Final Notice

On , the Financial Conduct Authority issued a Final Notice to Canara Bank

1

FINAL NOTICE

1.
ACTION

1.1.
For the reasons given in this Notice, the Financial Conduct Authority (“the

Authority”) hereby imposes on Canara Bank (”Canara”):

(1)
a financial penalty of £896,100; and

(2)
a restriction in terms that for a period of 147 days from the date of this

Final Notice, in respect of its regulated activities only, Canara shall not

accept deposits from customers who do not already hold a deposit account

with Canara at the date of the Final Notice.

1.2.
Canara agreed to settle at an early stage of the Authority’s investigation. Canara

therefore qualified for a 30% (Stage 1) discount under the Authority’s executive

settlement procedures. Were it not for this discount, the Authority would have

imposed on Canara:

(1)
a financial penalty of £1,280,175; and

2

(2)
a restriction in the terms outlined at paragraph 1.1(2) above of 210 days.

2.
SUMMARY OF REASONS

2.1.
Since 1 April 2013 the Authority has the operational objective of protecting and

enhancing the integrity of the UK financial system. Before that, the Authority had

the regulatory objective of maintaining confidence in the financial system.

Financial services firms are at risk of being abused by those seeking to launder

the proceeds of crime or to finance terrorism which undermines the integrity of

the UK financial services sector.

2.2.
In order to mitigate such risks, UK firms are required to implement appropriate

risk-based AML systems and controls and to comply with the legal obligations of

the Money Laundering Regulations 2007 (“the ML Regulations”). In this regard,

the Authority expects firms and its senior management to ensure that adequate

AML policies and procedures are in place and are operating effectively. Firms that

do not put in place robust and effective AML systems are not only exposed to the

risk of financial crime but may also have an unfair competitive advantage over

firms that are compliant, both because they save the costs involved in

implementing such systems and because they may attract customers who do not

wish to undergo the required customer due diligence (“CDD”) and enhanced due

diligence (“EDD”) checks.

2.3.
In order to fill senior management positions in the UK, Canara seconds staff from

its Head Office in India initially for a three year period. The Authority notes that

extensions to this initial time period are considered by Canara as needed. Whilst

the Authority does not prevent firms from doing so, in this case the Authority

considers that this practice has been a contributing factor to the significant

failings outlined in this Notice. This is because, as a result of this practice, some

of the individuals in question have lacked the necessary understanding of

applicable UK legal and regulatory AML requirements. This has resulted in the

consistent failure to implement adequate AML systems and controls throughout

Canara.

2.4.
In November 2012 and March 2013, Canara was visited by the Authority as part

of the Trade Finance Thematic Project (“the 2012/2013 visit”). The visit included

an assessment of the adequacy of Canara’s AML systems and controls in relation

to Canara’s trade finance operations. Following the visit, the Authority notified

Canara of a number of serious weaknesses in its AML systems and controls. As

such, Canara was on notice of the Authority’s concerns from that time. Canara

3

confirmed to the Authority after the visit that it had taken steps to remedy the

weaknesses identified.

2.5.
Canara was visited again, two years later, in April 2015 (“the 2015 visit”) as part

of the Authority’s pro-active AML programme which reviewed and tested the

adequacy of the systems and controls in place to manage the AML and sanctions

risk at Canara. During this visit it became apparent that remedial action taken by

Canara to rectify the issues originally identified in 2012 and 2013 was insufficient

and the visit demonstrated that Canara had failed to test the implementation and

effectiveness of the steps taken. Furthermore, additional significant weaknesses

in Canara’s AML and sanctions systems and controls were also identified by the

Authority, including a failure to embed a culture of compliance with regulatory

requirements throughout the firm.

2.6.
As a result of the lack of remedial action taken by Canara to address the control

gaps identified on the 2012/2013 visit and the additional serious failings identified

on the 2015 visit, a Skilled Person was appointed by the PRA on 30 September

2015, to carry out an assessment which was to include an “FCA element”

covering the adequacy and effectiveness of Canara’s AML and financial sanctions

systems and controls and other matters.

2.7.
The Skilled Person’s final report, dated 29 January 2016, highlighted a number of

significant deficiencies with respect to Canara’s AML systems and controls, the

oversight and monitoring of those controls and the general governance of

Canara’s risk control framework, including that:

(1)
Canara’s
organisational
and
corporate
governance
structure
and

arrangements were not adequately designed or effective;

(2)
Canara’s compliance and AML systems and controls were not appropriately

designed and its AML risk management and governance framework was

not fit for purpose; and

(3)
there was a lack of understanding of AML risk profile, a lack of monitoring

of AML risks and controls, an inability to identify or flag unusual

transactions and an inability to recognise PEPs.

2.8.
Between 26 November 2012 to 29 January 2016 (the “relevant period”), Canara

failed to implement adequate AML systems and controls and failed to rectify

identified weaknesses in its AML systems and controls. These failings were

endemic throughout Canara’s UK operations, affecting almost all aspects of its

business and suggested that Canara may not be fit and proper. Such weaknesses

potentially undermine the integrity of the UK financial system by significantly

increasing the risk that Canara could be used for the purposes of domestic and

international money laundering, terrorist financing and those seeking to evade

taxation or the implementation of sanction requirements.

2.9.
In particular, by failing to take reasonable care to manage its AML risks and

compliance in accordance with applicable regulatory and legal AML requirements,

including the failure to conduct timely and adequate remediation of weaknesses

identified by the Authority during the 2012/2013 visit and the continuation of

these inadequacies during the 2015 visit, Canara has breached Principle 3 during

the relevant period.

2.10. In light of the above failings the Authority hereby imposes a financial penalty on

Canara of £896,100 pursuant to section 206 of the Act. The Authority also,

pursuant to section 206A of the Act, imposes a restriction for a period of 147

days, that, in respect of its regulated activities only, it shall not accept deposits

from customers who do not already hold a deposit account with Canara at the

date of the Final Notice.

2.11. The Authority believes that imposing a restriction, in addition to a financial

penalty, will be a more effective and persuasive deterrent than a financial penalty

alone. The imposition of a restriction is appropriate because it will demonstrate

to firms that fail to address deficiencies in their AML systems and controls that

the Authority will take disciplinary action to suspend and/or restrict the firm’s

regulated activities.

2.12. The Authority acknowledges:

(1)
Canara has invested significant resource in improving its AML systems and

controls and compliance oversight, including appointing a new MLRO who

has previous AML experience, increasing the training for new senior

managers from India and retaining the services of external consultants to

assist in the remediation work;

(2)
the Skilled Person's report dated 13 April 2018 reflects that Canara has

designed and embedded enhanced systems and controls to remediate the

gaps identified by the Authority, the Skilled Person and the SYSC

Compliance Reviewer. The report also included some additional procedural

enhancements that can be made by Canara; and

5

(3)
Senior management at Canara have fully co-operated and engaged with

the Authority’s investigation.

3.
DEFINITIONS

3.1.
The definitions below are used in this Final Notice.

“the 2011 Thematic Review” means the FSA Banks’ management of high money-

laundering risk situations, Report published in June 2011;

“the 2012/2013 Visit” means the visits by the Authority to Canara in November

2012 and March 2013 in relation to the Trade Finance Thematic Project;

“the 2014 Thematic Review” means the Authority’s publication entitled “How

small banks manage money laundering and sanctions risk – Update, Thematic

Review” published in November 2014;

“the 2015 Visit” means the visit by the Authority to Canara in April 2015 in

relation to PAMLP;

“the Act” means the Financial Services and Markets Act 2000;

“AML” means anti-money laundering;

“the Authority” means the body corporate previously known as the Financial

Services Authority and renamed on 1 April 2013 as the Financial Conduct

Authority;

“Canara” means Canara Bank’s branch in London, UK;

“Canara’s AML Manual 2014” means Canara Bank – UK Operations: Anti Money

Laundering and Counter Terrorist Financing Manual, dated November 2014;

“Canara’s AML Manual 2015” means Canara Bank – UK Operations: Anti Money

Laundering and Counter Terrorist Financing Manual, dated August 2015;

“CDD” means customer due diligence measures, the measures a firm must take

to identify its customer and to obtain information on the purpose and intended

nature of the business relationship, as outlined in Regulation 5 of the ML

Regulations;

“Concurrent Audit” means the monthly internal check of the transactions and

other verifications, and compliance with Canara’s procedures carried out by the

Internal Auditors using a checklist provided by Canara;

6

“DEPP” means the Authority’s Decision Procedure and Penalties Manual;

“EDD” means enhanced due diligence, the measures a firm must take in certain

situations, as outlined in Regulation 14 of the ML Regulations;

“the Handbook” means the Authority’s Handbook of rules and guidance;

“Internal Auditors” means the external firms appointed by Canara to conduct
‘Concurrent Audits’ during the relevant period;

“JMLSG” means the Joint Money Laundering Steering Group, a group made up of

the leading UK trade associations in the financial services industry with the aim of

promulgating good practice in countering money laundering;

“the ML Regulations” means the Money Laundering Regulations 2007, which came

into force on 15 December 2007, and were superseded for behaviour commencing

after 26 June 2017 by the Money Laundering, Terrorist Finance and Transfer of

Funds (Information on the Payer) Regulations 2017;

