European Banking Authority Closes Investigation into Danish and Estonian Bank Regulators Over Danske Bank Oversight

On April 17, the European Banking Authority (EBA) announced that it had closed “its formal investigation into a possible breach of Union law by the Estonian Financial Services Authority (FSA)  (Finantsinspektsioon) and the Danish Financial Services Authority (Finanstilsynet) in connection with money laundering activities linked to Danske Bank and its Estonian branch in particular.”  The EBA’s terse release added only that the EBA’s Board of Supervisors had voted the day before to reject a proposal for a breach of European Union law recommendation.

Previously, the EBA had announced on February 19 that it had opened an investigation of the Danish and Estonian FSAs  under Article 17 of the EBA’s founding Regulation.  The abrupt end of the EBA’s investigation, however, sent vague and ambiguous signals about the basis and significance of that decision.

One report by EU Observer took the view that the Board of Supervisors’ action had “cleared Danish and Estonian financial regulators of breaking any EU laws in their handling of” the Danske Bank situation.  Reuters reported, however, that “[n]ational banking supervisors who control the [EBA] effectively forced it to clear” the Estonian and Danish FSAs.  All but one of the 28 national supervisors on the Board reportedly rejected the EBA’s recommendation.  That rejection, according to Reuters, “blocked any further legal action by the EBA against the Estonian and Danish supervisors and signaled EU states’ reluctance to let the bloc’s authorities investigate the exposure of their banking systems to financial crime.”

Note: The lack of transparency in this action by the EBA should satisfy no one.  Given the already white-hot glare of publicity over the Danske Bank scandal since last fall, and calls by the European Commission and European Parliament members for further inquiry into the FSAs’ oversight of Danske Bank, the EBA must have known, at the time it opened the investigation of the Danish and Estonian FSAs, that even that initial step would create a particularly dark cloud of suspicion over those FSAs.

For its part, the Board of Supervisors’ decision, while entirely within its authority, does nothing to dispel doubts about the capacity of the EBA to play any meaningful role in ensuring effective AML oversight within the Union.   If it truly concluded, on the basis of available evidence, that there is no basis to pursue the inquiry further against either FSA, the Board owes it to the Commission – and to the FSAs whose conduct was called into question – to say so in specific terms.

United Kingdom Financial Conduct Authority Fines Standard Chartered Bank More Than £102 Million for Poor AML Controls

On April 9, the United Kingdom Financial Conduct Authority (FCA) announced that it had fined Standard Chartered Bank (SCB) £102,163,200 “for Anti-Money Laundering (AML) breaches in two higher risk areas of its business.”  The FCA stated that it had conducted investigations into two areas of SCB’s business that SCB had identified as higher risk: (1) its UK Wholesale Bank Correspondent Banking business; and (2) its branches in the United Arab Emirates (UAE).

The FCA stated that it had found “serious and sustained shortcomings” in SCB’s AML controls relating to customer due diligence and ongoing monitoring, and that SCB “failed to establish and maintain risk-sensitive policies and procedures, and failed to ensure its UAE branches applied UK equivalent AML and counter-terrorist financing controls.”

The United Kingdom Money Laundering Regulations 2007 (MLRs), according to the FCA, required SCB to take two specific types of actions.  First, it was required to “establish and maintain appropriate and risk sensitive policies and procedures to reduce the risk it may be used to launder the proceeds of crime, evade financial sanctions or finance terrorism.” Second, it had “to require its global (non-EEA) branches and subsidiaries to apply policies and procedures in relation to due diligence and ongoing monitoring that are equivalent to those required of”  SCB in the United Kingdom.

The FCA, however, found “significant shortcomings” in SCB’s own internal assessments of the adequacy of its AML controls, as well as “its approach towards identifying and mitigating material money laundering risks and its escalation of money laundering risks.” These failings, in the FCA’s judgment, exposed SCB “to the risk of breaching sanctions and increased the risk of Standard Chartered receiving and/or laundering the proceeds of crime.”  SCB’s reported failings “occurred in its UK Correspondent Banking business during the period from November 2010 to July 2013 and in its UAE branches during the period from November 2009 to December 2014.”

