in
place the 2015 Action Plan which set out the planned steps to rectify the
deficiencies identified, including:
4.132.1. conducting a retrospective review of all existing PEP and high-risk
customer files to identify any information gaps;
4.132.2. carrying out a remediation exercise on existing customers to ensure it
gathered sufficient information in relation to Source of Wealth and
Source of Funds for PEP clients; and
4.132.3. determining and documenting new processes for the on-going
monitoring of PEPs and high-risk clients.
4.133. Following these findings, Al Rayan intended to implement the CRRS system which
would enable the automatic generation of alerts when a customer’s KYC periodic
review was due, the aim being to enable Al Rayan to adequately manage its
ongoing monitoring obligations of customers.
The Authority’s 2017 Assessment
4.134. In June 2017, the Authority’s 2017 Assessment found that:
4.134.1. Over 300 KYC periodic reviews for high risk and PEPs were past their
due date; and
4.134.2. Al Rayan did not have a defined framework in place at branch level to
register or acknowledge when customer KYC periodic reviews were due.
In this regard, Al Rayan relied solely on the FCU to control and advise
on due dates.
4.135. More broadly, the Authority’s 2017 Assessment also found there were ongoing
and significant concerns in relation to weaknesses Al Rayan had committed to
address in the 2015 Action Plan, including the completion of customer file
remediation work.
4.136. In response to the Authority’s 2017 assessment, amongst other things, Al Rayan
recognised that “the backlog of Periodic Reviews of client files is not at an
acceptable level”.
4.137. Al Rayan recognised that its recommended improvements to the KYC periodic
review process following the Authority’s 2015 visit had not been implemented and
stated that the backlog of periodic reviews of client files would be addressed by
30 April 2018. Reasons provided for the ongoing delay were cited in Al Rayan’s
August 2017 internal audit as follows: “due to resource constraints, the FCU did
not perform their annual review of High-risk customers in 2016”.
4.138. Al Rayan also considered that the introduction of the CRRS would provide a
defined framework at branch level “to register or acknowledge when client
periodic reviews are due”.
The Authority’s file review – KYC periodic reviews
4.139. In the context of this investigation, the Authority reviewed 15 customer files
across the Relevant Period and found that none of the 14 of 15 files due for KYC
period review contained any evidence to indicate a KYC periodic review had been
undertaken.
4.140. The customer file review undertaken by the Authority did identify ad hoc requests
made by Al Rayan’s Second Line of Defence for further CDD and EDD to be
conducted on certain customers (due to transaction monitoring indicating a
material change in the expected account activity or concern with the information
held about the customer) however, in a number of instances, these were simply
ignored or followed up in a manner which was entirely inadequate. The following
example highlights a customer file where the need for further EDD was identified
by the Second Line of Defence, but there is no evidence on file to suggest that
those further measures were undertaken.
Customer file example of no EDD being undertaken despite a material change in
the customer’s circumstance
Customer D
4.141. Customer D was onboarded as a corporate customer in November 2015 (see
paragraphs 4.116 – 4.121). It was a start-up UK limited company which had been
recently incorporated with a sole proprietor and shareholder, whose principal
activity was to repair, buy and sell forklifts/heavy duty vehicles and sell them
internationally, through the proprietor’s father, who was based in Iraq.
4.142. The first significant payment made into Customer D’s account in January 2016,
shortly after onboarding, was a “loan” from Customer D’s father for approximately
£124,000 (which was paid by way of bank transfer). The payment was made from
a high-risk jurisdiction in relation to a new customer who was to be dealing with
the purchase/sale of construction vehicles in Iraq, a high-risk jurisdiction.
Inadequate due diligence was performed at onboarding in relation to Customer
D’s proprietor’s father and the business in Iraq, such that Al Rayan did not have
a meaningful understanding as to the origin of this initiating payment.
4.143. In May 2016, a transaction was flagged for monitoring and the Second Line of
Defence highlighted a concern that “expected turnover was £200k pa… To date
they have had £262,606.02. Will ask branch to get more info”. Following this
query from the Second Line of Defence, the First Line of Defence stated “The
funds have come from his father and he is expecting more funds around 400k as
the business has improved. He has around 20 fork lifts and is looking to expand
his business". Despite the vague nature of this response, it did not trigger any
further investigation or an attempt to corroborate this explanation by the First or
Second Line of Defence.
4.144. In October 2016, the Second Line of Defence noted that “Looking at the
anticipated turnover it looks like they are doing more so will ask branch to do new
EDD on the company”. However, despite this request from the Second Line of
Defence, no further enquiries or EDD information are recorded on the file.