“MLRO” means the Money Laundering Reporting Officer;

“PAMLP” means the Authority’s pro-active anti-money laundering programme;

“PEP” means a politically exposed person, as defined in Regulation 14(5) of the

ML Regulations;

“Principle” means one of the Authority’s Principles for Businesses;

“PRA” means Prudential Regulation Authority;

“PRA Attestation” means the attestation expected by the PRA in 2015 to be made

by non-EEA branches operating in the UK and described in paragraph [4.20];

“relevant period” means the period from 26 November 2012 to 29 January 2016

inclusive, unless otherwise indicated;

“SAR” means suspicious activity report, a report of suspected money laundering

to be made by any employee to the MLRO, as required by Part 7 of the Proceeds

of Crime Act 2002;

“the Senior Managers and Certification Regime” means the approval regime for

individuals that replaced the Authority’s Approved Persons regime in March 2016;

“the Skilled Person” means the skilled person appointed on 30 September 2015

pursuant to s.166 of the Act to assess and report upon Canara’s AML processes;

7

“the Skilled Person’s report” means the final report produced by the skilled person

on 29 January 2016;

“SUP” means the part of the Handbook entitled “Supervision”;

“SYSC” means the part of the Handbook entitled “Senior Management

Arrangements, Systems and Controls”;

“SYSC
Compliance
Review
Findings
Report”
means
the
report
dated

21 September 2015 produced by the SYSC Compliance Reviewer regarding

Canara’s compliance with SYSC and its work in relation to the PRA Attestation;

“SYSC Compliance Review” means the review conducted by the SYSC Compliance

Reviewer resulting in the SYSC Compliance Review Findings Report;

“the SYSC Compliance Reviewer” means the independent consultant engaged by

Canara to conduct the SYSC Compliance Review;

“the Tribunal” means the Upper Tribunal (Tax and Chancery Chamber); and

“World-Check” refers to a third-party database of Politically Exposed Persons

(PEPs) and heightened risk individuals and organisations, which is used by firms

to help to identify and manage financial, regulatory and reputational risk.

4.
FACTS AND MATTERS

4.1.
Canara is the UK branch of the Indian state owned bank of the same name,

headquartered in Bangalore, India. It has two branches in the UK in London and

Leicester.

4.2.
Canara’s UK customer base is relatively small. During the relevant period, Canara

had the following numbers of customers:

Period
Customers


liability products

Customers


asset products

Total customers

November 2012 to

April
2013
to

April
2014
to

April
2015
to

4.3.
Throughout the relevant period, Canara offered a wide range of regulated and

unregulated financial products and services in the UK including current accounts,

term deposits, remittances and corporate banking services.

Overview of AML legal and regulatory obligations

4.4.
Fighting financial crime is an issue of international importance and there has been

a regime in respect of AML in place in the UK since 1993. Authorised firms play a

key role in the UK’s fight against financial crime and must have in place effective,

proportionate and risk-based systems and controls to mitigate the risk of their

businesses being used for financial crime. The importance of firms’ systems and

controls in preventing financial crime has featured as one of the Authority’s

priorities in its Business Plans throughout the relevant period.

4.5.
Authorised firms are required by the ML Regulations and by the Authority’s Rules

to put in place policies and procedures to prevent and detect money laundering.

These include systems and controls to identify, assess and monitor money

laundering risk as well as conducting CDD, EDD and ongoing monitoring of both

business relationships and transactions to manage the risks identified.

4.6.
Firms have access to considerable guidance on how to comply with their duties.

Since 2011 the Authority has published guidance on the steps that firms should

take to reduce their financial crime risk together with examples of good and bad

practice.

4.7.
Since 1990, the JMLSG has published detailed written guidance on AML controls,

with the aim of promulgating good practice in countering money laundering and

giving practical assistance in interpreting the ML Regulations, regulatory

requirements in the Authority’s Handbook and evolving practice within the

financial services industry.

4.8.
Firms that do not put in place robust and effective AML systems may have an

unfair competitive advantage over firms that are compliant, both because they

save the costs involved in implementing such systems and because they may

attract customers who do not wish to undergo the required CDD and EDD checks.

Previous Assessments of Canara’s AML systems and controls

The 2012/2013 Visit

4.9.
In November 2012 and March 2013, Canara was visited by the Authority as part

of the Trade Finance Thematic Project. The visit formed part of a wider industry

review to assess the adequacy of controls designed to contain the risks of money

laundering, terrorist financing and sanctions breaches in regulated banks’ trade

finance operations.

4.10. Detailed written feedback was provided to Canara on 25 April 2013 by the

Authority in relation to failings in the trade finance business’ systems and

controls. The Authority found that:

(1)
there was limited evidence to suggest that money laundering risks were

being taken into account when processing trade finance transactions;

(2)
there was no evidence that risk assessments or sanctions checks had been

carried out for trade finance customers; and

(3)
there was limited evidence that trade based money laundering risks were

being considered and/or documented.

4.11. The Authority asked Canara to set out the action it proposed to take to remedy

the findings and specifically recommended that Canara should:

(1)
conduct a risk assessment remediation exercise for all clients, ensuring

money laundering risk considerations were taken into account;

(2)
confirm that sanctions checks were conducted for all relevant parties to a

transaction and ensure that details of any potential matches were kept in

the files;

(3)
evidence in the files where AML red flags had been considered and the

rationale for proceeding with a transaction where red flags were prevalent;

(4)
use open source research such as the EU list for dual use goods, websites

for conducting PEP checks, tracking shipping vessels and checking for

forged documents;

(5)
seek clarification, where appropriate, and request from customers a more

detailed description of the type of goods for which Canara was facilitating

payment; and

(6)
make it clear which staff were signing off on transactions.

4.12. These findings and recommendations, together with the Authority’s guidance

available at the time, should have alerted Canara to the need to ensure AML was

a main focus throughout its business and to ensure that compliance with UK legal

and regulatory requirements was prioritised.

4.13. On 22 May 2013, Canara wrote to the Authority and confirmed that it had taken

remedial action in relation to all of the above points. In particular, Canara

confirmed that any customer on-boarded since July 2012 had been given an

appropriate risk rating which was to be re-assessed after six months and that a

remediation exercise to risk rate all existing customers on-boarded prior to July

2012 was in progress.

The 2015 Visit

4.14. As part of the Authority’s supervision strategy, Canara was selected to take part

in the Authority’s PAMLP programme of visits. The Authority visited Canara in

April 2015 and the review included the assessment and testing of the adequacy of

the systems and controls in place to manage the AML and sanctions risks at

Canara.

4.15. Notwithstanding the remedial action Canara stated it had taken following the

2012/2013 visit, the Authority identified serious weaknesses in Canara’s AML

systems and controls. During a closing meeting on 9 April 2015, Canara’s

representatives agreed with all of the Authority’s findings. The Authority wrote to

Canara on 28 May 2015 to follow this up, setting out further detail and examples

of the failings identified. The Authority found that:

(1)
there was no evidence that AML risks were being taken into account and

managed at any level within Canara;

(2)
there was an ineffective three lines of defence model including:

(a)
AML and Sanctions considerations and tasks did not sit with front

line staff, whose remit was purely operational;

(b)
Senior management were unable to articulate the level of

understanding expected of requirements in relation to AML; and

(c)
a reliance on monthly audits conducted by an external firm which

followed a checklist approach and did not include testing of financial

crime systems and controls;

(3)
there was a failure to implement adequate AML controls in relation to

identifying higher risk customers, conducting EDD on higher risk

customers and conducting enhanced on-going monitoring for these

accounts;

(4)
the file testing conducted by the Authority highlighted a number of

significant control gaps including a failure to implement a documented

customer risk assessment, inconsistent quality of customer screening, a

lack of on-going monitoring, limited evidence of transaction monitoring

and inadequate consideration of unusual transactional activity;

(5)
there was no evidence that money laundering risks or adverse media

related to its customers were considered by senior management of Canara

during the on-boarding process or subsequently, even when identified;

(6)
AML/Financial Crime training had not been provided to Canara staff since

2012; and

(7)
there was an overall lack of an effective risk management framework for

AML and sanctions at Canara.

4.16. The Authority also noted that there had been a lack of remediation of the findings

from the 2012/2013 visit. In particular, Canara’s letter dated 22 May 2013

addressed to the Authority stated that all its existing customers on boarded prior

to July 2012 were being risk rated as a remedial exercise taking into account all

account activities and trading profiles. Almost two years later, the Authority

found, however, that this remedial exercise had not been completed.

4.17. As a result of these findings, the Authority informed Canara that it required a

skilled person be appointed under s.166 of the Act to report on the adequacy of

Canara’s AML and sanctions systems and controls. The Skilled Person was

ultimately appointed by the PRA on 30 September 2015, and incorporated those

elements into its review.

