If NatWest, one of the UK’s ‘big four’ banks, finds it hard to comply with money laundering laws, what hope is there for the rest of us? The facts behind the first ever prosecution of its kind suggest some pointers for aspiring banks, and others in the regulated sector.
‘Know Your Customer’ is Not a One-Off Task
The guiding principle of money laundering regulations (MLRs) for banks, and other regulated businesses, is ‘Know Your Customer’ (KYC). But too often this is interpreted as a one-off task to be done when ‘on-boarding’ – in banks’ case, opening a first account. The beginning of NatWest’s problems with Fowler Oldfield, then a family-run jeweller in Bradford, with a projected turnover of £15m a year, was arguably when it first committed its understanding of that business to a standard KYC form.
While the bank rightly recognised the risks of businesses that dealt in gold and precious metals, its relationship manager and compliance function were reassured by Fowler Oldfield’s assurance that its customers would pay in electronic funds, not cash. It would use cash to pay its suppliers, but this would be purchased from a reputable source (initially Travelex, later G4S). With those parameters, and given the law at the time, the bank was not criticised for its initial decision to take on the customer.
The problem was that, over time, these parameters changed significantly. The company acquired new directors, ballooned in size, and then started selling gold, in large volumes, in exchange for cash. The bank’s systems required, in theory, those KYC basics to be reviewed in response to such changes, and at periodic intervals. But those systems failed, so that both its relationship manager (on a personal level) and its compliance function (institutionally) never really seemed to adjust to the new reality. In short, they didn’t truly know their customer anymore.
‘Risk Assessment’ Requires Common Sense
The point of KYC information, updated or not, is not to sit there on a file, but to equip a regulated business to assess the risks from a transaction or business relationship. Assessing risk is perhaps the most important function under the MLRs, and it does require some expertise, helped by guidance from industry and from law enforcement.
For experts, an interesting feature of the Fowler Oldfield case is how laws and guidance on businesses involving cash and precious metals have changed over time. Since 2013, when this account was opened, there have been numerous alerts about the use of gold as currency and in tax fraud, while the MLRs have been tightened up for businesses that buy for cash, and that trade in gold and other precious metals.
It did not, though, need an expert to spot that Fowler Oldfield had started paying in vast quantities of bank notes (some Scottish, though it had no business there), which in some cases literally stank – having grown mouldy from years of being stored away, for reasons that were unexplained and unexplored.
These common-sense observations prompted internal reports, but they were overridden by automated processes – including a change that standardised the business’ category as ‘trader in metals’, rather than one that recognised its particular risks – and by the relationship manager, who stuck to the line that such uses of cash were consistent with the nature of the business.
Regulated Customers are High Risk Customers
Among other things, the moment when Fowler Oldfield started selling for cash, as well as buying for cash, was significant for legal reasons. At the time (though this has since changed), the definition of a ‘High Value Dealer’ (HVD) in the MLRs captured the former, though not the latter. So, Fowler Oldfield itself was obliged to comply with the MLRs, including doing KYC on those customers that paid it in cash.
The apparent perspective of the relationship manager on this is very interesting, in part because it reflects a widespread attitude of regulated businesses towards regulated customers. Asked about its compliance with the MLRs and its relationship with HMRC (which supervised such compliance, though not, it seems, very well), Fowler Oldfield claimed both were excellent. It provided a copy of its registration certificate, named a local law firm that handled its KYC processes for it, and said that it regularly met with HMRC, which always gave it a clean bill of health. (It even added, with peculiar bravado, that HMRC itself relied on Fowler Oldfield’s expertise in some matters.)
Setting aside for a moment the question of whether these claims were true, it is striking how the fact that this business now had to comply with the MLRs, to be supervised and to seek legal help, seems to have fed into the process of NatWest’s risk assessment. The temptation, perhaps, is to think that a business’ regulated status inherently makes it more respectable, more trustworthy, less risky. But the truth is that businesses like Fowler Oldfield (and, indeed, NatWest itself) need to be regulated precisely because they pose a risk; their compliance with the MLRs should never be taken for granted.
Due Diligence is about Checking, Not Trusting
The registration certificate that Fowler Oldfield provided to NatWest was out of date. The law firm it had approached for advice did not, in fact, undertake KYC checks on its behalf. The meetings it had had with HMRC had not been about its compliance with the MLRs, but about its suspected involvement in tax fraud. Far from being given a clean bill of health on this score, it had been subjected to a significant penalty for making tax reclaims that it ought to have known arose from fictitious transactions.
How does a ‘big four’ bank manage to be fooled in this way? By trusting its relationship manager, who in turn it seems trusted his customer, and not checking any documents or details they were given. The process of customer due diligence (CDD) – particularly ‘enhanced’ due diligence (EDD), which the MLRs require for higher risk customers – can be awkward on an inter-personal level, as well as resource-intensive, with intrusive questions about sources of wealth and beneficial owners, and (for regulated customers) about their own KYC processes, CDD, EDD and the like. It may be tempting for a relationship manager simply to accept what they are told, and for a bank not to intrude by looking over that manager’s shoulder.
The logic, though, of CDD and EDD is that the information and the documents gathered can, and (on occasion, at least) should be independently verified. The reason why registration documents have dates on them is so that the person receiving them can see when they have expired. A business’ instructions to lawyers may be protected by professional privilege, but it can also instruct its lawyers to confirm to its bank the nature of work they do. Meetings with HMRC may be confidential, but their regularity and subject matter can be confirmed or denied. That may take a bit of work, but as this case shows, the cost of not doing it can also be high.