4.145. In November 2016, a Second Line of Defence file note following a cash deposit on
16 November 2016 which had triggered transaction monitoring stated “Expected
turnover is £200,000 PA. Turnover so far is £1,094,946.03. Asked branch to do
EDD and ask about the turnover”. However, despite this request from the Second
Line of Defence, once again, no further enquiries or EDD are recorded on the file.
4.146. In the case of Customer D, the Second Line of Defence did identify the need for
further EDD to be conducted on the customer due to the fivefold increase in
account turnover in a year, but there is no evidence on the customer file to
suggest that additional EDD was undertaken. For example, there is no indication
that Al Rayan made any attempt to obtain a meaningful understanding of
Customer D’s business, how it was that the activity on the account was so much
higher than anticipated and/or why there were such a large number of high-value
cash deposits, again, in circumstances where this was contrary to anticipated
activity on the account; likewise, Al Rayan seemingly made no proactive attempt
to obtain any commercial documentation underlying the business activities of
Customer D, instead relying solely on single-page invoices volunteered by
Customer D. A failure to perform adequate EDD and enhanced ongoing monitoring
in relation to Customer D, even when the need to do so was specifically identified
by the Second Line of Defence, exposed Al Rayan to the risk of being used to
facilitate financial crime, especially given the nature of Consumer D’s business,
the geographical location of its operations and the amount of cash received (see
paragraphs 4.116 – 4.121 above).
Internal audit
4.147. Al Rayan’s Internal Audit function was responsible for auditing Al Rayan’s
compliance with UK statutory and regulatory obligations and with financial crime
policies and procedures. The Internal Audit function acted as Al Rayan’s Third Line
of Defence.
4.148. Al Rayan conducted an internal audit of the FCU in February 2009. The Authority
noted in its 2015 assessment that an internal audit of the FCU had not been
conducted for a number of years prior to 2015 and Al Rayan was informed that
one should be undertaken. Following the Authority’s 2015 Assessment, Al Rayan
put in place the 2015 Action Plan which set out the planned steps to rectify the
deficiencies identified, including conducting an internal audit of the FCU. In terms
of timing, the 2015 Action Plan stated that the internal audit was scheduled to
commence in September 2015 and the due date for completion was 30 November
2015. However, as it transpired, the Authority’s 2017 Assessment noted that Al
Rayan had still not completed the internal audit of the FCU two years after
receiving feedback from the Authority that such a review was required.
4.149. Al Rayan finally completed the internal audit of the FCU in 2017 (“Al Rayan’s 2017
Internal Audit”), 8 years after the previous internal audit of the FCU had been
carried out. The scope of the review was to focus on the principal deficiencies
identified by the FCA and it was to include a qualitative assessment of the
robustness of the systems and control in mitigating financial crime risks.
4.150. Al Rayan’s 2017 Internal Audit report in relation to the FCU was produced in
August 2017 and its review of the Knightsbridge branch was produced in January
2018 (the “2018 Internal Audit of the Knightsbridge branch”) which included a
review of “branch procedures – Cash Transactions & Anti money laundering”.
4.151. Both Internal Audit reports identified ‘major’ and ‘significant’ issues across key
areas of Al Rayan’s financial crime controls, including:
4.151.1. The process to identify high-risk customers and the risk assessment
performed at a number of non-Premier branches was very limited.
4.151.2. the onboarding of high-risk and PEP customers, in particular, the
inadequacy of EDD including Source of Wealth and Source of Funds
acquired at onboarding (see paragraphs 4.43 - 4.73.).
4.151.3. ongoing monitoring, whereby it was identified that the list of high-risk
and PEP customers monitored was incomplete, as follows:
4.151.3.1.
35 high-risk customers were not included on the monitoring list,
representing 13% of the total monitoring list of 271 high-risk
customers; and
4.151.3.2.
19 PEP customers were not included on the monitoring list,
representing 5.5% of the total monitoring list of 351 PEP
customers.
4.151.4. annual KYC periodic reviews of high-risk customers had not been
undertaken in 2016. (see paragraphs 4.130 - 4.138); and
4.151.5. inadequate management and supervision in relation to the handling of
large cash deposits in the Knightsbridge branch, with a need for
“bespoke Branch procedures and training reflecting the high-risk at
Knightsbridge branch around acceptance of large cash deposits and
associated anti-money laundering procedures.” (see paragraph 4.125
above and the section of this Notice entitled ‘Training’ immediately
below).
