Final Notice
On , the Financial Conduct Authority issued a Final Notice to Mohammed Ataur Rahman Prodhan
FINAL NOTICE
Number:
MAP01293
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Authority hereby publishes a
statement of Mr Prodhan’s misconduct. The statement will take the form of this
Final Notice which will be published on the Authority’s website.
1.2.
Were it not for the exceptional circumstances in this matter, the Authority would
have sought to impose a financial penalty of £76,400 on Mr Prodhan.
2.
SUMMARY OF REASONS
2.1.
By the Decision Notice dated 16 May 2018, the Authority notified Mr Prodhan that
it had decided to impose on him a financial penalty of £76,400.
2.2.
On 10 June 2018, Mr Prodhan referred the matter to which the Decision Notice
related to the Tribunal. On 4 November 2022, Mr Prodhan withdrew the Reference.
2.3.
Since the commencement of the investigation and, in particular, during the period
of four years and three months when the Reference was active in the Tribunal,
circumstances have changed in the following ways:
2
(1)
Mr Prodhan has returned to Bangladesh where he now resides. As
a consequence, Mr Prodhan has no residual links to, nor assets in,
the UK;
(2)
Mr Prodhan recently retired from employment;
(3)
Mr Prodhan has ongoing personal conditions which limit his ability
to travel to the UK, to participate in a hearing of the Reference or
otherwise; and
(4)
the length of time which has elapsed since Mr Prodhan’s misconduct
(some 10 years) contributes to an increasing risk of the Reference
not being able to be determined fairly.
The Authority considers that the combination of these circumstances is exceptional
and, accordingly, takes the action set out in this Final Notice on the basis of the
facts and matters set out below.
2.4.
The prevention of money laundering and financial crime is essential to maintaining
the integrity of the UK financial system. Banks and other financial services firms
are responsible for managing the risk that they might be used by those seeking to
launder the proceeds of crime and are subject to significant regulatory
requirements to maintain robust AML systems and controls.
2.5.
However, such controls will not be effective unless senior managers understand the
risks faced by the business for which they are responsible, create a culture which
supports effective regulation and take responsibility for overseeing systems for
which they are responsible.
2.6.
In April 2012, Mr Prodhan was appointed to be the CEO of SBUK after a lengthy
career in its parent bank in Bangladesh. He was approved to hold the CF1 (director)
and CF3 (chief executive) significant-influence controlled functions and was made
the senior manager responsible for the establishment and maintenance of effective
AML systems and controls.
2.7.
Throughout the Relevant Period (7 June 2012 to 4 March 2014), day-to-day
operational responsibility for SBUK’s AML systems and controls lay with SBUK’s
MLRO, who reported to Mr Prodhan. Mr Prodhan relied upon information and
assurances provided by the MLRO with respect to the operation of SBUK’s AML
systems and controls and failed to carry out any independent checks to ensure that
such systems and controls were working effectively.
3
2.8.
Mr Prodhan was aware that, in 2010, the Authority had identified serious failings in
SBUK’s AML systems and controls and that SBUK had undertaken to ensure that
financial crime issues were given further attention in the future. On several
occasions before and shortly after taking up his role, he was made aware of the
seriousness of AML issues.
2.9.
Despite this, and despite warnings from SBUK’s Internal Auditors, including those
contained in the Internal Auditors’ report of 7 June 2012, which raised particular
concerns with SBUK’s governance and AML transaction monitoring processes, Mr
Prodhan failed to take reasonable steps to ensure that AML risks were adequately
identified, assessed and documented. As a result, SBUK’s board was insufficiently
informed of the AML risks faced by SBUK and SBUK’s strategic planning failed to
take adequate account of AML risks.
2.10. Mr Prodhan also failed to take reasonable steps to assess or mitigate the AML risks
stemming from a culture of non-compliance among SBUK’s staff.
2.11. Further, Mr Prodhan failed to take reasonable steps to ensure that sufficient focus
was given to AML systems and controls within SBUK, that there was a clear
allocation of responsibilities to oversee SBUK’s branches and that he appropriately
oversaw, managed and adequately resourced SBUK’s MLRO function.
2.12. Due to these failures, SBUK’s operational staff failed to appreciate the need to
comply with AML requirements and the MLRO function was ineffective in monitoring
their compliance. This led to systemic failures in SBUK’s AML systems and controls
throughout the business.
2.13. On 12 October 2016 the Authority gave SBUK a Final Notice, imposing a financial
penalty of £3,250,600 and a restriction in respect of accepting deposits for failings
in relation to AML systems and controls. The SBUK Final Notice describes how,
among other breaches, SBUK breached Principle 3, which requires that a firm take
reasonable steps to ensure that it has organised its affairs responsibly and
effectively, with adequate risk management systems. On 12 October 2016 the
Authority also gave the MLRO a final notice, imposing on him a financial penalty of
£17,900 and an order prohibiting him from performing certain controlled functions.
2.14. As a result of the above, the Authority considers that Mr Prodhan breached
Statement of Principle 6 (exercising due skill, care and diligence in managing the
business of the firm for which he was responsible) and was knowingly concerned in
SBUK’s breach of Principle 3.
3.
DEFINITIONS
3.1.
The definitions below are used in this Final Notice.
“the 2010 Visit” means the visit by the Authority to SBUK on 26 and 27 July 2010;
“the 2014 Visit” means the visit by the Authority to SBUK on 28 and 29 January
2014;
“the Act” means the Financial Services and Markets Act 2000;
“AML” means anti-money laundering;
“the AML Staff Handbook” means the “Anti-money laundering and countering
terrorist financing Handbook for Management and Staff”, the document used by
SBUK to outline its AML processes and provided to its staff;
“APER” means the part of the Authority’s Handbook entitled “Statements of
Principle and Code of Practice for Approved Persons”;
“the Audit Committee” means the committee of SBUK’s board responsible for
monitoring operational controls;
“the Authority” means the body corporate previously known as the Financial
Services Authority and renamed on 1 April 2013 as the Financial Conduct Authority;
“CDD” means customer due diligence, the measures a firm must take to identify a
customer and to obtain information on the purpose and intended nature of the
business relationship, as outlined in regulation 5 of the ML Regulations;
“CEO” means Chief Executive Officer;
“the Decision Notice” means the decision notice given to Mr Prodhan in relation to
this matter on 16 May 2018;
“DEPP” means the Authority’s Decision Procedure and Penalties Manual;
“EDD” means enhanced customer due diligence, the measures a firm must take in
certain situations, as outlined in regulation 14 of the ML Regulations;
“the Internal Auditors” means the firm appointed by SBUK to conduct audits of its
systems and controls during the Relevant Period;
“the ML Regulations” means the Money Laundering Regulations 2007;
“MLRO” means money laundering reporting officer;
5
“MSB” means a money service bureau, a financial institution not regulated by the
Authority, offering bureau de change and/or money remittance services;
“PEP” means politically exposed person, as defined in regulation 14(5) of the ML
Regulations;
“Principle” means one of the Authority’s Principles for Businesses;
“the Reference” means the reference to the Tribunal, by Mr Prodhan, of the matter
to which the Decision Notice related;
“Relevant Period” means the period from 7 June 2012 to 4 March 2014;
“SAR” means suspicious activity report, a report of suspected money laundering to
be made by any employee to the MLRO, as required by Part 7 of the Proceeds of
Crime Act 2002;
“SBUK” means Sonali Bank (UK) Ltd (as it was during the Relevant Period);
“Skilled Person” means the skilled person appointed pursuant to section 166 of the
Act to assess and report upon SBUK’s AML processes;
“Statement of Principle” means one of the Statements of Principle for Approved
Persons set out in chapter 2 of APER;
“SYSC” means the part of the Handbook entitled “Senior Management
Arrangements, Systems and Controls”;
“the Tribunal” means the Upper Tribunal (Tax and Chancery Chamber); and
“Warning Notice” means the warning notice given to Mr Prodhan dated 27 April
2017.
4.
FACTS AND MATTERS
SBUK
4.1.
SBUK was, during the Relevant Period, the UK subsidiary of Sonali Bank Ltd, which
is incorporated in Bangladesh. SBUK was authorised to accept deposits and
provided banking services to the Bangladeshi community in the UK. During the
Relevant Period, SBUK operated six branches in the UK. It carried on the regulated
activities of providing personal and corporate deposit accounts and other,
unregulated, activities including money remittance services to Bangladesh
(conducted face-to-face and by telephone) and trade finance operations. Each of
these activities involved potentially significant money laundering risks.
6
4.2.
On 26 and 27 July 2010, as part of thematic work, the Authority visited SBUK to
assess its AML systems and controls. Subsequently, on 20 August 2010, the
Authority notified SBUK of a number of serious concerns. As a result of the 2010
Visit, SBUK agreed to implement a series of measures intended to rectify the issues
identified. In written communications with the Authority, SBUK’s senior
management committed to ensure that financial crime issues were given closer
attention in the future.
4.3.
Mr Prodhan is a national of Bangladesh, who joined Sonali Bank Ltd in 1984. Over
the course of his career with Sonali Bank Ltd prior to joining SBUK, he worked in
various roles at a number of branches in Bangladesh, rising to the position of
General Manager. In April 2012 he was appointed the CEO and company secretary
of SBUK, and relocated to the UK. On 8 May 2015 Mr Prodhan left SBUK and
subsequently relocated back to Bangladesh where he continued to work in senior
roles in the Bangladesh financial sector. Mr Prodhan retired in August 2022.
Mr Prodhan’s responsibilities
4.4.
Mr Prodhan held the CF1 (director) and CF3 (chief executive) controlled functions
throughout the Relevant Period. These were accountable significant-influence
functions within the meaning of APER. Prior to his appointment as CEO, Mr Prodhan
had no previous experience in UK financial services.
4.5.
As part of his role, Mr Prodhan was made the senior manager with responsibility
for the establishment and maintenance of effective AML systems and controls at
SBUK. The establishment of such a position is, by SYSC 6.3.8R, a regulatory
requirement.
4.6.
As the CEO and the senior manager responsible for AML systems and controls at
SBUK, Mr Prodhan’s duties included:
(1)
ensuring the proper establishment and maintenance of effective
AML systems and controls;
(2)
reporting to the board on the adequacy and suitability of the AML
systems and controls;
(3)
developing and maintaining an effective framework of internal
controls over risks in relation to all business activities;
7
(4)
developing processes and structures to ensure that all associated
risks to the shareholders’ investment were identified, documented
and compared with approved risk appetite and that appropriate
steps were taken to mitigate those risks;
(5)
providing management information that was accurate and ensuring
that AML systems and controls in place were robust;
(6)
ensuring that a commitment to regulatory compliance existed
within SBUK and that employees adhered to this duty of
compliance;
(7)
setting SBUK’s values, culture and standards and ensuring that its
obligations to its stakeholders and others were understood and
met; and
(8)
ensuring that SBUK’s business complied with all the necessary
regulatory requirements.
4.7.
As part of his role, Mr Prodhan was the chair of SBUK’s executive committee, which
was the primary body with operational responsibility for running the bank. Further,
he was a member of the board of directors and was an attendee at meetings of the
Audit Committee.
4.8.
Mr Prodhan was line manager to the MLRO and was responsible for ensuring that
the MLRO had a level of authority and independence within SBUK, and access to
resources and information, sufficient to enable him to carry out his responsibilities
as MLRO.
4.9.
When he was appointed CEO, Mr Prodhan was made aware of the Authority’s
concerns arising from the 2010 Visit and read the written communications between
SBUK and the Authority which followed it. This meant that Mr Prodhan knew of the
Authority’s previous concerns and of SBUK’s ongoing commitment to give close
attention to financial crime issues.
4.10. In carrying out the role of ensuring the establishment and maintenance of effective
AML systems and controls at SBUK, the Authority considers that Mr Prodhan should
(1)
ensured that he was sufficiently well-informed about the risks
affecting SBUK’s business, in particular those relating to AML;
(2)
considered and assessed the measures in place to mitigate these
risks and whether they were working effectively;
(3)
taken reasonable steps to ensure that the importance of robust AML
systems and controls was clearly and unambiguously articulated
throughout SBUK;
(4)
considered AML risks when making decisions regarding resourcing,
the appointment or dismissal of key personnel and before taking on
new business;
(5)
ensured that reports to the board were complete and accurate and
informed the board appropriately of the AML risks;
(6)
devoted appropriate oversight and line management support to the
MLRO; and
(7)
provided appropriate challenge to reports of the MLRO.
Failure to fulfil the responsibilities of his role
Failure to put in place a conduct risk framework
4.11. On 7 June 2012, a report of the Internal Auditors highlighted to Mr Prodhan and
other senior managers a lack of evidence to demonstrate that SBUK had identified
and considered the conduct risks to which it was exposed, that SBUK’s risk register
was not reflective of the risks faced and that there was a lack of any demonstrable
link to the tasks listed in SBUK’s compliance monitoring plan. The Internal Auditors
recommended that SBUK’s management establish a conduct risk appetite which
should be approved by the board and ensure that all risks were identified, assessed
and recorded within a risk register.
4.12. Despite this, in August 2013, the Internal Auditors reported that no conduct risk
appetite had been documented and that the risk register had not been updated. In
response, SBUK’s management asserted that its existing documentation was
sufficient and decided not to follow the recommendations of the Internal Auditors.
4.13. As a result, at a strategic level, SBUK did not adequately assess the risks to which
it was exposed, including those relating to AML and financial crime, and consider
how best to address them. It was the responsibility of Mr Prodhan to take
reasonable steps to ensure that risks were identified, documented and mitigated,
and that the relevant systems and controls were working effectively. It was also
his responsibility to take reasonable steps to ensure that the board was sufficiently
sighted of the risks to which SBUK was exposed.
Failure to inform himself of the AML risks
4.14. Mr Prodhan stated to the Authority that, at the time of his appointment, on the
basis of documentation provided to him and conversations with senior colleagues,
he considered that there were no concerns about SBUK’s AML controls.
4.15. Mr Prodhan’s management style was one of delegation and he delegated
responsibility for the maintenance of SBUK’s AML systems and controls to the
MLRO. Although he was entitled to delegate the day-to-day operational
management of SBUK’s AML systems and controls, he remained responsible for
ensuring that these systems and controls were properly established and
maintained, and should have taken reasonable steps to ensure that he had at all
times an adequate understanding of the AML risks and how they were being
addressed. Throughout the Relevant Period, he did not engage sufficiently in the
consideration of AML risks. He failed to hold sufficiently regular meetings with the
MLRO, contributed little to meetings at which AML issues were considered and did
not provide any effective challenge to reports from the MLRO.
