For various reasons (obesession, mainly) I’ve just been reading the FSA’s Notices on Habib Bank and its MLRO Syed Itrat Hussain. In case you missed it, on 4 May 2012 the FSA fined the bank £525,000 and the MLRO £17,500 for “failure to take reasonable care to establish and maintain adequate anti-money laundering (AML) systems and controls”, furthermore commenting that “the failings at Habib lasted almost three years and exposed the firm to an unacceptable risk of laundering money”. There were numerous errors made, but one of the worst was the bank’s failure to conduct enhanced due diligence for high risk customers.
To set the scene, Habib also made some boo-boos with its list of high risk jurisdictions – downgrading some on the simple basis that the bank had a branch there, even though (in the words of the FSA) “the higher risk of money laundering they presented was not negated by Habib’s physical presence in those countries or any specialist knowledge of them”. Despite paring the list in this way, the bank did still end up with some customers that it admitted were high risk – but then “the EDD conducted was inadequate, and/or EDD had not been conducted prior to transactions occurring on the account”.
Sometimes firms can get so tied up in the mechanics of researching, designing, reviewing and generally polishing to a high shine their risk-based approach that they overlook the whole purpose of it: to allow the application of differentiated due diligence. Mis-categorising clients – in this case, calling them normal risk when they were in fact high risk – can be explained (if not excused) as misinterpretation. But actually putting the red spot on a client, showing that you recognise them as high risk, and then not doing EDD – well, that’s plain daft. Although I am amused to see the FSA falling back on my word of the month – adequate/inadequate….