4.152. The Authority considers that the extent of the deficiencies across Al Rayan’s AML
systems and controls was exacerbated by its failure to conduct an internal audit
of the FCU until August 2017. In this way, Al Rayan operated for over 8 years
(between February 2009 and August 2017) without an effective Third Line of
Defence, meaning that weaknesses in Al Rayan’s AML control framework were not
identified and persisted for a significant period of time which, in turn, led to the
risk of Al Rayan being used in furtherance of financial crime.
Training
4.153. Al Rayan’s “Preventing Financial Crime” manual dated 14 January 2015 provided
that:
“One of the most important controls over the prevention and detection of money
laundering is to have employees who are alert to the risks of money laundering.
They must be well trained in the identification of activities or transactions which
may prove to be suspicious. Staff who are meeting with customers or handling
transactions and instructions may be either the Bank’s strongest defence against
money laundering and terrorist financing or its weakest link.”
4.154. The Authority’s customer file reviews and interview evidence demonstrate that
staff across Al Rayan’s First and Second Lines of Defence had insufficient
knowledge and understanding of the ML Regulations to adequately carry out EDD,
both in terms of establishing customers’ Source of Wealth and Source of Funds at
the point of onboarding and establishing customers’ Source of Funds in the
context of higher risk situations, as well as adequately identifying and resolving
suspicious activity.
4.155. In April 2015, the Authority carried out its 2015 Assessment of Al Rayan’s AML
and sanctions systems and controls. Following the assessment, the Authority set
out a number of serious concerns in relation to Al Rayan’s AML systems and
controls and alerted Al Rayan to the need to ensure that there was a sufficient
focus on AML measures throughout its business and to ensure that compliance
with legal and regulatory requirements was prioritised. In response, Al Rayan put
in place the 2015 Action Plan which included introducing sector and role specific
training in 2016 whereby “Training programmes (computer based or otherwise)
will be developed which are specific for the first and second line areas of the
business” and “AML Champions in each front line business area to be identified
and trained to act as experts within the front line areas”.
4.156. Al Rayan’s Knightsbridge branch, established on 15 May 2015, was set up to
specifically target HNW and UHNW individuals, and particularly focussed on GCC-
based customers. From June 2015, Al Rayan was aware of a lack of training and
supervision of staff at the Knightsbridge branch. Over the ensuing months, senior
management committees noted that staff at the Knightsbridge branch had not
been observed (such as by way of ‘1:1’ meetings) due to a lack of management
resource and ‘Training’ was allocated a ‘red’ risk category. In this way, Al Rayan
failed to supervise staff within the Knightsbridge branch during the first six months
of its opening. This lack of training and supervision occurred in circumstances
where it was well-known that the Knightsbridge branch dealt with a large
proportion of Al Rayan’s high-risk customers and Al Rayan was specifically aware
of the risks associated with increased exposure to high-risk customers.
4.157. In June 2017, the Authority conducted its 2017 Assessment, concluding that,
whilst some improvements to the financial crime control framework had been
made since the Authority’s 2015 Assessment, there were ongoing and significant
concerns in relation to weaknesses that Al Rayan had committed to address in the
2015 Action Plan, including the introduction of more targeted training for staff.
The Authority also identified two further serious areas of concern during the 2017
visit, namely:
4.157.1. the controls and oversight in place at the Knightsbridge branch in
relation to the handling and treatment of large cash transactions, and
the willingness to accept cash deposits without always gaining sufficient
evidence of Source of Funds; and
4.157.2. a lack of knowledge and understanding within the Knightsbridge branch
of the “tipping off” offence whereby a fear of committing this offence
was discouraging branch staff from rejecting cash deposits even when
they had concerns.
4.158. In September 2017, senior management noted that the “root cause” of the
deficiencies at the Knightsbridge branch identified by the Authority’s 2017
Assessment (namely around the handling of large cash transactions and the lack
of understanding of the “tipping off” offence) was linked to poor training of staff.
Accordingly, third party training providers were being considered to provide
targeted training for frontline customer-facing roles and AML champions, and to
ensure that induction training was sufficient. Al Rayan also wrote to the Authority
on 8 September 2017, amongst other things, stating that:
4.158.1. “We acknowledge that the failure of staff at the Knightsbridge branch to
fully understand the “tipping off” rules in relation to the cash handling
procedures was very concerning”;
4.158.2. further “role specific” training was being organised for all branch staff
and Head Office, with additional workshops and testing to ensure all the
regulations and guidelines were fully understood; and
4.158.3. the format of the training would include face-to-face classroom training
which would allow staff the opportunity to have “question and answer”
sessions with the trainers.