4.16. As a result, Mr Prodhan did not appreciate the seriousness of the AML risks faced
by SBUK nor the importance of compliance with AML requirements.
4.17. Because of this lack of understanding and appreciation on Mr Prodhan’s part and
because he failed to take reasonable steps to ensure that the board and senior
management were sufficiently sighted of SBUK’s AML risks, SBUK’s strategic
planning failed to take sufficient account of AML risks and the need to mitigate
them. At no point during the Relevant Period did SBUK put in place a coherent
strategy to address AML risks.
4.18. In 2013, SBUK began offering banking services to MSBs; the offer to provide these
new services was made without adequate consideration of the additional AML risks
which would result or the extra resources which would be needed to address them.
Indeed, when SBUK drafted an updated business plan in late 2013, it failed to detail
any consideration of how AML issues affected SBUK’s ongoing business activities.
AML management reporting
4.19. Throughout the Relevant Period, the MLRO produced a monthly compliance and
financial crime report which was submitted to senior management, the Audit
Committee and the board. These monthly reports provided little analysis on the
effectiveness of systems and controls and failed to highlight particular risks or
issues for the immediate attention of management. Furthermore, the reports were
subject to little, if any, challenge by Mr Prodhan.
4.20. In addition, in January each year, the MLRO produced an MLRO report to assess
SBUK’s compliance with regulatory obligations and the operation and effectiveness
of the AML systems and controls over the previous year. Although the MLRO reports
did provide descriptions of the systems in place, they provided no adequate analysis
of the effectiveness of these systems. Moreover, they omitted or failed to report
accurately important findings of the Internal Auditors, including criticisms of the
AML transaction monitoring process. As such, despite certifying that controls were
sufficient, they were ineffective in providing comfort that systems were operating
effectively.
4.21. Despite being aware of the findings of the Internal Auditors, Mr Prodhan failed to
identify that the MLRO reports were inadequate. Moreover, he failed to provide any
challenge to the MLRO’s assessment that systems were operating effectively. As a
consequence, the management information presented to the board and Audit
Committee was inadequate and did not allow them to assess properly the
effectiveness of controls.
Failure to foster a culture of compliance
4.22. It was Mr Prodhan’s responsibility to set SBUK’s values, culture and standards and
he should have steered senior management towards ensuring that SBUK fostered
a culture throughout the firm which valued robust adherence to its regulatory
responsibilities. It was apparent to members of SBUK’s senior management and
board during the Relevant Period that SBUK’s staff did not always appreciate the
importance of regulatory compliance and that a culture persisted which was
resistant to changing methods of business in accordance with changing
requirements.
4.23. As a result, in July 2013, the board tasked SBUK’s senior management with
considering measures to introduce changes to the organisation in order to address
a lack of discipline in operational matters. Despite this and subsequent warnings,
Mr Prodhan did not take reasonable steps to address the cultural issues or to ensure
that appropriate focus was paid to regulatory compliance throughout SBUK.
4.24. While not limited to AML requirements, this failure impacted upon SBUK’s AML
systems and controls: the importance of complying with AML requirements was
neither sufficiently understood nor valued throughout SBUK. Other members of the
senior management team did not view AML requirements as part of their
responsibility and no adequate measures were taken to impress upon operational
staff the value of AML systems and controls.
Branch oversight
4.25. SBUK’s branches reported to its head office. However, the reporting lines were
confused and there was a lack of communication between head office and the
branches. This meant that little regular contact was made to ensure that the
branches were operating in compliance with the regulatory requirements and there
was little ongoing management focus on the effectiveness of AML systems and
controls within the branches. As a result, operational staff failed to appreciate the
need to comply properly with AML requirements.
4.26. The MLRO reports of 2012, 2013 and 2014 each outlined a recommendation for a
regular program of visits to be conducted by the MLRO to the branches to ensure
that AML controls were operating effectively. However, because the MLRO suffered
from resourcing shortages, no such visits took place until, following the 2014 Visit,
the Authority requested that an assessment be carried out of the AML controls in
operation at the branches.
4.27. Despite being alerted by the MLRO reports for three successive years to the need
for branch visits, and being aware that no such visits were being carried out, Mr
Prodhan failed to take reasonable steps to ensure that branch visits took place until
after the 2014 Visit.
4.28. When members of the senior management carried out branch visits in April 2014,
they identified a lack of adequate understanding of AML issues among branch
managers and staff.
Failure to manage and resource the MLRO adequately
4.29. Mr Prodhan’s responsibilities included exercising managerial oversight over the
MLRO. However, he failed to hold sufficiently regular meetings with, conduct
meaningful appraisals with or adequately challenge the MLRO.
4.30. During much of the Relevant Period the MLRO department did not have adequate
resources and was overstretched, which hampered its ability to carry out its
functions. Until mid-2014, in addition to his role overseeing the AML systems and
controls, the MLRO was required to act as compliance officer, document strategies,
arrange training (both compliance and non-compliance related), act as data
protection officer and undertake company secretarial work, including noting, and
subsequently typing up, minutes at board and Audit Committee meetings.
4.31. Despite being aware of concerns expressed by the Internal Auditors in June 2012
as to the level of AML transaction monitoring being undertaken by the MLRO
department, Mr Prodhan failed to identify that the MLRO department did not have
sufficient resources.
4.32. In January 2013, the MLRO requested further staffing. Although Mr Prodhan agreed
to the request, he did not take reasonable steps to ensure that the recruitment of
a suitable staff member was actioned in a timely way. The MLRO took several
months to draft the job description. In the event, a further staff member was not
appointed until January 2014, although part of the delay was caused by the
withdrawal of a preferred candidate late in the recruitment process.
4.33. Mr Prodhan should have taken reasonable steps to ensure that the resource gap
identified was addressed in a more timely manner, particularly because the lack of
adequate resource during this period impacted adversely on the monitoring carried
out by the MLRO function. At the time Mr Prodhan had agreed to take on MSBs as
customers which he knew would have significant resource implications for the MLRO
department. It was Mr Prodhan that had the responsibility and ability to ensure that
resource was adequate.
Failure to consider warnings
4.34. Mr Prodhan received several clear indications during the Relevant Period of
significant issues with SBUK’s governance framework and AML systems and
controls. In June 2012, the Internal Auditors reported on the operation of SBUK’s
control framework. The Internal Auditors identified “a number of areas that require
actioning by Management which we consider expose SBUK to a high level of
regulatory risk”. The overall audit grade was ‘4’, indicating “Actual/potential very
significant implications for SBUK”, although the grade for AML and anti-fraud
measures was 2, indicating “Actual/potential implications where the risk/control
failure is considered to be moderate (ie an important implication at business area
(department level), but which does not warrant a grade of significant or low”. In
particular, the report identified:
(1)
a failure to identify and assess conduct risk and produce a conduct
risk appetite statement;
(2)
an inadequate risk register;
(3)
no demonstrable link between the compliance monitoring plan and
the risk register; and
(4)
an inadequate AML transaction monitoring process.
4.35. In August 2013, the Internal Auditors produced a further report. This found that
SBUK had still not documented its conduct risk, its risk register was still inadequate,
its compliance monitoring plan was still not risk-based and the AML transaction
monitoring process should be reviewed. Again, the overall audit grade was ‘4’,
although the grade for AML and anti-fraud measures remained at 2.
4.36. In October 2013, the Internal Auditors conducted a review of trade finance files.
They noted an 83% error rate in the documentation relating to CDD and fees and
identified that file monitoring by the MLRO had not been adjusted to reflect
increased business and had only taken place in two months of the year.
4.37. In each case, the reports of the Internal Auditors were subject to discussion at
board and senior management level. However, on each occasion, Mr Prodhan failed
to take any adequate measures to address the concerns of the Internal Auditors.
4.38. It was the responsibility of SBUK staff members to refer any suspicious activity to
the MLRO by completing a SAR. In each of the annual MLRO reports between 2012
and 2014, the MLRO described the lack of SARs referred to him by staff, particularly
in the trade finance part of the business, as “surprising”. Each report stated that
this “may well be attributable to the fact that the vast majority of counterparties to
the LCs [letters of credit] are familiar to the Trade Finance staff”.
4.39. Despite this indicator that staff may not have been reporting suspicious activity
appropriately, and despite the same suggested explanation being given each year
without any apparent investigation, Mr Prodhan did not take any steps to
investigate the apparently low level of SARs, to ensure that such an investigation
was carried out or to challenge the MLRO on the suggested explanation.
4.40. Following the review by the Skilled Person in 2014, SBUK reviewed its customer
files and a sample of its remittance transactions. As a result, an additional 141
SARs were submitted in respect of account holders and 102 SARs were submitted
in respect of remittance transactions. This is a clear indicator that staff had failed
to report suspicious activity appropriately. In failing to take reasonable steps to
ensure that the reasons for the low levels of referrals made were investigated and
that the rationale provided was reasonable, Mr Prodhan failed to identify a lack of
understanding of AML issues and application of relevant requirements by SBUK’s
staff.
4.41. On 28 and 29 January 2014, the Authority visited SBUK as part of follow-up
thematic work to assess AML controls in smaller banks. Notwithstanding the
measures taken as a result of the 2010 Visit, the Authority identified serious AML
failings.
4.42. The Authority requested that SBUK take a number of immediate actions to address
the risks posed by its AML weaknesses. These included lowering the remittance
threshold for obtaining source of funds information, screening its customers to
identify PEPs, conducting EDD on all PEPs and high risk customers and carrying out
visits to its branches to assess their AML systems and controls.
4.43. As a result of concerns arising from the 2014 Visit, the Skilled Person was appointed
to assess and report upon SBUK’s AML systems and controls. On 21 July 2014, the
Skilled Person reported its findings. It concluded that there were “systemic” AML
failings arising from “a lack of understanding and implementation of systems and
controls throughout the Bank”.
4.44. In a letter dated 4 March 2014 Mr Prodhan outlined SBUK’s response to the
Authority’s request for a number of immediate actions. SBUK conducted some
remediation activity following the 2014 Visit and put in place a formal remediation
plan after the review of the Skilled Person, although this was not approved by the
board until November 2014.
4.45. On 30 October 2014, Mr Prodhan’s job description was changed and he ceased to
be responsible for SBUK’s AML systems and controls. He continued in the role of
CEO until 8 May 2015 when he left SBUK and ceased to hold controlled functions.
The Authority’s investigation into SBUK
4.46. As a result of the findings of the Skilled Person, the Authority investigated SBUK’s
AML systems and controls during the period from 20 August 2010 to 21 July 2014.
The Authority concluded that SBUK failed to maintain adequate systems and
controls to manage the risk of money laundering and financial crime. These failures
were systemic, and affected almost all levels of its business and governance
structure. Details of the Authority’s findings are set out at Annex A. In particular,
there were significant issues with SBUK’s control systems at an operational level.
These issues are detailed at part A1, sections 6 to 14 of Annex A.
4.47. Although some of the issues predated Mr Prodhan’s appointment at SBUK, the
Authority considers that all of the failings persisted during the Relevant Period.
Moreover, the Authority considers that all of the failings were a direct consequence
of insufficient oversight of AML systems and controls by the board of directors and
senior management in general, and Mr Prodhan in particular.
5.
FAILINGS
5.1.
The regulatory provisions relevant to this Final Notice are referred to in Annex B.
5.2.
As a result of the conduct outlined above, the Authority considers that Mr Prodhan
is guilty of misconduct in that he breached Statement of Principle 6 and was
knowingly concerned in SBUK’s breach of Principle 3. The same evidence is relied
upon in respect of both forms of misconduct.
5.3.
Statement of Principle 6 requires an approved person performing an accountable
significant-influence function to exercise due skill, care and diligence in managing
the business of the firm for which he is responsible in his accountable function.
5.4.
Mr Prodhan breached this requirement during the Relevant Period in that he failed
to appreciate the need to give sufficient focus to regulatory compliance and to take
reasonable steps to ensure the adequacy of SBUK’s AML systems and controls to
prevent financial crime. In particular he failed:
(1)
to take AML risks into account sufficiently when planning SBUK’s
strategic direction and when making the decision to expand the
business of SBUK to MSBs;
(2)
to take reasonable steps to ensure that a culture of compliance
towards regulatory responsibilities existed throughout SBUK;
(3)
to take reasonable steps to ensure that the MLRO function was
adequately resourced in a timely way;
(4)
to take reasonable steps to ensure that SBUK’s branches were
subject to appropriate management oversight with clear reporting
lines and that AML issues were considered as part of the line
management process;
(5)
to investigate or request an explanation for continuously low levels
of SAR submissions;
(6)
to adequately discharge his responsibility to report to the board with
respect to the operation of AML systems and controls;
(7)
to provide adequate challenge to the MLRO’s assertions that AML
controls were effective; and
(8)
to take reasonable steps in a timely fashion to address serious
concerns expressed by the Internal Auditors about significant
failings
in
the
governance
processes
or
to
implement
recommendations of the Internal Auditors.
Knowingly concerned in SBUK’s breach of Principle 3
5.5.
Principle 3 requires that a firm take reasonable steps to ensure that it has organised
its affairs responsibly and effectively, with adequate risk management systems. As
a result of the facts and matters outlined in section A1 of Annex A, and for the
reasons outlined in section A2 of Annex A, SBUK breached this requirement
between 20 August 2010 and 21 July 2014. Mr Prodhan was knowingly concerned
in this breach during the Relevant Period in that he was:
(1)
responsible for ensuring that the importance of AML compliance was
ingrained throughout the business, aware of the warnings of the
culture of non-compliance and aware that SBUK was failing to take
adequate steps to address the issue;
(2)
responsible for ensuring that the board and senior management
were provided with sufficiently clear information to ensure that they
had adequate oversight of the AML risks faced by the business and
were able to assess how they were being addressed. Mr Prodhan
was aware of the information provided to the board and senior
management for this purpose and should have been aware that it
was inadequate;
(3)
aware of the warnings from the Internal Auditors of weaknesses in
SBUK’s governance systems and controls, responsible for ensuring
effective governance systems and aware that the warnings of the
internal auditors were not being acted upon;
(4)
responsible for ensuring the MLRO department was adequately
resourced and aware of a lack of adequate resourcing but failed to
take adequate measures to address the issue;
(5)
responsible for oversight of the MLRO department and failed to take
reasonable steps to ensure that oversight was adequate to confirm
that the MLRO department performed its role effectively;
(6)
responsible for the arrangements for managerial oversight of the
branches and failed to take reasonable steps to ensure that they
were clear and considered AML compliance adequately; and
(7)
aware of the numbers of SAR submissions and, despite having been
aware of the warnings that they were surprisingly low, failed to take
reasonable steps to address the issue.
