Bank slapped with €310,000 administrative penalty
A bank in Malta has been slapped with an administrative penalty of €310,217, a reprimand, and a remediation directive by the FIAU.
The FIAU said that ECCM Bank plc had drafted its Business Risk Assessment (BRA) in March 2019, "over a year after the requirement to carry out a BRA first came into place. Moreover, the BRA failed to make any references to the National Risk Assessment (NRA) or to the Supranational Risk Assessment (SNRA). The Committee considered that the services offered by the bank are mainly the granting of credit facilities in terms of loans, overdrafts, guarantees and the provision of current and term deposit accounts and payment services and that it does not service customers operating in any high-risk sectors identified in the EC reports. It further considered that the bank does not transact cash and that all inflows and outflows are processed from bank to bank. It also noted that the bank does not provide internet banking, credit cards, and/or other peculiar services. In view of this, it highlighted that the bank was exposed to less risks than other credit institutions. Nonetheless, the bank still had an obligation to carry out a comprehensive BRA in a timely manner."
In terms of Customer Risk Assessments (CRA), the FIAU noted deficiencies in relation to the jurisdiction risk analysis methodology.
In addition, "the Committee noted that the bank had failed to clearly outline the risks emanating from the business relationship in the CRA for all the client files reviewed. The CRAs held on file a note which merely stated that the Bank held detailed knowledge on the ownership of the corporate customers, the controlling members," and a couple of other things.
"However, this information was not reflected in the client files reviewed. Moreover, the compliance review revealed that most of the Bank's customers are risk rated as presenting a moderate/standard risk, or a low risk of ML/FT. However, the conclusion reached by the Committee is that the assigned risk ratings do not reflect the ML/FT risks posed to the subject person especially when considering the corporate structures involved including a foundation, the undisclosed beneficiaries, voluminous transactions performed, the connected jurisdictions and the limited information held on the customers' BOs. The Committee highlighted that considering that the clients' model reflects a higher degree of risk due to the nature of the structures' complexity, the Bank was required to establish in detail the purpose and objectives of the customers, how the wealth of the BOs was accumulated and the source of wealth to be injected in the client accounts during the business relationship. The complexity of the client's structure should be considered in the CRA carried out, to ensure a proper and comprehensive understanding of ML/FT risks and adopt robust measures to minimise the heightened risks emanating from the business relationships." The Committee held that the risk ratings assigned by the Bank to its customers were not comprehensive in considering all the risk factors and therefore this could have resulted in a distorted understanding of risk and in the incorrect application of controls.
In addition, the FIAU said that the bank was not collecting adequate and comprehensive information on the business activity of its customers. "This shortcoming was noted in two files, with the Committee observing that the only information held by the Bank indicated that these customers were holding investments, with no other supporting rationale obtained. In its representations the Bank submitted that it obtains details on the nature of the customer's business activity when carrying out transaction monitoring. Committee members, however, noted that no supporting documentation was provided both during the examination and at representations stage to substantiate such argument."
Among other things, during the compliance examination a number of transactions were identified wherein the information held on file was insufficient, the FIAU said.
"Three transactions were reviewed: one incoming transaction amounting to circa €100 million and two outgoing transactions, one of over €1 million and the other of €1 million. As a means of supporting documentation, minutes of an extraordinary general meeting, which do not make specific reference to the mentioned transactions were provided. With its representations, the Bank provided a copy of minutes evidencing that the €100 million plus were to be used towards investments. According to the bank this document indicates what the transaction represents, the value involved and that this is in line with the company's business profile. However, the Committee took into consideration the fact that these minutes were not amongst the documentation submitted by the bank during the compliance review but were only provided with the representations. Moreover, upon reviewing the minutes, it was noted that these did not indicate from where the money was deriving and how these were generated, but simply outlined the purpose of use. With regards to the two outgoing transactions, the bank held that both related to a share capital increase by the customer shareholders and it acknowledged that the minutes provided did not make specific reference to these two payments but to the full amount payable only. To this effect, the bank retrieved the original payment requests sent by customers at the time, however, the Committee noted that there was no indication regarding the source from where the money was deriving and how these were generated. It is pertinent to clarify that simply knowing that the funds derived from the shareholder is not sufficient, since this shows the flow of funds but not their source. With respect to the transactions concerning this customer file, the Committee reiterated that the bank must be aware not only of the reason behind a particular transaction but should also have knowledge of the source of funds, that is, how the amount in question was derived."
The Committee decided to impose an administrative penalty of €310,217 in view of the bank's failure to abide by its obligations in terms of the regulations.
Moreover, the Committee determined to reprimand the Bank for its failure to carry out a CRA prior to engaging in a business relationship in respect of four customer files, among other things.
In addition to the above, the Committee also served the Subject Person with a Remediation Directive. "The aim of this Remediation Directive is to direct the subject person to take the necessary remedial actions to ensure that it understands the risks surrounding its operations and that it has implemented sufficient controls to mitigate the identified risks. Furthermore, it aims to ensure that the Subject Person is effectively addressing the breaches."