The anti-money laundering efforts of European banks is being hamstrung by failures to manage key customer data and perform proper due diligence, regulators say
Banks’ failure to collect know-your-customer (KYC) data and their tendency to manage high-risk customer due diligence manually are hampering their anti-money laundering (AML) efforts, according to regulators in the United Kingdom. Further, many banks’ assessment of financial crime risk has also been found to be inadequate.
Some UK banks, are failing to collect customer information such as income and occupation details. In some cases, customer risk assessment frameworks are underdeveloped or non-existent, which translates into poor initial due diligence and weak enhanced due diligence for high-risk customers and politically exposed persons, UK regulators said.
Inadequate customer due diligence will make transaction monitoring systems less effective, the UK Financial Conduct Authority (FCA) noted in April.
“One of the problems is not being aware, habitually, of the actual risk they are managing,” says Gabriel Cozma, head of Lysis Financial and Fintech at the Lysis Group in the UK, adding that too often banks ignore the risk. “And once you don’t understand the risk, you cannot apply controls. How would you create scenarios and rules when you don’t really understand the risks you have to manage?”
Deficiencies highlighted
Business-wide risk assessments that the FCA reviewed were “generally poor”, with insufficient detail on the financial crime risks to which the business was exposed. The FCA observed a lack of consistency in customer risk assessment.
“We also see instances where there are significant discrepancies in how the rationale for specific risk-ratings are arrived at and recorded by firms. There is often a lack of documentation recording the key risks and the methodology in place to assess the aggregate inherent risk profile of individual customers,” the FCA said in 2021.
The FCA has had a particular focus on failures observed at UK retail banks and challenger banks. UK enforcement action against NatWest and HSBC, together with Credit Suisse’s 2022 guilty verdict in a Swiss court for laundering Bulgarian drug dealers’ cash, and Deutsche Bank’s continuing AML/KYC failures, are just a handful of examples which demonstrate that global systemically important banks are experiencing similar challenges in the battle against dirty money.
Spending billions
Big banks have reported that they spend billions on financial crime prevention and employ thousands of experts to run transaction-monitoring programs. NatWest Group, for example, has said it is investing about £1 billion on financial crime controls over the next five years and has more than 5,000 staff working in specialist financial crime roles.
NatWest has paid out £279 million in three UK fines for financial crime control failures since 2010. The bank’s latest set of interim results from August 2022, however, stated that Royal Bank of Scotland International was referred to the Isle of Man’s Financial Services Authority’s enforcement division after an inspection of AML/CFT controls and procedures relating to specific customers.
Indeed, banks’ continued reliance on spreadsheets and other manual processes means their approach to financial crime compliance and detection lacks coherence and consistency. “We often identify instances where CDD [customer due diligence] measures are not adequately performed or recorded. This includes seeking information on the purpose and intended nature of a customer relationship (where appropriate) and assessments of that information,” the FCA said in 2021.
Firms are unable to track clients effectively in a spreadsheet for AML and KYC purposes, and spreadsheets are not conducive to tracking changes in client behavior or bringing any consistency to continuing due diligence. Yet few banks have invested in workflow technology that could bring more consistency and assurance to client on-boarding, continuing due diligence and client management, particularly when it comes to high-risk clients.
Managing financial crime policies through spreadsheets and static documents such as PDFs posted on an intranet portal means policies and guidance are difficult to access or may not be current, which makes taking a consistent approach to financial crime risk assessment and client onboarding difficult.
“Of course, firms use some technology in places, but some of the challenges and what we’re seeing now is the risk of workflow type solutions that provide some level of consistency across the board,” says Henry Balani, head of industry and regulatory affairs at regtech firm Encompass Corporation in London.
Manual processes
When regulators mention manual processes, most of the time that means firms are using a spreadsheet to manage financial crime risk across a range of activities, such as onboarding or transaction monitoring. For example, the FCA’s 2017 final notice fining Deutsche Bank £163 million for the mirror trading-related control failures notes that the bank lacked automated AML systems for detecting suspicious trades.
“When it was informed by Deutsche Bank’s operations team that ‘providing a spreadsheet will not be possible as this is done manually by a team member and capturing so many records will be painful’, the AML team did not persist with its enquiries,” the FCA wrote in its 2017 enforcement notice.
Deutsche Bank says it has since “beefed up” resources to combat money laundering, spending 2 billion euros between 2019 and 2020 and employing 1,600 members of staff worldwide “to fight financial crime”. In April 2021, however, the German financial markets regulator BaFin ordered Deutsche Bank to further improve its AML safeguards and comply with due diligence obligations. And in May 2022, prosecutors, federal police, and other officials searched the bank’s Frankfurt headquarters to investigate suspicions of money laundering it had reported to the authorities.
Manual processes also come up in relation to sanctions screening, which the FCA has been assessing following the introduction of sanctions on Russian individuals and companies. The FCA has found “varying levels of adequacy”, and much of that hinges on whether firms are using manual or automated screening systems. “Issues we have identified tend to be around the effectiveness of firms’ customers’ sanction-screening processes,” explains Nikhil Rathi, the FCA’s chief executive, in a letter to the Treasury Select Committee on July 4.
The FCA had written to firms that use manual sanctions-screening tools to remind them to have “well-established and well-maintained systems and controls to counter the risk of their business being used to further financial crime, including evading sanctions,” Rathi said.