6.
SANCTION
Public censure
6.1.
The Authority’s policy for imposing penalties is set out in Chapter 6 of DEPP. DEPP
6.4.1G states that the Authority will consider all the relevant circumstances when
deciding whether to impose a penalty or issue a public censure.
6.2.
The Decision Notice outlined the reasons for the Authority’s decision that the
appropriate sanction for Mr Prodhan’s misconduct was the imposition of a financial
penalty of £76,400. This figure was calculated by reference to the Authority’s
penalty policy, set out in DEPP 6.5B. The basis for calculating this figure is set out
at Annex C of this Final Notice.
6.3.
The Authority continues to consider that, absent the factors set out below, the
imposition of a financial penalty of £76,400 would be the appropriate penalty to
impose.
6.4.
Since the commencement of the investigation and, in particular, during the period
of four years and three months when the Reference was active in the Tribunal, Mr
Prodhan’s personal circumstances have changed in the following ways:
(1)
Mr Prodhan has returned to Bangladesh where he now resides. As a
consequence, Mr Prodhan has no residual links to, nor assets in, the UK;
(2)
Mr Prodhan recently retired from employment;
(3)
Mr Prodhan has ongoing personal conditions which limit his ability to
travel to the UK, to participate in a hearing of the Reference or
otherwise; and
(4)
The length of time which has elapsed since Mr Prodhan’s misconduct
(some 10 years) contributes to an increasing risk of the Reference not
being able to be determined fairly.
The Authority considers that the combination of these factors is exceptional.
6.5.
As a result of the above factors, and the exceptional circumstances that they create,
the Authority has decided that it is appropriate to replace the financial penalty
imposed on Mr Prodhan, and notified to him in the Decision Notice, with the
publication of a statement of his misconduct.
6.6.
The Authority therefore publishes this Final Notice as a statement of Mr Prodhan’s
misconduct.
7.
REPRESENTATIONS
7.1.
Annex D contains a brief summary of the key representations made by Mr Prodhan
to the Authority in response to the Warning Notice and how they were dealt with.
The Authority took into account all of the representations made by Mr Prodhan,
whether or not set out in Annex D, before deciding to give him the Decision Notice.
There has been no substantive change in the Authority’s consideration of these
representations.
8.
PROCEDURAL MATTERS
Decision maker
8.1. The decision which gave rise to the obligation to give this Final Notice was made
by the Settlement Decision Makers.
8.2. This Final Notice is given under and in accordance with section 390 of the Act. The
following statutory rights are important.
8.3.
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this Final Notice relates. Under those
provisions, the Authority must publish such information about the matter to which
the notice relates as it considers appropriate. The information may be published in
such manner as the Authority considers appropriate. However, the Authority may
not publish information if such publication would, in the opinion of the Authority,
be unfair to the person in respect of whom the action was taken, prejudicial to the
interests of consumers or detrimental to the stability of the UK financial system.
8.4.
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contact
8.5.
For more information concerning this matter, contact William Walsh (direct line:
020 7066 5518) of the Enforcement and Market Oversight Division of the Authority.
Lauren Rafter
Enforcement and Market Oversight Division
ANNEX A
This Annex outlines the facts and matters which, in the view of the Authority, demonstrate
the weaknesses in SBUK’s governance and control systems and the reasons why SBUK
contravened Principle 3 during the period between 20 August 2010 and 21 July 2014. Mr
Prodhan commenced his role on 11 April 2012 and consequently part of the period during
which SBUK breached Principle 3 pre-dated his appointment. Moreover, the period of
failings which constituted the breach of Principle 3 extends beyond that in which Mr
Prodhan was knowingly concerned. The specific parts of the Principle 3 breach in which Mr
Prodhan was knowingly concerned, between 7 June 2012 and 4 March 2014, are outlined
at paragraph 5.5 above.
A1
Facts and Matters
SBUK’S GOVERNANCE SYSTEM
1.
Board of directors
1.1
The board failed to act cohesively and effectively. There was a lack of experience
and expertise in relation to regulatory and compliance matters and manifest
differences in opinion and approach to complying with regulatory requirements
which affected the board’s ability to operate effectively as a collective unit.
1.2
The board relied in part upon the knowledge of independent non-executive directors
yet failed to ensure that their recommendations were effected. For example, in
September 2010, the board’s attention was drawn to “a cultural mind-set which
needed to change” in relation to AML issues. Despite this, and similar expressions
of concern made to the board subsequently, the board took insufficient steps to
ensure that the importance of AML compliance was ingrained throughout the
business.
1.3
Although the board initially monitored the progress of the remediation measures
taken following the 2010 Visit, it made insufficient enquiry into the effectiveness of
the measures taken and, by March 2011, remediation measures did not feature on
the board agenda. This meant that the board was not able to satisfy itself that the
implemented measures were operating effectively. The board failed to consider,
assess, document and mitigate adequately the risks to which SBUK was exposed,
including that of AML compliance. In 2012, the Internal Auditors drew attention to
a lack of evidence to demonstrate that SBUK had identified and considered the
conduct risks to which it was exposed, that SBUK’s risk register was not reflective
of the risks faced and that there was a lack of any demonstrable link to the tasks
listed in SBUK’s compliance monitoring plan. They recommended that the board
approve a conduct risk appetite statement and that SBUK review its compliance
monitoring plan.
1.4
Despite this, in 2013, the Internal Auditors reported that no conduct risk appetite
had been documented, that the risk register had not been updated and that the
compliance monitoring plan remained insufficiently focussed on high-risk areas. As
a result, SBUK’s board failed to ensure that it was sufficiently sighted of the risks
to which it was exposed, including the risk of being used for money laundering or
other financial crime.
1.5
Further, the board failed to provide effective oversight of senior management
responsible for ensuring that systems and controls were robust and the board
routinely accepted without challenge management assurances on the effectiveness
of AML controls. Despite identifying from a report of the Internal Auditors in June
2012 that it was “clear that the management have failed in some areas”, the Audit
Committee accepted the recommendations of senior management and failed to
take steps to ensure that failures were remediated adequately.
1.6
Although the board received regular financial crime reports, it raised insufficient
challenge to the conclusions reached and failed to enquire adequately into the
oversight of the implemented systems.
2.
Senior Management Team
2.1
Following the 2010 Visit, SBUK’s senior management oversaw the plan to remediate
the identified failings. These measures were accepted as complete in December
2011 without sufficient testing of their implementation to determine whether the
required steps had been taken or how effective the systems introduced as a result
were operating.
2.2
At no time did SBUK’s senior management put in place a coherent strategy for
addressing AML risk. As identified above at paragraph 1.4, SBUK’s senior
management failed to act on the recommendations of the Internal Auditors to
ensure that all risks were identified, assessed and recorded within a risk register.
2.3
SBUK’s senior management received monthly Compliance and Financial Crime
reports from the MLRO. However, these were formulaic, provided insufficient
analysis on the effectiveness of systems and controls, failed to highlight particular
risks or issues for the immediate attention of senior management and were subject
to little challenge by the senior management team.
2.4
The senior management failed to take responsibility for ensuring that AML issues
were sufficiently prioritised throughout the business. Overall, senior management
was willing to accept assurances that compliant AML systems were in place without
conducting any adequate enquiry as to the effectiveness of these systems and
despite adverse reports from the Internal Auditors.
3.
Internal Audit
3.1
On 31 December 2010, SBUK informed the Authority that it had appointed an
external firm to carry out its internal audit functions and that it will “pay close
attention to whether the [AML] procedures are being correctly followed”.
3.2
On the basis of their work, the Internal Auditors produced regular reports,
relevantly in each of the years 2011 to 2013. Each report identified significant
weaknesses in SBUK’s AML control systems: several of these are outlined in this
Notice.
3.3
Overall, in 2011 the Internal Auditors graded the risks and controls associated with
SBUK’s governance and regulation activities as ‘3’, indicating ‘actual/potential
significant implications for SBUK as a whole or as a business area (say a
department)’.
3.4
In both 2012 and 2013, the grading was ‘4’ – the highest grade available, indicating
‘actual/potential very serious implications for SBUK’.
3.5
In respect of several failings, the Internal Auditors noted that they persisted in
subsequent years despite the assurances of senior management that they would
be remediated.
3.6
Despite these indicators, between 2011 and 2013, the number of days allocated by
the Internal Auditors to consideration of governance and regulation matters was
reduced from 18 days in 2011 to 8 days by 2013.
3.7
The failure of SBUK’s senior management to react appropriately to the adverse
findings of its own independent Internal Auditors and to improve adequately the
control framework is a clear indicator that senior management was insufficiently
focussed on compliance in general and AML systems in particular.
3.8
As a result, senior management failed to ensure that SBUK fostered a culture which
valued robust adherence to its regulatory responsibilities and allowed a culture of
minimal, or non-compliance to persist throughout the firm.
4.
MLRO function
4.1
The MLRO function was responsible for monitoring and ensuring SBUK’s compliance
with its AML responsibilities. It was therefore important that the MLRO function was
properly equipped with staff who had adequate skills and experience, and systems
which enabled effective monitoring.
4.2
In addition to his role overseeing the AML systems and controls, until 2014, SBUK
required its MLRO: to act as compliance officer; to act as line manager to staff; to
undertake responsibilities for training; and to undertake some company secretarial
work, including taking, and subsequently typing up, minutes at board and Audit
Committee meetings.
4.3
Having identified in March 2013 that the MLRO function required further staffing,
although steps were taken from the summer of 2013 onwards, SBUK did not recruit
another staff member until January 2014. The lack of adequate resource during
this period adversely affected the monitoring carried out by the MLRO function: for
example, in August 2013, the Internal Auditors noted that only 17 reviews of trade
finance files had been carried out, rather than the 75 mandated by SBUK’s
procedures.
4.4
In addition to staffing, SBUK failed to provide the MLRO department with adequate
resources. Despite the MLRO recommending membership of a commercial crime
information service in each of the MLRO reports for 2011 to 2013, SBUK failed to
purchase the suggested service or an alternative.
4.5
The MLRO also recommended software enhancements in each of the MLRO reports
for 2011 to 2014, in relation to sanctions screenings, which were implemented in
2015. In 2012, the MLRO recommended that upgrades to remittance software were
required to ensure that transactions were automatically screened against sanctions
lists. This was implemented in the second half of 2014. SBUK failed to implement
the necessary upgrades in a timely manner.
4.6
In 2011 SBUK started a project to replace its IT system which would have provided
enhanced AML functionality. As of August 2016, SBUK was still working on
implementation of this new system.
4.7
The Authority acknowledges that external factors have been involved in the delay
in implementing the new system. Nevertheless, senior management’s lack of
sufficient focus on AML systems meant that they did not respond adequately to the
delay. Therefore senior management failed to ensure that SBUK was equipped
properly to carry out its functions effectively.
5.
Oversight of branches
5.1
SBUK’s head office was based in London. It operated five additional branches,
providing retail banking and money remittance services to Bangladeshi
communities outside central London.
5.2
Reporting lines from the branches to SBUK’s head office were confused. While some
visits to branches were made by senior management, these were focused on the
administrative operations of the branches and did not consider compliance with
AML processes.
5.3
As a result, AML compliance was not embedded in the reporting lines of branch
staff or management and insufficient ongoing management attention was focussed
upon the effectiveness of AML systems within the branches, although half yearly
conferences were conducted for branch managers at which AML issues were
discussed.
5.4
The MLRO reports of 2012, 2013 and 2014 each outlined a recommendation for a
regular program of visits to be conducted by the MLRO to the branches. As a result
of a lack of resources in the MLRO department, these visits did not take place until
after the Authority’s feedback from the 2014 Visit. Despite being alerted by the
MLRO reports for three successive years to the need for branch visits, SBUK’s senior
management took no steps to ensure that they took place.
5.5
Instead, AML oversight of the branches was conducted by the (already under-
resourced) MLRO department’s transaction monitoring and by dealing with ad hoc
queries posed by branch staff. This led to a culture amongst branch staff of reliance
on the MLRO department to ensure that AML monitoring and reviews were
satisfactorily completed.
5.6
When members of the senior management carried out branch visits in April 2014,
SBUK identified a lack of adequate understanding of AML issues among some
branch managers and staff, including unsatisfactory knowledge of CDD, EDD,
customer risk assessments and the circumstances in which a SAR was necessary.
6.
AML policies and procedures
6.1
SBUK maintained the AML Staff Handbook which contained its AML policy and
procedures. It was redrafted following the 2010 Visit with the assistance of external
consultants and subsequently approved by the board on an annual basis. The AML
Staff Handbook was a high level manual that provided insufficient practical
guidance to staff to assist them with carrying out their functions effectively. Staff
were provided with the AML Staff Handbook but were given limited further
documentary guidance on how to follow the AML processes. This meant that staff
were not provided with adequate guidance on how to comply with SBUK’s AML
processes.
6.2
For example, staff were instructed that prior to establishing a relationship or
opening an account, they were required to obtain “sufficient due diligence” but the
guidance did not specify what would be considered as “sufficient”.
6.3
Members of staff were required to obtain evidence of source of funds for cash
remittances of £9,000 and above (reduced to £2,000 and above in January 2014)
but no guidance was provided on what form this evidence should take. This was
despite cash remittances being a key risk area for the business. The lack of specific
guidance in this area led to staff processing very large cash remittance transactions
with little evidence of source of funds. For example, a cash remittance transaction
of £10,000 (a significant sum compared to the income of the remitter) was
processed where the only documented evidence of source of funds obtained
consisted of a withdrawal slip. It does not appear that adequate consideration was
given as to whether this was sufficient in such circumstances, or whether further
information, such as evidence of the activity that generated the funds, was
necessary.