The FCA also provided several examples of the failings in question:

  • “opening an account with 3 million UAE Dirham in cash in a suitcase (just over £500,000) with little evidence that the origin of the funds had been investigated;
  • “failing to collect sufficient information on a customer exporting a commercial product which could, potentially, have a military application. This product was exported to over 75 countries, including two jurisdictions where armed conflict was taking place or was likely to be taking place; and
  • “not reviewing due diligence on a customer despite repeated red flags such as a blocked transaction from another bank indicating a link to a sanctioned entity.”

SCB’s agreement to accept the FCA’s findings meant that the bank qualified for a 30 percent discount that resulted in the £102,163,200 fine.  Absent the discount, the FCA stated that the fine would have been £145,947,500.

Note:  This fine against SCB for AML violations, coming on the same day that the U.S. Department of Justice announced the criminal settlement of more than $1 billion with SCB for Iranian sanctions violations, should serve as a cautionary tale for financial institution boards of directors and C-level officials.  Any financial institution in which more than one of its financial-crimes compliance programs has had serious failings during the same periods – that is, sanctions from 2007 to 2011, and AML from November 2010 to July 2013 (correspondent banking) and from November 2009 to December 2014 (UAE) – cannot seriously claim that it had a culture of compliance during those periods, and should therefore expect penalties of this magnitude.

To understand more clearly the FCA’s findings and reasoning, financial-crime compliance officers should peruse the FCA’s Decision Notice in this case, and use its findings as points of comparison to evaluate the soundness of their own AML programs.  Among other findings, that Notice included a specific observation that

SCB’s failings are particularly serious because they occurred against a background of heightened awareness within SCB of issues with its global financial crime controls arising from action taken by US regulators and prosecutors, direct feedback from the Authority, and through its own internal assessments. In addition, throughout the Relevant Period, the Authority, along with the UK government as well as international and domestic governmental organisations, repeatedly issued communications regarding jurisdictions with a high risk of money laundering and/or financial crime.

Financial institutions should therefore recognize that regulators such as the FCA can and will take into account the cumulative knowledge of a financial institution about its financial-crimes risks, as well as the range of external and internal sources of that knowledge, in determining whether that institution should be held accountable for any lapses or failures of its financial-crimes compliance programs.

UniCredit Group Institutions Resolve Sanctions Investigation with Department of Justice, Agree to Pay More Than $1.3 Billion

On April 15, the United States Department of Justice announced that Munich-based UniCredit Bank AG (UCB AG) had agreed to plead guilty to conspiring to violate the International Emergency Economic Powers Act (IEEPA) and to defraud the United States, “by processing hundreds of millions of dollars of transactions through the U.S. financial system on behalf of an entity designated as a weapons of mass destruction proliferator and other Iranian entities subject to U.S. economic sanctions.”  UCB AG and another bank that is part of the UniCredit Group, Vienna-headquartered UniCredit Bank Austria (BA), agreed to enter into a series of settlements with federal and local departments and agencies, in which the banks agreed to pay a total of more than $1.3 billion.

With regard to UCB AG, the Department stated that

[a]ccording to court documents, over the course of almost 10 years, UCB AG knowingly and willfully moved at least $393 million through the U.S. financial system on behalf of sanctioned entities, most of which was for an entity the U.S. Government specifically prohibited from accessing the U.S. financial system.  UCB AG engaged in this criminal conduct through a scheme, formalized in its own bank polic[i]es and designed to conceal from U.S. regulators and banks the involvement of sanctioned entities in certain transactions.  UCB AG routed illegal payments through U.S. financial institutions for the benefit of the sanctioned entities in ways that concealed the involvement of the sanctioned entities, including through the use of companies that UCB AG knew would appear unconnected to the sanctioned entity despite being controlled by the sanctioned entity.

With regard to BA, the Department stated that

[a]ccording to admissions in the non-prosecution agreement and accompanying statement of facts, between 2002 and 2012, BA used non-transparent methods to send payments related to sanctioned jurisdictions such as Iran through the United States.  BA conspired to violate IEEPA and defraud the United States by processing transactions worth at least $20 million through the United States on behalf of customers located or doing business in Iran and other countries subject to U.S. economic sanctions or customers otherwise subject to U.S. economic sanctions.

