Amongst the numerous other posts on the subject I wanted to share my views on the € 775 million fine imposed on ING by the Netherlands Public Prosecution Service (NPPS) for money laundering offences as announced on 4 September.
There is a lot to be said about the cascade of CDD deficiencies that lead the bank to leave significant proceeds of crime undetected, but I shall resist for now the temptation to dive into them.
Instead I’d like to focus on the enforcement action itself and why, far from being yet another fine in what is becoming regular headlines, it represents an extraordinary turn of events in the EU. I look forward to your comments and views in return.
As a start I would suggest a read of the actual settlement agreement and the accompanying statement of facts, with kudos to the NPPS for providing an English translation: https://www.om.nl/actueel/nieuwsberichten/@103952/ing-pays-775-million/
A criminal penalty
Enforcement actions for AML failures have been limited in Europe in number and amounts compared to the US, and the UK FCA’s enforcement action of January 2017 for £ 163 million against Deutsche Bank constituted the first sizeable punishment of a bank for its ongoing CDD/AML deficiencies. But this was a civil penalty imposed by a financial regulator for Compliance shortcomings where the criminal nature of funds involved was not established in the enforcement notice.
First, the ING case is fundamentally different as it is a criminal penalty where ING was found guilty of having committed money laundering. The settlement agreement states that:
“On the basis of the criminal investigation, the Netherlands Public Prosecution Service believes that ING, in the period from 2010 up to and including 2016, committed criminal offenses that arose from shortcomings in (the implementation of) its FEC CDD policy, as revealed in the Houston investigation (including the insufficient or inadequate operation of its internal client and transaction monitoring system), namely a violation of Articles 3, 5, 8 and 16 of the Anti-Money Laundering and Counter Terrorism Financing Act […], punishable under Article 2(1) of the Economic Offenses Act […], and doing so habitually as specified in Article 6(1) under 3 EOA, as well as culpable money laundering (Article 420quater of the Dutch Criminal Code […], as specified in Part II of Annex 1;
There are two specific money laundering offences at play:
- Deficiencies in implementing the preventive measures of the Dutch AML/CFT act, which would normally carry only civil penalties. I have not been able to source an English version of the Dutch Economic Offenses Act but the wording suggests a criminal offence of failure to prevent economic crime.
- An explicit offence of failure to report suspicious activity as the deficiencies in AML controls led to an inability to detect suspicious activity where there were reasonable grounds to suspect money laundering (Note here the unambiguous application of an objective test of suspicion arising directly from the investigations into the criminal activities of ING’s clients): “ING NL should have reasonably suspected that some of the cash flows through its clients’ bank accounts originated from some form of crime”
Second, the criminal penalty includes a disgorgement of € 100 million, corresponding not to revenues from business with illegitimate clients (the NPPS states it doesn’t know that number) but to costs that the bank saved by not sufficiently spending on AML controls. In many institutions BAU budget constraints remain a prime impediment to fixing AML/CDD controls and creating a cost-efficient, customer friendly and risk-oriented FCC infrastructure.
There is to my knowledge no precedent of a national authority imposing a material penalty for failure to dedicate adequate financial resources. This is to be read in conjunction with the criticism expressed by the NPPS for a culture of “business over Compliance”.
Law enforcement challenging regulatory and governance standards
Third, The Dutch law enforcement authorities chose an out-of-court settlement instead of a court prosecution, hence reaching a faster set of outcomes (money in public coffers, clear warning sign to the rest of the industry, asserting authority). This is typical of what US law enforcement authorities have been doing and the NPPS is explicit about the deterrent effect it is pursuing.
The out-of-court settlement also saves the regulator (DNB) the necessity to explain in the public eye why it did not take decisive enforcement action of its own even though ING is a systemically important bank (and the only one in the Netherlands).
While the NPPS goes to great length to recall the various warnings and redresses issued to the bank by the DNB and stresses its collaboration with the DNB in the investigation itself, the fact that a law enforcement authority is taking upon itself to dive into the regulatory failures of the bank and its consequences of indirectly supporting financial crime is a turning point. The statement of facts, probably written in collaboration with the DNB, shows a clear and precise command of detailed regulatory requirements for CDD reminiscent of US cease & desist orders.
