|
On 13 September 2022, the Central Bank of Ireland (the Central Bank) reprimanded and fined Danske Bank A/S, trading in Ireland as Danske Bank, €1,820,000 pursuant to its Administrative Sanctions Procedure for three breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, as amended (the CJA).
The three CJA breaches stem from the failure by Danske Bank A/S (Danske) to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customers of its Irish branch1, for a period of almost nine years, between 2010 and 2019. The root cause of this failure was historic data filters that were applied within Danske’s automated transaction monitoring system, first implemented in 2005 and rolled out to the Irish branch in 2006. Danske failed to consider the appropriateness of these historic data filters within the system or make any adjustments to the system to take account of the specific requirements of the CJA when it came into force in Ireland in 2010. This led to the erroneous exclusion of certain categories of customers from transaction monitoring, including some customers rated by Danske as high and medium risk, which caused the three breaches of the CJA in this case. In May 2015, Danske became aware, as a result of an internal audit report, of the inadequacies in its transaction monitoring system and the nature of the risks they posed, yet it failed to notify the Irish branch of these issues and to take adequate action for almost four years. It is estimated that between 31 August 2015 and 31 March 2019, 348,321 transactions, equating to approximately one in forty or 2.43% of all transactions processed through the Irish branch were not monitored for money laundering and terrorist financing risk. The Central Bank has determined the appropriate fine to be €2,600,000, which has been reduced by 30%2 to €1,820,000 in accordance with the early settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure (ASP). This is the first penalty that the Central Bank has imposed on a financial institution which is incorporated and supervised outside of Ireland (i.e. in Denmark) but which operates in Ireland as a branch on a passport basis3. The Central Bank has responsibility for Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) supervision of Danske’s branch operations in Ireland. The three breaches comprised of failures by Danske under the CJA relating to:
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seana Cunningham, said: “The importance of transaction monitoring in the global fight against money laundering and terrorist financing cannot be overstated. It is imperative that firms implement robust transaction monitoring controls which are appropriate to the money laundering risks present and the size, activities, and complexity of their business. These controls must be applied to all customers, irrespective of their risk rating, as they enable firms to detect unusual transactions or patterns of transactions and where required apply enhanced customer due diligence to determine whether the transactions are suspicious. The Central Bank recognises that while firms may rely on automated solutions for transaction monitoring, they must ensure that systems employed for this purpose are appropriately monitored, and calibrated correctly to take account of the actual money laundering or terrorist financing risk to which the firm is exposed. In this case, the transaction monitoring system used by the Irish branch was a Danske group wide automated system that had applied historic data filters which operated to erroneously exclude certain categories of customers from being monitored for a period of almost nine years. This led to the serious breaches in this case. This case highlights the requirement for firms, including those operating in Ireland on a branch basis, to ensure that group systems, controls, policies and procedures are compatible with Irish legal requirements and to ensure that their governance framework and risk management measures operate effectively. These should be risk-based and proportionate, informed by firms’ business risk assessment of their money laundering and terrorist financing risk exposure. Danske became aware that its automated transaction monitoring system erroneously excluded certain categories of customers in May 2015 but failed to rectify it or notify the Irish branch or the Central Bank of this issue. It was only in October 2018 when the Irish branch identified the issue that steps were taken to rectify it, which were completed in March 2019. However, the Central Bank was not informed of the issue until February 2019. The failures to rectify the issue and to notify the Central Bank promptly are aggravating factors in this case. The Central Bank expects firms to bring failures to its attention at the earliest opportunity and to