UAE now requires banks to appoint an independent "skilled person" to check financial crime compliance.
The Central Bank of the UAE is to compel all banks and other licensed financial institutions to carry out annual "skilled person" reviews of their financial crime compliance systems, as Andrew Pimlott & James Tebbs explain:
Worried about the continued threat to the global financial system from money laundering and other crimes, the UAE authorities have just revealed details of a significant measure designed to combat the problem. The Central Bank of the UAE (CBUAE) announced in March that it is requiring all banks and other financial institutions to appoint a "skilled person" from a professional services firm to conduct annual reviews on the effectiveness of their financial crime compliance programs.
The rationale is that even the largest and most sophisticated banks in the UAE – local and international – struggle to comply with the multitude of laws and regulations designed to prevent financial crime, which remains a global problem.
The Financial Action Task Force (FATF), the inter-governmental body that develops standards and policies to combat financial crime, says that despite the efforts of governments and private sector entities around the world the situation remains serious. "Criminal organizations are becoming more sophisticated and taking advantage of gaps in the system," says FATF in its 2022 report Partnering in the fight against financial crime.
The UAE's financial crime laws and regulations are based on FATF's standards. The introduction of the annual skilled person reviews will help the country's financial sector conform to international best practices. It follows a number of other initiatives taken by the UAE in recent years to deal with the problem, including guidelines issued in January for financial institutions to use digital identification systems to meet customer due diligence/know-your-customer obligations.
On the face of it, financial institutions could regard the skilled person measure as an onerous and expensive requirement. But in reality, it is already in use in other jurisdictions and has the added benefit of providing access to expertise where the right consultant is selected. It should also give them peace of mind by ensuring their financial crime controls are effective and regulatory compliant. Failing to comply can result in huge fines and damaged reputations.
Earlier this year, the CBUAE fined an unnamed finance company Dh1.8m ($490,129) for breaching the country's laws on anti-money laundering and counter-terrorism financing. In other countries, fines can run into billions of dollars, as we saw with the $7.2bn in fines imposed by the U.S. and several other countries on Goldman Sachs in 2020 for breaking money laundering rules, and BNP Paribas' $8.9bn fine from the U.S. Department of Justice in 2014 for violating U.S. sanctions.
The UAE's Skilled Person Reviews
The UAE's skilled person reviews should therefore be welcomed by institutions as a useful aid in helping them meet their compliance obligations. The "Annual Skilled Person Reviews of Financial Crime Compliance Programs," to give it its full name, will be run by the CBUAE's Financial Crime Supervision Department. The reviews will cover the country's regulations and international standards to counter money laundering (ML), terrorist financing (TF), and proliferation financing (PF – financing the proliferation of weapons of mass destruction). The reviews will also cover targeted financial sanctions (TFS), which are designed to prevent TF and PF.
The CBUAE has provided a list of six approved consultancy firms that can provide skilled persons to carry out the reviews. However, financial institutions will be able to use other consultants as long as they meet the right criteria and have the CBUAE's approval. They must complete the consultant selection process and notify the central bank by May 10. Once the CBUAE has given its approval, it will coordinate with the consultant and the financial institution on the review.
In creating these reviews, the UAE is following examples set in other countries, but going a lot further. Whereas the UK and Germany, for example, only require skilled person reviews to be conducted in rare circumstances where a firm is in obvious breach of regulations, the UAE will require reviews to be conducted on every financial institution every year. Reviews are costly for financial institutions in any country as they, not the regulator, have to pay.
The Review Process
The CBUAE has published a Review Requirements Document (RRD) which goes into detail, but a Frequently Asked Questions document summarizes the main points. For example, the review requirements may differ from institution to institution, with the CBUAE liaising with the consultant's skilled person on the precise requirements.
Where a consultant is not on the approved list, the institution must ensure it has "a well-established financial crime practice" with experience working with similar institutions in the UAE.
The CBUAE will engage with the consultant directly to discuss the scope of the review and will manage the reviews and the report. The financial institution is "not expected" to correspond with the consultant except when negotiating the initial contract.
It is clear, then, that the reviews will be conducted largely outside the control of the firm being reviewed. That is the intention. This level of external monitoring is designed to ensure that the institution's financial crime controls are adequate, meet international standards, and comply with domestic regulations. Mandatory annual skilled person reviews may seem onerous, but as well as protecting the financial system they reduce the likelihood of being fined.
