In a rare decision on the Money Laundering (Jersey) Order 2008 (MLO) the Royal Court (Court) has underscored the critical importance of firms establishing and maintaining effective anti-money laundering (AML) policies and procedures. In imposing a £475,000 fine, the Court also made clear that the focus is on risk of harm, and not whether that risk goes on to crystallise.
The case involved an international bank (the Bank) with a substantial presence in the Middle East, and an overall profit after tax in 2018 of approximately £1 billion.
The prosecution's focus was on the Bank's conduct between 29 July 2013 and 5 February 2019. In that period, the Bank did not offer retail banking in Jersey, and had between five and nine Jersey-based employees only. Further, the Bank's main office dealt with (amongst other things) relationship management, the maintenance of customer accounts and processing of customer transactions. As the Court noted, the Jersey branch "was not, therefore, in terms of its size, a substantial operation".
There was effectively no limit on the amount of cash that a Jersey customer could withdraw over the counter in the UAE, but increasingly senior sign-off was required as the value of the transaction increased. The Bank could review and monitor those transactions in two ways:
- The first was manual. It involved Branch employees viewing reports sent from the UAE relating to the previous day’s transactions. Internal policy required that any transaction above £25,000 be identified and reviewed for suspicious activity, comparing it against the expected activity on the account. The Branch employee was expected to contact the Bank's head office if further explanation was required.
- The Branch also had an automated system, which flagged suspicious or unusually large transactions for review. This unit conducted its work in the UAE, but they were required to re-assign alerts involving activity taking place in the customers’ Jersey accounts to Compliance. However, the Court saw no evidence this happened in this case (and noted UAE employees could clear the alerts without notifying Jersey colleagues).
It is notable that the prosecution focused on only two customers:
- Following the opening of Mr A's account, account activity was initially as expected. However, the activity changed: there was a pattern of transfers between onshore and offshore accounts that were withdrawn in cash for no obvious reason. It is not clear that the Bank investigated this change, or the substantial number of cash withdrawals. On an occasion when an employee queried a withdrawal with head office, no action was taken following head office's unsatisfactory response.
- Mr B has had difficulty communicating from January 2015 due to health issues (of which the Bank did not become aware for some time). However, the activity on his accounts changed from that date: substantial amounts of payments out took place, again with no apparent explanation. The Court gave as an example the transfer in to Mr B’s cash settlement account of US$200,000 in September 2018, with the Bank failing to prevent the withdrawal the next day of US$220,000 in cash.
As regards these two customers, the Court formed the view that "little if any effective monitoring was carried out by the Bank in either of these matters, unsatisfactory explanations were accepted or not acted upon, and even when certain transactions were being investigated or considered, the Bank permitted further transactions to take place. Both of the accounts in question changed in their mode of operation from the expectation set out when they were set up".
The Court held that the Bank "failed to maintain appropriate and consistent policies and procedures relating to customer due diligence measures and risk assessment and management in respect of bank accounts in the names of … Mr A and Mr B".
The defence sought to argue in mitigation that this was not a case concerning a systemic breach, but related to only two customers. However, the Court's view on the evidence before it was that, whilst the Bank had AML policies and procedures in place, "they were inadequate and inconsistently applied and therefore to a substantial effect ineffective".
The defence also sought to argue that "this was a policies and procedures offence and not an offence of money laundering". Unsurprisingly, this found no sympathy with the Court – its response is worth noting in full:
"We accept that this is, as said by the defence, a “policies and procedures” offence. That does not in our view mean that it is not serious. The importance of having effective consistent policies and procedures to combat money-laundering cannot be overstated. It should be obvious that if a financial institution does not have those procedures, the fact that it is not as a direct result assisting the laundering of money is a matter more of luck than judgment. The absence of such effective procedures means that money can and inevitably at some point will, be laundered through the financial system. That will be injurious to this Island’s reputation as a finance centre with proper and effective standards of financial conduct and probity and would injuriously affect the finance industry, and hence the Island as a whole."
The Court also stated that the fact that "the amounts involved were relatively modest compared to money flows in the finance industry" is again a matter of luck, and so not a mitigating factor.
In determining the level of the fine, the Court drew on the principles behind the UK FCA's approach to setting financial penalties in regulatory matters, namely:
- seeking to deprive the firm being sanctioned of any financial benefit;
- identifying a figure that represents the seriousness of the breach;
- allowing for any aggravating or mitigating factors; and
- adjusting to reflect the importance of deterrence.
The Court decided that the starting point for the fine in this case was £800,000, reflecting the seriousness of the offence and the Bank's financial substance. After a deduction for a guilty plea and other mitigation (such as co-operation), the Court imposed a £475,000 fine and £25,000 costs order.
This is an important judgment. The Court has made clear the high expectation on firms to ensure they are fully compliant with Jersey's AML regime, and that there is a low tolerance for failure.
The Court went out of its way to make clear (quite rightly) that firms ensure that they establish, implement and maintain effective AML policies and procedures – i.e. both on paper and in practice. It is important that firms understand that the focus of the regulatory regime is on mitigating risk: that harm does not in fact crystallise in a given case is of (at best) secondary importance.
This judgment should prompt all firms to review their AML policies and procedures as a matter of priority, to ensure they satisfy the MLO. However, firms must go further: they must satisfy themselves that in practice those policies and procedures are implemented effectively. Issues that firms will wish to consider include:
- The sufficiency and expertise of their Compliance resource.
- Whether they have identified (and mitigated) the AML risks to which their business is exposed.
- That the MLCO and MLRO have sufficient resources, expertise and authority within the firm to perform their roles.
- The adequacy of their AML governance arrangements. For example, does the Board receive adequate and timely MI to conduct its oversight function?
In imposing this substantial fine, the Court made clear that it was giving "the appropriate signal to the financial services industry of the seriousness with which the Court approaches matters of this nature". The cost to any firm that fails to heed that signal will be high.