Irish regulator fines Ulster Bank €3.325 million
Chris Hamblin, Editor, London, 24 November 2016
The Central Bank of Ireland has handed Ulster Bank Ireland DAC a €3,325,000 fine for failing to comply with anti-money laundering and terrorist financing rules for six years.
The regulator also reprimanded the bank for breaking the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, which the bank has admitted to doing. The Act requires credit and financial institutions to follow policies and procedures to prevent and detect the commission of money laundering and terrorist financing.
The breaches occurred over a six-year period, starting with the Act's enactment on 15 July 2010 and ending this year. Ulster Bank transgressed in respect of:
- outsourcing, both in terms of governance and control;
- the assessment of money laundering/terrorist financing risks specific to its business and the relevant mitigating systems and controls; and
- 'know your customer' controls, specifically the identification and verification of existing customers who predated the Irish AML/CFT laws effected in May 1995. This process was known in the United Kingdom as 'retrospection.'
The Central Bank also identified areas of non-compliance in respect of adherence to internal procedures, AML/CFT training for non-executive directors and reliance on third parties in respect of KYC/'customer due diligence' operations. The bank also kept bad trade finance procedure manuals.
Ulster Bank Ireland is authorised to carry on banking business in Ireland under Section 9 of the Central Bank Act 1971. It is one of the largest banks in Ireland with more than 110 branches and 1.1 million customers. Its principal activities consist of retail and commercial banking.
During 2012 and 2013, the Central Bank conducted a review of Ulster Bank Ireland’s compliance with the Criminal Justice Act. The bank also owned up to various examples of non-compliance with the Act. In December 2013, the Central Bank demanded remediation; it began an investigation in 2015. The Central Bank’s investigation identified eight breaches of the Act.
Poor controls over AML/CFT outsourcing
Ulster Bank Ireland is part of a group of companies headed up by Royal Bank of Scotland plc, which is the ultimate holding company. It outsources 25 AML/CFT activities, mainly to four other entities in the RBS group. The outsourced activities involve a wide range of key AML/CFT obligations under the Criminal Justice Act.
The Central Bank identified two significant failings in respect of Ulster Bank Ireland’s governance and oversight of those outsourced AML/CFT activities between 15 July 2010 and 15 October 2016. It failed to put an outsourcing policy in place between 15 July 2010 and June 2011 (an 11-month period) and also failed to put a service-level agreement in place for 19 of the 25 outsourced activities when the outsourcing commenced, as required by its internal policy. Of the 19 activities that the service-level agreements did not cover, the average duration of the gap was two years, with 13 of those 19 activities not covered for a period of three years and longer.
Given Ulster Bank Ireland’s extensive reliance on AML/CFT outsourcing, the absence of these two important controls over outsourcing exposed it to an unacceptable risk that it would fail to obey the Act. The regulator regards outsourcing policies as key controls. Such an agreement, it says, ought to describe the way in which the bank monitors it, who is responsible for doing the monitoring, and what happens in the case of a termination of the services. It has also praised service-level agreements for providing further control in the form of contracts for outsourcing relationships that set out the rights and duties of the parties and usually specify agreed-upon performance levels.
Failure to conduct a ML/TF risk assessment
A thorough assessment of ML/TF risk exposure is essential in the regulator's eyes as it allows a firm to identify the kinds of ML/TF risks to which it is exposed as a result of its business model and to help it develop appropriate AML/CFT policies and procedures and design 'proportionate systems.' The risk assessment must be proportionate to the nature, scale and complexity of a firm’s activities.
Ulster Bank Ireland failed to conduct an assessment of the ML/TF risks of its business for a period of more than years. Furthermore, until April 2014, its risk assessment was inadequate in that it failed to provide any quantitative and/or qualitative evaluation of its exposure to the risk factors that it had identified.
Customer due diligence
The Act requires firms to complete CDD (i.e. exercise 'know your customer' controls) to identify and verify customers at certain times, especially when they 'onboard' new customers and when they have concerns relating to documents previously obtained for the purposes of identifying and verifying customers.
The regulator identified a number of failings in Ulster Bank Ireland’s procedures and systems in respect of CDD.
- Section 33(1)(d) CJA requires firms to be "customer duly diligent" if there are reasonable grounds to doubt that existing documents and information about customers are accurate and adequate for the purposes of verifying or confirming customers' identities. When the CJA came into force, Ulster Bank ought to have reviewed and confirmed the adequacy of the documents and information it held for pre-1995 customers to find out whether s33(1)(d) required something to which the regulator refers as "completion of CDD." It failed to do so.
- Ulster Bank provided 64,900 pre-1995 customers with new products without 'completing' CDD in circumstances where s33(1)(d) applied.
- Customer identification markers which indicated that customers were exempt from CDD remained on Ulster Bank Ireland’s system contrary to various written-down procedures.
- The bank relied on a third party to conduct CDD but the contractual arrangement in place did not satisfy the conditions in section 40, which permits firms to rely on third parties but only if there is an arrangement in place that stipulates that the firm may rely on the third party to conduct CDD and the firm is satisfied that, upon request, that third party will forward the documents or information obtained when conducting CDD to the firm as soon as practicable.
Guidance in relation to the identification of suspicious activity
Detection and prevention of ML/TF depends on the timely identification and subsequent reporting of suspicious activity. The regulator thinks it vital that all employees and officers in the financial sector, including board members, are trained in the law relating to money laundering/terrorist finance and their legal duty to report suspicious activity.
In this regard, the Central Bank found that Ulster Bank failed to demonstrate that it had trained its non-executive directors about the CJA before 2013. In particular, it failed to provide them with any training as regards the identification of suspicious transactions and activities until March 2014. This failure occurred despite the issue of a ‘Dear CEO’ letter by the Central Bank in October 2012, in which the Central Bank noted that it had identified deficiencies in AML/CFT training in many firms, including that of board members and senior managers.
In the same regard, although not of concern to the private client sector, the bank failed to have adequate policies and procedures specific to trade finance.
Factors in the decision to levy a penalty
In deciding the appropriate penalty to impose, the Central Bank considered the following matters.
- The seriousness with which the conduct is viewed, particularly given the firm’s central role in the financial services system and the highly risky nature of its business in respect of money laundering and terrorist finance.
- The extended period of time over which the breaches occurred. On average, the contraventions persisted for more than four years.
- The co-operation of the firm during the investigation and its decision to settle at an early stage of the regulator's sanctioning procedure.
- The firm's remedial action.
- The fact that all bar one breach continued after the enhancement of the Central Bank’s sanctioning powers under the Central Bank (Supervision and Enforcement) Act 2013.
Despite the mitigating factors in this list, however, many commentators believe the eventual fine to be on the lenient side.