ANALYSIS: When PEP Assets Are Corporate: Lessons From A Bank's Punishment

A major issue for compliance is the entity known as the "politically exposed person", or PEP. What happens when PEPs take corporate form? This article examines what happened when a bank was punished.
All the time, private bankers encounter the wealth of
“politically-exposed persons” or PEPs in corporate form. Instead
of dealing in cash resources, they find themselves having to deal
with wealth that is tied up in special purpose vehicles or other
corporate structures. With this in mind, readers will be
interested in the reasons why the Financial Conduct Authority,
the UK financial regulator, recently fined Standard Bank £7.64
million ($12.81 million) for lax money-laundering controls.
The drafting of the decision notice is a trifle vague, especially
as regards the “dodges” with which the bank carried on business
without the proper “extra/enhanced due diligence” or EDD during
the period in question (2007-11). The Joint Money Laundering
Steering Group's guidelines state that whenever a customer-firm
is known to be linked to a “politically-exposed person” or PEP,
perhaps when the PEP is a director or a shareholder, it is likely
that this will put the customer into a “higher risk category”, so
EDD is vital.
The “dodges” tended to revolve around the practice of
mis-categorising the risks inherent in each jurisdiction or in
the presence of a PEP or, failing that, allocating risk
categories accurately but then failing to apply EDD
accordingly. In 2009 Standard Bank undertook a massive
re-categorisation of its corporate customers into high, medium
and low risk. Maddeningly, the FCA does not tell us what
categories the bank used between 2007 and 2009. If it followed the
example of some private banks of the time, it might have simply
had two categories – standard risk and high risk – but this
remains speculation.
One example of a “dodge” involved two customers classified as
medium risk. Both were involved in the mining of precious metals
(an industry identified by Standard Bank as being highly risky),
both were incorporated in jurisdictions that Standard Bank had
classified as highly risky and both were connected to PEPs.
Despite these “red flags”, they had been given a “medium risk”
tag because their parent companies were listed on recognised
investment exchanges. The FCA was not fooled. It did not,
however, say whether these RIEs (of which the UK has seven) were
in the UK.
In another “dodge”, the customer was a listed company in a highly
risky jurisdiction whose ultimate beneficial owner - obviously
some high-net-worth individual or other - was hidden from view,
although the bank thought it knew who it was. Someone at the bank
asked the compliance department to sign a waiver, which it did
with the following murky phrase:
“[The company] is a well-established, managed and listed company
in [highly risky jurisdiction]. Although, we do not have all the
details of single largest shareholder of the company, the founder
and his brother remained the key men of the company. Lacking of
such information would not have a significant negative impact on
our bank’s position as compared with [Company’s] other existing
banks.” Isn’t that marvellous?
The FCA does not explain what this means or what the compliance
department thought it meant. In failing to do so, it has missed an
opportunity to warn compliance departments in detail about the
kinds of pretext that relationship managers and salespeople use
in their quest to cast EDD aside.
No actual money-laundering is alleged to have taken place at the
bank, making the FCA's need to justify its fine in detail all the
more urgent. It does nothing of the kind, however. In note 4.27
it lists some 'high risk customers' that the bank had identified
as such, noting that it then failed to monitor them in accordance
with its policy of six-monthly reviews for that category (in one
case, the checks only happened twice in nearly seven years).
Then, in 4.28 it states, quite baldly and without a further word
of explanation: “This failing was systemic across Standard Bank,
impacting 4,300 of its 5,339 customers (80 per cent).” This is a
stunning revelation that is surely worthy of more comment,
especially about how the figure came to light, but that is where
the matter ends.
The FCA is vague in other areas, for instance in its descriptions
on page seven of the bank “taking some steps towards applying
EDD” or “attempting to apply EDD” in some cases. What do these
phrases mean? In view of its heavy price tag, the decision notice
ought to be brimming with detailed explanations of how someone
can “try” to monitor something but fail.
On page nine, the FCA finds no fault with Standard Bank's revised
set of classifications but, frustratingly, stops short of telling
the public whether it thinks that the bank had managed to get
them broadly right. Under the new (and present) rubric, highly
risky customer relationships were to be reviewed annually; those
that posed medium risk were to be reviewed biennially; and those
that posed low risk were to be reviewed every three years.
Despite the FCA's shortcomings in describing the “dodges” that it
wants other banks to eschew, the tenor of Standard Bank's
approach to EDD is clear. The bank had a consistent habit of
going selectively through some of the motions while the money
kept rolling in.
(The author of the article, Chris Hamblin, is editor of
Compliance Matters and Offshore Red, two sister news services to
this publication.)