Indian banking fines: the wider impact
The Reserve Bank of India (RBI) imposed financial penalties on 13 banks in India for lapses in know your customer (KYC) management and violating the Foreign Exchange Management Act (FEMA). The financial penalties totalled 270 million Indian rupees (approximately £3.06 million). The penalised banks and their respective penalties were:
*As at July 29, 2016, 1 GBP is equivalent to approximately 88 INR and $1 is equivalent to approximately $67.
Aside from imposing financial penalties on these 13 banks, the RBI advised eight other banks to "put in place appropriate measures and review them from time to time" to ensure ongoing KYC and FEMA compliance.
The RBI's enforcement action arose out of a review into 21 banks in October and November 2015 based on 'inputs received from a public sector bank'. The RBI examined the effectiveness of the banks' systems and processes for the implementation of KYC/AML standards. Based on the findings of its review, the RBI issued a "show cause" notice to all the 21 banks that were found to have weaknesses in their internal control systems, management oversight and violation of RBI guidelines.
In arriving at its final decision, the RBI considered written and oral submissions including documentary evidence submitted by the 21 banks. The 13 banks that were penalised were found to have violations of a serious nature and deemed to have failed to take timely remedial measures.
What does this mean for UK firms?
The 13 banks that were penalised are all headquartered in India. Some, as a result of their UK operations are also regulated by the Financial Conduct Authority (FCA). We do not know at this stage whether, following the RBI's enforcement action, the FCA will take any action against the banks under its supervision.
In issuing the financial penalties, the RBI cautioned that the enforcement action was "based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank and its customers." While there is no need to revisit any transactions with the 13 banks or their customers, it would be prudent for firms to carry out a fresh risk assessment of their relationships with these banks, especially if they are correspondent banking clients.
Correspondent banking is defined in the UK's Joint Money Laundering Steering Group (JMLSG) Guidance as the provision of banking services by one bank (the correspondent) to an overseas bank (the 'respondent') to enable the respondent to provide its own customers with cross-border products and services that it cannot provide them with itself, typically due to a lack of an international network.
Weak customer due diligence (CDD) of respondent banks increases the likelihood of financial crime risk being introduced into the UK through correspondent banking. The FCA has long alerted firms of their duty to combat money laundering arising out of correspondent banking services provided here in the UK.
Current KYC norms in correspondent banking include due diligence on respondent banks carried out by correspondent banks. This includes deeper monitoring by the correspondent bank of the underlying correspondent banking transactions and possibly the identities of the originator and final beneficiary. This approach is informally referred to as "know your customer's customer" (or KYCC).
Guidance from the UK's Financial Conduct Authority states that when carrying out an assessment of respondent banks, correspondent banks should consider risk indicators both at the start of a relationship and on a continuing basis after that to determine the level of due diligence required.
The FCA expects firms to use an ongoing risk-based approach to identify respondent banks which pose high AML risk and has stressed that failing to assess new information gathered during continuing monitoring of relationships will be deemed poor practice.
New information includes notices of enforcement action by overseas regulators. The FCA has emphasised that firms should use publicly available information from relevant national governmental and non-governmental bodies, among various other sources of information, in assessing the risks posed by respondent banks.
Notices of overseas enforcement action can often go ignored because firms take the view that the enforcement action relates to a local regulatory issue and does not apply to them because they do not operate in that particular jurisdiction.
A study of AML and KYC violations identified by overseas regulators however should be a crucial component of any firm's compliance toolkit, particularly if they provide correspondent banking services to overseas banks.
All correspondent banking relationships with respondent banks must be subject to an appropriate level of due diligence. Firms should regularly assess a respondent bank's approach to CDD and ongoing monitoring systems and controls. Review periods should be driven by the risk rating of a particular relationship with high risk relationships reviewed more frequently. Correspondent banking relationships should be re-assessed when new information that changes the risk-profile of respondent banks surfaces.
When respondent banks have been subject to overseas enforcement action for KYC and AML enforcement, it would be prudent to carry out enhanced due diligence (EDD) on correspondent banking relationships with such banks. New risk categorisations should be assigned to ensure that the risk assessment for a particular respondent bank remains current. The FCA expects firms to consider AML concerns in relation to correspondent banking relationships thoroughly and exit relationships which give rise to unacceptable AML risk.
Aside from the RBI enforcement action discussed above, authorities in Singapore, Spain, Hong Kong, Philippines and Italy, to name a few, have within the last year taken action against banks for KYC and AML concerns, naming individual banks in their enforcement notices.
Compliance professionals should check whether their firms have correspondent banking relationships with such banks, reassess those relationships and exit the ones which pose high risk as part of an ongoing risk-based compliance function.
