FIAU slaps local bank with €189,274 fine for breach in AML rules

*Updated to include BNF Bank’s statement (below)

The Financial Intelligence Analysis Unit (FIAU) has fined BNF Bank €189,274, due to irregularities found during an offsite compliance review in 2020 which found the credit institution in breach of anti-money laundering rules.

BNF Bank, previously known as Banif Bank, started operating in Malta in 2008. JUD Investment Group Ltd, a subsidiary of Al Faisal International for Investment, is BNF Bank’s majority shareholder with a 92.4 per cent stake. The remaining shares are held by Maltese shareholders.

The FIAU noted that, while the bank drafted its business risk assessment (BRA) in 2019, a year later than it was required to, it acknowledged the bank’s assertation that it conducted annual money laundering (ML) risk assessments as part of operational risk. However, despite demonstrating a general understanding of money laundering and terrorism financing risk (ML/FT), the bank provided only basic and high-level risk assessments. Thus, it fell short of the requirements of an adequate BRA and thus was reprimanded.

When analysing the bank’s customer risk assessment (CRA), the FIAU came across two main findings. The bank had deficiencies in its risk assessment methodology (up to 31st December 2019), and there was no evidence of CRA during onboarding.

Until 31st December 2019, the bank did not consider what classified a business relationship low or medium risk. This is due to the bank having lacked a comprehensive methodology to categorise the range of risk factors when entering a new business relationship/occasional transaction. Therefore, it was unable to provide a conclusive and consistent risk rating of its customers.

The risk considerations used by the bank were: whether the customer had any connections to politically exposed persons (PEPs), connections to high-risk/prohibited/non-reputable jurisdictions, adverse media, and if there were any dealings in a business sector/activity that was considered high-risk by the bank.

Following 2019, the bank took action to enhance its CRA, and started implementing the necessary updates to their customers.

The bank had also failed to conduct CRA when onboarding new customers, so in practice, the bank was not adhering to its own policies and procedures. Since this was not carried out at the onset of the business relationship/occasional transaction, it made it more difficult to identify actual risks, and potential risks of customers, and as a result, the bank was unable to formulate a risk profile and allocate necessary resources.

It was also found to have failed to conduct adverse media screening on two corporate customers at the onboarding stage.

Issues were also identified with six of the bank’s high-risk business relationships. It had failed to perform enhanced measures, such as collecting sufficient information and documentation on the customers’ source of funds & wealth. The bank also failed to question large withdrawals conducted by the customers.

The FIAU also identified shortcomings in the bank’s record keeping. During a compliance examination, the bank provided a list of its active and inactive customers, which was deemed inconclusive by MFSA officials. The bank said that omissions were a result of a fault arising from the extraction process from the Core Banking System. While the FIAU acknowledged that it was a genuine mistake due to human errors, it affected the bank’s efficiency and reliability in complying with authorities’ requests in this regard.

A minor lack of adherence to the bank’s policies and procedures was also identified, when it was found that, a file review which was meant to be conducted on three customers every 12 months, was delayed.

Lastly, the FIAU came across a couple of shortcomings regarding the monitoring of transactions.

The first issue arose from the lack of sufficient information on customers. In one instance, a corporate customer withdrew an aggregate total of four million euros, and the bank did not obtain sufficient reassurance of the purpose of the withdrawals. The bank was expected to ascertain the veracity and legitimacy of the reasons for the withdrawals, such as requesting an agreement from the customer delineating the payment terms, frequency and means of payment.

The second issue arose from the bank’s reliance on manual scrutiny by the bank’s employees when it came to identifying anomalies/suspicious transactions. The bank was found to have a very limited number of internal suspicious transaction reports (STRs), especially relative to the size of the bank and the number of transactions processed daily.

The bank held that since 2020, it had embarked on an extensive transaction monitoring program, which would lead to a fully-fledged automated transaction monitoring system. It also pushed for a number of other improvements such as staff training to better monitor transactions and engaged a specialist data analyst to assist in the creation and handling of automated reporting and data extraction.

The FIAU commended the bank’s proactive approach, however, noted that, at the time of the compliance examination, the bank still relied on manual scrutiny. It also added that transactions which cumulatively exceeded the bank’s reportable thresholds, or ambiguous transactional patterns couldn’t be successfully identified, which adversely influences the bank’s potential to effectively detect and flag suspicious transactions. However, the FIAU also noted that those transactions took place around 2015.

In addition to the fine of €189,274, and reprimand for the bank’s failure to conduct its BRA in time, the FIAU also served the bank a remediation directive aimed at improving the bank’s CRA to better understand the risks surrounding its operations, and transaction monitoring.

The FIAU responded positively to the bank’s proactive approach in identifying and addressing its shortcomings before the review was initiated, and for taking immediate action following the review, before receiving the remediation directive. It also commended the bank for notifying the FIAU of its actions and for the details it provided of its ongoing planned actions. Lastly, it also responded positively to the bank’s top management’s commitment to combat ML/FT.

Statement by BNF Bank

The Bank has noted the FIAU report issued today, the findings of which mostly happened in or around 2015. On acquisition by the current majority shareholder, the Bank embarked on a thorough and pro-active review of all its processes and controls specifically around its AML and CFT obligations. This has been viewed very positively by the FIAU in its publication issued today. The Bank is committed to continue to work with all regulators in Malta in striving to further enhance the high standards by which it holds itself to.