act expediently to address identified errors. The Central Bank will hold firms, including those operating in Ireland on a passporting basis, fully accountable where they fail to take such actions. Anti-money laundering and countering the financing of terrorism compliance is, and will remain, a key priority for the Central Bank. This case demonstrates our willingness to pursue enforcement actions and impose sanctions where firms fail in their anti-money laundering/countering the financing of terrorism compliance.” Background Danske is a credit institution incorporated in Denmark and authorised there by the Danish Financial Supervisory Authority (the Danish FSA). It is the largest bank in Denmark serving personal, business, corporate and institutional clients and operates in a number of other countries via a branch network. Danske’s Irish branch operates on a ‘freedom of establishment’ basis i.e. because Danske is established and authorised in Denmark, it is entitled to ‘passport’ in to Ireland and establish a branch here. The Irish branch is not a separate legal entity to Danske, and it is for this reason that Danske is the named party in the enforcement action. Supervision of the Irish branch sits predominantly with the Danish FSA (as home regulator) but the Central Bank (as host country) regulates it for conduct of business rules and is responsible for supervision of compliance by Danske’s branch operations in Ireland with AML/CFT obligations under the CJA. Danske’s Irish branch predominantly provides banking services to large corporate and institutional customers including the public sector in Ireland4. Consequently, transaction volumes through the Irish branch, including cross-border funds transfers, are substantial. The Irish branch utilises a group wide automated transaction monitoring system that is implemented and managed by Danske from Denmark. The Legislative Framework The CJA requires a credit and financial institution to monitor any business relationship that it has with a customer to the extent reasonably warranted by the risk of money laundering/terrorist financing (ML/TF). ‘Transaction Monitoring’ forms part of a broader system of interconnected elements that comprise a firm’s defence against ML/TF and is an important method which assists firms in identifying high risk situations which may require enhanced due diligence on a customer. Firms are also required to adopt and maintain a system of policies, procedures and controls in relation to AML/CFT, and to monitor compliance with those policies, procedures and controls. Such policies, procedures and controls include, inter alia, those dealing with the monitoring of transactions for the identification and scrutiny of any complex, large or unusual patterns of transactions. The Investigation The Central Bank’s investigation confirmed serious inadequacies within Danske’s automated transaction monitoring system. Historic filters were applied to Danske’s automated transaction monitoring system which erroneously excluded certain categories of customers from transaction monitoring. This led to Danske being in breach of certain obligations under the CJA which gave rise to the three breaches in this case (see below under Prescribed Contraventions for further detail). The investigation found that the exclusion of certain categories of customers from transaction monitoring was first identified in a May 2015 internal audit report. The May 2015 internal audit report also identified inadequacies with Danske’s transaction monitoring policies for certain categories of customers. However, these internal audit findings were not communicated by Danske to either its Irish branch or the Central Bank. Steps were only taken to monitor the transactions of these customers in October 2018 when the Irish branch became aware of the issue, which were completed by the end of March 2019. The Central Bank was not informed of this issue until February 2019. To illustrate the scale of the failure to monitor, it is estimated that, during the period from 2015 to 2019 when Danske was aware of the issue, 348,321 transactions, equating to approximately one in every forty or 2.43% of all transactions processed through the Irish branch were not monitored. Danske has confirmed to the Central Bank that by the end of March 2019 it had fully deactivated the erroneous historic filters which gave rise to the breaches in this case. Danske has also confirmed that by April 2020, it completed a third party review exercise for the period 2016 to 2019. Danske has advised that the outcome of the review showed that the risk of suspicious transactions amongst those examined was very low. Prescribed Contraventions The Central Bank's investigation identified three breaches of the CJA, as set out below. Breach by failure to conduct transaction monitoring Between 15 July 2010 and 31 March 2019 Danske breached sections 30B(1)(a), 35(3) and 36A(1) (as applicable) of the CJA by failing to monitor the transactions of certain categories of customers for money laundering and terrorist financing risk. The failure meant that the Irish branch was not in a position to:
