Regulators around the world are showing a sustained increase in their willingness to take action against both traditional retail banks and newer market entrants for anti-money laundering (AML) failures.
In UAE earlier this year, Wise Nuqud Ltd, a subsidiary of UK-listed money transfer services provider Wise, found this out the hard way when Abu Dhabi Global Market’s Financial Services Regulatory Authority (FSRA) imposed a penalty of US$360,000 for AML-related failings (see boxout).The case holds a number of lessons around enhanced due diligence (EDD) that other companies subject to AML regulation would do well to bear in mind if they are not to fall foul of regulators.
Where customers are assessed as high risk and therefore subject to enhanced due diligence, this should involve identifying and verifying the source of funds and source of wealth for each customer, prior to undertaking any transactions for them.
This requirement cannot be offset or avoided by introducing volume-based payment thresholds or other risk controls as a ‘hurdle’ to be cleared before enhanced due diligence will be undertaken.
Where it is appropriate to introduce volume-based thresholds in a different context, those thresholds should be set at an appropriate level. If the threshold is set too high compared to the average transaction value, it would rarely be triggered in practice and would not therefore serve as an effective risk mitigant.
Thresholds should also be set taking into consideration the information gathered during the client due diligence process, which should be sufficient to calibrate expectations as to what volume and value of transactions would be expected in light of the intended nature of the customer relationship.
With any high risk customer, source of wealth and funds should be identified and verified before any transactions are undertaken
No excuses
Allowing transactions to be funded only through regulated bank accounts and debit cards, and not allowing customers to maintain account balances, are effective risk mitigants but do not excuse the breaching of applicable rules. Where rules impose an absolute requirement, such as conducting enhanced due diligence prior to undertaking transactions, that requirement must be met regardless of how well the consequences of breaching it might be mitigated by other measures.
While it can be permissible for senior management to outsource or delegate decisions on whether to accept high-risk customers, adequate governance of that arrangement must be in place and the approval must be obtained before the business relationship is commenced. Adequate governance will usually be lacking in the absence of a clear, written agreement that specifically covers the delegated actions.
It should also be remembered that delegation of a role does not amount to the abdication of responsibility. Having clear, recorded and monitored boundaries to the role(s) outsourced is critical.
Where rules specifically require the nationality of customers to be factored into the risk assessment process, considering similar information will not excuse a failure to meet that requirement.
The FSRA’s AML rules, for example, explicitly require the nationality of a customer and any beneficial owners to be identified and assessed when undertaking a risk-based assessment of that customer. Limiting assessment to a customer’s residence, address and IP location, while mitigating the risk somewhat, is not sufficient.
Where Wise Nuqud went wrong
The primary business of Wise (formerly known as TransferWise) is the provision of cross-border money transfers for personal and small business customers. The FSRA determined that its UAE subsidiary, Wise Nuqud Ltd, had failed to establish and maintain adequate AML policies, procedures, systems and controls to ensure compliance with AML regulations.
Wise was found to have breached the requirement to complete enhanced due diligence on some 1,532 assessed high-risk customers, prior to allowing them to conduct transactions.
It was also found to have failed to obtain senior management approval before onboarding high-risk customers (as a result of inadequate delegation arrangements); failed to assess or consider customers’ nationality in the due diligence process; and failed to obtain and assess expected transaction volumes when establishing customer relationships.