4.18. On 1 June 2015, Canara wrote to the Authority acknowledging the feedback letter

dated 28 May 2015 and stating that immediate corrective action would be taken

in order to comply with regulatory requirements. The letter also noted that the

Authority’s concerns had been escalated to Canara’s Head Office and confirmed

that Canara had taken the following steps:

(1)
it had formed an AML Committee which was now operational;

(2)
a staff training session had been conducted by an external training

provider on AML and combating terrorist finance;

(3)
it had modified its risk rating matrix and account review documents having

consulted with other banks in the UK;

(4)
it had installed the World-Check database for CDD, PEPs and sanctions

checking; and

(5)
account opening forms had been modified.

4.19. On 12 June 2015, Canara wrote to the Authority confirming that the Authority’s

request that all previously identified controllers/beneficiaries for Canara corporate

customers were screened against sanction lists had been completed.

SYSC Compliance review

4.20. In September 2014, the PRA published “SS10/14 – Supervising international

banks: The Prudential Regulation Authority’s approach to branch supervision”

which set out a new expectation for non-EEA branches in the UK to provide the

PRA with an attestation of compliance with SYSC.

4.21. Canara submitted its first PRA Attestation to the PRA on 31 March 2015.

4.22. Following that, in July 2015, Canara engaged the SYSC Compliance Reviewer to

conduct an independent review of the work completed by Canara leading to its

PRA Attestation and to advise Canara on any remedial steps necessary to ensure

its compliance with the requirements of SYSC.

4.23. The SYSC Compliance Findings Report was produced on 21 September 2015 and

identified a number of areas for remedial action in order for Canara to become

fully SYSC compliant, including, but not limited to, the following concerns:

(1)
there was insufficient evidence to demonstrate the existence of an

appropriately designed control framework as there was no Risk

Management Framework in place;

(2)
Canara relied on its Internal Auditors for independent audit assurance but

the Concurrent Audits did not test compliance with UK regulatory

requirements;

(3)
Canara did not have a compliance manual in place and its limited

compliance monitoring framework was insufficient;

(4)
there was insufficient clarity and formality regarding the role performed by

individual committees;

(5)
there was no evidence as to how management satisfied themselves that all

risks run by Canara were adequately identified and managed;

(6)
there were insufficient role descriptions for several key Approved Persons

and none at all for some functions; and

(7)
there were no formal objectives set for staff and there was no link between

performance and compliance with UK regulatory requirements.

4.24. A number of the findings in relation to Canara’s governance, risk management

framework, and audit were similar to and corroborated the concerns that had

been highlighted by the Authority’s 2015 visit and highlighted the fact that certain

failures originally identified during the 2012/2013 visit had not yet been

remedied.

Skilled Person’s report

4.25. As a result of concerns arising from the 2012/2013 and 2015 visits, and the PRA’s

concerns regarding compliance with SYSC, the Skilled Person was appointed by

Canara pursuant to the PRA’s Requirement Notice dated 10 August 2015. The

Notice made it clear that its scope had been discussed with the Authority and

included elements specific to the Authority’s concerns and that the Skilled

Person’s report would be shared with and could be relied upon by the Authority.

The Skilled Person’s report was to include, “…an assessment of the compliance of

the Firm with Senior Management Arrangements, Systems and Controls (“SYSC”)

on a review and recommend basis” for the PRA and “an assessment of the

adequacy and effectiveness of the Firm’s Anti-Money Laundering (“AML”),

financial sanctions systems...” for the Authority.

4.26. The Skilled Person finalised its report on 29 January 2016 and concluded that,

“Overall the Bank’s AML systems and controls are not appropriately designed and

our testing demonstrates these systems and controls are not effective, to the

extent that the Bank’s AML risk management framework is not fit for purpose.”

4.27. The report found, amongst other things, that:

(1)
Canara did not have an adequately designed or effective three lines of

defence structure;

(2)
Canara’s documented risk assessment was not appropriately designed nor

effective;

(3)
Canara’s AML manual 2015 was not fit for purpose in respect of ongoing

transaction monitoring; and

(4)
there was a lack of detailed understanding of the AML requirements and

the impact this had on Canara managing its AML risk at all levels, including

significant gaps with respect to risk assessing customers, conducting

customer due diligence and enhanced due diligence and on-going

monitoring.

4.28. The Skilled Person’s report was consistent with the Authority’s findings from its

2012/2013 and 2015 visits and the SYSC Compliance Review Findings Report.

The report also found that there was a lack of adequate remediation following the

Authority’s previous visits. Although Canara had told the SYSC Compliance

Reviewer that it had completed some remediation work in advance of receiving

the Skilled Person's report, the Skilled Person found that the remediation action

taken was inadequate and considered the deficiencies had still to be resolved.

4.29. Canara also stated that certain deficiencies had not been remedied due to advice

from both the SYSC Compliance Reviewer and Skilled Person in September 2015

to wait for the results of the Skilled Person’s visit before commencing remediation

in order to avoid duplication of effort. Although Canara could produce written

correspondence from the SYSC Compliance Reviewer in this regard it was,

however, unable to produce any written correspondence with the Authority

regarding this matter.

4.30. Based on the remediation that Canara had completed in response to the 2015

visit findings as at the date of the Skilled Person’s on-site review, the Skilled

Person concluded that Canara “…has fundamentally not understood the issues

highlighted by the FCA or remediated them adequately…Ultimately, the Bank has

an AML Framework that has fundamental shortcomings and is not fit for purpose.”

Deficiencies in Canara’s AML systems and controls

4.31. During the relevant period, Canara failed to maintain adequate systems and

controls to manage the risk of money laundering and financial crime. These

failures were systemic and affected almost all levels of its business and

governance structure. The main failings occurred in the following areas:

(1)
Senior Management;

(2)
Governance / Oversight;

(3)
Three Lines of Defence;

(4)
Money laundering reporting function; and

(5)
AML systems and controls.

4.32. Further details of the failings within each of these areas are set out below.

4.33. The Authority considers that it is the responsibility of authorised firms and their

senior management to ensure that they comply with regulatory responsibilities

and requirements. Accordingly the Authority considers that it was ultimately the

responsibility of Canara’s senior management to create a culture within Canara

which ensured that sufficient focus was given to AML issues at all levels of the

business. It was also their responsibility to ensure that AML systems and controls

were adequate to counter the risk that Canara might be used to further financial

crime and that all staff members were appropriately trained.

4.34. Canara’s staff, at every level of seniority, lacked an understanding and

appreciation of the AML risks and regulatory requirements to which Canara was

exposed through the services it provided to its clients. This lack of understanding

resulted in a failure to identify and manage the AML risks which occurred and

included:

(1)
a lack of monitoring of AML and financial crime risks and controls;

(2)
customer file reviews which were formulaic and checklist driven;

(3)
an inability to identify or flag unusual transactions or activities on

customer accounts; and

(4)
an inability to recognise PEPs in its customer population.

4.35. Accordingly, Canara’s senior management failed to establish a rigorous approach

to systems and controls for addressing AML and financial crime risks and as a

result Canara failed to embed a culture of compliance with its legal and regulatory

responsibilities. As a consequence of these failures, a culture of minimal

compliance, or non-compliance, was allowed to persist throughout the relevant

period.

4.36. The 2012/2013 visit found limited evidence that money laundering risks were

being considered and/or documented and the Authority was informed that

customer risk assessments had only commenced in July 2012. The Authority

stated its expectation that Canara would carry out a risk assessment remediation

exercise for all clients, ensuring money laundering risk considerations were taken

into consideration. During the 2015 visit, the Authority found that Canara had

not completed this task, despite Canara having assured the Authority almost two

years earlier that this was in progress.

4.37. An internal report from the money laundering reporting function for the period 1

January 2012 to 21 December 2012 makes reference to the Authority’s first visit

in November 2012 and states that, “The initial feedback from the FSA at the end

was positive only highlighting some minor procedural deficiencies which have

been set right”. Canara was of the opinion that it had “taken on board” the

recommendations of the Authority and had carried out the remediation

adequately.

4.38. Canara’s senior management did not review or test the remediation action taken

following the 2012/2013 visit in order to ensure that the required steps had been

taken or to ensure that the remediation was effective. A culture of minimal or

non-compliance was therefore allowed to persist within Canara.

4.39. The findings from the 2015 visit demonstrated the lack of an effective risk

management framework for AML and sanctions at Canara and indicated to the

Authority that senior management had not devoted adequate focus and resource

to ensure the AML risks to its business were mitigated. This conclusion was

supported by the finding that senior management were unable to articulate the

expected level of understanding of the specific AML and sanctions risks to which

Canara was exposed.

4.40. The SYSC Compliance Review corroborated this finding and identified that the lack

of a Risk Management Framework resulted in there being, “…insufficient evidence

to demonstrate the existence of an appropriately designed control framework…”

and that there was no evidence to demonstrate how Canara’s management

“…satisfies itself overall that all risks run by the branch are adequately identified

and managed.”

4.41. The Skilled Person’s report also found that senior management reporting lines

were unclear and that allocated areas of responsibility contradicted what actually

happened in practice.

4.42. The 2015 visit found that it was unclear what mechanism senior management

used to satisfy themselves as to the adequacy of AML and sanctions systems and

controls. There was no forum in which financial crime issues or compliance with

financial crime law and regulation was formally discussed. Senior management

therefore failed to ensure they were sufficiently aware of the risks to which

Canara was exposed.