Breach in relation to enhanced customer due diligence measures Between 14 June 2013 and 31 March 2019 Danske breached section 39 of the CJA on the basis that by failing to conduct transaction monitoring on certain categories of customers, it did not take into consideration an important part of due diligence i.e. transaction monitoring data, which is necessary to identify and assess ML/TF risks specific to those customers and identify whether additional measures were required on these certain categories of customers. Breach in adopting ML/TF policies and procedures Between 15 July 2010 and 31 March 2019, Danske breached sections 54(1), 54(2) and 54(4) of the CJA on the basis that the policies, procedures and controls that were in place did not operate to identify the erroneous exclusion of certain categories of customers from transaction monitoring as set out above. The May 2015 internal audit report identified inadequacies with Danske’s transaction monitoring policies for certain categories of customers and Danske took some steps in 2015 to address this by introducing a new AML/CFT policy. Nonetheless, certain categories of customers continued to be excluded from transaction monitoring in the Irish branch. Penalty Decision Factors In deciding the appropriate penalty to impose, the Central Bank had regard to the Outline of the Administrative Sanctions Procedure, dated 2018 and the ASP Sanctions Guidance, dated November 2019. It considered the need to impose a level of penalty proportionate to the nature, seriousness and impact of the contraventions. The following particular factors are highlighted in this case: The Nature, Seriousness and Impact of the Contraventions Two of the breaches were ongoing for almost nine years, and the other was ongoing for almost six years. The breaches represent serious weaknesses in Danske’s internal AML/CFT controls. Monitoring transactions, ensuring that an important part of due diligence is taken into consideration to identify where additional measures are required, and having effective policies, procedure and controls are critical parts of a firm’s internal AML/CFT framework. Danske’s failures in this regard in respect of certain categories of customers that transacted through its Irish branch reveal serious weaknesses in these controls. From its May 2015 internal audit report, Danske became aware of the inadequacies in its transaction monitoring system, the nature of the ML/TF risks that they posed and that it was at risk of non-compliance with legal requirements. Despite this, Danske failed to take adequate action for almost four years or to inform the Irish branch of these internal audit findings. The breaches of the CJA after this point were reckless. The Central Bank considers that the breaches in this case represent a serious departure from the required standard. Two Aggravating Factors Failure to Report and Failure to Remediate promptly Danske was on notice of the inadequacies in its transaction monitoring system which erroneously excluded certain categories of customer from the time that they were uncovered in the May 2015 internal audit report but it did not report the matter to the Central Bank until February 2019, almost four years later. Furthermore, Danske continued to exclude certain categories of customers from transaction monitoring until March 2019. The Central Bank views both of these failures as particularly aggravating given the context of increased supervisory engagement it initiated in July 2018 with Danske following media reports of AML/CFT concerns in other jurisdictions in relation to Danske. Both of these failings are serious aggravating factors in this case. Other Considerations The following were also taken into consideration when determining the appropriate sanction:
1 This included a range of customers, including those categorised by Danske as banks, insurance, stockbrokers and specialised lending customers. 2 Further information is available on the Early Discount Scheme at point 4 of the Notes section. 3 In this case, Danske is “passporting in” to Ireland i.e. it uses an authorisation obtained in Denmark to sell its products or services in Ireland. The legal entity remains in Denmark, and it operates in Ireland by way of a ‘branch’. Further information on ‘passporting’ is available at point 8 of the Notes section. 4 This includes the Central Bank. Notes
0 Comments
Central Bank says firm failed to report suspicious transactions promptly.