6.4
The AML Staff Handbook was at times contradicted by the MLRO reports. For
example, from January 2012, the AML Staff Handbook provided for SBUK to treat
all new customers as high risk for the first six months. However, the 2012 and 2013
MLRO reports stated that SBUK’s policy was “not to conduct relationships with any
individual or organisation which it considers to be high risk or engages in high risk
activities, except for correspondent banking relationships”.
6.5
Moreover, the MLRO reports provided that all account applications for high risk
customers and subsequent reviews were required to be signed off by senior
management. However, this provision was not set out in the AML Staff Handbook
and consequently was not communicated to staff. It remained unclear how these
policies coincided with the classification of all new customers as high risk. In
practice, the requirement in the MLRO reports was not followed: while senior
management did sign off some categories of customer, they did not sign off all high
risk customers.
6.6
The first time a customer underwent a considered risk assessment was after the
initial six months when the customer was assessed as low, medium or high risk.
This review was largely limited to a manual paper exercise involving a paper diary
system because, until mid-2013, SBUK databases did not have the capability to
record review dates. This meant that the review after the initial six months was not
always conducted on time.
6.7
The AML Staff Handbook listed a number of factors to be used in making a risk
assessment of an individual customer but provided insufficient guidance on how
these factors interrelated or how staff should use them in an individual case.
Although the AML Staff Handbook required ongoing periodic reviews, it did not
provide details of what information these reviews should consider.
6.8
The AML Staff Handbook set out SBUK’s policy and procedural requirements for
carrying out EDD, but it did not explain adequately what EDD was, and did not
provide staff with guidance on how to carry out EDD.
AML CONTROL SYSTEMS
7.
Customer Due Diligence
7.1
Following the 2010 Visit, the Authority had alerted SBUK to deficiencies in its CDD
processes.
7.2
Despite this, when the Authority examined 16 files during the 2014 Visit, it found
a failure to carry out adequate CDD, including a lack of documented evidence of
the purpose and intended nature of the business relationship and information
relating to the expected turnover or transactional activity. As a consequence, these
files lacked suitable information to assess whether account activity was consistent
with the anticipated activity.
7.3
The Skilled Person found a systemic failure to carry out sufficient CDD. Failings
included scanned documentation which was unclear, out of date identification
documentation, incomplete account opening forms and insufficient information
about expected account activity.
7.4
Following the review of the Skilled Person, SBUK identified 2,457 live customer
accounts. Each file suffered from a lack of appropriate documentation.
8.
Enhanced Due Diligence
8.1
The ML Regulations require firms to carry out EDD in any situation which can
present a higher risk of money laundering. SBUK’s policies required it to carry out
EDD in respect of all high risk customers. The AML Staff Handbook reflected this
requirement. The classification of all new customers as high risk therefore required
SBUK to conduct EDD on all of these customers. In fact, SBUK routinely failed to
carry out EDD in respect of its new customers, on the basis that they were not in
fact high risk for these purposes.
8.2
The result of this was that SBUK failed to follow its own policies and failed to give
any meaningful consideration to whether the risks of a particular customer merited
carrying out EDD.
9.
Ongoing monitoring
9.1
The MLRO department did not review live customer accounts at all until a review in
2011. This review found that in most cases the customer information was not up
to date resulting in SBUK writing to 300 customers and requesting information.
These included customers whose account activity involved large cash transactions
or transactions which did not appear consistent with their customer profile. SBUK
did not undertake any subsequent periodic reviews of its customer files and in 2014
approximately 20% of live customer files were still found to be deficient,
demonstrating CDD was still not being carried out properly.
9.2
A sample review of customer files by the Skilled Person found that the reviews
undertaken by the MLRO department after the initial six months was flawed. For
example, the reasons for classifying a customer as high, medium or low risk were
not clearly documented.
9.3
After the initial six month review, SBUK failed to carry out ongoing monitoring of
customer relationships beyond the monitoring of certain transactions. This meant
that, after the initial six month review, insufficient consideration was given to the
AML risks posed by a particular customer unless he or she completed an individual
transaction which was subject to monitoring. This meant that there was a risk that
customers were not classified appropriately which would have impacted on the level
of due diligence undertaken on customers and the frequency of monitoring
determined. The decision whether to monitor a particular transaction was generally
made by reference to the transaction itself rather than by any consideration of the
risks posed by the customer.
9.4
For example, one customer who was identified by SBUK as a PEP, and whose
income had been noted in 2007 as £20,000 per annum, had made a number of
significant cash and cheque deposits. SBUK had failed to consider whether these
deposits were commensurate with his earnings and, accordingly, whether the
account activity posed increased AML risks.
9.5
Until February 2011, SBUK conducted no documented monitoring of transactions.
From February 2011, the MLRO department monitored transactions by reviewing a
series of daily reports which flagged transactions that fell outside pre-set criteria.
Of these, the MLRO department investigated transactions on a sample basis. The
basis for selecting the sample was unclear and the number of transactions
investigated depended on the resource available.
9.6
SBUK operated two separate systems for money remittances. However, the MLRO
department was unaware that it only received daily reports in respect of one of
these systems. As a result, a significant number of transactions were not subject
to monitoring.
9.7
In 2012, the Internal Auditors recommended that the parameters for the daily
reports be reviewed and that all transactions on the reports should be investigated.
However, SBUK did not follow this recommendation.
9.8
SBUK’s systems were unable to detect linked transactions or transactions from a
number of remitters to a single beneficiary. Moreover, individual branches could
not access the remittance history of a customer from other branches and the MLRO
department could not access remittance histories from branches other than the
Head Office.
9.9
This meant that SBUK failed to assess the overall risks posed by particular
customers. For example, the Skilled Person examined a remittance transaction of
£10,000. When assessing the risk of the transaction and of the customer, SBUK
failed to take into account that the customer’s stated income was £28,000 and that,
in less than 18 months, he or she had remitted over £25,000. As a result, the
transaction was not considered by SBUK to be suspicious and no documented
assessment of the risk posed by the customer was made.
10.1
Until 2014, SBUK did not conduct routine screening of its customer list to identify
PEPs. Although checks were carried out in respect of new customers, SBUK failed
to identify some customers who should have been assessed as PEPs. On other
occasions, information which suggested customers were PEPs was discounted
without any documented reasoning. This meant that SBUK risked failing to
appropriately identify PEPs.
10.2
Even when SBUK identified a customer as a PEP, it did not always carry out
adequate EDD. In particular, it failed to establish the source of particular funds or
the source of the customer’s wealth. Even when areas of concern or adverse
information were identified, these were not always sufficiently considered and the
associated risks identified and considered. There was a failure to document
adequately the rationale for the steps taken.
10.3
In one case, SBUK failed to identify that several PEPs sat on the board of one of its
customers and failed to consider publicly available information concerning
corruption investigations involving this customer. As a result, SBUK’s risk
assessment of this customer was seriously deficient.
11.
Suspicious Activity Reporting
11.1
It was the responsibility of SBUK staff members to refer any suspicious activity to
the MLRO by completing a SAR. Throughout the Relevant Period, SBUK staff made
very low levels of SAR submissions. In each of the annual MLRO reports between
2011 and 2014, the MLRO report described the lack of SARs referred by staff,
particularly in the trade finance part of the business, as “surprising”. Each report
stated that this “may well be attributable to the fact that the vast majority of
counterparties to the LCs [letters of credit] are familiar to the trade Finance staff”.
11.2
Despite this potential indicator that staff were not reporting suspicious activity
appropriately, no adequate investigation of the reasons for the low levels of
submissions was made and SBUK accepted the explanation given as sufficient
without any challenge.
11.3
Following the report of the Skilled Person, SBUK reviewed its customer files and a
sample of its remittance transactions. As a result, an additional 141 SARs were
30
submitted to the MLRO department in respect of account holders and 102 SARs in
respect of remittance transactions. This is a clear indicator that staff had previously
failed to report suspicious activity appropriately.
12.1
SBUK was notified following the 2010 Visit that its correspondent banking files
contained very poor records. In October 2012, the MLRO identified that the files
were “in a mess”. Despite this, a full review of correspondent banking relationships
was not carried out until December 2013 at which point four relationships with
correspondent banks were suspended as a result of AML issues.
12.2
Even when SBUK identified adverse information about its correspondent banks, it
did not always act upon this in a timely fashion or at all. On occasions, it relied
upon assurances from the correspondent bank that the information was baseless
or failed to provide documented reasons for reaching conclusions on the risks
posed.
12.3
Even when SBUK identified that directors or shareholders of correspondent banks
were PEPs, it failed to record this status on its PEP register.
13.1
Monitoring of trade finance transactions was undertaken by the MLRO department.
While some investigations were carried out, SBUK could not demonstrate that
effective CDD measures were undertaken adequately. Transactions were approved
by the MLRO department with insufficient evidence of any analysis and reasoning
was not always documented.
13.2
In 2013, the Internal Auditors identified that the level of monitoring of trade finance
files was not taking place to the extent provided by SBUK’s internal procedures.
This was as a result of a lack of resourcing in the MLRO department.
13.3
The Internal Auditors considered a sample of 35 trade finance files. They identified
an error rate of 83%, including insufficient CDD and a failure to gain approval from
the MLRO in respect of high risk transactions. It was noted that “high risk” was not
defined and a recommendation was made to update the trade finance manual.
SBUK did not follow this recommendation.
14.
Money Service Bureaux
14.1
In October 2013, SBUK agreed to provide banking services for seven MSBs, each
of which provided money remittance services. SBUK provided these services
despite identifying various deficiencies in the AML processes of some of the MSBs.
These included outdated process documentation, registration forms which lacked
full information or were not completed, staff with inadequate knowledge and
incomplete training records.
14.2
SBUK later terminated the relationships with six of the seven MSBs. It retained the
relationship with one on the basis that SBUK was satisfied that appropriate AML
systems and controls were in place.
As a result of the facts and matters outlined in this Annex, the Authority considers that
SBUK breached Principle 3 during the period between 20 August 2010 and 21 July 2014
in that:
(1)
it failed to take adequate steps to ensure that the importance of AML
compliance was ingrained throughout the business, despite receiving clear
warnings of a culture of non-compliance;
(2)
it did not ensure that the ongoing effectiveness of the measures introduced
following the 2010 Visit was monitored and assessed effectively;
(3)
it failed to ensure that its board and senior management were provided with
sufficiently clear information to ensure that they were adequately sighted of
the AML risks faced by the business and able to assess how they were being
addressed;
(4)
it ignored warnings from the Internal Auditors of weaknesses in its
governance systems and controls;
(5)
it failed to ensure that the MLRO department was adequately resourced;
(6)
it failed to implement adequate oversight of the MLRO department;
(7)
managerial oversight of its branches was confused and did not sufficiently
consider AML compliance;
(8)
its policies on AML compliance failed to provide adequate practical guidance
to staff;
(9)
its policy on the risk assessment of customers was unclear and
contradictory;
(10)
it failed to carry out adequate CDD when establishing a business relationship
and its systems failed to identify that CDD measures were inadequate;
(11)
it failed to carry out EDD in higher risk situations and its systems failed to
identify that EDD measures were inadequate;
(12)
it failed to conduct on-going monitoring of some customer relationships;
(13)
its AML transaction monitoring was conducted on a sample basis, the
rationale for which was unclear, omitted to consider some transactions, was
insufficiently documented and failed to consider all relevant information;
(14)
it failed to take adequate measures to identify PEPs and to apply adequate
EDD measures to those identified as PEPs; and
(15)
its staff failed to identify and report suspicious activity in appropriate
circumstances. SBUK received warnings that the number of SARs was
surprisingly low but failed to take any adequate steps to ascertain the
reasons for this and consequently failed to identify that staff were not
submitting SARs in appropriate circumstances.
ANNEX B
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.
RELEVANT STATUTORY PROVISIONS
1.1
Pursuant to sections 1B and 1D of the Act, one of the Authority’s operational
objectives is protecting and enhancing the integrity of the UK financial system.
1.2
Pursuant to section 66 of the Act, the Authority may take action against a person
if it appears to the Authority that he is guilty of misconduct and the Authority is
satisfied that it is appropriate in all the circumstances to take action against him.
Misconduct includes failing, while an approved person, to comply with a Statement
of Principle issued under section 64 of the Act and being knowingly concerned in a
contravention by the authorised person on whose application the approval was
given.
1.3
The action that may be taken by the Authority pursuant to section 66 of the Act
includes the imposition on the approved person of a penalty of such amount as the
Authority considers appropriate and the publication of a statement of his
misconduct (a public censure).
1.4
Section 388(3) of the Act provides that the Authority may, before it takes the action
to which a decision notice relates, give the person concerned a further decision
notice which relates to different action in respect of the same matter.
2.
RELEVANT REGULATORY PROVISIONS
2.1
In exercising its powers to publish a statement of Mr Prodhan’s misconduct, the
Authority has had regard to the relevant regulatory provisions published in the
Authority’s Handbook. The main provisions that the Authority considers relevant
are set out below.
The Statements of Principle for Approved Persons (“APER”)
2.2
APER sets out the fundamental obligations of approved persons and sets out
descriptions of conduct, which, in the opinion of the Authority, do not comply with
the relevant Statements of Principle. It also sets out, in certain cases, factors to be
taken into account in determining whether an approved person’s conduct complies
with a Statement of Principle.
2.3
APER 2.1A.3P, which applied from 1 April 2013, sets out Statement of Principle 6
which provides:
“An approved person performing an accountable significant-influence function must
exercise due skill, care and diligence in managing the business of the firm for which
he is responsible in his accountable function.”
2.4
APER 2.1.2P, which applied from 1 December 2001 to 31 March 2013, set out
Statement of Principle 6 which provided:
“An approved person performing a significant influence function must exercise due
skill, care and diligence in managing the business of the firm for which he is
responsible in his controlled function.”
2.5
APER 4.6.2E provided:
“In the opinion of the appropriate regulator [prior to 1 April 2013, the Financial
Services Authority], conduct of the type described in APER 4.6.3E, APER 4.6.5E,
APER 4.6.6E or APER 4.6.8E does not comply with Statement of Principle 6.”
2.6
APER 4.6.6E provided:
“Failing to take reasonable steps to maintain an appropriate level of understanding
about an issue or part of the business that he has delegated to an individual or
individuals (whether in-house or outside contractors) falls within APER 4.6.2E (see
APER 4.6.14G).”