4.159. However, despite these intentions, the 2018 Internal Audit of the Knightsbridge
branch still concluded that, until very recently, the training provided to Al Rayan
staff was “generic and computer based” and that:
“Given the Branch’s Premier Banking clientele, and their habit of depositing and
withdrawing large amounts of cash, we are of the view that this is insufficient,
and that more bespoke training is required. It was highlighted by the Chief
Commercial Officer that he requested from the Compliance team to provide a
bespoke training to the Branch staff.”
4.160. The 2018 Internal Audit of the Knightsbridge branch also noted that Al Rayan’s
branch staff were not “sufficiently risk aware, and are not sufficiently pro-active
in seeking advice from Head Office when they encounter situations about which
they should reasonably have questions or suspicions.”
4.161. Thus, Al Rayan staff received ‘generic computer-based training’ throughout the
Relevant Period which was not sufficiently targeted towards their AML needs.
Whilst Al Rayan did put in place ‘AML champions’ to whom AML related questions
and queries were to be directed, the training that the AML champions themselves
received did not encompass critical areas where knowledge was lacking in the
First and Second Line of Defence (such as how to adequately establish Source of
Wealth and Source of Funds, and the handling of large cash deposits.
4.162. The Authority considers it is evident that the inadequate training of staff (for
example, in relation to the handling of large cash transactions) contributed to the
deficiencies across Al Rayan’s EDD processes, thereby exposing Al Rayan to the
risk to being used to further financial crime.
Failure to implement remediation
4.163. Following the Authority’s 2015 Assessment, Al Rayan implemented its 2015 Action
Plan to remediate the Authority’s concerns with Al Rayan’s AML control
framework.
4.164. Al Rayan failed to remediate three key issues by the end of the Relevant Period,
as follows:
4.164.1. Al Rayan failed to complete the remediation of the due diligence on
Source of Wealth and Source of Funds for high-risk and PEP customers.
Not all high-risk and PEP files existing before 2016 had been fully
remediated, with 245 of the 423 customer files still requiring
remediation as of 7 September 2017, despite the 2015 Action Plan
stating that this exercise would be complete before the end of 2015.
4.164.2. Al Rayan failed to address the backlog of KYC periodic reviews of high-
risk and PEP customer files and also failed to put in place a defined
framework at branch level to register or acknowledge when KYC periodic
reviews were due. 316 of the 665 high-risk and PEP customer files had
not been subject to KYC periodic review from 1 April 2015 to 7
September 2017.
4.164.3. As explained at paragraph 4.153 - 4.162 above, Al Rayan failed to
implement sector and role specific AML training for the First and Second
Lines of the business.
4.165. In addition, between February 2009 and July 2015 Al Rayan neglected to carry
out an internal audit of the FCU. The 2015 Action Plan required the internal audit
to be completed by November 2015, however it was not completed until August
2017. Therefore Al Rayan did not have an effective Third Line of Defence over the
FCU and in relation to AML matters for over 8 years.
4.166. The interim MLRO Report for the reporting period January 2017 to August 2017
referred to issues in relation to the resource available to Al Rayan, on the basis of
an inability to acquire “the correct level of experienced and qualified staff”. The
Report went on to state that this lack of adequate resource “hampered” Al Rayan’s
ability to remediate certain deficiencies across its financial crime framework by
the end of the Relevant Period.
5.
FAILINGS
5.1.
The regulatory provisions relevant to this Notice are referred to in Annex A.
5.2.
Principle 3 required Al Rayan to take reasonable care to organise its affairs
responsibly and effectively, with adequate risk management systems. Al Rayan
was also required to have policies and procedures in place, comprehensive and
proportionate to its business activities, to enable it to identify, assess, monitor
and manage money laundering risk.
5.3.
Al Rayan failed to meet these requirements and, in doing so, breached Principle 3
in that during the Relevant Period:
5.3.1.
Al Rayan failed to establish, implement and maintain appropriate and
risk-sensitive policies and procedures in relation to the application of EDD
and, in particular, in relation to establishing high-risk customers’ Source
of Wealth and Source of Funds at the point of onboarding. In this regard,
the policies and procedures in place in relation to the appropriate
information/evidence required to establish and verify customers’ Source
of Wealth and Source of Funds were not sufficiently clear, the result of
which was that high-risk and PEP customers were onboarded on the basis
of inadequate EDD. (See paragraphs 4.25 - 4.73).
5.3.2.