4.43. Canara formed an AML committee in May 2015 and a Compliance committee in

August 2015, but it was not until October 2015 that terms of reference for either

committee were drafted following the SYSC Compliance review’s finding that

there was insufficient clarity and formality about the role performed by Canara’s

individual committees.

4.44. The Skilled Person’s review in January 2016 noted further concerns regarding

Canara’s corporate governance, including that the corporate governance structure

did not accord with the UK Corporate Governance Code and that Canara’s

committees operated in silos with no formal escalation of issues.

4.45. Following attendance at the October 2015 Compliance committee meeting, the

Skilled Person observed the lack of discussion regarding the progress of the

section 166 review or the current state of remediation following the findings of

the 2015 visit and the SYSC Compliance review. They also noted that there was

no discussion with respect to emerging regulatory requirements or the results of

any compliance monitoring. Based on these observations and a review of

minutes from two previous Compliance committee meetings, the Skilled Person

concluded that Canara had failed to meet the following objective as set out in the

committee’s terms of reference: “To ensure total compliance of all regulatory and

legal guidelines pertaining to host and home countries.”

4.46. Similarly, the Skilled Person attended the November 2015 AML committee

meeting and noted the lack of management information provided to the

committee, confusion about the purpose and usefulness of a new customer

profiling system and a lack of challenge as to whether the steps taken to remedy

the findings of the 2015 visit were adequate.

4.47. Both the 2015 visit and the Skilled Person’s report noted that there was

inadequate senior management oversight of AML systems and controls at

Canara’s Leicester branch.

4.48. The Skilled Person also identified that findings from the review were not logged or

followed up and that the visit reports were not discussed at the AML or

Compliance committee meetings. Canara was also unable to identify the number

of active customers maintained by the Leicester Branch and it took almost two

weeks to provide the Skilled Person with a customer listing.

4.49. During the 2015 visit, the Authority found that there was an ineffective three lines

of defence model, the defects in which included the finding that that AML and

sanctions considerations and tasks were not carried out by the first line of

defence, front line staff, whose remit was purely operational. Such tasks were not

documented (for example, in a policy or in procedures). There was also no

monitoring or quality assurance of the tasks performed, in either the second line

of defence (e.g. Compliance) or third line (Internal Auditors).

4.50. The Authority concluded that senior management had failed to implement a

robust three lines of defence function and had failed to act cohesively and

effectively in order to have sufficient oversight and ownership of AML risks.

4.51. The Authority’s specific findings in relation to the second and third lines of

defence are set out below.

4.52. The SYSC Compliance Review found that Canara did not have a Compliance

Manual in place to serve as a central reference point for all staff in respect of

compliance matters.

4.53. A Compliance Monitoring checklist was introduced in April 2015. The SYSC

Compliance Reviewer found that the checklist was insufficient to demonstrate that

effective and consistent monitoring was being conducted by Compliance.

4.54. The checklist set out seven particular points to be checked under the heading

‘KYC/AML & CTF Regulatory Norms’. Canara provided the Authority with a copy of

the checklists from April 2015 to October 2016. All seven points in relation to

‘KYC/AML & CTF Regulatory Norms’ were marked as ‘complied’ in each month

(apart from October 2015 which did not include a checklist for this section and did

not provide any explanation for its omission). Four of the seven items which had

been ‘ticked’ as having been complied with were as follows:

(1)
KYC/CDD compliance for all the customers on-boarded through new

accounts opened during the month;

(2)
risk rating and review of all existing accounts due for the task during the

month;

(3)
EDD and review of all existing accounts classified as High Risk due for the

task during the month; and

(4)
screening against various sanction lists

4.55. Given the findings in relation to appropriate risk rating and the lack of CDD, EDD

and screening by the Authority, the SYSC Compliance Reviewer and the Skilled

Person, it appears to the Authority that it is likely that the checklists were an

inadequate ‘tick box’ approach to compliance monitoring during the relevant

period and nobody at Canara properly understood how important and rigorous its

approach to compliance monitoring needed to be.

4.56. Canara could not demonstrate to the Skilled Person that it had an effective

compliance monitoring plan in place or that it performed risk based compliance

reviews.

4.57. Canara held its first Compliance committee meeting in August 2015. Prior to that

there had been no official forum during which specific compliance matters were

discussed.

4.58. The Skilled Person attended the October 2015 Compliance committee meeting

and noted its concern that there was no discussion about the progress of the s166

review of initial emerging issues. They also noted that there was no discussion in

relation to the current state of remediation, emerging regulatory requirements

(for example, the Senior Managers and Certification Regime) or the results of any

compliance monitoring.

4.59. During the relevant period, therefore, there was no appropriate oversight and

review of Canara’s compliance with its regulatory responsibilities. Canara could

not demonstrate that it had put in place adequate measures and procedures to

minimise the risk of it failing to comply with its regulatory obligations.

4.60. A common finding from the 2015 visit, the SYSC Compliance Review and the

Skilled Person’s report was that Canara placed reliance for its third line of defence

on the monthly Concurrent Audits conducted by external firms who were engaged

as Internal Auditors. However, these monthly Concurrent Audits followed a

‘checklist’ approach which was designed by Canara’s own Head Office and did not

include testing of financial crime systems and controls or measure Canara’s

compliance with UK legal and regulatory requirements.

4.61. Canara’s senior management generally had no input into the design, format or

content of the checklist, but they had some input into the choice of Internal

Auditor.

4.62. Canara stated that meetings with the Internal Auditors were held to discuss any

exceptions that had been identified in the checklist. No evidence has been

provided of the dates of these meetings nor any record of what was discussed.

Following the concerns which had been raised by the 2015 visit and the Skilled

Person’s report, Canara’s senior management did not question or challenge the

monthly Concurrent Audit findings and in particular they did not question why the

Internal Auditors had failed to identify any of the issues highlighted by the

Authority’s visits, the SYSC Compliance Review or the Skilled Person’s review.

4.63. When interviewed by the Authority during the 2015 visit, the Internal Auditors in

place at that time confirmed that their remit was, “…based on a checklist so they

tend not to go further than that. The audit is designed to pick whether the

process has been followed not to look at the quality of the work completed”.

4.64. The 2015 visit also identified the fact that no AML training had been given to staff

since November 2012. However, the monthly Concurrent Audit Reports, produced

between April 2014 and February 2015, all suggested that Canara had informed

the Internal Auditors that annual in-house training was provided, together with

“ongoing” attendance at relevant external courses. This contradiction was neither

identified nor challenged by senior management even when an internal report of

December 2014 stated that the Concurrent Audit had not identified any “pending

AML issues” and confirmed that no training had been provided to staff since

4.65. At interview with the Authority, the Internal Auditor stated that the information in

relation to training of staff was obtained through discussion with senior staff but

noted that, “…this was not discussed every month.”

4.66. The Authority concluded that the Concurrent Audits were, “…a ‘tick box’ exercise

of a checklist provided by Canara Bank Head Office. There is reliance by the

auditors on verbal confirmation.”

4.67. Senior management did not question any of the Internal Audit providers during

the relevant period as to their level of understanding or knowledge of financial

crime legal and regulatory requirements. When interviewed by the Authority

during the 2015 visit, the Internal Auditor in place at the time confirmed that they

had had no specific training in relation to Canara’s business and had only received

standard AML training at their own firm. The Authority finds this concerning

given the reliance that Canara has placed on these external firms as their third

line of defence throughout the relevant period.

4.68. The Skilled Person’s report found that the Internal Audit function at Canara

“…cannot be considered to be an outsourced internal audit function when

assessed in terms of the Chartered Institute of Internal Auditors, Effective

Internal Audit in Financial Services Sector, Recommendations from the Committee

on Internal Audit for Financial Services, July 2013”, and concluded that Canara

was in breach of SYSC 6.2.1R due to not having an Internal Audit function in

place.

4.69. In April 2015 (after the concerns were first raised by the Authority) Canara

decided to change their Internal Auditors. However, no change was made to the

checklist approach. .

4.70. The Authority considers that the monthly Concurrent Audits conducted during the

relevant period were limited in scope and that the remit specified and instructions

provided by Head Office to the Internal Auditors was to conduct a ‘tick box’

review. This was insufficient to enable Canara to rely upon it as their third line of

defence.

Money laundering reporting

4.71. The money laundering reporting function in an authorised firm is responsible for

oversight of a firm’s compliance with the Authority’s rules on systems and

controls against money laundering and acts as the focal point for all activity

within the firm relating to AML. It is therefore important that the money

laundering reporting function is properly equipped with staff that have adequate

skills and experience, and systems which enable effective monitoring.

4.72. The Authority expressed concern during the 2012/2013 visit about the level of

knowledge possessed by key staff in relation to the requirements to mitigate AML

from a regulatory perspective. This remained a concern at the time of the 2015

visit.

4.73. In practice, the same staff within the money laundering reporting function carried

out both the first and second lines of defence at Canara. Senior management did

not consider that inappropriate. The Skilled Person’s report noted that Canara did

not have a financial crime monitoring plan in place and concluded that Canara did

not have effective quality assurance or oversight arrangements regarding its

financial crime risks and its first and second lines of defence.