2.7
APER 4.6.14G provided:
“Although an approved person performing a significant influence function may
delegate the resolution of an issue, or authority for dealing with a part of the
business, he cannot delegate responsibility for it. It is his responsibility to ensure
that he receives reports on progress and questions those reports where
appropriate. For instance, if progress appears to be slow or if the issue is not being
resolved satisfactorily, then the approved person performing a significant influence
function may need to challenge the explanations he receives and take action himself
to resolve the problem. This may include increasing the resource applied to it,
reassigning the resolution internally or obtaining external advice or assistance.
Where an issue raises significant concerns, an approved person performing a
significant influence function should act clearly and decisively. If appropriate, this
may be by suspending members of staff or relieving them of all or part of their
responsibilities (see APER 4.6.6E).”
Principles for Business (“Principles”)
2.8
The Principles are a general statement of the fundamental obligations of firms under
the regulatory system and are set out in the Authority’s Handbook.
2.9
Principle 3 provides:
“A firm must take reasonable care to organise and control its affairs responsibly
and effectively, with adequate risk management systems.”
2.10
During the Relevant Period, the following rules applied:
Senior Management Arrangements, Systems and Controls (“SYSC”)
2.11
SYSC 6.1.1R provided:
“A firm must establish, implement and maintain adequate policies and procedures
sufficient to ensure compliance of the firm including its managers, employees and
appointed representatives (or where applicable, tied agents) with its obligations
under the regulatory systems and for countering the risk that the firm might be
used to further financial crime.”
2.12
SYSC 6.3.1R provided:
“A firm must ensure that the policies and procedures established under SYSC
6.1.1R include systems and controls that:
(1) enable it to identify, assess, monitor and manage money laundering risk;
and
(2) are comprehensive and proportionate to the nature, scale and complexity of
its activities.”
2.13
SYSC 6.3.8R provided:
“A firm must allocate to a director or senior manager (who may also be the money
laundering reporting officer) overall responsibility within the firm for the
36
establishment and maintenance of effective anti-money laundering systems and
controls.”
Decision Procedure and Penalties Manual (“DEPP”)
2.14
Chapter 6 of DEPP, which forms part of the Authority’s Handbook, sets out the
Authority’s statement of policy with respect to the imposition of penalties under the
Act. DEPP 6.4.1G states that the Authority will consider all the relevant
circumstances of the case when deciding whether to impose a penalty or issue a
public censure. DEPP 6.5B sets out the five steps for penalties imposed on
individuals in non-market abuse cases. DEPP 6.4.2G states that the criteria for
determining whether it is appropriate to issue a public censure rather than impose
a financial penalty include those factors that the Authority will consider in
determining the amount of penalty in, inter alia, DEPP 6.5B.
2.15
The Enforcement Guide sets out the Authority’s approach to taking disciplinary
action. The Authority’s approach to penalties is set out in Chapter 7 of the
Enforcement Guide.
3.
RELEVANT PROVISIONS OF THE MONEY LAUNDERING REGULATIONS 2007
3.1
The ML Regulations provide a series of measures for the purposes of preventing
the use of the financial system for the purposes of money laundering. In particular,
they impose a set of requirements which all firms operating in the financial system
are obliged to follow.
3.2
Regulation 5 (Meaning of customer due diligence measures) of the ML Regulations
defines “customer due diligence measures” as:
(a)
identifying the customer and verifying the customer's identity on the basis
of documents, data or information obtained from a reliable and independent
source;
(b)
identifying, where there is a beneficial owner who is not the customer, the
beneficial owner and taking adequate measures, on a risk-sensitive basis,
to verify his identity so that the relevant person is satisfied that he knows
who the beneficial owner is, including, in the case of a legal person, trust or
similar legal arrangement, measures to understand the ownership and
control structure of the person, trust or arrangement; and
(c)
obtaining information on the purpose and intended nature of the business
relationship.
3.3
Regulation 7(1) to (3) (Application of customer due diligence measures) of the ML
Regulations provides:
(1)
Subject to regulations 9, 10, 12, 13, 14, 16(4) and 17, a relevant person
must apply customer due diligence measures when he—
(a)
establishes a business relationship;
(b)
carries out an occasional transaction;
(c)
suspects money laundering or terrorist financing;
(d)
doubts the veracity or adequacy of documents, data or information
previously obtained for the purposes of identification or verification.
(2)
Subject to regulation 16(4), a relevant person must also apply customer
due diligence measures at other appropriate times to existing customers
on a risk-sensitive basis.
(3)
A relevant person must—
(a)
determine the extent of customer due diligence measures on a risk-
sensitive basis depending on the type of customer, business
relationship, product or transaction; and
(b)
be able to demonstrate to his supervisory authority that the extent of
the measures is appropriate in view of the risks of money laundering
and terrorist financing…
3.4
Regulation 8 (Ongoing monitoring) of the ML Regulations provides:
(1)
A relevant person must conduct ongoing monitoring of a business
relationship.
(2)
“Ongoing monitoring” of a business relationship means—
38
(a)
scrutiny of transactions undertaken throughout the course of the
relationship (including, where necessary, the source of funds) to
ensure that the transactions are consistent with the relevant person's
knowledge of the customer, his business and risk profile; and
(b)
keeping the documents, data or information obtained for the purpose
of applying customer due diligence measures up-to-date.
(3)
Regulation 7(3) applies to the duty to conduct ongoing monitoring under
paragraph (1) as it applies to customer due diligence measures.
3.5
Regulation 14 (enhanced customer due diligence and ongoing monitoring) of the
ML Regulations provides:
(1)
A relevant person must apply on a risk-sensitive basis enhanced customer
due diligence measures and enhanced ongoing monitoring—
(a)
in accordance with paragraphs (2) to (4);
(b)
in any other situation which by its nature can present a higher risk of
money laundering or terrorist financing…
(4)
A relevant person who proposes to have a business relationship or carry
out an occasional transaction with a politically exposed person must—
(a)
have approval from senior management for establishing the business
relationship with that person;
(b)
take adequate measures to establish the source of wealth and source
of funds which are involved in the proposed business relationship or
occasional transaction; and
(c)
where the business relationship is entered into, conduct enhanced
ongoing monitoring of the relationship.
(5)
In paragraph (4), “a politically exposed person” means a person who is—
(a)
an individual who is or has, at any time in the preceding year, been
entrusted with a prominent public function by—
(i)
a state other than the United Kingdom;
(ii)
an EU institution; or
(iii)
an international body,
including a person who falls in any of the categories listed in
paragraph 4(1)(a) of Schedule 2;
(b)
an immediate family member of a person referred to in sub-
paragraph (a), including a person who falls in any of the categories
listed in paragraph 4(1)(c) of Schedule 2; or
(c)
a known close associate of a person referred to in sub-paragraph (a),
including a person who falls in either of the categories listed in
paragraph 4(1)(d) of Schedule 2.
(1)
For the purpose of deciding whether a person is a known close associate of
a person referred to in paragraph (5)(a), a relevant person need only have
regard to information which is in his possession or is publicly known.
3.6
Regulation 20(1) and (2) (Policies and procedures) of the ML Regulations provides:
(1)
A relevant person must establish and maintain appropriate and risk-
sensitive policies and procedures relating to—
(a)
customer due diligence measures and ongoing monitoring;
(b)
reporting;
(c)
record-keeping;
(d)
internal control;
(e)
risk assessment and management;
(f)
the monitoring and management of compliance with, and the internal
communication of, such policies and procedures,
in order to prevent activities related to money laundering and terrorist
financing.
(2)
The policies and procedures referred to in paragraph (1) include policies and
procedures—
(a)
which provide for the identification and scrutiny of—
(i) complex or unusually large transactions;
(ii) unusual patterns of transactions which have no apparent
economic or visible lawful purpose; and
(iii) any other activity which the relevant person regards as
particularly likely by its nature to be related to money laundering
or terrorist financing;
(b)
which specify the taking of additional measures, where appropriate,
to prevent the use for money laundering or terrorist financing of
products and transactions which might favour anonymity;
(c)
to determine whether a customer is a politically exposed person;
(d)
under which—
(i)
an individual in the relevant person's organisation is a
nominated officer under Part 7 of the Proceeds of Crime Act
2002 and Part 3 of the Terrorism Act 2000;
(ii)
anyone in the organisation to whom information or other
matter comes in the course of the business as a result of which
he knows or suspects or has reasonable grounds for knowing
or suspecting that a person is engaged in money laundering
or terrorist financing is required to comply with Part 7 of the
Proceeds of Crime Act 2002 or, as the case may be, Part 3 of
the Terrorism Act 2000; and
(iii)
where a disclosure is made to the nominated officer, he must
consider it in the light of any relevant information which is
available to the relevant person and determine whether it
gives rise to knowledge or suspicion or reasonable grounds for
knowledge or suspicion that a person is engaged in money
laundering or terrorist financing.
1.
In respect of conduct occurring on or after 6 March 2010, the Authority applies a
five-step framework to determine the appropriate level of financial penalty. DEPP
6.5B sets out the details of the five-step framework that applies in respect of
financial penalties imposed on individuals in non-market abuse cases.
2.
In calculating the appropriate financial penalty, the Authority considered the totality
of Mr Prodhan’s misconduct. Since the evidence underlying both Mr Prodhan’s
breach of Statement of Principle 6 and Mr Prodhan’s knowing concern in SBUK’s
breach of Principle 3 is the same, the Authority did not consider it appropriate to
impose separate financial penalties. Instead, it determined a single financial penalty
in respect of both forms of misconduct, calculated on the basis outlined below.
Step 1: disgorgement
3.
Pursuant to DEPP 6.5B.1G, at Step 1 the Authority seeks to deprive an individual
of the financial benefit derived directly from the breach where it is practicable to
quantify this.
4.
There was no direct financial benefit derived from the breaches. The Step 1 figure
therefore was £0.
Step 2: the seriousness of the breach
5.
Pursuant to DEPP 6.5B.2G, at Step 2 the Authority determines a figure that reflects
the seriousness of the breach. That figure is based on a percentage of the
individual’s relevant income. The individual’s relevant income is the gross amount
of all benefits received by the individual from the employment in connection with
which the breach occurred, and for the period of the breach.
6.
The period of Mr Prodhan’s breach of Statement of Principle 6 and knowing concern
of SBUK’s breach of Principle 3 was from 7 June 2012 to 4 March 2014. Accordingly,
the Authority calculated Mr Prodhan’s relevant income between 7 June 2012 and 4
March 2014. The Authority considered Mr Prodhan’s relevant income for this period
to be £254,967.
7.
In deciding on the percentage of the relevant income that forms the basis of the
Step 2 figure, the Authority considers the seriousness of the breaches and chooses
a percentage between 0% and 40%. This range is divided into five fixed levels
which represent, on a sliding scale, the seriousness of the breaches; the more
serious the breach, the higher the level. For penalties imposed on individuals in
non-market abuse cases there are the following five levels:
Level 1 – 0%
Level 2 – 10%
Level 3 – 20%
Level 4 – 30%
Level 5 – 40%
8.
In assessing the seriousness level, the Authority takes into account various factors
which reflect the impact and nature of the breaches, and whether they were
committed deliberately or recklessly. DEPP 6.5B.2G(12) lists factors likely to be
considered ‘level 4 or 5 factors’. Of these, the Authority considered the following
factor to be relevant:
i. the breach created a significant risk that financial crime would be
facilitated, occasioned or otherwise occur.
9.
The following factors were also considered when assessing the seriousness of the
i. as the CEO and the senior manager responsible for AML systems and
controls at SBUK, Mr Prodhan had overall responsibility for SBUK’s
compliance with AML requirements;
ii. Mr Prodhan’s breaches resulted in systemic failures of the AML
systems and controls throughout SBUK; and
iii. robust AML controls are extremely important in preventing money
laundering and financial crime. Consequently, breaches of regulatory
requirements are extremely serious.
10.
Taking all of these factors into account, the Authority considered the seriousness
of the breach to be level 4 and so the Step 2 figure is 30% of £254,967.
11.
Step 2 was therefore £76,490.
Step 3: mitigating and aggravating factors
12.
Pursuant to DEPP 6.5B.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2, but not including any
amount to be disgorged as set out in Step 1, to take into account factors which
aggravate or mitigate the breach.
13.
The Authority did not consider that any other factors served to aggravate or to
mitigate the breach. Accordingly, the penalty remained unchanged at Step 3.
14.
Step 3 was therefore £76,490.
Step 4: adjustment for deterrence
15.
Pursuant to DEPP 6.5B.4G, if the Authority considers the figure arrived at after Step
3 is insufficient to deter the individual who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
16.
The Authority considered that the Step 3 figure of £76,490 represented a sufficient
deterrent to Mr Prodhan and others, and so did not increased the penalty at Step
4.
17.
Step 4 was therefore £76,490.
Serious financial hardship
18.
Pursuant to DEPP 6.5D.2G, the Authority will consider reducing the amount of a
penalty if an individual will suffer serious financial hardship as a result of having to
pay the entire penalty. Mr Prodhan did not claim serious financial hardship.
Therefore the penalty was not reduced.
Step 5: settlement discount
19.
Pursuant to DEPP 6.5B.5G, if the Authority and the individual on whom a penalty is
to be imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have been
payable will be reduced to reflect the stage at which the Authority and the individual
reached agreement. The settlement discount does not apply to the disgorgement
of any benefit calculated at Step 1.
20.
No settlement discount applied. Step 5 was therefore £76,490.
21.
The Authority therefore decided to impose a total financial penalty of £76,400
(rounded down to the nearest £100) on Mr Prodhan for breaching Statement of
Principle 6 and for being knowingly concerned in SBUK’s breach of Principle 3.
ANNEX D
1.
Mr Prodhan’s representations (in italics), and the Authority’s conclusions in respect
of them, are set out below.
Personal culpability
2.
As set out in DEPP 6.2.6B, personal culpability occurs where a person’s behaviour
was below the standard which would be reasonable in all the circumstances at the
time of the conduct concerned. All the circumstances include the personal
circumstances of the person; hence it is appropriate to bring a subjective element
into the objective assessment. Therefore the fact that Mr Prodhan had no
experience of the UK regulatory environment when he took up his position at SBUK
has to be taken into account; all the more so because these factors were known to
the Authority when Mr Prodhan was authorised to exercise a senior management
position at a bank that had had serious regulatory issues in the past.
