Bank fined €310,217 by FIAU for breaching AML rules

The Financial Intelligence Analysis Unit (FIAU) has fined ECCM Bank plc €310,217, due to irregularities found during an offsite compliance review in 2020 which found the credit institution in breach of anti-money laundering rules.

ECCM Bank plc was granted a banking license in 2014, following a purchase from Raiffeisen Bank International AG, and has a paid-up share capital of €117.7 million.

When the FIAU requested a business risk assessment (BRA), the company provided one from March 2019, which is a year later than when it was required to draft one. Furthermore, it failed to reference the national risk assessment (NRA) and the supranational risk assessment (SRA). Even though the bank operated in a manner that carried less risk than other credit institutions, it was still required to carry out a comprehensive BRA in good time.

The bank was reprimanded for failing to carry out the BRA, and for failing to reference the NRA and SRA.

On inspection of the bank’s customer risk assessment (CRA), it was discovered that the bank used knowyourcountry.com as a source for rating risk from a geographical perspective. Despite its benefits, there were concerns with the bank’s understanding of the risk ratings, since it did not have the reasoning behind the ratings it was using.

The tool the bank used for CRA also lacked the inclusion of additional jurisdictions that could be linked to the respective business relationship, as it only considered the country where the customer is incorporated and where it operates, but not the volume of business in each jurisdiction.

The FIAU also noticed that the bank failed to properly outline the risks coming from business relations in the CRA of its clients. While the bank claimed to have detailed knowledge of its corporate customers, the client files did not reflect that.

This was of particular concern when there were undisclosed beneficiaries and high-volume transactions, or when a foundation was involved in a corporate structure. The banks’ CRA failed to properly understand the money laundering/financing terrorism risks when it came to complex client structures.

Some customer assessments were done only after the clients were already onboarded and allowed to transact, and they were not subject to the latest methods of CRA. While the bank has since updated its CRA methodology and committed to keep doing so, the bank still had failed to adequately perform periodic reviews in the past. The bank was thus reprimanded for failing to comply with its own policies and procedures in relation to periodic reviews of its customers.

The bank was also found to have failed to collect enough information on the business activity of its customers. In a couple of instances, the bank had information that customers held investments, but no reasoning was given behind them. In other examples, it did not have sufficient information on the expected activity undertaken throughout the business relationship.

A regular concern by the FIAU was that the bank, on multiple occasions, would update the CRA of its customers after the business relationship had already been established, making the bank unable to properly monitor its customers.

There were also concerns when the bank collected information on sources of funds, being overly generic at times such as “world-wide business activities.” Lacking any further information is a shortcoming as the bank would not be able to properly understand how and where the money was generated.

Lastly, when it came to monitoring transactions, there was an absence of sufficient information to understand the source of funds but was satisfied with the flow of funds.

In one of the cases, there was an incoming transaction of €100 million and two outgoing transactions, one of over €1 million and the other of €1 million. The supporting documentation for the transactions were minutes of an extraordinary general assembly which did not reference the transactions. The bank did provide minutes showing that the €100 million were for investment, however, they were not part of the documents submitted by the bank during the compliance review. Furthermore, the minutes did not indicate where the money was from, or how it was generated but only outlined its purpose.

Regarding the two outgoing transactions, the bank had said that they were related to share capital increases by the customer shareholders, and while the minutes did reference the transactions, they did not mention the full amount payable. Regarding this, it was also noted the information was absent for the source of funds, and how it was generated.

The FIAU stressed the importance of knowing the source of funds, how it was generated, and not only why it was being transacted.

In addition to the fine, the bank has been tasked with a remediation directive, to ensure that it takes the necessary steps to understand the risks surrounding its operations and implements sufficient controls to mitigate the identified risks. It also must provide a revised BRA, and clearly outline how it has tackled its shortcomings. It must also take steps to address shortcomings in its CRA and enhance its scrutiny of transactions, especially those diverging from customer expectations.