The Consequences of Non-compliance
Fines and penalties for financial crime compliance failures can be huge and reputationally damaging. Financial Crime News, a UK company controlled by John Cusack, one of the world's most experienced experts in this field, who used to work for UBS and Standard Chartered Bank, recently published a report called Financial crime bank fines in the 21st century. "For better or worse, much of the world measures the success or lack of it in the fight against financial crime through the prism of reporting on ever larger fines and penalties handed out to the world's largest banks," stated the report.
It studied all 96 material fines (those above $10m) for Anti Money Laundering (AML) failings and sanctions violations since 2000, which were levied on 57 banks in 17 countries. The total value of those fines was $38.47bn – $21.47bn for AML and $16.9bn for sanctions – a yearly average of $1.7bn.
For AML compliance failings, the highest fines were $7.2bn imposed by several countries on Goldman Sachs in 2020 relating to its role in the corruption scandal involving Malaysia's sovereign wealth fund; $2.6bn imposed by the U.S. government on JP Morgan in 2014 for its role in Bernie Madoff's fraudulent investment scheme; and $1.9bn imposed by the U.S. authorities on HSBC in 2012 for its role in serving as a middleman for Mexican drug cartels.
For sanctions violations, the highest fines were $8.9bn levied by the U.S. Department of Justice on BNP Paribas in 2014 for illegally processing transactions in countries subject to sanctions; $1.45bn imposed by U.S. authorities on Commerzbank in 2015 for violating sanctions against businesses in Iran and Sudan; and $938m imposed by the U.S. on Standard Chartered Bank in 2019 for breaking sanctions against Iran.
UK Skilled Person Reviews Leading to Fines
In the UK, already this year two banks have been fined by the Financial Conduct Authority (FCA), in both cases following skilled person reviews. Al Rayan Bank, the UK subsidiary of a Qatar Islamic bank, was fined £4m for breaches of financial crime rules in the retail banking sector. The FCA imposed a skilled person requirement on Al Rayan in 2018 after detecting deficiencies in AML controls, and although this led to the bank making improvements it was fined and is still subject to business restrictions pending further improvements.
Guaranty Trust Bank, a subsidiary of Guaranty Trust Bank Nigeria, was fined £7.7m for breaches of financial crime rules in the wholesale banking sector. The FCA carried out a visit in 2017 and found weaknesses in its AML, sanctions, and terrorist financing systems and controls. A skilled person was appointed and in 2018 reported "a number of significant deficiencies with respect to GT Bank's AML systems and controls." The FCA placed restrictions on the bank's business in 2018, lifted them in 2021, and levied the fine this year.
It is not just lesser-known banks that have been found lacking by the UK authorities. Last year, the FCA fined Santander £107.8m and Barclays £783,800 for breaches of financial crime rules in the retail banking sector and corporate banking sector respectively.
The FCA and Prudential Regulation Authority (PRA) introduced skilled person reviews some years ago, under the Financial Services and Markets Act (FSMA), as amended by the 2012 Act. They can be used if the regulator is concerned about any aspect of a regulated firm's activities, not just financial crime controls. The way they are set up and operate is being followed by the UAE, except that in the UK they are used only occasionally whereas in the UAE annual reviews of financial crime compliance programs will be mandatory for every financial institution. For example, in the period July to October 2022, the FCA commissioned only 11 skilled person reports, and only two related to concerns about compliance with financial crime regulations. The others related to concerns about client assets, controls and risk management frameworks, and conduct of business.
How Should a UAE Financial Institution Prepare for a Review?
Although UAE institutions could regard skilled person reviews as "fishing exercises" by the authorities looking for errors to pounce on, in reality, they imply no wrong-doing or compliance failure since every institution will be subject to one every year. Yes, weaknesses in controls could be found by a review, but such an event could be regarded as a positive outcome because it would provide an opportunity for remedial action. However, it would be far better for an institution to identify any problems before the review takes place.
So, although the first obvious step for a financial institution is to appoint a consultant to provide a skilled person, it is just as important to undertake an internal health check of its financial crime compliance program before the skilled person starts. The aim is to spot any vulnerabilities in advance and remedy them quickly. Because, as with any ailing system, prevention is better than cure.