The settlements into which the UniCredit institutions entered include the following:

  1. Department of Justice: UCB AG agreed to waive indictment and to be charged in and to plead guilty to a one-count felony criminal information charging it with knowingly and willfully conspiring to commit violations of IEEPA and to defraud the United States, from 2002 through 2011. The plea agreement with UCB AG provides that UCB AG is to forfeit $316,545,816 and to pay a fine of $468,350,000.  In addition, BA entered into a non-prosecution agreement to resolve an investigation into its violations of IEEPA, and agreed to forfeit $20 million.
  2. New York County District Attorney’s Office: UCB AG entered into a plea agreement with the New York County District Attorney’s Office (DANY) for violating New York State law, pursuant to which UCB AG will pay $316,545,816. BA also entered into a non-prosecution agreement with DANY for violating New York State law.
  3. Other Agencies: UniCredit SpA (the parent of both UCB AG and BA), UCB AG, and BA entered into various settlement agreements with the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Board of Governors of the Federal Reserve System (the Federal Reserve) and the New York State Department of Financial Services (DFS). Under those agreements, the three financial institutions agreed to pay additional penalties of approximately $660 million as follows:  $611,023,421 to OFAC, which will be satisfied in part by payments to the Justice Department and the Federal Reserve; $157,770,000 to the Federal Reserve; and $405 million to DFS.

Note:  This series of settlements is noteworthy not only for the amount of the sanctions-related financial penalties that UniCredit entities agreed to pay, or the duration of the scheme, but for the fact that UCB AG’s sanction-evasion scheme was formalized in UCB AG’s own policies.  That latter fact strongly indicates a serious dereliction of duty by UCB AG’s legal and sanctions-compliance functions.  No company that explicitly articulates a commitment to evasion of legal requirements in its policies can claim to have a culture of compliance.  Other financial institutions should therefore use this set of settlements, at an appropriate time, as a basis for reviewing their own policies, to see that no provisions in those policies even suggest how their institutions should circumvent or violate any legal requirements.

Carnegie Endowment Paper Highlights Concerns with Bahrain’s Fragility and Its Security Sector Procurement

Recently, the Carnegie Endowment for International Peace published a paper by Jodi Vittori, a nonresident scholar in Carnegie’s Democracy, Conflict, and Governance Program, on “Bahrain’s Fragility and Security Sector Procurement.”  Vittori’s analysis addresses three principal topics:

(1)  The Political and Economic Anatomy of the Bahraini Regime: Vittori identifies three factors that she terms the pillars of Bahraini regime survival: (i) the Sunni royal family’s maintenance of its power “through absolute control over politics”; (ii) the monarchy’s selective distribution of patronage “from oil rents to preserve a small but crucial coalition of supporters, particularly within the security sector”; and (iii) the regime’s deliberate exploitation of sectarian divisions and institutionalization of sectarian cleavages.” She also notes that the monarchy’s control of state resources and of information about those resources – including oil and gas revenues, the Bahraini sovereign wealth fund, and tax revenues – provides “a massive, unaccountable slush fund for whatever the monarchy chooses to spend it on, including expensive security sector purchases.”

(2)  The Regime’s Discontents: Sectarian and Cross-Sectarian Grievances: At the same time, the regime is the focus of both sectarian and cross-sectarian grievances, stemming from both “[t]he regime’s increasingly authoritarian behavior” and the country’s poor economy. Vittori notes, for example, that “[d]espite the roughly $50,000 per capita GDP, wages have been flat and the median income is only $13,300 per year for private sector jobs and $18,600 for public sector ones.”

