Trend of AML/CFT regulatory fines and identified shortcomings

In recent months, regulators have dramatically stepped up the enforcement of anti-money laundering (“AML”) and combating the funding of terrorism (“CFT”) laws and regulations. What has made this step up even more visible are the fines that have recently been imposed and published.  Nowadays, it is not uncommon for the Financial Intelligence Analysis Unit (“FIAU”) to announce a million euro fine as settlements for AML/CFT violations.

AML/CFT compliance has become a credibility issue for regulators to demonstrate that Malta is part of the international network in combating ML/FT.

Regulators expect subject persons to undertake a holistic approach to AML/CFT compliance risk management which encompasses governance and oversight, focused training to staff at all levels (including the Board of Directors), comprehensive onboarding and ongoing monitoring processes and procedures and record-keeping.

2020 is a record-breaking year for the imposition of published fines on subject persons. We have seen fines, ranging from €50,000 to over €1 million being imposed on notary publics, credit institutions, investment services firms, as well as the remote gaming sector.

In 2018, 70 administrative penalties were imposed, 60 of which where non submission of the annual compliance reports (“ACRs”). In 2019, €3,932,801 from the total fines levied, was made up of 3 administrative penalties imposed in relation to a supervisory examination within the financial sector.

The graph below illustrates the trend of fines levied by the FIAU over the last five years. It is clear that the number and, more so, the amount of fines increased considerably during 2020 (data for this year is for the first 9 months; full year data presented for the earlier years).

Information taken on 2020 refer only to published fines (which were not appealed) and was sourced from: https://fiaumalta.org/enforcement-process/#administrative-measures

Information on 2015 to 2019 refer to fines levied and was sourced from: https://fiaumalta.org/consultation-publications/#annual-reports. Both sources were accessed on 18 September 2020.

The FIAU may take other administrative matters in addition to fining a subject person. These include:

• a remediation or follow-up directive (the development and implementation of a corrective action plan required within specified deadlines);
• a notification or recommendation to other supervisory authorities or bodies;
• termination of particular business relationships; and,
• a written reprimand (this is imposed for minor contraventions of AML/CFT obligations).

The FIAU is also empowered to take any other measures as deemed appropriate to that subject person (such as requesting a subject person to carry out an internal audit and provide a copy of the audit report to the FIAU).

Throughout the period 2015 to 2020, a series of administrative penalties and remediation directives were issued. The below are few of the common shortcomings identified during the carrying out of compliance examinations by Regulators:

• Inadequate business risk assessment (“BRA”) and/or inadequate level of understanding of the risks the Company is exposed to through its operations;
• BRA not approved by the Board of Directors of the Company and no reference as to when it was published or last revised;
• No BRA in place;
• Lack of jurisdictional risk assessments;
• Inadequate or no customer risk assessment (“CRA”) procedures in place, weak or ineffective methodology applied including lack of customer risk ratings and/or lack of rationale behind risk ratings not identified;
• No Customer Acceptance Policy (“CAP”) in place;
• Issues around customer due diligence (“CDD”) measures;
• No information/no evidence held by the Company as to whether customers are politically exposed persons (“PEPs”) or otherwise;
• Lack of enhanced due diligence (“EDD”) measures carried out for PEP relationships or for higher risk situations;
• Lack of or no information obtained on the source of wealth, source of funds and the expected frequency and size of transactions;
• Failure to having in place efficient and adequate ongoing monitoring systems to ensure the effective scrutiny of transactions throughout the course of the business relationship with customers;
• Weak record-keeping procedures having inadequate records of client documentation to evidence adherence towards AML/CFT obligations;
• Record-keeping failures, including providing incomplete client lists and transactional data to the FIAU;
• Conflict of interest with respect to the MLRO function, that is where the MLRO performs another conflicting role within the subject person;
• Where remote gaming entities provide multiple brands, the accounts pertaining to the same client were not linked and were treated as separate ones rather one relationship. In such scenario, the Company failed to implement the necessary measures to ensure that accounts belonging to the same players are linked;
• Lack of processes and procedures with respect to suspicious reporting; and,
• Lack of AML/CFT training provided to the employees of the Company.

Having inadequate or poorly-managed financial crime compliance programmes will increase reputational, operational and legal risk to a Company.

Subject persons should not underestimate the cultural and operational change programme required to take a more holistic approach to financial crime. This should begin with setting the tone at the top and continue by working diligently such as having a clear and effective communication programme and allowing sufficient resources for training staff. Taking such an approach to financial crime requires significant levels of internal communication and can result in significant changes.