Although Al Rayan identified that cash transactions presented a high-risk
of financial crime, it nonetheless failed to establish, implement and
maintain appropriate and risk-sensitive policies and procedures in
relation to the handling and treatment of cash deposits, including whether
they should be accepted or rejected if adequate Source of Funds
information was not provided or when there was suspicion in relation to
the transaction. In this regard, Al Rayan’s policies and procedures for
processing large cash deposits were not sufficiently clear so as to inform
staff what evidence of Source of Funds was required. Al Rayan accepted
£22.74 million in cash deposits of over £10,000 across its branch network
during the Relevant Period. (See paragraphs 4.81 - 4.125).
5.3.3.
Al Rayan failed to carry out adequate EDD in relation to establishing high-
risk customers’ Source of Wealth and Source of Funds at the point of
onboarding and subsequently failed to carry out EDD and enhanced
ongoing monitoring in higher risk situations. For the purposes of
onboarding, Al Rayan relied on due diligence carried out by financial
institutions within GCC states, in circumstances where it was aware this
would not meet the required standards under the ML Regulations and
where Al Rayan’s own policies stated that customers from GCC countries
should be subject to the same CDD and EDD as customers from other
nations.
In
addition,
Al
Rayan
staff
were
over-reliant
upon
uncorroborated explanations from customers as to their Source of Wealth
and Source of Funds, together with bank account statements and letters
of recommendation from non-EEA financial institutions which provided
very limited information about customers’ overall wealth and/or the
origins of their funds. (See paragraphs 4.25 - 4.125).
5.3.4.
Al Rayan’s failure to establish high-risk customers’ Source of Wealth and
Source of Funds at onboarding contributed to its inability/failure to
adequately corroborate the origin of customer monies in subsequent
large, in person, cash deposits, considered by Al Rayan to be higher risk
transactions. (See paragraphs 4.25 - 4.125).
5.3.5.
Al Rayan failed to adequately scrutinize transactions undertaken through
the course of its relationship with customers, including the Source of
Funds involved in such transactions, specifically in relation to the receipt
of large cash deposits. (See paragraphs 4.93 - 4.125).
5.3.6.
Where Al Rayan’s Second Line of Defence indicated, following a
transaction review, that further EDD was required the EDD was not
undertaken and there was no framework in place to ensure the concerns
were addressed; (See paragraphs 4.128 - 4.146).
5.3.7.
Al Rayan failed to keep documents, data or information obtained for the
purposes of applying CDD and EDD measures up-to-date. In 2017, the
Authority found that there was a significant back-log of over 300 existing
high-risk and PEP customers whose KYC periodic reviews had not been
undertaken during the Relevant Period in accordance with Al Rayan’s
policies and were overdue. (See paragraphs 4.131 - 4.146).
5.3.8.
Al Rayan failed to provide adequate AML training for staff throughout the
Relevant Period, including in relation to the handling of large cash
deposits and the “tipping off” rules, which led to the acceptance of large,
in person cash deposits without adequate challenge or scrutiny at the
point of deposit. (See paragraphs 4.153 – 4.162).
5.3.9.
Al Rayan failed to have appropriate internal controls in order to prevent
activities related to money laundering and terrorist financing. An internal
audit of the FCU (Al Rayan’s Second Line of Defence) was not conducted
over an 8-year period, between 2009 and 2017, meaning that it was
unable to ensure the First and Second Line of Defence were functioning
appropriately. (See paragraph 4.165).
5.3.10.
Al Rayan was specifically made aware of the risks presented by
deficiencies in its financial crime systems and controls through the
Relevant Period. In 2015 and 2017, the Authority visited Al Rayan to
review its AML control framework. During both of those visits, the
Authority identified weaknesses across Al Rayan’s AML control framework
that Al Rayan was required to address. However, Al Rayan failed to
remediate those weaknesses in accordance with its own remediation
action plan and certain key actions remained unresolved during the
Relevant Period. For example, by September 2017, (1) almost 50% of
high-risk customers files had not been subject to a KYC periodic review
in line with Al Rayan policy; (2) contrary to commitments made in the
2015 Action Plan, there was no framework in place to effectively manage
KYC period reviews; and (3) Al Rayan had failed to implement adequate
AML training for the First and Second Lines of Defence. (See paragraphs
5.4.
These failings arose in circumstances where Al Rayan was specifically targeting
higher risk customers and undertaking large cash transactions within its GCC
business area, which heightened the potential for financial crime to occur. During
the Relevant Period, Al Rayan’s processes permitted money to enter the UK
financial system without carrying out appropriate due diligence to ensure the
money was for legitimate purposes and not connected with financial crime. The
Authority recognises that the HPP and CPF divisions whose business related to
financing activities, were funded by deposits from a predominantly low risk
customer base, presenting a significantly reduced financial crime risk.
