Central Bank fines Ulster Bank €3.325m

01 November 2016 Press Release

Settlement Agreement between the Central Bank of Ireland and Ulster Bank Ireland DAC (formerly Ulster Bank Ireland Limited)

Ulster Bank Ireland DAC fined €3,325,000 by the Central Bank of Ireland in respect of anti-money laundering and terrorist financing failures

The Central Bank of Ireland (the ‘Central Bank’) fined Ulster Bank Ireland DAC (‘Ulster Bank Ireland’) and reprimanded it for breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010 (the ‘CJA 2010’). The breaches have been admitted by Ulster Bank Ireland.

The CJA 2010 requires credit and financial institutions to adopt and implement adequate policies and procedures appropriate to their business to prevent and detect the commission of money laundering and terrorist financing.

The breaches occurred over a six year period, from enactment of the CJA 2010 on 15 July 2010 until 2016. The breaches identified significant failings in Ulster Bank Ireland’s anti-money laundering/countering the financing of terrorism (‘AML/CFT’) framework and procedures in respect of:

  • Outsourcing: governance and control of AML/CFT outsourcing
  • Risk Assessment: assessment of money laundering/terrorist financing (‘ML/TF’) risks specific to its business and the relevant mitigating systems and controls
  • Customer due diligence: identification and verification of existing customers who predated the Irish AML/CFT laws effected in May 1995 (‘Pre-95 customers’)

The Central Bank also identified areas of non-compliance in respect of trade finance procedure manuals, adherence to internal procedures, AML/CFT training of non-executive directors and reliance on third parties in respect of customer due diligence (‘CDD’).

Director of Enforcement, Derville Rowland, said:

“Robust frameworks, systems and controls must be the cornerstone of credit and financial institutions’ compliance with anti-money laundering legislation. Weaknesses in anti-money laundering controls expose the Irish and global financial system to abuse and threaten to undermine its stability. In today’s global environment, the threat of money laundering and terrorist financing requires credit and financial institutions operating in Ireland to rise to the challenge of managing and mitigating these risks.

It is incumbent upon our retail banks to counter the threat of money laundering through robust anti-money laundering frameworks, systems and controls. Retail banks are the lifeblood of the Irish financial system, providing essential banking and financial services for millions of consumers and businesses daily. The sheer volume and range of transactions processed exposes the Irish retail banking sector to an increased threat of money laundering and terrorist financing. Retail banks must counter this increased threat head on.

Ulster Bank Ireland’s breaches are especially concerning as they point to unacceptable weaknesses in key aspects of its anti-money laundering framework, systems and controls over an extended period of time. As one of the largest retail banks in Ireland, Ulster Bank Ireland provides a gateway to the financial system for more than one million customers through its extensive network of branches, online and telephone banking. Therefore, it is imperative that it vigorously applies the highest levels of anti-money laundering compliance in order to protect, not only itself, but its customers and the wider financial system. Firms play a vital role in assisting An Garda Síochána and the Revenue Commissioners in their investigation of money laundering and terrorist financing through the detection and reporting of suspicious activity.

This case also highlights that firms who outsource must have in place appropriate controls to oversee outsourced activity, which must be documented and clear. This is even more critical where the outsourcing is within the group because these situations tend to foster a misplaced sense of  complacency regarding regulatory compliance. Of course, the effectiveness of such controls is contingent upon a firm’s commitment to observing them.

When the Central Bank identifies a failure to deal with these risks we will not hesitate to enforce compliance. The fine imposed on Ulster Bank Ireland demonstrates that the Central Bank will take action where anti-money laundering frameworks and controls are not sufficiently robust. The enforcement of anti-money laundering governance and controls is and will continue to be a priority for the Central Bank.”

Background 

Ulster Bank Ireland is authorised to carry on banking business in Ireland under Section 9 of the Central Bank Act 1971. It is one of the largest banks in Ireland with over 110 branches and 1.1 million customers. Its principal activities consist of retail and commercial banking.

Since 15 July 2010, Ulster Bank Ireland has been required to comply with the CJA 2010. The Central Bank has responsibility for securing the compliance of credit and financial firms with the CJA 2010.

During 2012 and 2013, the Central Bank conducted a review of Ulster Bank Ireland’s compliance with the CJA 2010. This review identified of a number of issues in respect of Ulster Bank Ireland’s compliance with the CJA 2010. During this period, Ulster Bank Ireland also self-reported a number of issues of non-compliance with the CJA 2010. In December 2013, the Central Bank initiated engagement with Ulster Bank Ireland in respect of remediation efforts in areas where non-compliance with the CJA 2010 had been identified.

On 20 March 2015, the Central Bank notified Ulster Bank Ireland of its decision to commence an investigation into suspected breaches of the CJA 2010.

Prescribed Contraventions 

The Central Bank’s investigation identified 8 breaches of the CJA 2010, namely:

Poor controls over AML/CFT outsourcing

Ulster Bank Ireland is part of a group of companies headed by Royal Bank of Scotland plc (‘RBS’) as the ultimate holding company. Ulster Bank Ireland outsources 25 AML/CFT activities mainly to other 4 entities in the RBS group. The outsourced activities involve a wide range of key AML/CFT obligations under the CJA 2010.