*As at July 29, 2016, 1 GBP is equivalent to approximately 88 INR and $1 is equivalent to approximately $67.
Aside from imposing financial penalties on these 13 banks, the RBI advised eight other banks to "put in place appropriate measures and review them from time to time" to ensure ongoing KYC and FEMA compliance.
The RBI's enforcement action arose out of a review into 21 banks in October and November 2015 based on 'inputs received from a public sector bank'. The RBI examined the effectiveness of the banks' systems and processes for the implementation of KYC/AML standards. Based on the findings of its review, the RBI issued a "show cause" notice to all the 21 banks that were found to have weaknesses in their internal control systems, management oversight and violation of RBI guidelines.
In arriving at its final decision, the RBI considered written and oral submissions including documentary evidence submitted by the 21 banks. The 13 banks that were penalised were found to have violations of a serious nature and deemed to have failed to take timely remedial measures.
What does this mean for UK firms?
The 13 banks that were penalised are all headquartered in India. Some, as a result of their UK operations are also regulated by the Financial Conduct Authority (FCA). We do not know at this stage whether, following the RBI's enforcement action, the FCA will take any action against the banks under its supervision.
In issuing the financial penalties, the RBI cautioned that the enforcement action was "based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank and its customers." While there is no need to revisit any transactions with the 13 banks or their customers, it would be prudent for firms to carry out a fresh risk assessment of their relationships with these banks, especially if they are correspondent banking clients.
Correspondent banking is defined in the UK's Joint Money Laundering Steering Group (JMLSG) Guidance as the provision of banking services by one bank (the correspondent) to an overseas bank (the 'respondent') to enable the respondent to provide its own customers with cross-border products and services that it cannot provide them with itself, typically due to a lack of an international network.
Weak customer due diligence (CDD) of respondent banks increases the likelihood of financial crime risk being introduced into the UK through correspondent banking. The FCA has long alerted firms of their duty to combat money laundering arising out of correspondent banking services provided here in the UK.
Current KYC norms in correspondent banking include due diligence on respondent banks carried out by correspondent banks. This includes deeper monitoring by the correspondent bank of the underlying correspondent banking transactions and possibly the identities of the originator and final beneficiary. This approach is informally referred to as "know your customer's customer" (or KYCC).
Guidance from the UK's Financial Conduct Authority states that when carrying out an assessment of respondent banks, correspondent banks should consider risk indicators both at the start of a relationship and on a continuing basis after that to determine the level of due diligence required.
The FCA expects firms to use an ongoing risk-based approach to identify respondent banks which pose high AML risk and has stressed that failing to assess new information gathered during continuing monitoring of relationships will be deemed poor practice.
New information includes notices of enforcement action by overseas regulators. The FCA has emphasised that firms should use publicly available information from relevant national governmental and non-governmental bodies, among various other sources of information, in assessing the risks posed by respondent banks.
Notices of overseas enforcement action can often go ignored because firms take the view that the enforcement action relates to a local regulatory issue and does not apply to them because they do not operate in that particular jurisdiction.
A study of AML and KYC violations identified by overseas regulators however should be a crucial component of any firm's compliance toolkit, particularly if they provide correspondent banking services to overseas banks.
All correspondent banking relationships with respondent banks must be subject to an appropriate level of due diligence. Firms should regularly assess a respondent bank's approach to CDD and ongoing monitoring systems and controls. Review periods should be driven by the risk rating of a particular relationship with high risk relationships reviewed more frequently. Correspondent banking relationships should be re-assessed when new information that changes the risk-profile of respondent banks surfaces.
When respondent banks have been subject to overseas enforcement action for KYC and AML enforcement, it would be prudent to carry out enhanced due diligence (EDD) on correspondent banking relationships with such banks. New risk categorisations should be assigned to ensure that the risk assessment for a particular respondent bank remains current. The FCA expects firms to consider AML concerns in relation to correspondent banking relationships thoroughly and exit relationships which give rise to unacceptable AML risk.
Aside from the RBI enforcement action discussed above, authorities in Singapore, Spain, Hong Kong, Philippines and Italy, to name a few, have within the last year taken action against banks for KYC and AML concerns, naming individual banks in their enforcement notices.
Compliance professionals should check whether their firms have correspondent banking relationships with such banks, reassess those relationships and exit the ones which pose high risk as part of an ongoing risk-based compliance function.
Saqib Alam is an associate based in the London office of Debevoise & Plimpton LLP. Mr. Alam is a member of the firm’s white collar and regulatory defence group. The views expressed are his own.