4.74. Senior management did not receive and did not request regular reports from the

money laundering reporting function. An annual report was submitted at the end

of each year and, until 2015, there was no forum at which its conclusions could

be sufficiently challenged. As noted above, even when the AML committee was

formed, senior management routinely accepted without challenge internal

assurances on the effectiveness of AML controls and therefore failed to ensure

systems and controls were robust.

4.75. There is no evidence that Canara carried out a regular assessment of the

adequacy of their systems and controls to ensure that they assessed, monitored

and managed money laundering risk.

AML systems and controls

4.76. Throughout the relevant period, the Authority, the SYSC Compliance Reviewer

and the Skilled Person found a general lack of documentation in relation to AML

procedures and therefore were unable to verify whether or not certain controls,

which Canara stated were in place, actually were in place. There was no audit

trail of evidence that money laundering risks were considered by Canara, even if

they had been identified. Further detail is set out in the following paragraphs.

AML Policies and Procedures

4.77. During the relevant period, there were four versions of Canara’s AML Manual.

The first two versions, dated August 2009 and May 2013 respectively, were

drafted by a third party consultant and approved by Canara’s Head Office in India.

The third version, dated November 2014, only had minor and non-substantive

changes to the May 2013 version. After the Authority’s 2015 visit Canara’s AML

Manual was revised with the assistance of an external consultant and a fourth

version was produced in August 2015.

4.78. The 2015 visit found that Canara’s AML Manual 2014 did not comply with the ML

Regulations. It did not contain any, or any adequate, detailed procedures for the

following areas:

(1)
A relevant person must establish and maintain appropriate and risk-

sensitive policies and procedures relating to:

(a)
CDD and on-going monitoring;

(b)
risk assessment and management;

(c)
monitoring and management of compliance with, and

the internal communication of, such policies and

procedures, in order to prevent activities related to

money laundering and terrorist financing;

in order to prevent activities related to money laundering and terrorist

financing

(2)
The policies and procedures referred to in (1) include policies and

procedures,

(a)
which provide for the identification and scrutiny of:

i) complex or unusually large transactions;

ii) unusual patterns of transactions which have no

apparent economic or visible lawful purpose; and

iii) any other activity which the relevant person regards

as particularly likely by its nature to be related to

money laundering or terrorist financing; and

(b)
to determine whether a customer is a politically exposed

person.

4.79. Canara’s AML Manual 2014 also did not contain any detailed procedures for EDD.

4.80. The Skilled Person reviewed Canara’s AML Manual 2015 and found that it did

address the key points required by the JMLSG from a policy perspective.

However, the Skilled Person also reported that the documented procedures were

not fit for purpose as “…they don’t provide clarity on the procedures to be

undertaken by the user. The fragmented nature of the manual, vague language

used, lack of supplementary guidance and formatting errors, detrimentally affects

the usability of the manual.” For example, the Skilled Person found that Canara’s

(1)
was silent on CDD / EDD to be conducted for buyer’s credit customers;

(2)
did not require beneficial owners or individuals in positions of control or

influence to be checked for sanctions compliance; and

(3)
did not set out the process by which PEPs and sanctions alerts were to be

investigated and approved.

4.81. The Skilled Person also found that Canara’s separate remittance operations policy

lacked detail with regards to the CDD requirements for remittance customers and

contained a number of inconsistencies, for example, there was no explicit

requirement to identify beneficial owners owning or controlling over 25% of an

entity.

4.82. During the relevant period, Canara’s AML policy and procedures were not fit for

purpose and did not provide sufficient guidance to staff to enable them to conduct

AML assessments properly. This left Canara exposed to incorrect and inconsistent

procedures being followed and the risk that financial crime or money laundering

might occur.

Customer Due Diligence

4.83. Firms are required by SYSC 6.3.1R to “ensure the policies and procedures

established under SYSC 6.1.1R include systems and controls that: enable it to

identify, assess, monitor and manage money laundering risk…”. The ML

Regulations requires firms to conduct CDD including identifying the customer

and/or beneficial owner, verifying their identity and ascertaining the purpose and

intended nature of the business relationship.

4.84. If a customer is not properly risk assessed then the appropriate level of CDD is

unlikely to be conducted on that customer. Consequently the firm will be unaware

of the risk that the customer presents to its business and the risk of undetected

financial crime is greater.

4.85. During the 2012/2013 visit, the Authority found no evidence that risk

assessments had been carried out for trade finance customers. In 2015, the

Authority’s file review highlighted a lack of evidence of risk assessment across all

customer types including insufficient information on the purpose and intended

nature of the business relationship and a lack of basic identification and

verification documents.

4.86. The Skilled Person identified further concerns with regards to Canara’s CDD as

(1)
buyer’s credit customers were not considered from an AML perspective,

placing reliance on the correspondent banks to conduct CDD on the end

customer;

(2)
there was no monitoring of “walk-in” remittance customers with the result

that Canara could not identify linked transactions. This led to the risk that

linked transactions which could constitute a business relationship pursuant

to the ML Regulations could have been missed;

(3)
there was inconsistency in how PEP and sanctions checks were conducted

and investigated and, where a PEP had been identified, there was no

evidence of any conclusion resulting from an investigation being recorded

on the file;

(4)
There was no or inconsistent recording of details in relation to:

(a)
the purpose and intended nature of the business relationship;

(b)
the identification and verification of beneficial owners;

(c)
evidence of adverse allegation media searches;

(d)
the source of wealth or funds; and

(e)
The rationale behind opaque company structures.

4.87. The Skilled Person concluded that, “The results of our review of the sample of

AML files suggest that the Bank is not consistently meeting its own policies with

regards to CDD/EDD as well as meeting it [sic] regulatory requirements”.

4.88. Remittance transactions conducted in London and Leicester during the relevant

period were recorded separately and therefore transactions across the two

branches could not be linked. As a result, there was a risk that customers with

whom the bank had a business relationship would not be recognised and

adequate CDD would not be applied to those customers.

4.89. During the relevant period, there was limited evidence that Canara was able to

ensure that the full risks presented by their customers were understood, that

sufficient due diligence was performed on their customers and therefore that the

risks of financial crime were mitigated adequately and effectively. Canara has

therefore not met its obligations in relation to CDD.

Enhanced Due Diligence

4.90. Firms are required by SYSC 6.3.1R to “ensure the policies and procedures

established under SYSC 6.1.1R include systems and controls that: enable it to

identify, assess, monitor and manage money laundering risk…”. Regulation 14 of

the ML Regulations requires firms to carry out EDD and enhanced on-going

monitoring on customers that present a higher risk of money laundering.

4.91. During the relevant period, Canara’s failure to conduct appropriate risk

assessments and CDD created the risk that the due diligence undertaken on

higher risk customers was inadequate. This increased the risk that financial crime

or money laundering might occur.

4.92. During a feedback meeting following the 2012/2013 visit, Canara stated that it

did not ”on-board” high risk customers as this did not reflect its risk tolerance.

4.93. Despite Canara’s assertion that it did not on-board high risk customers, the

Authority’s file review during the 2015 visit found eight high risk files which had

originally been on-boarded as standard risk and reclassified to high risk. The

reason for the change in risk rating was not clear from the files and there was no

evidence that EDD had been conducted.

4.94. Notwithstanding the fact that there were no detailed procedures for EDD in

Canara’s AML Manual 2014, it did state that “higher risk accounts will be subject

to additional on-going scrutiny and monitoring….” However, the 2015 visit found

no evidence of on-going scrutiny or monitoring for high risk customers.

4.95. The Skilled Person reviewed the Canara AML Manual 2015. This was the first

manual to include additional sections on EDD, which included:

(1)
examples of situations where EDD procedures must be carried out;

(2)
EDD measures for high risk customers who were not physically present or

who were not met during the identification process and other high risk

situations;

(3)
EDD measures for PEPs;

(4)
the source of funds;

(5)
the source of wealth; and

(6)
a table containing a non-exhaustive list of examples of sources of wealth.

4.96. The Skilled Person’s report also found that Canara was not applying EDD to files

which it had classified as high risk. Of the four files it reviewed, marked as high

risk, it found that none had EDD measures applied at account opening and the

one file that subsequently had EDD measures applied, contained gaps in the

application
of
general
due
diligence
including
a
failure
to
certify
ID

documentation. A review of a further three files which were marked as standard

risk but which, according to Canara’s records, should have been classified as high

risk showed that the EDD which had been carried out was incomplete.

4.97. In failing to conduct adequate EDD on its high risk customers, Canara’s conduct

fell short of the standard required by the ML Regulations and increased the risk

that financial crime and money laundering might occur.

PEPs and Sanctions Screening

4.98. The ML Regulations require that additional measures are taken where the firm

proposes to have a business relationship or carry out an occasional transaction

with a PEP, including establishing the source of wealth and source of funds.

4.99. During 2012, Canara itself identified that it did not have automated software or a

structured system for identifying PEPs and noted that it needed to put this in

place and ensure that any identified PEPs were treated as higher risk. Canara

informed the Authority about the absence of an automated means of identifying

PEPs during the 2012/2013 visit. When the Authority asked whether basic

internet searches were used to ascertain if a client/beneficiary was a PEP Canara

stated that it did not do this as it already knew who its clients were.