Bank of Ireland has been fined €3.15 million by the Central Bank for breaches to laws aimed at countering money laundering and terrorist financing, including the failure to report six suspicious transactions to the Garda and Revenue Commissioners promptly. According to the Central Bank: "The high volume and range of breaches uncovered as part of the Central Bank's investigation into Bank of Ireland point to significant weaknesses in the strength of Bank of Ireland's implementation of anti-money laundering and counterterrorist financing legislation. “Such behaviour is unacceptable and falls far short of the standard expected of one of Ireland’s largest retail banks.” It marks the second-largest penalty issued by the Central Bank in relation to the Criminal Justice (Money Laundering & Terrorist Financing) Act, 2010. Ulster Bank was fined €3.325 million last November and AIB was ordered last month to pay €2.275 million for similar violations. Bank of Ireland’s admitted to breaches between July 2010 and December 2015. These include not carrying out adequate assessments of risks of accounts being used for money laundering or terrorist financing and putting in proper mitigating systems and controls, according to the regulator. Money laundering and terrorist financing have become a key area of focus for regulators globally recently, with authorities from South Africa to Canada levying multimillion euro fines in the past year for weak anti-money laundering and counterterrorism controls. “The fine . . . in this case relates to control breaches and not actual money laundering or terrorist financing activities,” a spokesman for Bank of Ireland said. Due diligence The Central Bank found Bank of Ireland failed to carry out sufficient due diligence on an unnamed bank outside the EU, which used it for financial transactions locally. This type of activity, known as correspondent banking, carries a high risk as the domestic bank has limited information on the purpose of financial services it has agreed to carry out for an overseas lender. The regulator’s investigation also uncovered failings in relation to Bank of Ireland’s requirement to know its customers. Specifically, the bank, which remains 14 per cent State owned after the financial crisis, did not apply sufficient customer checks on an overseas “politically exposed person” to determine their source of funds and wealth. A politically exposed person can be defined as an individual who is, or has at any time in the preceding year, been entrusted with a prominent public function. A spokeswoman for the regulator and spokesman for the bank declined to identify the individual in this instance. Bank of Ireland said it takes its regulatory obligations seriously and regrets that these issues arose.
AIB has been fined €2.275 million by the Central Bank for failing to report potentially suspicious monetary transactions promptly to the Garda and Revenue.
The financial regulator found AIB guilty of six breaches of anti-money laundering laws and legislation to ensure funding doesn’t make its way to terrorist organisations. It said the breaches were the result of “significant failures” in AIB’s controls, policies and procedures. This is the biggest fine levied against AIB by the Central Bank and follows a €3.325 million fine issued last year to Ulster Bank for similar breaches.
The Central Bank has reprimanded Ulster Bank Ireland and announced fines of more than €3.3m.
The fines are in respect of anti-money laundering and terrorist financing failures, under the Criminal Justice Act. A Central Bank investigation found the bank had had left itself vulnerable to money-laundering and terrorist financing. The breaches, which occurred over a six-year period, have been admitted by Ulster Bank Ireland. The fine is the biggest ever issued by the Central Bank for breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, and brings the total number of fines it has issued this year to various financial institutions to €7.5m, writes Noel Baker. Ulster Bank Ireland admitted the breaches and settled for the fine of €3.325m, with the Central Bank stating that all matters were concluded last Thursday. It has emerged that the breaches at the bank were linked to outsourcing and occurred over a six-year period, beginning in 2010. The Central Bank launched its probe into the problems last year and the resulting fine is the second time in recent years it has reprimanded Ulster Bank. In November 2014, Ulster Bank was hit with a record €3.5m fine for a serious IT systems failure in June and July 2012, which left 600,000 customers without essential and basic banking services over a 28-day period. In explaining the issuing of the latest fine, the Central Bank said its investigation had identified a number of areas of non-compliance with regulations and Central Bank director of enforcement Derville Rowland lambasted Ulster Bank over its failings. “Ulster Bank Ireland’s breaches are especially concerning as they point to unacceptable weaknesses in key aspects of its anti-money laundering framework, systems and controls over an extended period of time,” she said. “As one of the largest retail banks in Ireland, Ulster Bank Ireland provides a gateway to the financial system for more than one million customers through its extensive network of branches, online and telephone banking. “Therefore, it is imperative that it vigorously applies the highest levels of anti-money laundering compliance in order to protect, not only itself, but its customers and the wider financial system.” Ulster Bank has 1.1m customers, and since July 2010, has been required to comply with the CJA 2010. However, the Central Bank’s investigation identified eight breaches, including “two significant failings”: that it failed to put an outsourcing policy in place from July 15, 2010, for 11 months, and that it failed to put a service level agreement in place for 19 of the 25 outsourced activities when the outsourcing commenced. The Central Bank also said Ulster Bank failed to conduct an assessment of the ML/TF risks of its business for a period of over two years and that until April 2014, its risk assessment was inadequate as it failed to provide “any quantitative and/or qualitative evaluation of its exposure to the identified risk factors”. The probe also found that the bank provided new products to 64,900 customers without completing customer due diligence in circumstances where a relevant section of the CJA applied. There was also inadequate training for non-executive directors on CJA 2010 until 2013. This is the Central Bank’s seventh settlement in 2016 and brings the total amount of fines imposed this year to just over €7,45m. It is the 104th enforcement case concluded by the Central Bank, with the amount of fines imposed to date totalling over €49.72m.