(3) Bahrain’s Security Sector and Risks to Stability: Vittori states that “[t]he Bahraini security sector is essential to maintaining the monarchy’s power.” But she also recognizes that foreign powers – most notably Saudi Arabia and the United States – “play an outsized role in Bahrain’s security.”  Particularly noteworthy is the relationship of the security sector to the United States.  Vittori estimates that about 85 percent of Bahrain’s weapons come from the United States.  In particular, “[j]ust the known U.S. purchases between September 2017 and September 2018 amount to $6.22 billion, or over four and a half times the publicly declared $1.4 billion defense budget for 2017.”

Vittori further states that “[t]he lack of transparency and oversight in Bahrain’s defense procurement process raises the likelihood that this multi-billion-dollar budget is rife with corruption.”  The government “exempts all military procurement from public tender,” the Parliament and the National Audit Court cannot examine the security sector, there are “no restrictions on the use of agents or intermediaries in procurement contracts . . . and no anticorruption requirements for suppliers,” and the government metes out severe punishment to “anyone in the country publicizing any information about corruption associated with the security sector . . . .”  Vittori concludes that “[t]he very high levels of spending for Bahrain’s security sector and significant risk of corruption therein pose a risk to the country’s economic and political stability.”

In light of the “tremendous leverage” that the United States and other Western nations have over Bahrain, Vittori offers a number of recommendations that focus on security sector procurement reform.  These include influencing Bahrain to publish a national security strategy, Western governments’ insistence “on extra scrutiny of all contracts associated with Bahrain,” encouraging Bahrain to develop a timeline and action plan for adherence to international contracting standards, requiring the Bahraini government to submit audited statements of security-sector procurement, and using U.S. leverage over Bahraini procurement to press for reforms.

Note: Anti-bribery and corruption compliance teams and strategic and political risk teams in aerospace and defense companies, or in companies with other operations in the Middle East, should read this paper for its general observations about the operations of the Bahraini monarchy, and for its insights into the significant potential for corruption in the Bahraini security sector.  Although, as Vittori commented, “[t]he Bahraini monarchy does not permit much social science research,” her paper has drawn on an extensive array of open-source materials for a nuanced analysis of the issues.

Fintech: Is There Expansion at the Expense of Risk and Compliance?

On April 11, Bloomberg reported on the contrasting growth plans of traditional financial firms and fintech companies in Europe.  Even as a bevy of financial firms in Europe and North America, including Société Générale SA, are cutting or expecting to cut staff, fintech in the United Kingdom saw a 61 percent increase in new fintech roles last year, and “hired aggressively in the first quarter” according to Ollie Sexton, a principal at the recruiting firm Robert Walters.

While United Kingdom fintech jobs numbered only 76,500 in 2018, the City of London projects that number to increase to 105,500 jobs by 2030.  Noting that many fintechs are working to make dramatic changes in the financial industry, Sexton said that a “large proportion of jobseekers and those open to taking new positions are looking to join startups experiencing hockey stick growth rather than companies making large-scale redundancies or going through an internal restructure.”  At the same time, Sexton commented that in 2019 “firms have focused on the tech side of fintech, adding developers and engineers instead of bulking up in financial functions like risk and compliance.”

Note: Financial-industry observers – including risk and compliance officers at firms doing business with fintech companies – should take note of this article.  If fintech entrepreneurs, in the United Kingdom and elsewhere, aggressively seek to expand operations and market share without providing proportional increases in staffing and funding for risk and compliance functions, they may be setting their companies up for significant compliance problems in short order.

Recent events in the fintech world bear that out.  As the Bloomberg article correctly recognized, just last month United Kingdom fintech company Revolut attracted the attention of the Financial Conduct Authority and the media because of concerns about the company’s sanctions screening process.  In addition, according to Handelsblatt, earlier this week the German financial regulator BaFin identified numerous deficiencies at smartphone bank N26 that N26 is required to address as soon as possible.  Those deficiencies reportedly included instances of external fraud against N26 customers and poor accessibility when other financial institutions sought to contact N26 about fraudulent transfers.

Consequently, financial firms that may be interested in doing business with, or even acquiring, a fintech firm should be prepared to ask detailed questions to determine the true state of the fintech firm’s compliance programs.  Every unicorn, no matter how attractive, may have a sharp horn, and passionate predictions about future growth and profitability are no substitute for facts in calculating risks.