FCA concludes first AML prosecution of a bank

• United Kingdom

• Fraud and financial crime
• Financial services

14-12-2021

The FCA’s first prosecution of a financial institution under the Money Laundering Regulations 2007 (“MLR 2007”) has ended with National Westminster Bank PLC (“NatWest”) being ordered to pay a total of over £269 million.

At a hearing in October, NatWest pleaded guilty to offences relating to failures to adhere to ongoing monitoring requirements set out in MLR 2007. The action was based on payments of approximately £365m through accounts held by Fowler Oldfield, a company involved in buying and selling gold. The £264m fine imposed closely matches the amounts deposited in cash into Fowler Oldfield’s accounts between November 2011 and June 2016. This involved daily deposits of up to £1.8m in cash. NatWest had initially declined to open accounts for Fowler Oldfield. When it did so, it had agreed that it would not accept cash deposits and received indications that Fowler Oldfield’s annual turnover would be approximately £15m. The FCA argued, and NatWest accepted, that discrepancies between anticipated and actual cash deposits ought to have been identified and acted upon as part of NatWest’s anti-money laundering (“AML”) systems and controls.

The fine imposed was reduced by one third (from £397m) to reflect NatWest’s guilty plea.

Commentary

At an earlier hearing, the FCA suggested that the fine imposed could be as high as £340m. Although some way short of that figure, this fine significantly exceeds any the FCA has yet imposed for AML related breaches using its own regulatory enforcement powers. The size of the fine imposed at the end of the criminal enforcement process, whilst very substantial, is arguably less significant than the decision to commence that process and the key messages that the FCA will consider it has reinforced by doing so.

The Judge’s detailed sentencing remarks and the accompanying statement of facts resonate strongly with many themes about standards of ongoing monitoring emphasised by the FCA in Final Notices and other publications. In particular, describing the breaches of regulations 8(1), 8(3) and 14 of MLR 2007, the Judge calls out inadequate scrutiny of transactions by staff responsible for managing the relationship with Fowler Oldfield, characterised by a lack of corroboration or critical assessment of explanations for such large cash deposits or apparent changes in business model, failures properly to review the relationship following trigger events such as changes in transaction patterns or appointments or resignations of directors and an absence of checks on the company’s risk rating. The Judge also describes failures in the automated transaction monitoring system used, including the erroneous treatment of cash deposits as cheques, shortcomings in the way in which alerts generated by the automated system were investigated and a lack of effective periodic reviews.

In this case, it appears to have been accepted that inadequacies in these and other areas contributed directly to the incorrect categorisation of Fowler Oldfield as a low risk customer, which in turn meant that an inappropriately low level of ongoing monitoring was applied to its accounts. Although shortcomings appear to have manifested particularly acutely in this case, it is not the first in which substantial penalties have resulted from failures adequately to identify or respond to AML related red flags attributable to insufficiently strong oversight and challenge – either within the first line of defence or of the first line by the second line.

The case highlights the critical importance of undertaking and properly documenting periodic reviews of the nature and purpose of business relationships as required by MLR 2007 or its successor legislation, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”) (together “MLR”). Although it is the first time the message has been reinforced in the criminal courts in a case involving a bank, the case adds to an established line of decisions emerging from the FCA in which it has emphasised the need to guard against over-reliance on relationship managers for the purposes of identifying and responding to suspicious activity on customers’ accounts.  

Whilst in this case the FCA considered that in this case significant and protracted breaches justified a criminal prosecution, we do not expect criminal prosecutions for breaches of the MLR to become the norm. Indeed, in October 2021, in response to a Freedom of Information request made of it by Eversheds Sutherland, the FCA indicated that:

• it only had one single track criminal investigation ongoing into breaches of the MLR 2007
• it had no single track criminal investigations ongoing into breaches of the MLR 2017
• it is currently investigating four dual track investigations into breaches of the MLR 2007 and/or 2017
• it has discontinued five single track criminal investigations and four dual track investigations into breaches of the MLR since July 2020.
• the oldest open case was opened in December 2016

These figures are suggestive of a careful approach to case selection by the FCA, with an emphasis on reserving its criminal enforcement powers for cases which it considers involve particularly egregious conduct and which will help it to project key enforcement messages and build precedents. The FCA is likely to be emboldened in future cases by the recovery of substantial costs in this case (amounting to over £4m, including nearly £1.8m in “internal FCA costs”). Similarly, it will consider that the imposition of a confiscation order requiring the repayment of sums equal to all fees and charges received in connection with NatWest’s relationship with Fowler Oldfield sets a helpful precedent (not least because a proportion of those sums flow back to it as the investigating authority).

In this case, the FCA did not prosecute any individuals in respect of AML failings. It may well take a different approach in future cases, particularly where those cases concern smaller institutions where responsibility for breaches may more easily be attributed to senior executives.

The FCA will regard this case as a salient reminder to institutions of all sizes (and individuals within them) of its clearly articulated expectations in relation to AML compliance. Whilst prosecutions for breaches of the MLR will remain the exception rather than the rule, this case will not be the last of its type.