5.5.
As a consequence of these inadequacies in Al Rayan’s AML control framework, it
was unable to adequately identify, assess, monitor or manage its money
laundering risk, particularly in relation to high-risk customers, which resulted in
an unacceptable level of risk that it would be used by those seeking to launder
money or commit financial crime.
6.
SANCTION
Financial penalty
6.1.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of
DEPP. In respect of conduct occurring on or after 6 March 2010, the Authority
applies a five-step framework to determine the appropriate level of financial
penalty. DEPP 6.5A sets out the details of the five-step framework that applies in
respect of financial penalties imposed on firms.
Step 1: disgorgement
6.2.
Pursuant to DEPP 6.5A.1G, at Step 1 the Authority seeks to deprive a firm of the
financial benefit derived directly from the breach where it is practicable to quantify
this.
6.3.
The Authority has not identified any financial benefit that Al Rayan derived directly
from its breach.
6.4.
Step 1 is therefore £0.
Step 2: the seriousness of the breach
6.5.
Pursuant to DEPP 6.5A.2G, at Step 2 the Authority determines a figure that
reflects the seriousness of the breach. Where the amount of revenue generated
by a firm from a particular product line or business area is indicative of the harm
or potential harm that its breach may cause, that figure will be based on a
percentage of the firm’s revenue from the relevant products or business area.
6.6.
The Authority considers that the revenue generated by Al Rayan is indicative of
the harm or potential harm caused by its breach. The Authority has therefore
determined a figure based on a percentage of Al Rayan’s relevant revenue. Al
Rayan’s relevant revenue is the revenue derived by Al Rayan’s business areas
funded by its deposit-taking activity during the period of the breach. The period
of Al Rayan’s breach was from April 2015 to November 2017. The Authority
considers Al Rayan’s relevant revenue for this period to be £106,445,890.
6.7.
In deciding on the percentage of the relevant revenue that forms the basis of the
step 2 figure, the Authority considers the seriousness of the breach and chooses
a percentage between 0% and 20%. This range is divided into five fixed levels
which represent, on a sliding scale, the seriousness of the breach; the more
serious the breach, the higher the level. For penalties imposed on firms there are
the following five levels:
6.7.1.
Level 1 – 0%
6.7.2.
Level 2 – 5%
6.7.3.
Level 3 – 10%
6.7.4.
Level 4 – 15%
6.7.5.
Level 5 – 20%
6.8.
In assessing the seriousness level, the Authority takes into account various factors
which reflect the impact and nature of the breach, and whether it was committed
deliberately or recklessly. DEPP 6.5A.2G(11) lists factors likely to be considered
‘level 4 or 5 factors’. Of these, the Authority considers the following factors to be
relevant:
6.8.1.
the breaches revealed serious or systemic weaknesses in the firm’s
procedures or in the management of systems or internal controls
relating to all or part of the firm’s business; and
6.8.2.
the breaches created a significant risk that financial crime would be
facilitated, occasioned or otherwise occur.
6.9.
Taking all of these factors into account, the Authority considers the seriousness
of the breach to be level 4 and so the Step 2 figure is 15% of £106,445,890.
6.10.
Step 2 is therefore £15,966,883.
6.11.
Pursuant to DEPP 6.5.3(3)G, the Authority may decrease the level of penalty
arrived at after applying Step 2 of the framework if it considers that the penalty
is disproportionately high for the breaches concerned. Notwithstanding the serious
and long-running nature of Al Rayan’s breaches, the Authority considers that the
level of penalty would nonetheless be disproportionate if it were not reduced and
should be adjusted.
6.12.
The Authority considers that relevant revenue should include revenue from the
HPP and CPF business areas because those business areas were funded by
customer deposits affected by some of the misconduct. However, in contrast with
Al Rayan’s GCC business area and its Other Business, the overwhelming
proportion of the funding for the HPP and CPF business areas derived from
transactions that were made by predominantly low risk customers making
predominantly low risk transactions.
6.13.
The reasons for a reduction in this instance therefore result from the very different
financial crime risks relating to the clearly separate business areas affected by the
failings. The Authority considers that the penalty otherwise calculated at Step 2
would be disproportionate.
6.14.
In order to achieve a penalty that is proportionate to the breach, and having taken
into account previous cases, the Step 2 figure is reduced to £4,790,065.