‘Monitoring’ is Not Just ‘Watching’
The MLRs suggest a logical process, starting with initial KYC, risk assessment, and CDD or EDD, and then progressing to decisions and actions under a heading of ‘ongoing monitoring’ of a business relationship. The main headline of this case is a failure in that latter category: having taken on this client legitimately, NatWest failed to keep an eye on it. It’s worth untangling precisely what this means.
The nature of a bank, more so than most regulated service providers, is that it can see a great deal of detail about its customers’ ongoing business, even without having to ask them any questions. NatWest did, in fact, have some insight into the changes in the products traded by Fowler Oldfield, and its customer base, and of course saw the raw numbers of increased revenue, while its staff physically saw, touched, and smelled the bank notes represented by those numbers.
The problem, then, is not so much about what NatWest’s staff and systems knew, but about the way the system was set up to respond to that information. The function of ongoing monitoring is to be alert and to pay attention to things that might have significance, and to prompt thinking by suitably qualified people about what those things might mean. Should huge numbers of mouldy bank notes change the bank’s view about this business’ risks? Although the answer is surely obvious, the bank’s systems didn’t make that happen. Why?
Each ‘Line of Defence’ is a Chance to Fail
Part of the answer is in the concept of the ‘three lines of defence’, which is commonly understood in the regulated sector to mean that compliance with the MLRs is the job of three sets of people, broadly speaking: the ‘front line’ personnel (who keep an eye on risks and escalate them where appropriate); the compliance function (who assess internal reports and escalate to law enforcement); and internal audit (who check that the first two lines are working).
In terms of personal legal risks, this concept approximates to the different obligations on ‘front line’ staff to make internal reports, and on the ‘nominated officer’ of a regulated firm to report to law enforcement. In a large firm like NatWest, the practical reality is that a lot of bureaucratic layers prevent issues like Fowler Oldfield’s reaching the ‘second line’ stage of attention by the ‘nominated office function’, let alone the stage where an individual officer faces criminal liability if they don’t make an external report.
The result is that the ‘three lines’ concept, which might suggest a level of comfort that these things are being looked at from multiple angles, becomes less benign. ‘Front line’ staff, including initial assessors of whether the nominated office should be informed, end up being blamed for failures such as those seen in this case, with the supposed controls of the second and third lines applied too weakly and too late. While this prosecution was presented as a failure of the ‘first line’ function, in truth it reflects badly on all three lines, and on the ‘three lines’ concept itself.
Automation is Risky
Another truth that flows logically, if not perhaps inevitably, from the sheer size of NatWest’s operation is that hugely important decisions for this customer – and, it must be acknowledged, for countless others – were taken not by human beings but by machines. Indeed, even the human beings needed to work within machines, following processes (including making and responding to internal reports) that encouraged box-ticking rather than thinking.
For those of us who approach such technological progress sceptically, this case provides ample evidence for the adage that while humans can occasionally make stupid decisions, the most egregiously stupid decisions require a computer. As well as the misdescription of Fowler Oldfield’s business, which prompted its recategorisation as ‘low risk’, NatWest’s computers also managed to mischaracterise cash deposits as cheques, and inexplicably switched off various other automated alerts that would and should have brought the heightened risks of the business to the nominated officer’s attention.
As ever, the apportioning of blame between system design and human error in this case, attempted to some extent in a lengthy statement of facts agreed between NatWest and the Financial Conduct Authority (FCA), swiftly becomes a numbing, sterile exercise in tedium, replete with acronyms and jargon. Fundamentally though, the point is that the automation, for reasons of practicality or cost, has diluted the value of the exercise so much that it overrides the common sense of any intelligent human being.
Prosecutions are Possible
The egregious nature of this failure explains, of course, why the FCA chose to prosecute NatWest, rather than pursue it (as it normally would) through the regulatory process. Or does it? What’s striking is that a case that, on its face, relates only to one customer reveals a set of systemic failures that has surely had much broader effects. NatWest’s criminal convictions, and the financial penalties imposed for them, notably relate to the former, not the latter.
The more pertinent feature of the Fowler Oldfield case, perhaps, is that various people associated with the business have been the subjects of criminal investigation. Some have been convicted and sentenced, while others’ cases are still ongoing. It may be fair to say that more detail of the bigger picture will be revealed when these other aspects are settled.
In a case where individuals are being pursued in the criminal courts, perhaps the FCA’s judgement call was that it couldn’t be seen to treat NatWest’s part in it too leniently. Indeed, if it had been a smaller bank or a single regulated individual, the banker to an alleged launderer on such a scale might be expected to stand (literally or figuratively) in the same dock, to face justice in the same courtroom. It is, arguably, NatWest’s size and institutional clout that has enabled it to deal with this case – agreed facts, guilty pleas, measured sentencing remarks and all – in the relatively light-touch way that it has.
Nevertheless, the result of this case is that NatWest – for the time being, uniquely – stands convicted of breaching the MLRs, a criminal offence. Time will tell whether this makes a difference to its reputation or its future conduct, or whether it is followed by more such cases, either from the FCA or from other regulators. But for businesses that are caught by the MLRs, and the individuals who work for them, it is certainly an event worth marking.
Taking a step back to look at the detailed failures of the case, perhaps the most important lesson is that systems designed to comply with the MLRs can fail – indeed, by diluting the effectiveness of human oversight, can actively enable laundering activity – if they lose touch with what the MLRs are meant to be about. For all of us involved in compliance functions, the case reminds us that it should not, despite appearances, be about a daily grind of box-ticking and form-filling, in service to the machine. Instead, it must be about applying our minds – and expending efforts, at times questioning the system, as well as working within it – to the vital job of stopping launderers in their tracks.