Santander’s festive £107m penalty: what can we learn from the FCA’s latest AML enforcement?
3 Jan 2023
As the Financial Conduct Authority imposes a £107m penalty on Santander bank for breaching its anti-money laundering rules, Hickman & Rose barrister Tom Bushnell asks, in a blog, what this means for other banks’ AML efforts.
On 8th December 2022, the FCA announced it had imposed a nine-figure financial penalty on Santander UK Plc for failing to properly adhere to its anti-money laundering rules.
The £107,793,300 penalty came almost exactly a year after another high street bank – this time NatWest – was fined £264,772,619 after it pleaded guilty to three offences under the Money Laundering Regulations 2007.
Before NatWest, HSBC and Standard Chartered Bank were also on the receiving end of multi-million-pound FCA penalties for AML weaknesses.
But other than positive headlines for the FCA – and financial headaches for the banks – what does this latest penalty on Santander mean? What can lawyers and AML professionals learn from it?
The Santander penalty
Santander was found by the FCA to have breached Principle 3 of its Principles for Businesses. Principle 3 requires that a firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.” Sitting beneath that in the FCA’s handbook is SYSC, or Senior Management Arrangements, Systems & Controls. The relevant parts of SYSC requires firms like Santander to have systems and controls to meet the firm’s regulatory obligations and prevent the firm being used to further financial crime. “Regulatory obligations” here includes the Money Laundering Regulations (2007 and 2017, the “MLRs”). For a more detailed discussion of the FCA’s powers in this area, see this recent blog by my colleague Olivia Dwan.
The FCA found AML weaknesses in Santander’s Business Banking portfolio. These included failures to share relevant AML information between different parts of the business, and failures to obtain sufficient information about customers when onboarding them.
Those weaknesses continued during the lifetime of customer relationships: the FCA found that Santander lacked “an effective framework within Business Banking for ongoing customer monitoring.”
Ongoing monitoring is the obligation under the MLRs to scrutinise transactions during the course of a customer relationship, and to keep customer due diligence information up to date. In retail banks, this obligation is usually discharged in four ways:
- Automated transaction monitoring (computer generated reports that are triggered by unusual account activity);
- Manual transaction monitoring (staff reporting concerns);
- Investigations into activity highlighted by either form of monitoring; and
- Independent reviews (usually periodic or triggered by specific events).
Santander was criticised by the FCA in relation to three of these. Its automated transaction monitoring system “lacked sophistication”, some alerts were subject to significant delays before investigation; and at the start of the period under investigation, Santander did not carry out any periodic reviews on its business customers.
Finally, the FCA found issues with Santander’s account closure processes which led, in some cases, to significant delays before suspicious accounts were closed.
Echoes of NatWest?
Followers of FCA enforcement action will likely have noticed the similarities with National Westminster Bank Plc, known as NatWest, in 2021.
On 13 December 2021, NatWest was sentenced at Southwark Crown Court to a fine of £264,772,619.95 after it had earlier pleaded guilty to three breaches of the Money Laundering Regulations 2007. This was the first time the FCA had chosen to use its criminal powers in relation to AML. It remains a landmark case.
It is vital to note that the test under the MLRs for criminal liability is different to the test under the FCA’s handbook for regulatory liability; and that the standard of proof for criminal conviction (that the jury is sure) is higher than that for a regulatory penalty (the balance of probabilities). No criminal allegation was made by the FCA in relation to Santander.
However, the two cases highlight the struggles that large banks have had in meeting their AML obligations over the last decade. Three issues stand out.
1. The role of individual customers
In both the Santander and NatWest cases, the FCA identified failings in relation to particular customers in order to shine a light on the banks’ systems and controls.
In the case of NatWest, Fowler Oldfield Limited, a gold dealer, deposited £365m into NatWest accounts over the course of five years. £264m of that was in cash, with the eye-catching detail that at one branch these deposits were sometimes made in black bin liners which would occasionally tear at the weight of the money inside.