4.100. The 2015 visit found that Canara was still not using a PEP database screening tool

for individuals. Whilst Canara stated that this was a manual process, the

Authority did not find any evidence of this during its file review.

4.101. The file review conducted during the 2012/2013 visit did not find any evidence in

the files that sanctions checks had been taking place. During that visit Canara

had stated that sanctions screening was completed on customers and

transactions but it had only been since July 2012 that staff stamped each

file/transaction to evidence that a manual sanctions check had been carried out.

4.102. The Authority also noted the following during the 2015 visit in relation to PEPs

and sanctions screening:

(1)
there was limited evidence of PEP screening for corporates and no

evidence that PEP checks were conducted on connected parties;

(2)
there was no sanctions screening for individuals at on-boarding nor during

the customer life-cycle at the London branch;

(3)
there was no evidence that connected parties to corporate customers

were sanctions screened; and

(4)
sanctions screening for both inward and outward SWIFT payments were

conducted using the Swift sanction screening tool, but there was no

evidence of any quality assurance process for internal reviews and

approval of any payments which had been identified for screening.

4.103. The Authority also noted that it had taken almost four years for Canara to detect

that sanctions screening of customers in Leicester had not been conducted.

4.104. The Skilled Person’s report found that Canara did not have any customers

classified as PEPs in its customer listing and Canara confirmed that it did not have

any PEP customers. Following its file review, the Skilled Person found one

customer file which noted that the customer was a PEP. There was no

appropriate senior management sign off in relation to this PEP. Additionally, the

Skilled Person found a further five possible PEP matches and, whilst Canara stated

that all matches had been investigated, there was no evidence of the conclusion

of these reviews on the files.

4.105. The report also noted that PEP and sanctions screening was inconsistent across

the different types of remittance customers and evidence of these checks was

also inconsistent.

4.106. None of the versions of Canara’s AML Manual required any screening of beneficial

owners or individuals in positions of control or influence for PEPs or sanctions to

be conducted. However, the Skilled Person did find some evidence of screening,

albeit carried out on an inconsistent basis.

4.107. Canara’s buyer’s credit portfolio was not subject to CDD, and end customers of

these transactions were not being PEP or sanctions screened by Canara. The

Skilled Person found World-Check searches had been conducted on three out of

four correspondent banks. However, only 29 out of 75 transactions reviewed had

World-Check searches evidenced on file.

4.108. The Skilled Person concluded that, sanctions and PEP screening was, ”…found to

be both inconsistent in the approach taken across customer types and inadequate

in the amount of procedural detail relayed to staff…Where we found procedures to

be applied in practice, these were generally unreliably followed by staff members,

implying that they [sic] procedures were not fully understood or that staff

members do not have the expertise to carry them out.”

On-going monitoring, Periodic and Event Drive Reviews

4.109. The ML Regulations require that firms conduct on-going monitoring of a business

relationship, to ensure the transactions are consistent with the customer’s

business and risk profile, and that CDD documentation is kept up to date.

4.110. The 2012/2013 visit did find some evidence of mid-year and annual reviews of

customer files. However, the Authority found that the reviews were conducted by

the Credit Department and were focussed on credit risk and there was no

evidence that financial crime matters were considered. Canara believed that AML

considerations had not been considered during these reviews.

4.111. The 2012/2013 visit found no evidence that AML red flags were being considered

or documented during transaction reviews. The Authority noted that an example

of this were back to back Letters of Credit which should have alerted Canara to

30

conduct further enquiries in order to satisfy itself about the legitimacy of the

transactions. Another example was clients being on-boarded as low risk and not

being risk assessed or assigned an elevated risk rating where a change in the

client’s circumstances indicated that the risk profile of the customer had changed.

4.112. The Authority expressed its expectation that Canara would evidence in its

customer files where AML red flags were considered and the rationale for

proceeding with transactions where red flags were prevalent. However, the 2015

visit still did not find any evidence that Canara was conducting on-going

monitoring and, additionally, that it did not have an event driven review process.

There was some evidence that periodic reviews of customer files had been

conducted on a limited number of accounts, but this review was inadequate and

failed to include an assessment of any material changes in AML risk indicators, a

due diligence refresh or a review of the customer risk rating and contained

minimal commentary regarding transactional activity. Generally there was a lack

of information to evidence what had actually been reviewed.

4.113. Canara confirmed during the 2015 visit that it relied upon operational staff to

identify unusual or suspicious transactions. However, the Authority noted, “We

were unable to establish that sufficient oversight is in place within the business to

ensure this is happening in practice.” The Authority also noted that operational

staff had not been provided with any financial crime related training including how

to recognise and deal with suspicious transactions since November 2012. As a

result the Authority was concerned that staff were not sufficiently equipped to

identify suspicious or unusual activity.

4.114. The file review conducted by the Skilled Person found that there was minimal

evidence of the monitoring of transactions by Canara in the form of printed

statements on the AML files. These however were not present on all files and in

no instance, including where large transactions were evident, was scrutiny

applied. The file review also found instances that were indicative of suspicious

activity which appeared not to have been flagged or escalated during Canara’s

own internal review.

4.115. Canara’s AML Manual 2015 also stated that all remittances were input into a

system which could link transactions for monitoring purposes. The Skilled Person

found that no such system existed and that remittances were inputted into

separate manual ledgers for each branch which were not then consolidated and

therefore were unable to be compared properly.

4.116. The Skilled Person observed that no SARs were reported prior to October 2013

and that, based on the volume of transactions, this seemed unusual. The

suspicious activity identified in October 2013 was identified by another bank and

Canara submitted two SARs (in October and November 2013) in response to the

information passed onto it on that occasion.

4.117. The Skilled Person also found that not all customers identified as high risk were

reviewed as frequently as set out in Canara’s AML Manual 2015 and, when they

were reviewed, there was no consideration as to whether transactions were in line

with Canara’s expectation of the customer.

4.118. Canara’s apparently retrospective approach to the review of transactions during

the relevant period meant that the rationale for a transaction was not considered

at the time the transaction took place and therefore any suspicious activity was

not identified in ‘real time’. Canara’s staff were not properly equipped to identify

suspicious activity whilst conducting periodic reviews with the result that

suspicious transactions during the relevant period may not have been identified,

investigated or reported in accordance with legal and regulatory requirements.

4.119. The ML Regulations state that a firm must take appropriate measures so that all

relevant employees are made aware of the law in relation to money laundering

and terrorist financing and that they are regularly given training in how to

recognise and deal with transactions which may be related to money laundering

and terrorist financing.

4.120. The 2015 visit identified that no AML or sanctions training had been delivered to

all staff, including new starters, since November 2012. After the Authority’s

feedback, training was provided in May 2015 and October 2015 by an external

provider. Operational staff involved in on-boarding customers and processing

customer transactions therefore had not been provided with training for up to two

and half years prior to the 2015 visit which, had it been delivered, should have

enabled them to recognise and deal with AML red flags or suspicious transactions.

4.121. The Skilled Person’s report stated that the two training sessions provided in 2015

provided the basic concepts of the ML Regulations and the JMLSG but concluded

that, “…there is an absence of a detailed understanding of what the AML

requirements mean in practice and how the Bank applies or should apply these

requirements.” The report also highlighted that this lack of understanding also

existed at a senior level within Canara.

4.122. Canara confirmed that for staff coming from an Indian branch (including Head

Office), reliance was placed on the Indian branch to provide AML training and

there was accordingly no oversight of the quality or content of the training

material.

4.123. The 2015 visit and the SYSC Compliance Review found no formal objectives for

staff and no link between performance and compliance with UK Regulatory

requirements. Staff appeared to be more focused on credit risk rather than AML

or sanctions risks. The absence of a link between compliance with UK regulatory

requirements and the assessment of employees’ performance contributed to the

poor culture of regulatory compliance across Canara.

4.124. The Authority notes that whilst certain more senior individuals received the

required training Canara did not ensure that all staff with direct responsibility for

considering AML and financial crime risks, such as operational front line staff,

were provided with adequate training. This left Canara exposed to the risk that

staff did not have the relevant skills, experience and qualifications necessary to

conduct their role properly and to identify AML risks with the result that Canara

was left exposed to the risk of financial crime or money laundering occurring.

4.125. All visits conducted by the Authority, and the Skilled Person, found that customer

files were poorly structured and records were unclear or incomplete.

4.126. The failures and omissions identified above meant that Canara was unable to

evidence its compliance with the requirements of SYSC and the ML Regulations

with the result that it was exposed during the relevant period to an increased risk

of being used to facilitate financial crime, sanctions breaches and money

laundering.

