Settlement Agreement between the Central Bank of Ireland and Intesa Sanpaolo Life dac

Intesa Sanpaolo Life dac fined €1,000,000 by the Central Bank of Ireland in respect of anti-money laundering and terrorist financing compliance failures

On 23 November 2017, the Central Bank of Ireland (the ‘Central Bank’) fined Intesa Sanpaolo Life dac (‘Intesa’) €1,000,000 and reprimanded it for four breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act, 2010 (the ‘CJA 2010’).  Intesa admits the four breaches. 

The Central Bank’s enforcement investigation identified significant failures in Intesa’s controls, policies and procedures in respect of anti-money laundering and counter terrorist financing (‘AML/CFT’). The breaches occurred from the enactment of the CJA 2010 in July 2010 and continued on average for three years and eleven months.  The breaches comprised of failures by Intesa relating to:

• Risk assessment: assessment of money laundering/terrorist financing (‘ML/TF’) risks specific to its business.
• Customer due diligence: policies and procedures for conduct of enhanced customer due diligence (‘ECDD’) on customers who were politically exposed persons (‘PEPs’).
• Suspicious transaction reports: procedures for reporting suspicious transactions to An Garda Síochána and the Revenue Commissioners without delay.
• AML/CFT policies and procedures: incorporation of a mechanism for regular review.

Head of Enforcement Investigations, Brenda O’Neill, said:

“The Central Bank has responsibility for monitoring and enforcing the compliance of life insurers based in Ireland with the CJA 2010. This includes insurers such as Intesa that ‘passport’ in order to operate in other EU member states on a freedom of services basis without establishing branches in those other member states.

Identified weaknesses in Intesa’s AML/CFT framework prompted the Central Bank to take enforcement action.

This case, and the level of fine imposed, reinforces the requirement that firms in all sectors must adopt robust and effective policies and procedures to prevent and detect money laundering and terrorist financing.  Furthermore, firms must ensure such policies and procedures are updated in a timely manner in response to changing legal and regulatory requirements, emerging risks and evolving business models.    The fine also reflects the significant increase in penalties imposed for AML/CFT breaches in recent years.

It is critically important that firms undertake a considered and comprehensive ML/TF risk assessment.  A firm's risk assessment is the foundation of the AML/CFT framework, which informs the development of policies and procedures appropriate to the organisation.  A risk assessment should address all relevant inherent and residual risk factors at the geographic, customer, product/service and distribution channel level in order to determine the firm’s unique risk profile and the appropriate mitigating controls. 

Intesa does not sell its life assurance products in Ireland, however, this case highlights that firms authorised in Ireland and ‘passporting’ into other European Union financial markets remain subject to Irish AML/CFT legislation. Where such firms utilise group AML/CFT policies, procedures and operational systems and controls, or place reliance on group AML/CFT functions, they must ensure these arrangements comply with Irish AML/CFT legal and regulatory requirements and effectively mitigate any risks highlighted in the firm’s own ML/TF risk assessment.“  

Background

Intesa is authorised to carry on life assurance business in Ireland as an insurance undertaking under the European Union (Insurance and Reinsurance) Regulations 2015 and is the largest ‘cross border’ life insurer authorised by the Central Bank. Intesa specialises in insurance contracts linked to investment funds (unit-linked funds) and currently has approximately 400,000 customers..

At the time of the breaches, it sold life assurance products in the Italian and Slovakian markets. 

The Central Bank has responsibility for monitoring and enforcing the compliance of life insurers based in Ireland with the CJA 2010.  This includes insurers that operate in other EU member states on a freedom of services basis without establishing branches in those other member states (known as ‘passporting’).

In June 2014, Intesa notified the Central Bank that an independent third party commissioned by Intesa had reviewed its anti-money laundering controls and identified suspected non-compliance with the CJA 2010.  The Central Bank subsequently commenced its investigation into suspected breaches of the CJA 2010.

Prescribed Contraventions

The Central Bank’s investigation of issues, prompted by the third party review, identified four breaches of the CJA 2010, namely:

Risk Assessment

 A thorough assessment of ML/TF risk exposure is fundamental to a robust AML/CFT framework as it allows a firm to identify its particular ML/TF risks and subsequently to inform the development of appropriate AML/CFT policies and procedures.  A risk assessment must be proportionate to the nature, scale and complexity of a firm’s activities. 

Until June 2011, the Firm had not completed an assessment of its ML/TF risk.  Furthermore, between June 2011 and April 2014, the Firm’s purported assessments were inadequate as they failed to identify and assess the ML/TF risks relevant to the Firm by reference to the appropriate risk categories (such as country/geographic risk, customer risk, industry risk, product risk and channel/distribution risk).

Enhanced Customer Due Diligence

 The customer due diligence process is at the heart of the AML/CFT control process.  It is designed to ensure that firms know their customers and are able to monitor customer activity throughout the business relationship.  It also allows firms to identify suspicious activity and to make suspicious transaction reports when necessary.

The CJA 2010 specifies that ECDD is required in respect of non-resident PEPs.  The Central Bank identified the following failings in relation to Intesa’s policies and procedures, under Section 54 of the CJA 2010, for ECDD on PEPs:

• The application form for new customers incorrectly excluded PEP customers resident in Italy and Slovakia from Intesa’s requirement to self-identify as PEPs for the purpose of Irish AML/CFT laws.
• Intesa failed to adopt policies and procedures that required senior management approval of PEP customer relationships.

These failings were particularly significant as Intesa was operating on a cross border basis and consequently had an increased risk of exposure to non-resident PEPs.

Reporting of Suspicious Transactions

Effective detection and prevention of ML/TF depends on timely identification and reporting of suspicious transactions within the financial services sector.   Delays in reporting suspicions to An Garda Síochána and the Revenue Commissioners have the potential to undermine the investigation of ML/TF offences. 

Under Section 54 of the CJA 2010, firms are required to have policies and procedures that address their obligation to identify, investigate and report suspicious transactions as soon as practicable.  The reporting lines were not sufficiently clear and consequently had the potential to cause confusion and delays in reporting suspicious transactions.

Review of Policies and Procedures

Firms must adopt effective and adequate AML/CFT policies and procedures that are tailored to the firm’s business. 

Intesa failed to incorporate a review mechanism in its policies and procedures. Consequently, the Firm did not review its AML Policies in February 2012 when the Department of Finance published core guidelines on the CJA 2010 for the financial services industry or, in September 2012, on publication of industry guidance for the life assurance sector. It commenced a review in November 2013 of its AML Policies following the enactment of the Criminal Justice Act 2013 (which amended the CJA 2010) A review mechanism was incorporated into the AML Policies in April 2015.

Penalty decision factors

In deciding the appropriate penalty to impose, the Central Bank considered the following matters:

• The seriousness with which the conduct is viewed, particularly given Intesa’s status as Ireland’s largest insurer operating on a cross border basis and the increased risk of exposure to PEPs.
• The extended period of time over which the breaches occurred.
• The need to impose an effective and dissuasive sanction on regulated entities.
• The co-operation of Intesa during the investigation and in settling at an early stage in the Central Bank’s Administrative Sanctions Procedure.

The Central Bank confirms its investigation into Intesa in respect of this matter is closed.

Notes

• The fine reflects the application of the maximum percentage settlement discount of 30%, as per the Early Discount Scheme set out in the Central Bank’s ‘Outline of the Administrative Sanctions Procedure’ linked here.
• This is the Central Bank’s 110^th settlement since 2006 under its Administrative Sanctions Procedure, bringing total fines imposed by the Central Bank to over €61 million.