AML Framework Controls- common failures observed by the FCA SEC and FINRA

5. Transaction monitoring

The FCA noted extensive findings for transaction monitoring. In particular, the FCA cautioned that overseas firms should not rely on group-led transaction monitoring solutions which do not appropriately cater for the risks posed by the business activities and underlying customer base of the regulated entity. 

In addition, transaction monitoring systems need to address the relevant red flags and typologies and ensure proper calibration. To this end, firms need to customise the relevant thresholds and parameters and cannot simply use ‘off-the-shelf’ calibration. Firms also need to demonstrate how the thresholds would relate to the levels of expected activity of specific customers.

Understanding the technical set up of the transaction monitoring systems is also essential to ensuring that the system is operationalised to support any changes in the business such that all transactional activity is captured. Effective monitoring requires regular assessments of the data feeds and data integrity of the systems. In addition, firms should ensure that where transaction monitoring triggers an alert, the firm has the appropriately trained staff to investigate the alert, consider the alert against the established customer profile and sufficiently document any decisions made during that investigation. 

The FCA demonstrated their willingness to enforce these AML/CTF principles in the recent fine for Commerzbank AG. The fine totalled £37,805,400 and constituted a 30% discount for cooperation for failing to put adequate anti-money laundering systems and controls in place. By its own account, Commerzbank determined that its transaction monitoring tool was not fit for purpose and did not have access to key information from certain Commerzbank’s transaction systems, creating the risk that potentially suspicious transactions were not identified. For example, in 2015 Commerzbank London identified that 40 high-risk countries were missing, and 1,110 high-risk clients had not been added to the transaction monitoring tool. The FCA concluded that along with Commerzbank's failures in CDD and EDD processes, it also failed to address long-standing weaknesses in its automated tool for monitoring money laundering risks.

Similarly, in 2018 AUSTRAC fined Commonwealth Bank of Australia (CBA) $700 million for its AML/CTF compliance and risk management practices in relation to its Intelligent Deposit Machines (IDMs). AUSTRAC noted that inter alia, CBA did not comply with the requirement relating to monitoring of transactions, noting that it did not work as intended with respect to a number of accounts during a certain time period. As a result, CBA made a number of changes including upgrading its technology platforms and enhancing their controls. 
In order to better tackle transaction monitoring issues, an innovative program has recently been established by five major banks in the Netherlands (ABN AMRO, ING, Rabobank, Triodos Bank and de Volksbank) which allows them to collectively fight against money laundering and terrorist financing via joint monitoring of transactions.  The banks encrypt their transaction data and send it to a central function which then undertakes the monitoring and reports back to each bank or to the Dutch financial intelligence unit if necessary. This progressive approach serves as better practice in identifying suspicious patterns and trends in transaction activity that are part of a wider criminal scheme and would otherwise be difficult to identify for an individual bank with limited visibility. 

6. Suspicious Activity Reports (SARS)

The FCA noted that better policies and procedures are required around escalations, documentation and staff training in relation to SARs. Firms are expected to demonstrate their investigation, decision-making processes and rationale for either reporting or not reporting SARs. Ashurst recently published an article outlining AUSTRAC's guidance on submitting more effective suspicious matter reports (SMR). Specifically, the following should be considered when creating an SMR:

• full visibility of suspicious activity;
• effective description of red flags;
• documenting an appropriate crime type keyword;
• documenting ECDD actions performed and findings;
• including all relevant know your customer (KYC) information;
• clear and structured reporting; and
• timely SMR submissions.

Further details on each requirement are outlined in the article. 

Emerging Findings from the United States Regulators

The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) are the FCA's counterparts in the United States. FINRA's annual findings report on the Examination and Risk Monitoring program and the SEC's bulletin note several control failings in the AML frameworks. Some of the emerging issues are highlighted below. 

Low priced securities and other fraud with Omnibus Accounts

The SEC has cautioned firms about the risks arising from illicit activities associated with transactions in low-priced securities through omnibus (nominee or nested) accounts, where the identity of a foreign financial institution’s underlying customer or the ultimate beneficial owner of the funds and securities are unknown to a firm because of the omnibus account structure. Even though, the ultimate beneficial owner in this case may not be the firm's "customer" for the purposes of CDD and EDD rules, there are circumstances where this information needs to be considered as part of the firm's AML control framework. Some of the red flags below may denote high risk situations and therefore require further due diligence.

• An account is opened in the name of a foreign financial institution, that sells shares of stock on an unregistered basis on behalf of customers.
• The account is using a master/sub structure, which enables trading anonymity with respect to the sub-accounts’ activity, and engages in trading activity that raises red flags.
• There is a sudden spike in demand and price in, a thinly traded or high risk security.
• The customer’s activity represents a significant proportion of the daily trading volume in a thinly traded or high risk security.
• The customer is domiciled in, or is doing business in a jurisdiction that is known as a bank secrecy haven, tax shelter, high-risk geographic location.
• The customer for no apparent reason engages in transactions involving certain types of riskier securities, such low priced securities or bearer bonds, which although legitimate, have been used in connection with fraudulent schemes and money laundering activity.
• A customer buys and sells securities with no discernable purpose or circumstances that appear unusual.
• Two or more unrelated customer accounts at the firm trade an illiquid or higher risk securities suddenly and simultaneously.
• The customer appears to buy or sell securities based on advanced knowledge of pending customer orders.

Therefore, firms need to take further due diligence where trading occurs through omnibus, nominee or nesting accounts, especially where red flags are present.

Due Diligence in Restricted Markets

In addition to transacting in omnibus accounts in high risk securities, firms should also conduct reviews for foreign nominee accounts that appear to have been opened to invest in the initial public offerings, and subsequent aftermarket training, in products, or in markets that are restricted. FINRA specifically outlined the required due diligence where accounts are opened at the discretion of others, or multiple accounts are opened using the same foreign bank or multiple accounts are opened with the same employer and email domain. However, more broadly, FINRA's findings suggest that firms should be more diligent in designing controls that monitor trading in restricted or emerging markets. 

Ashurst regularly advises and assists financial institutions with the performance of gap analysis across a broad range of risks, including anti-money laundering frameworks.

Authors: Tanya Raitsina, Director; Tim Brookes, Director; Ruby Hamid, Partner; Neil Donovan, Senior Associate; Samantha Carroll, Counsel; and Kim Yen Nguyen, Associate.