Last week the FCA issued a Decision Notice against Mohammad Prodhan, the former CEO of Sonali Bank (UK) Limited, fining him £76,400 for allegedly failing to take reasonable steps to assess and mitigate anti-money laundering risks. The case is a significant shift from previous AML-related enforcement action by the FCA against individuals, where the focus was on MLROs rather than senior executives.
The FCA decision is being referred to the Upper Tribunal, but sheds important light on how the FCA expects senior managers with responsibility for AML to engage with AML risks, which are rising to the top of board agendas across Europe.
We explain the decision below, along with 8 practical lessons that bank executives can draw from it.
The Decision
Mr Prodhan was the CEO of Sonali Bank’s UK subsidiary (SBUK) from 2012 to 2015 and was responsible for its anti-money laundering systems and controls. According to the FCA, when Mr Prodhan became CEO he was informed that the FCA had identified serious failures within SBUK’s systems in 2010, and that the bank had undertaken to rectify them. Two months later, Mr Prodhan received further warnings from internal auditors that the bank’s anti-money laundering systems were not adequate. The FCA said that despite these warnings, Mr Prodhan failed to ensure that the bank’s staff appreciated the need to comply with the UK’s anti-money laundering compliance rules and failed to rectify the issues and to appropriately oversee, manage and resource SBUK’s MLRO function.
The FCA’s case against Mr Prodhan comes after the agency imposed penalties on SBUK and its former MLRO, Steven Smith, for anti-money laundering failings. In a final notice on 12 October 2016, the FCA fined SBUK £3.3 million and banned it from accepting deposits from new customers for 168 days. The FCA fined Smith £17,900 on the same day and banned him from holding a compliance position at a regulated firm.
8 Practical Lessons
Although the detailed facts of the case may seem remote from the experience of senior executives at large banks, a number of broader practical lessons can be learnt from it:
1. Understand the AML risks arising from the business you are responsible for: The FCA expects a senior manager with responsibility for AML systems and controls to be able to explain the material AML risks arising from their business, and how those risks are identified and monitored.
2. Ensure responsibilities are clear: AML processes involve a combination of business and second line functions and sometimes outsourced providers and/or support from the bank’s global operations. Test whether the divisions of responsibilities are clear – problems can arise when different parts of a bank make incorrect assumptions about what others are doing.
3. Get assurance your bank’s AML systems and controls are operating effectively to manage those risks: Reliance on assurances from the MLRO alone may not be enough in the FCA’s eyes. Ensure you are getting adequate assurance (eg from Compliance, Audit or external advisors) about the effectiveness of your AML controls.
4. Respond to Red Flags/Warning Signs: FCA enforcement action in relation to AML often follows warnings from internal or external sources that are not acted upon. When significant AML issues are flagged, ensure an adequate plan is in place to address those issues, and get reliable evidence that the plans have been effective.
5. Make AML a board agenda item: Ensure the board gets useful MI in relation to AML risks and issues and can demonstrate active engagement with the way those risks and issues are identified and managed.
6. Support the MLRO and Financial Crime Team: Ensure that the MLRO and financial crime team are adequately resourced and respected within the organisation. Ensuring the financial crime team is of the right calibre is often as important as headcount and amounts spent.
7. Make AML risk part of your own decision making: Make AML risk analysis an integral part of your own business decisions – for example, when considering new business opportunities.
8. Promote a culture where AML is seen as a business as well as compliance responsibility: A failure by the business to see AML as its own responsibility (as well as Compliance’s) can lead to problems. Promote a culture where AML is seen as a business issue.