The Central Bank of Ireland has reprimanded and fined the Dublin-based life assurance arm of Swiss bank UBS after it failed to comply in a timely manner with anti money-laundering legislation introduced in 2010.
The CBI said it had fined UBS International Life Limited (UBSIL) 65,000 euros ($81,900) for failing to instruct its staff on changes to the law embodied in the Criminal Justice Act 2010. This is the Central Bank’s first administrative sanction for non-compliance by a regulated firm with anti-money laundering and counter terrorist financing laws which came into force in July 2010 said Peter Oakes, the Central Bank of Ireland's top investigator and enforcer. The law, which came into force in July 2010, is designed to protect Ireland's financial system from exposure to money laundering and terrorist financing, the CBI said. The CBI also said UBSIL had failed to show it was adequately checking information on policy holders provided by third parties, thus failing to comply fully with "know your customer" requirements. UBSIL had also failed to adopt adequate written policies and procedures for identifying and reporting suspicious transactions, the CBI said. "The breaches identified related to delays by UBSIL in implementing certain requirements of the act after it was implemented on 15 July, 2010," said UBS in a statement, adding that it had dealt with all the control weaknesses identified. A spokesman for UBS said UBSIL had worked closely with the CBI to redress the control weaknesses, and had received a near 30 percent discount on the fine originally proposed as a result, adding that UBSIL had not committed any contraventions in doing business. The Central Bank of Ireland also issued a general comment from Director of Enforcement, Peter Oakes: “This is the Central Bank’s first administrative sanction for non-compliance by a regulated firm with anti-money laundering and counter terrorist financing laws which came into force in July 2010. Firms must adopt robust and effective policies and procedures to prevent and detect money laundering and terrorist financing including ensuring that policies, procedures and business practices are updated in timely manner on foot of changes to regulatory requirements. Furthermore, such policies and procedures must be appropriate to the nature of, and risks associated with, a firm’s operations, including its local and international distribution models as well as the types of financial services and products sold or distributed. Firms are reminded that AML/CTF requirements must have, like other important governance issues, a home on the boardroom agenda. We have said previously that we have identified many instances where firms do not appear to have comprehensively reviewed their business models to assess the impact of the CJA 2010 on their businesses nor devised or deployed effective implementation plans. It is important for the integrity of the Irish regulated market and the international fight against financial crime that both European and global money laundering and terrorist financing obligations are complied with. Where the actions of a firm undermine the Central Bank’s achievement of local statutory and international obligations the firm should expect that enforcement action will follow, especially where the breach falls within our stated Enforcement Priorities and Enforcement Strategy, to which we attach high priority”. https://www.centralbank.ie/docs/default-source/news-and-media/legal-notices/settlement-agreements/public-statement-relating-to-settlement-agreement-between-the-central-bank-of-ireland-and-ubs-international-life-limited.pdf?sfvrsn=6 |
AuthorOn this page you will find a selection of links to articles useful for AFC training. Archives
January 2025
Categories
All
|
RSS Feed