On June 28, Finanstilsynet, the Norwegian Financial Supervisory Authority (FSA), ordered a subsidiary of Spanish bank Santander, Santander Consumer Bank, to pay a fine of Kr. 9 million (approximately US$1 million) for violating the Norwegian Money Laundering Act. In particular, the FSA stated that Santander Consumer Bank warranted a financial penalty for defects in the operation of its electronic monitoring system “to detect suspicious transactions related to money laundering and terrorist financing.” (Note: All translations of language in the FSA order are informal.)
According to the FSA order, section 38 of the Money Laundering Act requires that banks, mortgage companies, and finance companies have electronic monitoring systems to identify issues that may indicate money laundering and terrorist financing. The Act also requires that monitoring be conducted on an ongoing basis, and that a bank investigate transactions for which there are indications of money laundering or terrorist financing. The order further stated that “[a]n effective and fast implementation of investigations and reporting suspicious matters is central to achieving the purpose of the Money Laundering Code.” When the suspicion about a transaction is not rejected, it is to be reported to Økokrim, the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime, which functions as both a police agency and a public prosecutors’ office with national authority.
The FSA observed that in December 2018, Santander Consumer Bank brought to the FSA’s attention that the bank had discovered an error in the operation of that electronic monitoring system. The bank informed the FSA that that error had resulted in approximately 1,260,000 transactions not being subject to money laundering review for more than four years, from October 30, 2014 to December 6, 2018.
After further internal review and correction of the error, the bank found that approximately 1.6 million transactions, involving 303,415 customers, had not been verified under the Money Laundering Act. Reuters reported that a bank spokesperson attributed said the error was connected to the integration of old and new IT systems, and added that it “has fully cooperated with and kept the FSA fully continuously informed.”
In response, the FSA stated that it considered all factors for assessing a financial penalty under section 50 of the Money Laundering Act. Those factors include the gravity and duration of the offense; the offender’s degree of guilt; the financial offender’s ability; the reporting entity’s risk assessments and processes; benefits that have been achieved or could have been achieved by the violation; whether third parties have suffered losses; the degree of cooperation with the authorities; and any previous violations of the Act or regulations pursuant to the Act.
With regard to those factors, the FSA stated that “the offense has been going on for a long time, and applies to many transactions and customer relationships.” It also opined “that the error in the system could and should have been uncovered and directed far earlier than was actually the case.” The FSA specifically stated that “it is particularly aggravating that the bank was, or should have been, aware that there must be errors in the system without the matter being prioritized.” It also assumed “that the bank have not had sufficient resources and attention on the weaknesses of the system and the error that led to the offense.” All of these factors, in the FSA’s view, “are relevant during the assessment of the gravity of the violation and duration, the offender’s level of guilt, and the assessment of what benefits Santander Consumer Bank has achieved or could be achieved by the violation.”
The FSA acknowledged that the bank had correctly reported the error and had contributed to the FSA’s inquiry. Even so, it cited section 46 of the Norwegian Public Administration Act as the source of “a number of factors that can be taken into account in cases concerning administrative sanctions.” The FSA’s assessment was that “the incident in the bank is of such a nature that it speaks for sanctioning, taking into account both general preventive and individual preventive considerations.” It found that “the bank did not have enough resources in the fulfillment of its legal requirements, and that the management did not implement the necessary measures even when it knew, or should have known, that there were errors in the systems.” In the FSA’s view, “it is important that suspicions about system errors and non-compliance with the [money laundering] law lead to a quick follow-up from the reporting party, even where it has to demand more resources and attention from management.”
Note: The FSA order provides a detailed example of the factors that the FSA weighs in determining whether to penalize financial institutions for failure to comply with the Norwegian Money Laundering Law. It also provides yet another reminder to financial institutions’ AML compliance teams that their review of AML internal controls must include periodic checks on the completeness, timeliness, and accuracy of their AML electronic monitoring systems. Other financial institutions have paid a substantial price when their AML compliance failures included failures or gaps in their transaction monitoring systems, and regulators in the United States and the European Union can be expected to reinforce that message in future enforcement actions.