3.
The Authority accepts that the ways of meeting the reasonable standard mentioned
in DEPP can vary, depending on the circumstances. However, Mr Prodhan’s
inexperience in the UK regulatory environment is not an excuse for his failure to
exercise due skill, care and diligence in carrying out his duties. If Mr Prodhan had
been unsure that he could carry out his duties to a satisfactory standard due to his
lack of knowledge of the UK regulatory requirements, he should either have
declined to take up the position or have made sure that he received adequate
training, advice and continuing support in the areas where he lacked experience.
Principal responsibility of Mr Prodhan concerning AML systems and controls
4.
Mr Prodhan’s sole responsibility with regard to AML systems and controls was
oversight. Day-to-day operation of these systems and controls was delegated to
the MLRO. Mr Prodhan’s job was to oversee the MLRO’s activity and consider any
issues raised by him. Paragraph 150 of the Upper Tribunal’s decision in John
Pottage v FSA describes the nature of the obligations of a CEO very well: “[…] A
CEO is not required to design, create or implement controls personally: his is a role
of oversight. There is not an obligation on the CEO to do the job of an appropriately
appointed delegate of his of hers. […]” This means that Mr Prodhan was not
responsible for the overall running of the AML systems and controls in the wider
sense, contrary to the Authority’s contention.
5.
The Pottage case cited by Mr Prodhan relates to a breach of Statement of Principle
7 rather than that of Statement of Principle 6, as is the case here. It also looks at
different criteria and arrives at conclusions which cannot necessarily be applied in
this case. Mr Prodhan was the person with overall responsibility for the AML systems
and controls as a whole; it was thus essential for Mr Prodhan to understand the
functioning of these systems and controls and to be able to oversee them in an
effective manner. Mr Prodhan’s role was to take reasonable steps to ensure the
proper functioning of the AML systems and controls at the highest level by providing
proper oversight, which was a vital part of making the AML systems and controls
effective. He failed to do so.
Mr Prodhan’s conduct was reasonable in all the circumstances
6.
When Mr Prodhan took up his position in SBUK he received assurances from the
outgoing CEO, the then recently appointed MLRO and other members of the board
that previous AML issues had been resolved. He continued to receive assurances
from the MLRO throughout the Relevant Period that AML systems and controls were
in order and functioning properly. The MLRO was responsible for the day-to-day
running of these systems and controls and for ensuring compliance with the
relevant regulations, and also had responsibility for escalating any issues to Mr
Prodhan. The MLRO failed to discharge these responsibilities adequately, as
evidenced by the final notice given to him by the Authority. Mr Prodhan had no way
of recognising that the MLRO, appointed prior to his arrival specifically to carry out
the remediation exercise following the 2010 Visit and trusted by the board, was not
competent. Mr Prodhan was very engaged in AML issues and regarded them as a
priority. He was easily approachable, he had an “open door” policy and the MLRO
(as well as others) had every chance to raise issues with him.
7.
In order effectively to oversee the work of the MLRO and more widely the
functioning of SBUK’s AML systems and controls, Mr Prodhan would have needed a
general understanding of these systems and controls, as well as any areas of
particular concern. These responsibilities were clearly set out in Mr Prodhan’s job
description, and he was aware of them. Accepting the assurances without challenge
and relying on them so as to satisfy himself of the adequacy of the AML systems
and controls rendered Mr Prodhan’s oversight ineffective. Mr Prodhan should have
satisfied himself that the assurances given to him were correct, but he failed to
make any attempt to do so.
There were no red flags to alert Mr Prodhan
8.
Mr Prodhan received no information that could have put him on notice that there
were deficiencies in the AML systems and controls. Accordingly, the feedback
received after the 2014 Visit came as a shock to Mr Prodhan. The Internal Auditors’
reports must not be viewed in isolation, as they were only one of many pieces of
management information circulated to senior management. Other management
information, which (unlike the Internal Auditors’ reports) were AML-specific, did not
indicate problems. No member of management was challenging or criticising the
MLRO. The non-executive directors, who were experienced UK professionals, did
not alert Mr Prodhan to the AML issues or the lack of competence of the MLRO.
When the MLRO asked for additional resources, it was approved by senior
management straightaway. It was the MLRO who failed to write the job description
in a timely manner, which delayed the recruitment exercise.
9.
Mr Prodhan was not required to be an expert in all areas of AML. However, he was
required to identify and deal with risks, just as in his other areas of responsibility.
There were areas that should have been monitored and acted upon by Mr Prodhan,
even without them being specifically raised by the MLRO or anyone else, such as
the culture with respect to compliance among staff and the adequate resourcing of
the MLRO function. The Internal Auditors’ reports, the lack of SARs and the
insufficient oversight of branches were all indications which should have alerted Mr
Prodhan to these risks, or at least caused him to make further inquiry. The fact that
AML was not a consideration in the strategic planning, when the MSBs were on-
boarded, also shows that Mr Prodhan failed to allocate adequate focus to regulatory
compliance and in particular to AML systems and controls. These deficiencies were
systemic, which shows that they went beyond the responsibilities of the MLRO and
were due to Mr Prodhan’s inadequate exercise of his oversight function.
Lack of evidence against Mr Prodhan
10.
Most of the Authority’s allegations are substantiated by testimony given in
interviews by the MLRO and the non-executive directors of SBUK, one of whom
volunteered for the interview. Mr Prodhan was placed under investigation after this
voluntary interview, which shows that the interviewed person had an interest in
being first to present his narrative of the events. These testimonies cannot be
regarded as sound evidence because they were self-serving as the persons giving
them were trying to reduce their own liability at the expense of Mr Prodhan. In
addition the senior executives with a European background were biased against Mr
Prodhan for cultural reasons and because Mr Prodhan was not supportive of the
initiatives which they personally supported.
11.
None of the interviews conducted with the senior executives were voluntary.
Nevertheless, the Authority accepts that the risk of the senior executives being
partial exists with regard to some of the testimony given in these interviews.
However, having considered all the evidence with due regard to that risk, overall
the Authority considers that there is sufficient contemporaneous evidence to
support the findings it has made against Mr Prodhan.
Limitation
12.
It is important to stress that limitation is not invoked as a shield that is used against
the allegations, because Mr Prodhan disputes liability on substantive grounds.
However, it remains a fact that the proceedings brought against Mr Prodhan under
section 66 of the Act are time-barred.
13.
As set out in section 66(4), as in effect at the time of the Relevant Period, the
Authority was required to issue the Warning Notice within three years from the date
when it knew of the misconduct or had information from which the misconduct
could reasonably have been inferred.
14.
The breach alleged against Mr Prodhan is a single continuing course of misconduct
evidenced from different perspectives. Therefore, if the Authority knew of some of
the alleged failings or had information from which some of those failings could
reasonably be inferred more than three years prior to the date of issue of the
Warning Notice, the Authority is prevented from imposing any sanctions under
section 66 of the Act.
15.
From the correspondence relating to the 2014 Visit, including attendance notes of
interviews, internal memos and the Authority’s findings letter, it is clear that the
Authority had knowledge of Mr Prodhan’s alleged misconduct by, at the latest, 28
February 2014, i.e. significantly earlier than the cut-off date of 26 April 2014.
16.
The Authority clearly failed to progress the investigation within a reasonable time;
there have been unexplained and inordinate delays throughout the process. It is
specifically this sort of unreasonable delay that section 66(4) of the Act is designed
to prevent and therefore it should be strictly applied.
17.
The Authority notes Mr Prodhan’s views on the rationale behind section 66(4) of
the Act and confirms that the provision was strictly applied in this case. The
Authority accepts that it had some information relevant to Mr Prodhan’s conduct by
the cut-off date of 26 April 2014. However, possessing some information, even
information sufficient to justify the appointment of investigators, is not enough to
satisfy the test set out in section 66(4) of the Act. The reasonableness of the
inference for the purposes of demonstrating the Authority’s knowledge is not to be
considered in light of information acquired subsequently.
18.
The Upper Tribunal in its decision in Andrew Jeffery v FCA stated: “It is not sufficient
that the Authority has information in its hands that would give rise to a mere
suspicion. Nor is it enough that the information might suggest that there was
misconduct, but that the person in question has not been identified as the
apparently guilty party. The Authority must either know or be treated, by
reasonable inference, as knowing of the misconduct by a particular person. […] A
mere allegation or assertion unsupported by evidence would be unlikely to be
regarded as sufficient to amount to knowledge of misconduct or as information
from which it would be reasonable for the Authority to have inferred misconduct,
although it might be expected to give rise to further enquiry.”
19.
The information the Authority possessed before the cut-off date was not sufficient
for the Authority to know of the particular misconduct by Mr Prodhan, nor was it
sufficient such that the Authority could reasonably have inferred that misconduct.
The information gathered during the investigation subsequent to the cut-off date
was necessary for such inference reasonably to be drawn. Hence, the Authority is
not precluded by virtue of section 66(4) of the Act to take action against Mr Prodhan
under section 66.
Seriousness of the breach
20.
The Authority accepts that Mr Prodhan’s breach was not committed deliberately or
recklessly. Further it was the MLRO who was directly responsible for the day-to-
day running of the AML systems and controls, and for SBUK’s compliance with the
relevant regulations. If Mr Prodhan committed a breach, which is contested, it was
one that related to his oversight of the MLRO and this in turn has to be viewed in
light of the Authority’s findings that the MLRO failed to adequately inform
management of the AML issues. It follows that Mr Prodhan’s breach is much less
serious than that of the MLRO. The appropriate level of seriousness is level 2 or (at
a maximum) level 3, instead of level 4.
21.
Mr Prodhan’s breach, even though not deliberate or reckless, created a serious and
ongoing risk of financial crime being facilitated, as it resulted in the systemic failure
of the AML systems and controls. Mr Prodhan’s responsibilities were qualitatively
different from those of the MLRO and included responsibilities beyond oversight of
the MLRO function, and thus the MLRO’s failings do not diminish the seriousness of
those of Mr Prodhan.
Proportionality of the penalty
22.
The amount of the penalty must be proportionate. The penalty should reflect the
misconduct and should be in line with similar cases and in particular that of the
MLRO. The MLRO’s penalty before settlement discount was £25,000; that is directly
relevant to the penalty of the person who was responsible for his oversight. In other
oversight failings cases the penalty was also relatively low. In addition, considering
the present financial and employment circumstances of Mr Prodhan, the penalty
should not be such as would place him and his family in a precarious financial
situation, as that would disproportionate.
23.
Mr Prodhan’s financial penalty was reached applying the guidance set out in section
6.5B of DEPP. The Authority has carefully considered all the circumstances of the
case when fixing the amount. The Authority considers that, given the seriousness
of Mr Prodhan’s misconduct, the amount of penalty is not disproportionate. It is
also noted that Mr Prodhan has not claimed that as a result of the penalty he would
suffer serious financial hardship; hence the Authority does not consider it
appropriate to reduce the amount of penalty based on the amount of assets and
earnings of Mr Prodhan.
Number:
MAP01293
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Authority hereby publishes a
statement of Mr Prodhan’s misconduct. The statement will take the form of this
Final Notice which will be published on the Authority’s website.
1.2.
Were it not for the exceptional circumstances in this matter, the Authority would
have sought to impose a financial penalty of £76,400 on Mr Prodhan.
2.
SUMMARY OF REASONS
2.1.
By the Decision Notice dated 16 May 2018, the Authority notified Mr Prodhan that
it had decided to impose on him a financial penalty of £76,400.
2.2.
On 10 June 2018, Mr Prodhan referred the matter to which the Decision Notice
related to the Tribunal. On 4 November 2022, Mr Prodhan withdrew the Reference.
2.3.
Since the commencement of the investigation and, in particular, during the period
of four years and three months when the Reference was active in the Tribunal,
circumstances have changed in the following ways:
2
(1)
Mr Prodhan has returned to Bangladesh where he now resides. As
a consequence, Mr Prodhan has no residual links to, nor assets in,
the UK;
(2)
Mr Prodhan recently retired from employment;
(3)
Mr Prodhan has ongoing personal conditions which limit his ability
to travel to the UK, to participate in a hearing of the Reference or
otherwise; and
(4)
the length of time which has elapsed since Mr Prodhan’s misconduct
(some 10 years) contributes to an increasing risk of the Reference
not being able to be determined fairly.
The Authority considers that the combination of these circumstances is exceptional
and, accordingly, takes the action set out in this Final Notice on the basis of the
facts and matters set out below.
2.4.
The prevention of money laundering and financial crime is essential to maintaining
the integrity of the UK financial system. Banks and other financial services firms
are responsible for managing the risk that they might be used by those seeking to
launder the proceeds of crime and are subject to significant regulatory
requirements to maintain robust AML systems and controls.
2.5.
However, such controls will not be effective unless senior managers understand the
risks faced by the business for which they are responsible, create a culture which
supports effective regulation and take responsibility for overseeing systems for
which they are responsible.
2.6.
In April 2012, Mr Prodhan was appointed to be the CEO of SBUK after a lengthy
career in its parent bank in Bangladesh. He was approved to hold the CF1 (director)
and CF3 (chief executive) significant-influence controlled functions and was made
the senior manager responsible for the establishment and maintenance of effective
AML systems and controls.
2.7.
Throughout the Relevant Period (7 June 2012 to 4 March 2014), day-to-day
operational responsibility for SBUK’s AML systems and controls lay with SBUK’s
MLRO, who reported to Mr Prodhan. Mr Prodhan relied upon information and
assurances provided by the MLRO with respect to the operation of SBUK’s AML
systems and controls and failed to carry out any independent checks to ensure that
such systems and controls were working effectively.
3
2.8.
Mr Prodhan was aware that, in 2010, the Authority had identified serious failings in
SBUK’s AML systems and controls and that SBUK had undertaken to ensure that
financial crime issues were given further attention in the future. On several
occasions before and shortly after taking up his role, he was made aware of the
seriousness of AML issues.
2.9.
Despite this, and despite warnings from SBUK’s Internal Auditors, including those
contained in the Internal Auditors’ report of 7 June 2012, which raised particular
concerns with SBUK’s governance and AML transaction monitoring processes, Mr
Prodhan failed to take reasonable steps to ensure that AML risks were adequately
identified, assessed and documented. As a result, SBUK’s board was insufficiently
informed of the AML risks faced by SBUK and SBUK’s strategic planning failed to
take adequate account of AML risks.
