Malta: Business Decisions That Undermine The Compliance Culture – Part 5

When leading a financial services entity, in particular within the company service provision, one needs to be aware of the consequences of business decisions that could undermine the entity's business policies, systems and the overall compliance culture. In this 5-part series of articles, I will analyse 5 business decisions, through the legislative references such decisions could fall foul of, the impact on the organisation these decisions could have, and attempt to suggest a course of action.

Conducting appropriate CDD/KYC on clients

A strong and aggressive sales culture within a firm, possibly enabled by a change in senior management or a recent takeover by an international firm, may lead to an increased pressure for Compliance to lower the bar, particularly in conducting CDD/KYC.

Legislative/Competent Authorities' references

Regulation 7 of the PMLFTR sets out the CDD measures to be undertaken by subject persons in relation to their customers whilst regulation 8 sets out the timing when verification of identity measures is to be implemented. Regulation 10 and 11 set out instances when SDD may and EDD must be undertaken and Regulation 12 provides the possibility to rely on CDD carried out by other subject persons.¹

Main impact

Breaching any of these regulations carries administrative penalties that could range from €1,000 to €46,500 and which may be imposed not only on the subject person but also on the officers, including the MLRO. Of course, the impact on the firm in not conducting appropriate CDD/KYC goes way beyond the penalties contemplated in the relevant laws.

By disregarding CDD/KYC policies and procedures in place, the firm is exposing itself to onboarding clients that are not who they say they are. They could be PEPs or worse still, sanctioned persons, thereby exposing the firm to drastic consequences as contemplated by the Sanctions Monitoring Board or OFAC.

The 1^st line of defence, by succumbing to the pressures of onboarding at all costs, is not providing any defence at all. By failing to identify any underlying or overlying structures through adequate due diligence processes, a firm will be exposed to the risk of onboarding clients with UBOs who may have criminal records or are subjects of adverse media or worse still, UBOs with ML/FT suspicions or convictions. Even in the event where a firm is onboarding a legitimate customer with no such inherent risk, the fact that the subject person did not carry out required due diligence as a matter of procedure, exposes the firm to being sanctioned for systemic failings.

In such an instance, the firm would also not be assessing and obtaining appropriate information on the purpose and intended nature of the business relationship. It is also not obtaining source of wealth and funds and consequently, the firm is potentially exposing itself to onboarding clients who have obtained their wealth fraudulently or through money laundering, stemming from all sorts of predicate offences, including tax evasion. This is precluding the firm from really understanding the purpose and nature of the business, which could be primed to conceal ownership and control in order to carry out additional illegal activities of launder proceeds of crime and/or fund terrorism.

The 1^st line of defence, being client facing, could in breach of crucial on-going monitoring obligation. They could not be sensitive to or even aware of any changes to the business relationship, or whether the activities or transactions are triggering red flags and consequently the business relationship should be revaluated by escalating this to Compliance, as the 2^nd line of defence.

The disregard for CDD/KYC could be exposing an entity to an incremental reputational risk, since as the client list grows, so does the risk of encountering or facilitating ML/FT. The irreparable damage to the entity's reputation will inevitably impinge upon the operation, as genuine clients might leave, banks make opening bank accounts harder and legal costs suffered to defend the entity from the authorities grasp spiral, besides incurring substantial fines, levied both on the firm and on the officers personally.

Course of action

The Board needs to unequivocally ensure that the tone is set from the top and that senior management responsible for the sales force is aware of the obligations and importance in conducting CDD/KYC.

The 1^st line of defence needs to do just that. Senior management responsible for this team needs to make it clear that CDD/KYC can never be compromised. The AML division will assist in this by providing adequate training on conducting CDD and imprint the risks and repercussions that non-compliance subjects the firm and its officers to.

The Board would also be confident that fresh CDD/KYC is being obtained for active clients, as part of its ongoing monitoring obligations.

Outsourcing or automation of processes, especially related to on-going monitoring, could also free up valuable time for the 1^st line of defence team. The FIAU will however, always consider the subject person as being ultimately responsible for any processes being outsourced or automated, in compliance with its AML/CFT obligations.²

Conclusion

Commercial pragmatism makes one understand that the firm does not operate within a vacuum and is directly influenced by the competitive nature of the industry it is in. The Board needs to ensure that any aggressive growth strategy is in sync with the industry-standard. However, even if this is reaffirmed, any Board needs to diligently establish and maintain a culture of compliance.

Footnotes

1. FIAU, Implementing Procedures Part 1, Page 64-65.

2. FIAU, Implementing Procedures Part 1, Page 231.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.