The Dubai Financial Services Authority has levied a small fine of US$640,000 on the Dutch banking giant ABN AMRO for bad money-laundering controls that pervaded its private banking operation.

The regulator says that the contraventions at ABN, which has a significant private banking arm in the Dubai International Financial Centre, were 'widespread.' The bank benefited from the usual 20% discount (in the UK it is 30%) by caving in to all regulatory demands as soon as the DFSA's investigation began. The bank's global operating income in the first quarter of this year was €2.17 billion, which makes the regulator's assertion that the monetary penalty was 'significant' (coupled with the fact that most international money-laundering investigations involve Dubai) seem a trifle underwhelming.

Broken principles

The fine seems even less imposing when one reads out the litany of sins of which ABN has been found guilty. The DFSA says that it broke no less than three of its core principles: principle 2 (in GEN rule 4.2.2) by failing to conduct its business activities with due skill care and diligence; principle 3 by not managing its affairs effectively and responsibly and not having adequate compliance systems and controls (GEN rule 4.2.3); and principle 4 (GEN rule 4.2.4) by not devoting adequate resources to the job. The worst offender was the compliance department, which did not monitor and control the activities of the relationship managers in its private banking business or identify and offset the money-laundering risks.

Blowing the whistle

Throughout the summer of 2014 the bank received anonmyous complaints about rules being broken from members of staff. In early July its internal investigators were already looking at the first bevy of complaints. The resultant report said that ABN’s AML-related policies and procedures (in particular, its policies and procedures governing client acceptance and anti-money laundering and wealth structuring activities) were being ignored. Its files on clients did not contain the necessary documents to prove the contrary; the 'customer due diligence' information and documents on clients with complex structures (which comprised 20 of the 68 client relationships in the review) did not reveal the identities of beneficial owners, the clients' sources of wealth and funds, or the reasons for which they were opening the accounts.

Some RMs, moreover, had been involved in arranging or providing wealth structuring activities for clients, in breach of ABN’s own policies and procedures that related to those specific activities. Like all Anglocentric financial regulators, the DFSA is always displeased when a firm fails to follow its own internal policies, whether those policies are based on regulatory necessity or not.

This was also the case with the bank's policies for background checks on introducers who were entitled to finders' fees. Not only were these checks inadequate by ABN's own standards; some RMs allowed introducers to go on having a say in their relationships with clients after the introductions were over - something with which the DFSA found fault.

Personal Investment Companies

Dubai's Personal Investment Companies figure prominently in the case. Offshorepedia states that a PIC, or Personal Investment Corporation, is a term used in the banking industry to refer to an International Business Company or IBC, a term more often used in the Caribbean. The average PIC is created for a private banking client with the aim of holding that client’s investment assets. Some RMs at ABN did not understand their own policies and procedures in relation to third-party transactions for client relationships that were PICs. In 12 out of 40 customer relationships, the initial funding of accounts opened for clients that were PICs was through third-party transactions. These payments, the decision notice says, "were found not to be in line with ABN’s customer risk assessment and 'know your customer' information for clients."

At least 40 of the incoming third-party transactions that the internal investigators reviewed involved the receipt of funds from exchange houses located in the UAE. Documents received by ABN for these transactions were either inadequate or non-existent. ABN’s transaction monitoring scenarios for PIC accounts were not calibrated for commercial account transactions, so its transaction monitoring system did not identify third-party transactions in PIC accounts properly. Meanwhile, they found that 37 invoices, obtained by RMs in response to transaction alerts (raised in relation to transactions in client accounts), were suspicious; they found that four loan and investment agreement documents, which had been obtained as part of the KYC 'source of wealth' information-gathering process, were suspicious; and they found six undated and pre-signed trade orders, pertaining to at least three clients, being held "under the direction of" RMs in direct contravention of ABN’s policies.