5.
FAILINGS

5.1.
The regulatory provisions relevant to this Final Notice are referred to in Annex A.

5.2.
Principle 3 requires that a firm take reasonable steps to ensure that it has

organised its affairs responsibly and effectively, with adequate risk management

systems. Canara breached this requirement in that, during the relevant period:

(1)
it failed to take appropriate remedial action to rectify the weaknesses in its

AML and sanctions systems and controls identified by the Authority at the

2012 / 2013 visit;

(2)
it failed to take steps to ensure that the importance of AML compliance

was ingrained throughout the business, despite receiving clear warnings of

a culture of non-compliance;

(3)
it failed to implement adequate oversight of the money laundering

reporting function;

(4)
managerial oversight of the Leicester branch did not consider AML

compliance;

(5)
its policies on AML compliance failed to provide adequate practical

guidance to staff;

(6)
it failed to carry out adequate CDD and failed to carry out EDD in higher

risk situations;

(7)
it failed to conduct on-going monitoring of some customer relationships;

(8)
its transaction monitoring was conducted on a sample basis, the rationale

for which was unclear, it omitted to consider some transactions, it was

insufficiently documented and it failed to consider all relevant information;

(9)
it failed to take adequate measures to identify PEPs and to apply adequate

EDD measures to those customers identified as a PEP;

(10)
it had an ineffective three lines of defence model; and

(11)
it did not have quality assurance in place with respect to risk management.

6.
SANCTION

Financial Penalty – Breach of Principle 3

6.1.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of

DEPP. In respect of conduct occurring on or after 6 March 2010, the Authority

applies a five-step framework to determine the appropriate level of financial

penalty. DEPP 6.5A sets out the details of the five-step framework that applies in

respect of financial penalties imposed on firms.

Step 1: disgorgement

6.2.
Pursuant to DEPP 6.5A.1G, at Step 1 the Authority seeks to deprive a firm of the

financial benefit derived directly from the breach where it is practicable to

quantify this.

6.3.
The Authority has not identified any financial benefit that Canara derived directly

from its breach.

6.4.
Step 1 is therefore £ nil.

Step 2: the seriousness of the breach

6.5.
Pursuant to DEPP 6.5A.2G, at Step 2 the Authority determines a figure that

reflects the seriousness of the breach. Where the amount of revenue generated

by a firm from a particular product line or business area is indicative of the harm

or potential harm that its breach may cause, that figure will be based on a

percentage of the firm’s revenue from the relevant products or business area.

6.6.
The Authority considers that the revenue generated by Canara is indicative of the

harm or potential harm caused by its breach. The Authority has therefore

determined a figure based on a percentage of Canara’s relevant revenue.

Canara’s relevant revenue is the revenue derived by Canara during the relevant

period. The Authority considers Canara’s relevant revenue for this period to be

£7,112,081.75.

6.7.
In deciding on the percentage of the relevant revenue that forms the basis of the

Step 2 figure, the Authority considers the seriousness of the breach and chooses

a percentage between 0% and 20%. This range is divided into five fixed levels

which represent, on a sliding scale, the seriousness of the breach: the more

serious the breach, the higher the level. For penalties imposed on firms there are

the following five levels:

Level 1 – 0%

Level 2 – 5%

Level 3 – 10%

Level 5 – 20%

6.8.
The Principle 3 failings in this case are in relation to Canara’s failure to have

adequate AML systems and controls in place.

6.9.
Principle 3 requires that a firm take reasonable steps to ensure that it has

organised its affairs responsibly and effectively, with adequate risk management

systems. Canara breached this requirement in that:

(1)
Canara had significant deficiencies with respect to its AML systems and

controls, the oversight and monitoring of these controls and the general

governance of its risk control framework, including that:

 Canara’s organisational and corporate governance structure and

arrangements were not adequately designed or fit for purpose;

 Canara’s compliance and AML systems and controls were not

appropriately designed and its AML risk management and governance

framework was not fit for purpose; and

 there was a lack of understanding of AML risk profile, a lack of

monitoring of AML risks and controls, an inability to identify or flag

unusual transactions and an inability to recognise PEPs;

(2)
As such, throughout the relevant period, Canara has failed to implement

adequate AML systems and controls and has failed to rectify identified

weaknesses in its AML systems and controls. These failings were endemic

throughout Canara’s operations, affecting almost all aspects of its business

and have raised concerns that Canara may not be fit and proper. Such

weaknesses significantly increase the risk that Canara could be used for

the purposes of money laundering or terrorist financing, or by financial

sanctions targets.

6.10. In assessing the seriousness level, the Authority takes into account various

factors which reflect the impact and nature of the breach, and whether it was

committed deliberately or recklessly. DEPP 6.5A.2G (11) lists factors likely to be

considered level 4 or 5 factors. Of these, the Authority considers the following

factors to be relevant:

(1)
the breach revealed systemic weaknesses in Canara’s AML and financial

crime systems and controls. These systems and controls applied to nearly

all of Canara’s business; and

(2)
the breach created a risk that financial crime would be facilitated,

occasioned or otherwise occur.

6.11. The financial crime and AML systems and controls failings are systemic and

significant, affecting nearly all business lines and all levels of management. The

Authority’s investigation, has not found any instances of actual money laundering,

but the failings indicate poor financial crime systems and controls and are

indicative of the culture of Canara in respect to the application of financial crime

systems and controls.

36

6.12. Taking all of these factors into account, the Authority considers the seriousness of

the breach to be level 4 and the Step 2 figure is therefore 15% of total revenue,

being £1,066,812.

Step 3: mitigating and aggravating factors

6.13. Pursuant to DEPP 6.5A.3G, at Step 3 the Authority may increase or decrease the

amount of the financial penalty arrived at after Step 2, but not including any

amount to be disgorged as set out in Step 1, to take into account factors which

aggravate or mitigate the breach.

6.14. The Authority considers that the following factors aggravate the breach:

(1)
in 2012/2013 FCID visited Canara as part of the Trade Finance Thematic

Project, resulting in a remediation exercise, however, there had been a

lack of remediation of the findings from the 2012/2013 visit. In particular,

Canara’s 22 May 2013 letter to the Authority stated that all existing

customers on boarded prior to July 2012 were being risk rated as a

remedial exercise taking into account all account activities and trading

profiles, however, the remedial exercise had still not been completed

almost two years later; and

(2)
Canara had access to considerable guidance on how to comply with

regulatory requirements. The Authority has published guidance on the

steps firms can take to reduce their financial crime risk and provided

examples of good and bad practice since 2011. The Authority has also

published a number of Final Notices including Habib Bank AG Zurich on 4

May 2012, Turkish Bank (UK) Limited on 26 July 2012 and EFG Private

Bank Ltd on 28 March 2013. Since 1990, the JMLSG has published

detailed written guidance on AML controls. During the relevant period the

JMLSG provided guidance on compliance with the legal requirements of the

ML Regulations, regulatory requirements in the Handbook and evolving

practice within the financial services industry.

6.15. The Authority has considered the aggravating factors above, which results in a

Step 3 uplift of 20%. Therefore, the Step 3 figure is £1,280,175.

Step 4: adjustment for deterrence

6.16. Pursuant to DEPP 6.5A.4G, if the Authority considers the figure arrived at after

Step 3 is insufficient to deter the firm who committed the breach, or others, from

committing further or similar breaches, then the Authority may increase the

penalty.

6.17. The Authority considers that the Step 3 figure is sufficient to be a credible

deterrent therefore no adjustment has been made to the Step 3 figure for

deterrence. The Step 4 figure is £1,280,175.

Step 5: settlement discount

6.18. Pursuant to DEPP 6.5A.5G, if the Authority and the firm on whom a penalty is to

be imposed agree the amount of the financial penalty and other terms, DEPP 6.7

provides that the amount of the financial penalty which might otherwise have

been payable will be reduced to reflect the stage at which the Authority and the

firm reached agreement.

6.19. The Authority and Canara reached agreement at stage 1 and so a 30% discount

applies to the Step 4 figure.

6.20. The figure at Step 5 is therefore £896,122 which has been rounded down to

£896,100.

Restriction

6.21. The Authority’s policy for imposing a suspension or restriction is set out in

Chapter 6A of DEPP.

6.22. When determining whether a restriction is appropriate, the Authority is required

to consider all the circumstances of the case. The Authority will impose a

restriction where it believes that such action will be a more effective and

persuasive deterrent than the imposition of a financial penalty alone. This is likely

to be the case where the Authority considers that direct and visible action in

relation to a particular breach is necessary. DEPP 6A.2.3G specifies examples of

circumstances where the Authority may consider it appropriate to impose a

restriction.

6.23. The Authority considers the following factors are relevant:

(1)
the Authority has previously taken action in respect of Canara’s failures to

put in place adequate AML and financial crime systems and controls.

Despite this, industry standards, as demonstrated by the findings of the

2011 Thematic Review of bank’s management of higher AML risk situations

38

followed by the 2014 Thematic Review, required improvement, especially

within smaller banks; and

(2)
Canara’s misconduct is systemic, and there has been a general failure to

implement appropriate AML and financial crime systems and controls. In

particular these have been systemic failures in Canara’s retail banking

business and the individuals who work in that business.

6.24. The Authority considers this is an appropriate case to impose a restriction in

relation to Canara’s regulated deposit taking activity. To ensure that it does not

impact upon current deposit account holders, the Authority considers it

appropriate to restrict Canara’s activities by preventing it from accepting deposits

from new customers only. Thus, Canara shall not accept deposits from customers

who do not already hold a deposit account with Canara at the date of the Final

Notice.