Step 3: mitigating and aggravating factors
6.15.
Pursuant to DEPP 6.5A.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2, but not including any
amount to be disgorged as set out in Step 1, to take into account factors which
aggravate or mitigate the breach.
6.16.
The Authority considers that the following factors aggravate the breach:
6.16.1.
The Authority visited Al Rayan in 2015, as part of its supervisory
strategy for Al Rayan and to carry out a review of its AML control
framework. The Authority sent its feedback letter to Al Rayan on 16
June 2015 highlighting the weaknesses identified by the review. The
Authority also visited Al Rayan in 2017 and again informed Al Rayan of
its ongoing concerns about aspects of its AML control framework.
Despite these express warnings, the deficiencies in Al Rayan’s AML
control framework were not addressed in an adequate timeframe or in
accordance with the 2015 Action Plan and it failed to remediate a
number of key issues by the end of the Relevant Period.
6.16.2.
The Authority has published guidance on the steps firms can take to
reduce financial crime risk and provided examples of good and back
practice since 2011. Since 1990, the JMLSG has published detailed
written guidance on AML controls. During the Relevant Period, the
JMLSG provided guidance on compliance with the legal requirements of
the ML Regulations, regulatory requirements in the Handbook and
evolving practice in the financial services industry. Before, or during,
the Relevant Period the Authority published the following guidance in
relation to AML controls which set out examples to assist firms:
6.16.2.1. in March 2008, the Authority published a report titled “Review of
firms’ implementation of a risk-based approach to anti-money
laundering”. The report notes, among other things, that a firm must
take steps to ensure that its knowledge about a business
relationship with a customer remains current, and keeps documents,
data and information obtained in the CDD context up to date;
6.16.2.2. in June 2011, the Authority published a report titled “Banks’
management of high money-laundering risk situations: How banks
deal with high-risk customers (including politically exposed
persons), correspondent banking relationships and wire transfers”.
The report highlighted the importance of banks applying meaningful
EDD measures in high-risk situations and noted the importance of
carrying out enhanced monitoring of high-risk customers throughout
relationships; and
6.16.2.3. in December 2011, the Authority published “Financial Crime: A
Guide for Firms”. The guide highlighted the need to conduct
adequate CDD checks, perform ongoing monitoring and carry out
EDD measures and enhanced ongoing monitoring when handling
higher-risk situations.
6.16.2.4. In November 2014, the Authority published a report titled “How
small banks manage money laundering and sanctions risk: Update”.
This
review
focused
on
high-risk
customers,
PEPs,
and
correspondent banking and found that there were continuing
weaknesses in most small banks’ AML systems and controls,
including significant and widespread weaknesses in key AML
controls, including AML risk assessments at both a business and
customer level, and EDD and ongoing-monitoring of high risk, PEP,
and correspondent relationships.
6.16.3.
The Authority has published a number of Notices against firms for AML
weaknesses both before and during the Relevant Period, including in
respect of Alpari Limited on 5 May 2010, Coutts & Company on 23 March
2012, Habib Bank AG Zurich on 4 May 2012, Turkish Bank (UK) Limited
Bank PLC on 22 January 2014, Barclays Bank PLC on 25 November
2015, Sonali Bank (UK) Limited on 12 October 2016 and Deutsche Bank
AG on 30 January 2017. These actions stressed to the industry the
Authority’s view of firms with AML deficiencies, and Al Rayan was
accordingly aware of the importance of implementing and maintaining
robust AML systems and controls.
6.17.
Consequently, Al Rayan was aware, or ought to have been aware, of the
importance of putting in place and maintaining effective procedures to detect and
prevent money laundering.
6.18.
The Authority considers that the following factor mitigates the breach:
6.18.1.
On 13 July 2018, the Authority imposed a requirement upon Al Rayan
to appoint a Skilled Person under section 166 of the Act. Thereafter, Al
Rayan entered into a voluntary requirement restricting it from accepting
or processing any new deposit account applications from: any
prospective person categorised as high-risk for the purposes of financial
crime (as defined in Al Rayan’s customer risk rating tool and associated
methodology), PEPs, or family members or known close associates of
PEPs. Working with the Skilled Person over more than 3 years Al Rayan
committed significant resources to improving its AML control
framework, as a consequence of which the Authority lifted the voluntary
requirement in June 2022.
6.19.
Having taken into account these aggravating and mitigating factors, the Authority
considers that the Step 2 figure should be increased by 20%.
6.20.
Step 3 is therefore £5,748,078.
Step 4: adjustment for deterrence
6.21.