A small number of RMs also broke with procedure when they secretly provided additional intermediary services to people connected with ABN clients. One RM lent one of them money; one helped to provide cash exchange services; and one organised payments between an account in the name of a company controlled by a services provider in the UAE and one ABN client and three others; and they all used ABN email accounts to do it, although it seems rather petty of the regulator to protest against this last offence.

The sky falls on ABN AMRO

So far, the bank's investigators (as opposed to its compliance officers) seem to have handled matters fairly well. They produced a report on the misconduct in mid-December and handed it to the regulator one month later. They had already notified the DFSA of their impending investigation in late August and had sent it updates periodically after that. On 5 February, ABN handed the DFSA details of a remediation plan under which it was going to review all of its private banking client relationships by October. The DFSA was obviously dissatisfied with this flurry of activity, because it began its own investigation three days later.

What the DFSA investigators found

Assessments of AML risks

The DFSA found ABN’s business risk assessments of 2013 and 2014 to be inadequate, especially when looking at country AML risk; the legal structure of ABN clients, especially PIC clients with complex ownership structures and/or offshore incorporations; actual transactions, especially those involving third party payments; and introducers. It also (in vain, as it turned out) expected the assessments to look at the rapid commercial growth of the private banking business line from a standing start in 2010 and the effect that this growth had had on the effectiveness of its control functions.

Customer risk assessments

AML Rule 6.1 requires every authorised firm to undertake a risk-based assessment of every customer and assign him an AML risk rating. Some assessments were incomplete and/or contained inconsistent and/or contradictory information; five out of 26 customer risk assessments failed to identify the ultimate beneficial owner of the client; and most customer risk assessments skimmed over the intended nature of business of the client relationship in a superficial way. Some assessments said that the client intended to conduct “third party transactions” [i.e. on behalf of others] but did not justify it. Whenever the client was an offshore company the assessment did not say why the beneficial owner was interested in such a structure. None of the risk assessments analysed “source of wealth and source of funds” satisfactorily.

About 75% of ABN’s private banking clients were classified as “increased risk,” with the remainder classed as “neutral risk”. The DFSA thought that the former category had too many risk profiles in it to be meaningful.

'Customer due diligence'

This ugly term, which originated in a meeting of the Basel Committee for Banking Supervision and is now beloved of regulators everywhere except the US, is enshrined in AML Rule 7.1.1, which also prescribes extra due diligence or EDD for high risks.

The DFSA's so-called 'client file review' found that customers had been adequately identified and verified in 22 out of 26 client relationships and in 17 the beneficial owners were identified well. However, four client files contained no evidence confirming the identity of the customer and/or beneficial owner and, moreover, were in the 'increased risk' category. They should therefore have been the subject of EDD but were not, and the same went for the cases where the beneficial owners were not identified.

The DFSA also found two instances where ABN had failed to identify a 'politically exposed person' or PEP connected to its clients.

Adequate EDD was never performed anywhere, even for customers to which ABN had assigned 'high risk' ratings.

'Ongoing CDD' was another problem. Three out of 26 clients' files were not reviewed with the frequency required by ABN's own internal rules. The regulator says that ABN did not periodically review the adequacy of the CDD information it held for all its private banking customers – a swingeing indictment. Transaction monitoring was also woeful in relation to 16 out of 26 client relationships that the regulators looked at.

Compliance and senior management oversight

'Oversight', for once, is the right word here. The DFSA reviewed a sample of internal ABN communications related to the escalation and 'discounting' (ignoring) of transaction alerts generated by ABN’s transaction monitoring system. Some alerts were discounted on the basis of superficial and inadequate (and, indeed, lying) explanations provided by RMs. All too often, the firm did not verify the underlying documents and left cases open (while business carried on) for far too long.

ABN’s compliance department did not challenge the explanations and documents it received in response to transaction alerts and, as a result, discounted them inappropriately. Periodically, it 'escalated' late responses to these alerts to the top, but the senior managers of ABN in the DIFC took an even sleepier approach. In determining the fine, the regulator has kept to the formulaic method of calculation without adding any more on top for the sake of 'deterrence.' One wonders whether this was wise.