Compliance
FSA Imposes Landmark £350,000 Fine on BNP Paribas Private Bank
The UK's financial regulator, the Financial Services Authority,
has slapped BNP Paribas' private banking arm with a £350,000 fine
for systems failures in relation to a £1.4m fraud. This is the
first fine the regulator has issued to a private bank.

A senior manager at the private banking unit in London's St
John's Wood is in the frame. The man, who is no longer employed
by the bank and was not an approved person, spent three years
between 2002 and 2005 covering up an initial theft with 12 more
fraudulent transactions. The transfers were worth £2.6 million in
total. He used "sophisticated" forgeries of client signatures and
instructions and falsified change of address documents to commit
the fraud, which resulted in an eventual loss of £1.4 million,
the FSA reported. The bank has borne the loss and reported the
allegation to the City of London police force. Its economic crime
unit told Complinet that it had opened an investigation
into the fraud but declined further comment.

During an initial
appraisal of the bank's processes in 2002, the year it passported
into the UK market, FSA inspectors made a series of
recommendations to the bank about its transaction processes. "The
Private Bank relies on a large transactions report. In some cases
the details submitted were very basic. The lack of detail could
hinder the effectiveness of the report in identifying
unusual/suspicious transactions." Later that year, the bank drew
up a new authorisation procedure for significant transactions,
which were worth more than €150,000 in 2002. BNP Paribas' central
risk policy requires independent oversight by senior management
for large transactions; the London office implemented the
significantly lower limit of £10,000. BNP Private Bank considered
the procedures to be "impractical" given its particular
circumstances and, as a result, strayed from the central
procedures, which meant that significant transfers did not
require explicit oversight by senior management. Although the
"derogation", to use the regulator's term, was only intended for
a "short term", BNP Private Bank maintained the derogated rules
until it discovered the fraud, in July 2005. The final notice
does not mention whether the bank applied a definite end date to
the different approach.

The regulator identified a number of further failures on the part
of the bank:

* There was no evidence of an independent risk-based review or
  challenge process, which should have been in place before and/or
  after the initial fraudulent transaction had taken place.
* Under BNPP Private Bank's system, the relationship manager who
  initiated the transaction could have sole responsibility for
  initiating and reviewing it. Middle-office managers were
  responsible for checking and approving external transfers.
* Senior management did not independently review a number of the
  fraudulent transactions prior to payment. The dishonest employee
  was the only person to sign the forged instructions.
* A design flaw in BNPP Private Bank's IT systems made it possible
  to bypass the checking process conducted by middle office. This
  failing was identified in November 2003 and, although steps were
  taken to remedy it, it was only partially remedied at the time.

The fine was in relation to failures of FSA PRIN 3 rules and
application.
The regulator considered that the bank failed to "take reasonable
care to organise and control its affairs responsibly and
effectively, with adequate risk management systems." The notice
did not mention how the bank discovered the fraud, but the bank did
report the incident to both the regulator and the police. "A
comprehensive review has since been conducted, involving an
independent report that verified our processes, systems and
controls, which we now consider to be among the best in the
industry," the bank said in a press release. This article was
first published by Complinet.