Pursuant to DEPP 6.5A.4G, if the Authority considers the figure arrived at after
Step 3 is insufficient to deter the firm who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
6.22.
The Authority considers that the Step 3 figure of £5,748,078 represents a
sufficient deterrent to Al Rayan and others, and so has not increased the penalty
at Step 4.
6.23.
Step 4 is therefore £5,748,078.
Step 5: settlement discount
6.24.
Pursuant to DEPP 6.5A.5G, if the Authority and the firm on whom a penalty is to
be imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have
been payable will be reduced to reflect the stage at which the Authority and the
firm reached agreement. The settlement discount does not apply to the
disgorgement of any benefit calculated at Step 1.
6.25.
The Authority and Al Rayan reached agreement at Stage 1 and so a 30% discount
applies to the Step 4 figure.
6.26.
Step 5 is therefore £4,023,655.
6.27.
The Authority hereby imposes a total financial penalty of £4,023,600 on Al Rayan
for breaching Principle 3.
7.
PROCEDURAL MATTERS
7.1.
This Notice is given to Al Rayan Bank PLC under and in accordance with section
390 of the Act. The following statutory rights are important.
Decision maker
7.2.
The decision which gave rise to the obligation to give this Notice was made by the
Settlement Decision Makers.
Manner and time for payment
7.3.
The financial penalty must be paid in full by Al Rayan Bank PLC to the Authority
no later than 25 January 2023.
If the financial penalty is not paid
7.4.
If all or any of the financial penalty is outstanding on 25 January 2023, the
Authority may recover the outstanding amount as a debt owed by Al Rayan Bank
PLC and due to the Authority.
7.5.
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this notice relates. Under those provisions,
the Authority must publish such information about the matter to which this notice
relates as the Authority considers appropriate. The information may be published
in such manner as the Authority considers appropriate. However, the Authority
may not publish information if such publication would, in the opinion of the
Authority, be unfair to Al Rayan Bank PLC or prejudicial to the interests of
consumers or detrimental to the stability of the UK financial system.
7.6.
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contacts
7.7.
For more information concerning this matter generally, contact Richard Topham
(direct line: 020 7066 1180 / email: richard.topham@fca.org.uk) or Owen Dixon
(direct line: 020 7066 9374 / email: owen.dixon@fca.org.uk) at the Authority.
Lauren Rafter
Financial Conduct Authority, Enforcement and Market Oversight Division
ANNEX A
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.1.
The Authority’s statutory objectives, set out in section 1B(3) of the Act, include the
integrity objectives (protecting and enhancing the integrity of the UK financial
system).
1.2.
Section 206(1) of the Act provides:
“If the Authority considers that an authorised person has contravened a
requirement imposed on him by or under this Act… it may impose on him a penalty,
in respect of the contravention, of such amount as it considers appropriate.”
RELEVANT REGULATORY PROVISIONS
Principles for Businesses
1.3.
The Principles are a general statement of the fundamental obligations of firms
under the regulatory system and are set out in the Authority’s Handbook. They
derive their authority from the Authority’s rule-making powers set out in the Act.
The relevant Principles are as follows.
1.4.
Principle 3 provides:
A firm must take reasonable care to organise and control its affairs responsibly and
effectively, with adequate risk management systems.
Senior Management Arrangements, Systems and Controls (“SYSC”)
1.5.
SYSC 6.1.1R provides:
A firm must establish, implement and maintain adequate policies and procedures
sufficient to ensure compliance of the firm including its managers, employees and
appointed representatives (or where applicable, tied agents) with its obligations
under the regulatory system and for countering the risk that the firm might be used
to further financial crime.
1.6.
SYSC 6.3.1R provides:
A firm must ensure the policies and procedures established under SYSC 6.1.1R
include systems and controls that:
(1) enable it to identify, assess, monitor and manage money laundering risk; and
(2) are comprehensive and proportionate to the nature, scale and complexity of its
activities.”
1.7.
SYSC 6.3.3R provides:
A firm must carry out a regular assessment of the adequacy of these systems and
controls to ensure that they comply with SYSC 6.3.1R.”
DEPP
1.8.
Chapter 6 of DEPP, which forms part of the Authority’s Handbook, sets out the
Authority’s statement of policy with respect to the imposition and amount of
financial penalties under the Act.
The Enforcement Guide
1.9.
The Enforcement Guide sets out the Authority’s approach to exercising its main
enforcement powers under the Act.
1.10. Chapter 7 of the Enforcement Guide sets out the Authority’s approach to exercising
its power to impose a financial a penalty.