2.10. Mr Prodhan also failed to take reasonable steps to assess or mitigate the AML risks
stemming from a culture of non-compliance among SBUK’s staff.
2.11. Further, Mr Prodhan failed to take reasonable steps to ensure that sufficient focus
was given to AML systems and controls within SBUK, that there was a clear
allocation of responsibilities to oversee SBUK’s branches and that he appropriately
oversaw, managed and adequately resourced SBUK’s MLRO function.
2.12. Due to these failures, SBUK’s operational staff failed to appreciate the need to
comply with AML requirements and the MLRO function was ineffective in monitoring
their compliance. This led to systemic failures in SBUK’s AML systems and controls
throughout the business.
2.13. On 12 October 2016 the Authority gave SBUK a Final Notice, imposing a financial
penalty of £3,250,600 and a restriction in respect of accepting deposits for failings
in relation to AML systems and controls. The SBUK Final Notice describes how,
among other breaches, SBUK breached Principle 3, which requires that a firm take
reasonable steps to ensure that it has organised its affairs responsibly and
effectively, with adequate risk management systems. On 12 October 2016 the
Authority also gave the MLRO a final notice, imposing on him a financial penalty of
£17,900 and an order prohibiting him from performing certain controlled functions.
2.14. As a result of the above, the Authority considers that Mr Prodhan breached
Statement of Principle 6 (exercising due skill, care and diligence in managing the
business of the firm for which he was responsible) and was knowingly concerned in
SBUK’s breach of Principle 3.
3.
DEFINITIONS
3.1.
The definitions below are used in this Final Notice.
“the 2010 Visit” means the visit by the Authority to SBUK on 26 and 27 July 2010;
“the 2014 Visit” means the visit by the Authority to SBUK on 28 and 29 January
2014;
“the Act” means the Financial Services and Markets Act 2000;
“AML” means anti-money laundering;
“the AML Staff Handbook” means the “Anti-money laundering and countering
terrorist financing Handbook for Management and Staff”, the document used by
SBUK to outline its AML processes and provided to its staff;
“APER” means the part of the Authority’s Handbook entitled “Statements of
Principle and Code of Practice for Approved Persons”;
“the Audit Committee” means the committee of SBUK’s board responsible for
monitoring operational controls;
“the Authority” means the body corporate previously known as the Financial
Services Authority and renamed on 1 April 2013 as the Financial Conduct Authority;
“CDD” means customer due diligence, the measures a firm must take to identify a
customer and to obtain information on the purpose and intended nature of the
business relationship, as outlined in regulation 5 of the ML Regulations;
“CEO” means Chief Executive Officer;
“the Decision Notice” means the decision notice given to Mr Prodhan in relation to
this matter on 16 May 2018;
“DEPP” means the Authority’s Decision Procedure and Penalties Manual;
“EDD” means enhanced customer due diligence, the measures a firm must take in
certain situations, as outlined in regulation 14 of the ML Regulations;
“the Internal Auditors” means the firm appointed by SBUK to conduct audits of its
systems and controls during the Relevant Period;
“the ML Regulations” means the Money Laundering Regulations 2007;
“MLRO” means money laundering reporting officer;
5
“MSB” means a money service bureau, a financial institution not regulated by the
Authority, offering bureau de change and/or money remittance services;
“PEP” means politically exposed person, as defined in regulation 14(5) of the ML
Regulations;
“Principle” means one of the Authority’s Principles for Businesses;
“the Reference” means the reference to the Tribunal, by Mr Prodhan, of the matter
to which the Decision Notice related;
“Relevant Period” means the period from 7 June 2012 to 4 March 2014;
“SAR” means suspicious activity report, a report of suspected money laundering to
be made by any employee to the MLRO, as required by Part 7 of the Proceeds of
Crime Act 2002;
“SBUK” means Sonali Bank (UK) Ltd (as it was during the Relevant Period);
“Skilled Person” means the skilled person appointed pursuant to section 166 of the
Act to assess and report upon SBUK’s AML processes;
“Statement of Principle” means one of the Statements of Principle for Approved
Persons set out in chapter 2 of APER;
“SYSC” means the part of the Handbook entitled “Senior Management
Arrangements, Systems and Controls”;
“the Tribunal” means the Upper Tribunal (Tax and Chancery Chamber); and
“Warning Notice” means the warning notice given to Mr Prodhan dated 27 April
2017.
4.
FACTS AND MATTERS
SBUK
4.1.
SBUK was, during the Relevant Period, the UK subsidiary of Sonali Bank Ltd, which
is incorporated in Bangladesh. SBUK was authorised to accept deposits and
provided banking services to the Bangladeshi community in the UK. During the
Relevant Period, SBUK operated six branches in the UK. It carried on the regulated
activities of providing personal and corporate deposit accounts and other,
unregulated, activities including money remittance services to Bangladesh
(conducted face-to-face and by telephone) and trade finance operations. Each of
these activities involved potentially significant money laundering risks.
6
4.2.
On 26 and 27 July 2010, as part of thematic work, the Authority visited SBUK to
assess its AML systems and controls. Subsequently, on 20 August 2010, the
Authority notified SBUK of a number of serious concerns. As a result of the 2010
Visit, SBUK agreed to implement a series of measures intended to rectify the issues
identified. In written communications with the Authority, SBUK’s senior
management committed to ensure that financial crime issues were given closer
attention in the future.
4.3.
Mr Prodhan is a national of Bangladesh, who joined Sonali Bank Ltd in 1984. Over
the course of his career with Sonali Bank Ltd prior to joining SBUK, he worked in
various roles at a number of branches in Bangladesh, rising to the position of
General Manager. In April 2012 he was appointed the CEO and company secretary
of SBUK, and relocated to the UK. On 8 May 2015 Mr Prodhan left SBUK and
subsequently relocated back to Bangladesh where he continued to work in senior
roles in the Bangladesh financial sector. Mr Prodhan retired in August 2022.
Mr Prodhan’s responsibilities
4.4.
Mr Prodhan held the CF1 (director) and CF3 (chief executive) controlled functions
throughout the Relevant Period. These were accountable significant-influence
functions within the meaning of APER. Prior to his appointment as CEO, Mr Prodhan
had no previous experience in UK financial services.
4.5.
As part of his role, Mr Prodhan was made the senior manager with responsibility
for the establishment and maintenance of effective AML systems and controls at
SBUK. The establishment of such a position is, by SYSC 6.3.8R, a regulatory
requirement.
4.6.
As the CEO and the senior manager responsible for AML systems and controls at
SBUK, Mr Prodhan’s duties included:
(1)
ensuring the proper establishment and maintenance of effective
AML systems and controls;
(2)
reporting to the board on the adequacy and suitability of the AML
systems and controls;
(3)
developing and maintaining an effective framework of internal
controls over risks in relation to all business activities;
7
(4)
developing processes and structures to ensure that all associated
risks to the shareholders’ investment were identified, documented
and compared with approved risk appetite and that appropriate
steps were taken to mitigate those risks;
(5)
providing management information that was accurate and ensuring
that AML systems and controls in place were robust;
(6)
ensuring that a commitment to regulatory compliance existed
within SBUK and that employees adhered to this duty of
compliance;
(7)
setting SBUK’s values, culture and standards and ensuring that its
obligations to its stakeholders and others were understood and
met; and
(8)
ensuring that SBUK’s business complied with all the necessary
regulatory requirements.
4.7.
As part of his role, Mr Prodhan was the chair of SBUK’s executive committee, which
was the primary body with operational responsibility for running the bank. Further,
he was a member of the board of directors and was an attendee at meetings of the
Audit Committee.
4.8.
Mr Prodhan was line manager to the MLRO and was responsible for ensuring that
the MLRO had a level of authority and independence within SBUK, and access to
resources and information, sufficient to enable him to carry out his responsibilities
as MLRO.
4.9.
When he was appointed CEO, Mr Prodhan was made aware of the Authority’s
concerns arising from the 2010 Visit and read the written communications between
SBUK and the Authority which followed it. This meant that Mr Prodhan knew of the
Authority’s previous concerns and of SBUK’s ongoing commitment to give close
attention to financial crime issues.
4.10. In carrying out the role of ensuring the establishment and maintenance of effective
AML systems and controls at SBUK, the Authority considers that Mr Prodhan should
(1)
ensured that he was sufficiently well-informed about the risks
affecting SBUK’s business, in particular those relating to AML;
(2)
considered and assessed the measures in place to mitigate these
risks and whether they were working effectively;
(3)
taken reasonable steps to ensure that the importance of robust AML
systems and controls was clearly and unambiguously articulated
throughout SBUK;
(4)
considered AML risks when making decisions regarding resourcing,
the appointment or dismissal of key personnel and before taking on
new business;
(5)
ensured that reports to the board were complete and accurate and
informed the board appropriately of the AML risks;
(6)
devoted appropriate oversight and line management support to the
MLRO; and
(7)
provided appropriate challenge to reports of the MLRO.
Failure to fulfil the responsibilities of his role
Failure to put in place a conduct risk framework
4.11. On 7 June 2012, a report of the Internal Auditors highlighted to Mr Prodhan and
other senior managers a lack of evidence to demonstrate that SBUK had identified
and considered the conduct risks to which it was exposed, that SBUK’s risk register
was not reflective of the risks faced and that there was a lack of any demonstrable
link to the tasks listed in SBUK’s compliance monitoring plan. The Internal Auditors
recommended that SBUK’s management establish a conduct risk appetite which
should be approved by the board and ensure that all risks were identified, assessed
and recorded within a risk register.
4.12. Despite this, in August 2013, the Internal Auditors reported that no conduct risk
appetite had been documented and that the risk register had not been updated. In
response, SBUK’s management asserted that its existing documentation was
sufficient and decided not to follow the recommendations of the Internal Auditors.
4.13. As a result, at a strategic level, SBUK did not adequately assess the risks to which
it was exposed, including those relating to AML and financial crime, and consider
how best to address them. It was the responsibility of Mr Prodhan to take
reasonable steps to ensure that risks were identified, documented and mitigated,
and that the relevant systems and controls were working effectively. It was also
his responsibility to take reasonable steps to ensure that the board was sufficiently
sighted of the risks to which SBUK was exposed.
Failure to inform himself of the AML risks
4.14. Mr Prodhan stated to the Authority that, at the time of his appointment, on the
basis of documentation provided to him and conversations with senior colleagues,
he considered that there were no concerns about SBUK’s AML controls.
4.15. Mr Prodhan’s management style was one of delegation and he delegated
responsibility for the maintenance of SBUK’s AML systems and controls to the
MLRO. Although he was entitled to delegate the day-to-day operational
management of SBUK’s AML systems and controls, he remained responsible for
ensuring that these systems and controls were properly established and
maintained, and should have taken reasonable steps to ensure that he had at all
times an adequate understanding of the AML risks and how they were being
addressed. Throughout the Relevant Period, he did not engage sufficiently in the
consideration of AML risks. He failed to hold sufficiently regular meetings with the
MLRO, contributed little to meetings at which AML issues were considered and did
not provide any effective challenge to reports from the MLRO.
4.16. As a result, Mr Prodhan did not appreciate the seriousness of the AML risks faced
by SBUK nor the importance of compliance with AML requirements.
4.17. Because of this lack of understanding and appreciation on Mr Prodhan’s part and
because he failed to take reasonable steps to ensure that the board and senior
management were sufficiently sighted of SBUK’s AML risks, SBUK’s strategic
planning failed to take sufficient account of AML risks and the need to mitigate
them. At no point during the Relevant Period did SBUK put in place a coherent
strategy to address AML risks.
4.18. In 2013, SBUK began offering banking services to MSBs; the offer to provide these
new services was made without adequate consideration of the additional AML risks
which would result or the extra resources which would be needed to address them.
Indeed, when SBUK drafted an updated business plan in late 2013, it failed to detail
any consideration of how AML issues affected SBUK’s ongoing business activities.
AML management reporting
4.19. Throughout the Relevant Period, the MLRO produced a monthly compliance and
financial crime report which was submitted to senior management, the Audit
Committee and the board. These monthly reports provided little analysis on the
effectiveness of systems and controls and failed to highlight particular risks or
issues for the immediate attention of management. Furthermore, the reports were
subject to little, if any, challenge by Mr Prodhan.
4.20. In addition, in January each year, the MLRO produced an MLRO report to assess
SBUK’s compliance with regulatory obligations and the operation and effectiveness
of the AML systems and controls over the previous year. Although the MLRO reports
did provide descriptions of the systems in place, they provided no adequate analysis
of the effectiveness of these systems. Moreover, they omitted or failed to report
accurately important findings of the Internal Auditors, including criticisms of the
AML transaction monitoring process. As such, despite certifying that controls were
sufficient, they were ineffective in providing comfort that systems were operating
effectively.
4.21. Despite being aware of the findings of the Internal Auditors, Mr Prodhan failed to
identify that the MLRO reports were inadequate. Moreover, he failed to provide any
challenge to the MLRO’s assessment that systems were operating effectively. As a
consequence, the management information presented to the board and Audit
Committee was inadequate and did not allow them to assess properly the
effectiveness of controls.
Failure to foster a culture of compliance
4.22. It was Mr Prodhan’s responsibility to set SBUK’s values, culture and standards and
he should have steered senior management towards ensuring that SBUK fostered
a culture throughout the firm which valued robust adherence to its regulatory
responsibilities. It was apparent to members of SBUK’s senior management and
board during the Relevant Period that SBUK’s staff did not always appreciate the
importance of regulatory compliance and that a culture persisted which was
resistant to changing methods of business in accordance with changing
requirements.
4.23. As a result, in July 2013, the board tasked SBUK’s senior management with
considering measures to introduce changes to the organisation in order to address
a lack of discipline in operational matters. Despite this and subsequent warnings,
Mr Prodhan did not take reasonable steps to address the cultural issues or to ensure
that appropriate focus was paid to regulatory compliance throughout SBUK.
4.24. While not limited to AML requirements, this failure impacted upon SBUK’s AML
systems and controls: the importance of complying with AML requirements was
neither sufficiently understood nor valued throughout SBUK. Other members of the
senior management team did not view AML requirements as part of their
responsibility and no adequate measures were taken to impress upon operational
staff the value of AML systems and controls.
