The Financial Conduct Authority (FCA) has issued a Final Notice in respect of failings of Canara Bank, one of the largest public sector banks owned by the Government of India. The FCA has fined Canara Bank £896,100 and has restricted it from accepting deposits from new customers for 147 days.
Canara Bank has two branches in the UK (London and Leicester), and offers a wide range of regulated and unregulated financial products and services, including current accounts, term deposits, remittances, and corporate banking services.
The FCA found that between 26 November 2012 and 29 January 2016, Canara failed to maintain adequate anti-money laundering (AML) systems and controls and failed to take sufficient steps to remedy identified weaknesses, despite having been notified of inadequacies in its AML systems and controls. These failures were systemic and affected almost all levels of its business and governance structure including senior management, governance/oversight, the three lines of defence model, and the money laundering reporting function.
Firms are required to maintain robust AML systems and controls, to manage risks in relation to being exposed to those seeking to launder the proceeds of crime or to finance terrorism. Firms that do not do so may have an unfair competitive advantage over firms that are compliant, both because they save the costs of implementing and operating such systems, and because this may attract customers who are not welcome at other more compliant organisations.
At the end of November 2012, the FCA visited Canara as part of a thematic project on trade finance and, following this visit, the FCA highlighted serious weaknesses in the AML systems and controls (for example, the absence of an automated means of identifying PEPs). Canara afterwards claimed that steps had been taken to remedy these weaknesses; in particular, it confirmed in writing to the FCA that any customer on-boarded after July 2012 had been given an appropriate risk rating which was to be re-assessed after six months.
Canara was visited again in April 2015. During this second visit it became apparent not only that the remedial actions were insufficient to rectify the issues originally identified, but also that Canara had failed to test the implementation and effectiveness of the steps taken. No evidence was found that AML risks were being considered, for example through enhanced due diligence and ongoing monitoring of high-risk customers. It also emerged that the level of AML knowledge possessed by key staff was deficient and that incorrect and inconsistent practices were in place. A failure to embed a culture of compliance with regulatory requirements throughout the firm was also identified.
A Skilled Person was appointed by the Prudential Regulation Authority (PRA) in September 2015, and their final report in January 2016 highlighted several significant deficiencies with respect to Canara’s AML systems and controls, the oversight and monitoring of those controls, and the general governance of Canara’s risk control framework. By failing to take reasonable care to manage its AML risks and comply with applicable regulatory and legal AML requirements (including the failure to conduct timely and adequate remediation of weaknesses identified by the FCA during both visits), Canara was found in breach of Principle 3 (Management and Control) of the FCA’s Principles for Business.
The FCA also found that this amounted to a breach of the Money Laundering Regulation 2007 (the Regulation), which requires firms and their senior management to ensure that adequate AML policies and procedures are in place and are operating effectively.
The Final Notice highlights the importance for branches of overseas banks and their senior management (a) to have sufficient understanding of their regulatory responsibilities and (b) to ensure that obligations are met with appropriate resources. In Canara’s case, senior management positions in the UK were filled with staff from its Head Office in India. This practice, although not prohibited, contributed to the significant faults, as some key members of staff lacked the necessary understanding of applicable UK AML requirements. Senior management was found to lack an adequate understanding of financial crime issues and of compliance with financial crime law and regulation.
The FCA assessed the impact and nature of the misconduct as level four out of five on its scale of seriousness, which resulted in a fine of 15% of the total revenue for the relevant period (in this case, circa £7.1 million). Canara fully co-operated with the investigation and agreed to settle at an early stage, qualifying for a 30% discount (the amount initially imposed was almost £1.3 million, and the restriction above was initially 210 days). The FCA acknowledged that the firm’s substantive AML deficiencies have now been rectified, as confirmed by the Skilled Person’s report in April 2018.
The Canara case suggests that the FCA’s approach to AML failures can be fierce even when small firms are involved (Canara UK’s customer base was relatively small in the relevant period, with fewer than 1,200 customers). Among the findings were:
- A lack of an effective risk management framework;
- A lack of training (the FCA found that none was provided to Canara staff since 2012);
- A lack of adequate policies and procedures (Canara did not have a compliance manual in place);
- A “tick-box” approach to compliance monitoring (Canara was relying on an insufficient Compliance Monitoring checklist); and
- A lack of periodic reporting from the money laundering reporting function.
Senior management should ensure none of the above deficiencies can be ascribed to their firm.
The FCA’s view is that the length of the restriction imposed will deter Canara and other firms from committing similar breaches. A strong compliance culture across an organisation is a powerful way to avoid coming under the regulator’s spotlight, which can prove even more expensive than implementing a proper financial crime prevention framework.