In Santander’s case, it was “Customers A to F”, of whom “Customer A” is probably the most striking. Customer A opened an account saying it was for translation services and predicted a turnover of £5,000 per month. Over time, transactions on the account hit £1.5m per month. The bank came to realise that Customer A might actually be an MSB (“money service business”) but a decision to close the account wasn’t actioned until almost two years later.
Unlike Fowler Oldfield (in relation to whom an eight-month money laundering trial of its directors recently ended), no criminal allegation has been made in relation to Customer A. But both cases underline the fact that the FCA can and will use the example of individual cases to shine a light on systems weaknesses.
2. The difficulties of ongoing monitoring
Both cases show the large banks struggling with ongoing monitoring. For a start, NatWest and Santander’s automated transaction monitoring systems were found wanting, in spite of efforts over time to improve them.
Periodic reviews did not take place as regularly as they ought to: in fact, neither Fowler Oldfield nor “Customer A” received any during their customer relationships.
And both decisions highlight problems with the teams responsible for investigating alerts generated within the bank. In NatWest, it was a particular bank office which was found to be lacking in experience, with the “sufficient [training] material” being “insufficiently embedded.” In Santander, the weaknesses appear to have been based on resourcing pressures.
Ongoing monitoring is clearly a resource-intensive process, but one that the FCA is particularly interested in.
3. Ongoing efforts
Finally, both these cases took place against a backdrop of the banks knowing that they had AML difficulties and seeking to remediate them.
The Statement of Facts agreed between NatWest and the FCA recorded the “significant efforts” the bank was making during the relevant period to improve its controls and processes, including via the appointment of external specialists and the undertaking of an “AML Change Programme.”
Likewise, the FCA’s final notice in the Santander case notes that “having become aware in December 2012, at the start of the Relevant Period, of significant issues with its AML framework, Santander UK made various changes to its AML operating model and processes for Business Banking during the Relevant Period.”
It seems that compliance with these obligations has not always come easily to large retail banks, who are trying to do just that. As Mrs Justice Sara Cockerill summed up when sentencing NatWest: “Even [NatWest’s] compliance costs are enormous – the increase which has recently been made from £700 million to £1 billion for the next 5 years gives some hint of what is needed to properly comply with these Regulations which though demanding are of such great importance.”
What about individuals?
After the conviction of NatWest last year there was some clamour for action to be taken against individuals in relation to AML failings within large banks.
In my view, this misses the point. The gravamen of failures in these cases – whether serious enough for prosecution (like NatWest) or only for regulatory action (Santander, HSBC Bank Plc, Standard Chartered Bank) – lies in system weaknesses. In many of these AML cases, the errors in relation to particular customers didn’t arise because of one or a small number of individuals within the bank. Instead, the FCA took action because of weaknesses across the banks’ systems.
Indeed, part of the very rationale for having AML systems and controls and utilising the “three lines of defence” model is to prevent the actions of one or a small number of employees from allowing financial crime to occur. As such, it should be no surprise that the Money Laundering Regulations (both 2007 and 2017) impose liability directly on regulated firms: there are no complicated rules of attribution of the wrongdoing of individuals in order to establish corporate liability.
Nonetheless, the FCA does have the power to take action against individuals for their own conduct in relation to AML failures by firms. Perhaps it is only a matter of time before the FCA does so. Individuals caught up in such cases will draw little comfort from the FCA’s robust action in these cases.
What now for the FCA?
The Santander case shows the FCA’s appetite to go after big banks for AML failings remains undiminished. It will be interesting to see how, if at all, the FCA’s approach to the enforcement of these cases changes when Mark Steward, the FCA’s executive director of Enforcement and Market Oversight, steps down in spring 2023.
In the meantime, the imperative on firms to ensure their AML systems and controls are adequate remains. Senior individuals within those firms should be alive to this need and do their utmost to drive compliance: lest they want to become the subject of the FCA’s next Christmas headline.
Tom Bushnell is a barrister within the business crime team at Hickman & Rose. He specialises in financial crime and financial services regulation. He has a particular interest in enforcement action relating to AML and the Money Laundering Regulations. Before joining Hickman & Rose in 2022, he practised at the Bar and was the FCA’s junior counsel for the investigation and prosecution of NatWest.