The Central Bank identified two significant failings in respect of Ulster Bank Ireland’s governance and oversight of those outsourced AML/CFT activities between 15 July 2010 and 15 October 2016. Firstly, Ulster Bank Ireland failed to put an outsourcing policy in place from 15 July 2010 until June 2011 (an 11 month period). Secondly, Ulster Bank Ireland failed to put a service level agreement (‘SLA’) in place for 19 of the 25 outsourced activities when the outsourcing commenced, as required by its internal policy. Of the 19 activities which were not covered by SLAs, the average duration of the gap was 2 years, with 13 of those 19 activities not covered for a period of 3 years and longer.

Given Ulster Bank Ireland’s extensive reliance on AML/CFT outsourcing, the absence of these two important controls over outsourcing exposed it to an unacceptable risk that an outsourcing failure would prevent it from meeting its CJA 2010 obligations. An outsourcing policy is a key control that sets out the governance of outsourcing arrangements in order to ensure that a firm has the necessary oversight and control, including how the arrangement is set up and monitored, who is responsible for monitoring, and what happens in the case of an expected or unexpected termination of the services. SLAs provide further control in the form of a framework or contract for an individual outsourcing relationship that sets out the rights and duties of the parties and usually specifies agreed performance levels.

Failure to conduct ML/TF risk assessment

A thorough assessment of ML/TF risk exposure is fundamental to a robust AML/CFT framework as it allows a firm to identify the particular ML/TF risks to which it is exposed as a result of its business model and to inform the development of appropriate AML/CFT policies and procedures, and the design of proportionate systems. The risk assessment must be proportionate to the nature, scale and complexity of a firm’s activities. Insufficient or absent ML/TF risk management policies, procedures and processes exposes firms to significant risks, including not only financial, but also reputational, operational and compliance risks.

Ulster Bank Ireland failed to conduct an assessment of the ML/TF risks of its business for a period of over 2 years. Furthermore, until April 2014, Ulster Bank Ireland’s risk assessment was inadequate in that it failed to provide any quantitative and/or qualitative evaluation of its exposure to the identified risk factors.

Customer due diligence

The CJA 2010 requires firms to complete CDD to identify and verify customers at certain times, including when firms take on new customers and where they have concerns relating to documents previously obtained for the purposes of identifying and verifying customers.

The CDD process is at the heart of AML compliance and ML/TF prevention in financial services and is designed to ensure that firms know their customer and are able to predict typical customer behaviour. This critical information allows firms to properly fulfil their obligations to monitor, identify and report unusual and potentially suspicious activity.

The Central Bank identified a number of failings in Ulster Bank Ireland’s procedures and systems in respect of CDD, namely:

  • Section 33(1)(d) of the CJA 2010 requires firms to complete CDD where there are reasonable grounds to doubt that existing customer documents and information are accurate and adequate for the purposes of verifying or confirming customer identity. When the CJA 2010 was introduced, Ulster Bank Ireland needed to formally review and confirm the adequacy of the documents and information it held for Pre-95 customers to determine if Section 33(1)(d) required completion of CDD, however, Ulster Bank Ireland failed to do this;
  • Ulster Bank Ireland provided new products to 64,900 Pre-95 customers without completing CDD in circumstances where section 33(1)(d) of the CJA applied;
  • Customer identification markers which indicated that customers were exempt from CDD remained on Ulster Bank Ireland’s system contrary to documented procedures; and
  • Ulster Bank Ireland relied on a third party to conduct CDD where the contractual arrangement in place did not satisfy the conditions in Section 40 of the CJA 2010. Section 40 permits firms to rely on third parties to conduct CDD, but only if there is an arrangement in place which stipulates that the firm may rely on the third party to conduct CDD and the firm is satisfied that, when requested, the third party will forward the documents or information obtained when conducting CDD to the firm as soon as practicable.

Guidance in relation to identification of suspicious activity

Detection and prevention of ML/TF depends on the timely identification and subsequent reporting of suspicious activity. It is vital that all employees and officers in the financial sector, including board members, are provided with training on the law relating to AML/CFT and their legal duty to report suspicious activity.

In this regard, the Central Bank identified the following specific failings in Ulster Bank Ireland’s procedures:

  • Ulster Bank Ireland failed to demonstrate that training was provided to its non-executive directors on the CJA 2010 until 2013, and in particular, it failed to provide any training to its non-executive directors on identifying suspicious transactions and activities until March 2014. This failure occurred despite the issue of a ‘Dear CEO’ letter by the Central Bank in October 2012, in which the Central Bank noted that it had identified deficiencies in AML/CFT training across firms, including that of board members and senior management; and
  • Ulster Bank Ireland failed to have adequate policies and procedures specific to trade finance and in particular, until February 2015 it failed to include guidance in the procedure manuals for its trade finance business on the identification of potentially suspicious activity in that business i.e. ‘trade finance red flags’.

Penalty Decision Factors 

In deciding the appropriate penalty to impose, the Central Bank considered the following matters:

  • Seriousness with which the conduct is viewed, particularly given the Firm’s central role in the financial services system and the high risk nature of the Firm’s business in terms of ML/TF.
  • The extended period of time over which the breaches occurred, spanning the period 15 July 2010 up until 2016 and the fact that the duration of the contraventions on average persisted for more than 4 years.
  • The co-operation of the Firm during the investigation and in settling at an early stage in the Central Bank’s Administrative Sanctions Procedure.
  • The actions taken by the Firm to remediate the breaches.
  • The fact that all bar 1 breach continued post the enhancement of the Central Bank’s sanctioning powers under the Central Bank (Supervision and Enforcement) Act 2013.

The Central Bank confirms its investigation into Ulster Bank Ireland in respect of this matter is closed.