This development is also symptomatic of a mounting loss of patience with European regulatory authorities’ difficulties in enforcing Compliance standards on the continent, including due to the fragmented nature of national supervision frameworks and the lack of effective pan-European capacity. A recent article from the FT addresses this point: https://www.ft.com/content/0b2476e4-b02b-11e8-99ca-68cf89602132
Fourth, the responsibility of senior management at the bank is clearly called out (the bank’s management has unequivocally acknowledged their part in the situation). While a long series of technical CDD deficiencies are identified, the NPPS makes it clear where accountability rests:
“There was a lack of awareness, also among the senior management involved, of the importance of soundly carrying out of this policy. There was also a lack of awareness about the extent to which ING NL continued to underperform in terms of meeting its legal obligations for many years; the ‘tone at the top’ did not sufficiently buy into the importance of the proper carrying out of AML/CTF Act obligations”.
As for specifics, this lack of attention from the top resulted in:
- the commonly accepted governance model of 3 lines of defence operating inefficiently in silos and diluting personal accountability
- the lack of sustainability in remedial actions undertaken by the bank, seeking short term fixes over future-proof solutions
- a lack of Compliance culture, manifest in poor escalations and “business over Compliance” behaviours
What to expect
If prosecutors are bound to take a more proactive, US-style stance in AML enforcement, what should banks’ board of directors and senior management expect? I would suggest:
- Higher amounts of settlements – when a criminal offence is established as opposed to a civil one with lower tests of wrongdoing, the amounts will necessarily be higher. € 775 million will make boards rethink their involvement in FCC. Note the amount is not tax deductible and at a 25% corporate tax rate in the Netherlands, ING shareholders are effectively looking at a billion Euros impact on the bottom line.
- Of course this amount does not include the hundreds of millions in legal bills, remediation actions, hurried transformation programmes, lost opportunities, direct loss of business, staff turnaround and other associated syndromes
- Investments and ongoing expenditure on sustainable systems and controls will be expected. If focusing on short term cost savings is the current strategy, bank directors should be invited to look again at the numbers and where saving € 100 million led ING to.
- Similarly, if the strategy is to focus on short term remedial actions (which can themselves be very costly), bank directors should re-evaluate priorities in light of the impact of failing to sustainably implement financial crime prevention measures.
- Criminal liabilities – the Dutch prosecutor’s office was explicit in stating that no individuals were found personally guilty, but the warning shot has been fired. Unless banks change course there is a risk of criminal indictment for senior management or board members beyond the body corporate.
- This is compounded by the identified weakness of the 3-lines of defence model which is only as effective as senior management wants it to be, with tone from the top, availability of resources and active board support being essential to its success. Directors will soon be asked to demonstrate a clear understanding and ownership of financial crime risks. On this topic please see the survey by Alix Partners: https://www.alixpartners.com/insights-impact/insights/2017-global-anti-money-laundering-and-sanctions-compliance-survey/
- Regulators are unlikely to watch from the side-lines as political authorities are bound to question the effectiveness of the supervisory process. Similarly to what happened in the US after the historic HSBC fine, expect regulators to start touring banks much more proactively, testing AML systems and controls much more systematically and demanding best-in-class AML infrastructures.
What should be done
In the light of this extraordinary turn of events, what should boards of directors and senior banking leaders do? I would suggest the following to-do list:
- Understand the issues, risks and liabilities related to financial crime as a board, not leaving these matters to the head of the audit or compliance committee, and ensuring senior, experienced Compliance presence on the board. Also, putting to use the experience of their own bank or that of peers in the US will be beneficial.
- Think in terms of financial crime prevention, not only regulatory compliance. The investigation into ING was intelligence-led and arose from criminal inquiries into actual proceeds of crime flowing through the banks’ customers accounts, not as a result of regulatory supervision (even though the supervisory process did play a role in demonstrating a history of insufficient attention to the issue)
- Implement the risk-based approach (RBA) by ensuring that firm-wide risk assessments are complete and up-to-date, with thorough and complete evaluations of internal controls. The EBA risk factor guidelines on CDD provide the framework for such risk assessments and operate on a comply-or-explain basis, making the RBA non-optional.
- Review high risk businesses such as correspondent banking and trade finance, and international retail networks including in the EU (refer to the Danske Bank case if this is still a subject of debate)
- Ensure the second line is unequivocally equipped with the resources, independence, authority and backing from the top to enforce the FCC programme
- Prioritize FCC controls and sustainable expenditure in the first line by holding the business lines accountable for effective financial crime risk management, as opposed to pressurizing Operations for cost reductions
How we can help
This post would not be complete without a brief mention on how we can support banks’ senior management’s efforts in avoiding similar issues. For a range of effective advisory, training and capacity building solutions visit Efficiency Management Consulting and contact us with your requirements.
In particular our training programme CDD FROM THE TOP is specifically designed for board members and senior executives seeking to gain a rounded understanding of the dynamics of financial crime prevention, their risks and liabilities and the practical road to success. Contact us today for a first conversation.
I look forward to your comments.