6.25. The restriction is directly linked to the Principle 3 breach, namely the systemic

failure of Canara to put in place adequate AML system and controls, including

those systems and controls governing the on-boarding of new depositors. The

restriction will be limited to new depositors as deposit taking is the main

regulated activity of Canara that is relevant to the breach.

6.26. When determining the length of the restriction that is appropriate for the breach

concerned, and also the deterrent effect, the Authority will consider all the

relevant circumstances of the case. DEPP 6A.3.2G sets out factors that may be

relevant in determining the appropriate length of the restriction. The Authority

considers that the following factors are particularly relevant in this case.

Deterrence (DEPP 6A.3.2G(1))

6.27. When determining the appropriate length of the restriction, the Authority has

regard to the principal purpose for which it imposes sanctions, namely to promote

high standards of regulatory and/or market conduct by deterring persons who

have committed breaches from committing further breaches and helping to deter

other persons from committing similar breaches, as well as demonstrating

generally the benefits of compliant business.

The Authority considers that the length of the restriction it imposes will deter

Canara and other firms from committing similar breaches and demonstrate the

benefits of compliant business.

The seriousness of the breach (DEPP 6A.3.2G(2))

6.28. When assessing the seriousness of the breach, the Authority takes into account

various factors (which may include those listed in DEPP 6.5A.2G(6) to (9)) which

reflect the impact and nature of the breach, and whether it was committed

deliberately or recklessly.

6.29. When considering the seriousness of the breach, the Authority has taken into

account the factors listed at paragraphs 6.8 and 6.9 above.

Aggravating and mitigating factors (DEPP 6A.3.2G(3))

6.30. The Authority will have regard to various factors (which may include those listed

in DEPP 6.5A.3G(2)) which may aggravate or mitigate a breach. The Authority

has taken into account the factors outlined at paragraph 6.13 to 6.15 above.

Impact of restriction on Canara (DEPP 6A.3.2G(4))

6.31. When assessing the impact of the restriction on Canara, the Authority has taken

into account the following:

(1)
Any financial impact on Canara from not being able to carry out the

restricted activity;

(2)
potential economic costs, for example, the payment of salaries to

employees who will not work or will have reduced work during the period

of restriction; and

(3)
the effect on other areas of Canara’s business.

Impact of restriction on persons other than Canara (DEPP 6A.3.2G(5))

6.32. The restriction will only impact new, potential depositors. It should not adversely

affect Canara’s existing customers. Whilst the restriction is in place, the Authority

considers there are alternative banks which these potential new customers could

use.

6.33. Having taken the above into account, the Authority considers the appropriate

length of the restriction to be 210 days.

6.34. Having taken into account all the circumstances of the case, including the

considerations set out at DEPP 6A.3.3G, the Authority does not consider it

appropriate to delay the commencement of the period of restriction.

Settlement discount

6.35. Canara agreed to settle at an early stage of the Authority’s investigation. Canara

therefore qualified for a 30% (stage 1) discount to the length of the restriction

under the Authority’s executive settlement procedures, reducing the length of the

restriction to 147 days.

6.36. The Authority has therefore imposed a total financial penalty of £896,100 on

Canara for breaching Principle 3.

6.37. The Authority also has imposed a restriction in that, for a period of 147 days from

the date of the issue of this Final Notice, in respect of its regulated activities only,

Canara shall not accept deposits from customers who do not already hold a

deposit account with Canara at the date of the Final Notice.

7.
PROCEDURAL MATTERS

Decision maker

7.1
The decision which gave rise to the obligation to give this Notice was made by the

Settlement Decision Makers.

7.2
This Final Notice is given under, and in accordance with, section 390 of the Act.

Manner of and time for payment

7.3
The financial penalty must be paid in full by Canara to the Authority by no later

than 20 June 2018, 14 days from the date of this Final Notice.

If the financial penalty is not paid

7.4
If all or any of the financial penalty is outstanding on 21 June 2018, the Authority

may recover the outstanding amount as a debt owed by Canara and due to the

Authority.

7.5
Sections 391(4), 391(6), 391(7) of the Act apply to the publication of information

about the matter to which this notice relates. Under those provisions, the

Authority must publish such information about the matter to which this notice

relates as the Authority considers appropriate. The information may be published

in such a manner as the Authority considers appropriate. However, the Authority

may not publish information if such a publication would, in the opinion of the

Authority, be unfair to Canara or prejudicial to the interest of consumers or

detrimental to the stability of the UK financial system.

7.6
The Authority intends to publish such information about the matter to which this

Final Notice relates as it considers appropriate.

Authority contacts

7.7
For more information concerning this matter generally, contact Paul Howick

(direct line: 020 7066 7954)/ John Tutt (direct line: 020 7066 1240) of the

Enforcement and Market Oversight Division of the Authority.

Financial Conduct Authority, Enforcement and Market Oversight Division

ANNEX A

RELEVANT STATUTORY AND REGULATORY PROVISIONS

1.
RELEVANT STATUTORY PROVISIONS

1.1
Pursuant to sections 1B and 1D of the Act, one of the Authority’s operational

objectives is protecting and enhancing the integrity of the UK financial system.

1.2
Pursuant to section 206 of the Act, if the Authority considers that an authorised

person has contravened a requirement imposed on it by or under the Act, it may

impose on that person a penalty in respect of the contravention of such amount

as it considers appropriate.

1.3
Pursuant to section 206A of the Act, if the Authority considers that an authorised

person has contravened a requirement imposed on it by or under the Act, it may

impose on that person, for such period as it considers appropriate (not exceeding

12 months), such limitations or other restrictions in relation to the carrying on of

a regulated activity by that person as it considers appropriate.

2.
RELEVANT REGULATORY PROVISIONS

2.1
In exercising its powers to impose a financial penalty and to impose a restriction

in relation to the carrying on of a regulated activity, the Authority has had regard

to the relevant regulatory provisions published in the Authority’s Handbook. The

main provisions that the Authority considers relevant are set out below.

Principles for Business (“Principles”)

2.2
The Principles are a general statement of the fundamental obligations of firms

under the regulatory system and are set out in the Authority’s Handbook.

2.3
Principle 3 provides:

“A firm must take reasonable care to organise and control its affairs responsibly

and effectively, with adequate risk management systems.”

Senior Management Arrangements, Systems and Controls (“SYSC”)

2.4
SYSC 6.1.1R provides:

“A firm must establish, implement and maintain adequate policies and procedures

sufficient to ensure compliance of the firm including its managers, employees and

appointed representatives (or where applicable, tied agents) with its obligations

under the regulatory system and for countering the risk that the firm might be

used to further financial crime.”

2.5
SYSC 6.2.1R provides:

“A common platform firm and a management company must, where appropriate

and proportionate in view of the nature, scale and complexity of its business and

the nature and range of its financial services and activities, undertaken in the

course of that business, establish and maintain an internal audit function which is

separate and independent from the other functions and activities of the firm and

which has the following responsibilities:

(1) to establish, implement and maintain an audit plan to examine and evaluate

the
adequacy
and
effectiveness
of
the firm's systems,
internal
control

mechanisms and arrangements;

(2) to issue recommendations based on the result of work carried out in

accordance with (1);

(3) to verify compliance with those recommendations;

(4) to report in relation to internal audit matters in accordance with SYSC 4.3.2

R.”

2.6
SYSC 6.3.1R provides:

“A firm must ensure the policies and procedures established under SYSC 6.1.1R

include systems and controls that:

(1)
enable it to identify, assess, monitor and manage money laundering risk;

and

are comprehensive and proportionate to the nature, scale and complexity

of its activities.”

2.7
SYSC 6.3.3R provides:

“A firm must carry out a regular assessment of the adequacy of these systems

and controls to ensure that they continue to comply with SYSC 6.3.1 R.”

2.8
SYSC 6.3.7G provides:

“ A firm should ensure that the systems and controls include:

(1) appropriate training for its employees in relation to money laundering;”.

2.9
SYSC 7.1.2R provides:

“A common platform firm must establish, implement and maintain adequate risk

management policies and procedures, including effective procedures for risk

assessment, which identify the risks relating to the firm's activities, processes and

systems, and where appropriate, set the level of risk tolerated by the firm.”

2.10
SYSC 7.1.3R provides:

“A common platform firm must adopt effective arrangements, processes and

mechanisms to manage the risk relating to the firm's activities, processes and

systems, in light of that level of risk tolerance.”

Decision Procedure and Penalties Manual (“DEPP”)

2.11
Chapter 6 of DEPP, which forms part of the Authority’s Handbook, sets out the

Authority’s statement of policy with respect to the imposition and amount of

financial penalties under the Act. In particular, DEPP 6.5A sets out the five steps

for penalties imposed on firms.

2.12
Chapter 6A of DEPP sets out the Authority’s statement of policy with respect to

the imposition of suspensions or restrictions, and the period for which those

suspensions or restrictions are to have effect.

2.13
The Enforcement Guide sets out the Authority’s approach to taking disciplinary

action. The Authority’s approach to financial penalties and suspensions (including

restrictions) is set out in Chapter 7 of the Enforcement Guide.


© regulatorwarnings.com

Regulator Warnings Logo