Branch oversight
4.25. SBUK’s branches reported to its head office. However, the reporting lines were
confused and there was a lack of communication between head office and the
branches. This meant that little regular contact was made to ensure that the
branches were operating in compliance with the regulatory requirements and there
was little ongoing management focus on the effectiveness of AML systems and
controls within the branches. As a result, operational staff failed to appreciate the
need to comply properly with AML requirements.
4.26. The MLRO reports of 2012, 2013 and 2014 each outlined a recommendation for a
regular program of visits to be conducted by the MLRO to the branches to ensure
that AML controls were operating effectively. However, because the MLRO suffered
from resourcing shortages, no such visits took place until, following the 2014 Visit,
the Authority requested that an assessment be carried out of the AML controls in
operation at the branches.
4.27. Despite being alerted by the MLRO reports for three successive years to the need
for branch visits, and being aware that no such visits were being carried out, Mr
Prodhan failed to take reasonable steps to ensure that branch visits took place until
after the 2014 Visit.
4.28. When members of the senior management carried out branch visits in April 2014,
they identified a lack of adequate understanding of AML issues among branch
managers and staff.
Failure to manage and resource the MLRO adequately
4.29. Mr Prodhan’s responsibilities included exercising managerial oversight over the
MLRO. However, he failed to hold sufficiently regular meetings with, conduct
meaningful appraisals with or adequately challenge the MLRO.
4.30. During much of the Relevant Period the MLRO department did not have adequate
resources and was overstretched, which hampered its ability to carry out its
functions. Until mid-2014, in addition to his role overseeing the AML systems and
controls, the MLRO was required to act as compliance officer, document strategies,
arrange training (both compliance and non-compliance related), act as data
protection officer and undertake company secretarial work, including noting, and
subsequently typing up, minutes at board and Audit Committee meetings.
4.31. Despite being aware of concerns expressed by the Internal Auditors in June 2012
as to the level of AML transaction monitoring being undertaken by the MLRO
department, Mr Prodhan failed to identify that the MLRO department did not have
sufficient resources.
4.32. In January 2013, the MLRO requested further staffing. Although Mr Prodhan agreed
to the request, he did not take reasonable steps to ensure that the recruitment of
a suitable staff member was actioned in a timely way. The MLRO took several
months to draft the job description. In the event, a further staff member was not
appointed until January 2014, although part of the delay was caused by the
withdrawal of a preferred candidate late in the recruitment process.
4.33. Mr Prodhan should have taken reasonable steps to ensure that the resource gap
identified was addressed in a more timely manner, particularly because the lack of
adequate resource during this period impacted adversely on the monitoring carried
out by the MLRO function. At the time Mr Prodhan had agreed to take on MSBs as
customers which he knew would have significant resource implications for the MLRO
department. It was Mr Prodhan that had the responsibility and ability to ensure that
resource was adequate.
Failure to consider warnings
4.34. Mr Prodhan received several clear indications during the Relevant Period of
significant issues with SBUK’s governance framework and AML systems and
controls. In June 2012, the Internal Auditors reported on the operation of SBUK’s
control framework. The Internal Auditors identified “a number of areas that require
actioning by Management which we consider expose SBUK to a high level of
regulatory risk”. The overall audit grade was ‘4’, indicating “Actual/potential very
significant implications for SBUK”, although the grade for AML and anti-fraud
measures was 2, indicating “Actual/potential implications where the risk/control
failure is considered to be moderate (ie an important implication at business area
(department level), but which does not warrant a grade of significant or low”. In
particular, the report identified:
(1)
a failure to identify and assess conduct risk and produce a conduct
risk appetite statement;
(2)
an inadequate risk register;
(3)
no demonstrable link between the compliance monitoring plan and
the risk register; and
(4)
an inadequate AML transaction monitoring process.
4.35. In August 2013, the Internal Auditors produced a further report. This found that
SBUK had still not documented its conduct risk, its risk register was still inadequate,
its compliance monitoring plan was still not risk-based and the AML transaction
monitoring process should be reviewed. Again, the overall audit grade was ‘4’,
although the grade for AML and anti-fraud measures remained at 2.
4.36. In October 2013, the Internal Auditors conducted a review of trade finance files.
They noted an 83% error rate in the documentation relating to CDD and fees and
identified that file monitoring by the MLRO had not been adjusted to reflect
increased business and had only taken place in two months of the year.
4.37. In each case, the reports of the Internal Auditors were subject to discussion at
board and senior management level. However, on each occasion, Mr Prodhan failed
to take any adequate measures to address the concerns of the Internal Auditors.
4.38. It was the responsibility of SBUK staff members to refer any suspicious activity to
the MLRO by completing a SAR. In each of the annual MLRO reports between 2012
and 2014, the MLRO described the lack of SARs referred to him by staff, particularly
in the trade finance part of the business, as “surprising”. Each report stated that
this “may well be attributable to the fact that the vast majority of counterparties to
the LCs [letters of credit] are familiar to the Trade Finance staff”.
4.39. Despite this indicator that staff may not have been reporting suspicious activity
appropriately, and despite the same suggested explanation being given each year
without any apparent investigation, Mr Prodhan did not take any steps to
investigate the apparently low level of SARs, to ensure that such an investigation
was carried out or to challenge the MLRO on the suggested explanation.
4.40. Following the review by the Skilled Person in 2014, SBUK reviewed its customer
files and a sample of its remittance transactions. As a result, an additional 141
SARs were submitted in respect of account holders and 102 SARs were submitted
in respect of remittance transactions. This is a clear indicator that staff had failed
to report suspicious activity appropriately. In failing to take reasonable steps to
ensure that the reasons for the low levels of referrals made were investigated and
that the rationale provided was reasonable, Mr Prodhan failed to identify a lack of
understanding of AML issues and application of relevant requirements by SBUK’s
staff.
4.41. On 28 and 29 January 2014, the Authority visited SBUK as part of follow-up
thematic work to assess AML controls in smaller banks. Notwithstanding the
measures taken as a result of the 2010 Visit, the Authority identified serious AML
failings.
4.42. The Authority requested that SBUK take a number of immediate actions to address
the risks posed by its AML weaknesses. These included lowering the remittance
threshold for obtaining source of funds information, screening its customers to
identify PEPs, conducting EDD on all PEPs and high risk customers and carrying out
visits to its branches to assess their AML systems and controls.
4.43. As a result of concerns arising from the 2014 Visit, the Skilled Person was appointed
to assess and report upon SBUK’s AML systems and controls. On 21 July 2014, the
Skilled Person reported its findings. It concluded that there were “systemic” AML
failings arising from “a lack of understanding and implementation of systems and
controls throughout the Bank”.
4.44. In a letter dated 4 March 2014 Mr Prodhan outlined SBUK’s response to the
Authority’s request for a number of immediate actions. SBUK conducted some
remediation activity following the 2014 Visit and put in place a formal remediation
plan after the review of the Skilled Person, although this was not approved by the
board until November 2014.
4.45. On 30 October 2014, Mr Prodhan’s job description was changed and he ceased to
be responsible for SBUK’s AML systems and controls. He continued in the role of
CEO until 8 May 2015 when he left SBUK and ceased to hold controlled functions.
The Authority’s investigation into SBUK
4.46. As a result of the findings of the Skilled Person, the Authority investigated SBUK’s
AML systems and controls during the period from 20 August 2010 to 21 July 2014.
The Authority concluded that SBUK failed to maintain adequate systems and
controls to manage the risk of money laundering and financial crime. These failures
were systemic, and affected almost all levels of its business and governance
structure. Details of the Authority’s findings are set out at Annex A. In particular,
there were significant issues with SBUK’s control systems at an operational level.
These issues are detailed at part A1, sections 6 to 14 of Annex A.
4.47. Although some of the issues predated Mr Prodhan’s appointment at SBUK, the
Authority considers that all of the failings persisted during the Relevant Period.
Moreover, the Authority considers that all of the failings were a direct consequence
of insufficient oversight of AML systems and controls by the board of directors and
senior management in general, and Mr Prodhan in particular.
5.
FAILINGS
5.1.
The regulatory provisions relevant to this Final Notice are referred to in Annex B.
5.2.
As a result of the conduct outlined above, the Authority considers that Mr Prodhan
is guilty of misconduct in that he breached Statement of Principle 6 and was
knowingly concerned in SBUK’s breach of Principle 3. The same evidence is relied
upon in respect of both forms of misconduct.
5.3.
Statement of Principle 6 requires an approved person performing an accountable
significant-influence function to exercise due skill, care and diligence in managing
the business of the firm for which he is responsible in his accountable function.
5.4.
Mr Prodhan breached this requirement during the Relevant Period in that he failed
to appreciate the need to give sufficient focus to regulatory compliance and to take
reasonable steps to ensure the adequacy of SBUK’s AML systems and controls to
prevent financial crime. In particular he failed:
(1)
to take AML risks into account sufficiently when planning SBUK’s
strategic direction and when making the decision to expand the
business of SBUK to MSBs;
(2)
to take reasonable steps to ensure that a culture of compliance
towards regulatory responsibilities existed throughout SBUK;
(3)
to take reasonable steps to ensure that the MLRO function was
adequately resourced in a timely way;
(4)
to take reasonable steps to ensure that SBUK’s branches were
subject to appropriate management oversight with clear reporting
lines and that AML issues were considered as part of the line
management process;
(5)
to investigate or request an explanation for continuously low levels
of SAR submissions;
(6)
to adequately discharge his responsibility to report to the board with
respect to the operation of AML systems and controls;
(7)
to provide adequate challenge to the MLRO’s assertions that AML
controls were effective; and
(8)
to take reasonable steps in a timely fashion to address serious
concerns expressed by the Internal Auditors about significant
failings
in
the
governance
processes
or
to
implement
recommendations of the Internal Auditors.
Knowingly concerned in SBUK’s breach of Principle 3
5.5.
Principle 3 requires that a firm take reasonable steps to ensure that it has organised
its affairs responsibly and effectively, with adequate risk management systems. As
a result of the facts and matters outlined in section A1 of Annex A, and for the
reasons outlined in section A2 of Annex A, SBUK breached this requirement
between 20 August 2010 and 21 July 2014. Mr Prodhan was knowingly concerned
in this breach during the Relevant Period in that he was:
(1)
responsible for ensuring that the importance of AML compliance was
ingrained throughout the business, aware of the warnings of the
culture of non-compliance and aware that SBUK was failing to take
adequate steps to address the issue;
(2)
responsible for ensuring that the board and senior management
were provided with sufficiently clear information to ensure that they
had adequate oversight of the AML risks faced by the business and
were able to assess how they were being addressed. Mr Prodhan
was aware of the information provided to the board and senior
management for this purpose and should have been aware that it
was inadequate;
(3)
aware of the warnings from the Internal Auditors of weaknesses in
SBUK’s governance systems and controls, responsible for ensuring
effective governance systems and aware that the warnings of the
internal auditors were not being acted upon;
(4)
responsible for ensuring the MLRO department was adequately
resourced and aware of a lack of adequate resourcing but failed to
take adequate measures to address the issue;
(5)
responsible for oversight of the MLRO department and failed to take
reasonable steps to ensure that oversight was adequate to confirm
that the MLRO department performed its role effectively;
(6)
responsible for the arrangements for managerial oversight of the
branches and failed to take reasonable steps to ensure that they
were clear and considered AML compliance adequately; and
(7)
aware of the numbers of SAR submissions and, despite having been
aware of the warnings that they were surprisingly low, failed to take
reasonable steps to address the issue.
6.
SANCTION
Public censure
6.1.
The Authority’s policy for imposing penalties is set out in Chapter 6 of DEPP. DEPP
6.4.1G states that the Authority will consider all the relevant circumstances when
deciding whether to impose a penalty or issue a public censure.
6.2.
The Decision Notice outlined the reasons for the Authority’s decision that the
appropriate sanction for Mr Prodhan’s misconduct was the imposition of a financial
penalty of £76,400. This figure was calculated by reference to the Authority’s
penalty policy, set out in DEPP 6.5B. The basis for calculating this figure is set out
at Annex C of this Final Notice.
6.3.
The Authority continues to consider that, absent the factors set out below, the
imposition of a financial penalty of £76,400 would be the appropriate penalty to
impose.
6.4.
Since the commencement of the investigation and, in particular, during the period
of four years and three months when the Reference was active in the Tribunal, Mr
Prodhan’s personal circumstances have changed in the following ways:
(1)
Mr Prodhan has returned to Bangladesh where he now resides. As a
consequence, Mr Prodhan has no residual links to, nor assets in, the UK;
(2)
Mr Prodhan recently retired from employment;
(3)
Mr Prodhan has ongoing personal conditions which limit his ability to
travel to the UK, to participate in a hearing of the Reference or
otherwise; and
(4)
The length of time which has elapsed since Mr Prodhan’s misconduct
(some 10 years) contributes to an increasing risk of the Reference not
being able to be determined fairly.
The Authority considers that the combination of these factors is exceptional.
6.5.
As a result of the above factors, and the exceptional circumstances that they create,
the Authority has decided that it is appropriate to replace the financial penalty
imposed on Mr Prodhan, and notified to him in the Decision Notice, with the
publication of a statement of his misconduct.
6.6.
The Authority therefore publishes this Final Notice as a statement of Mr Prodhan’s
misconduct.
7.
REPRESENTATIONS
7.1.
Annex D contains a brief summary of the key representations made by Mr Prodhan
to the Authority in response to the Warning Notice and how they were dealt with.
The Authority took into account all of the representations made by Mr Prodhan,
whether or not set out in Annex D, before deciding to give him the Decision Notice.
There has been no substantive change in the Authority’s consideration of these
representations.
8.
PROCEDURAL MATTERS
Decision maker
8.1. The decision which gave rise to the obligation to give this Final Notice was made
by the Settlement Decision Makers.
8.2. This Final Notice is given under and in accordance with section 390 of the Act. The
following statutory rights are important.
8.3.
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this Final Notice relates. Under those
provisions, the Authority must publish such information about the matter to which
the notice relates as it considers appropriate. The information may be published in
such manner as the Authority considers appropriate. However, the Authority may
not publish information if such publication would, in the opinion of the Authority,
be unfair to the person in respect of whom the action was taken, prejudicial to the
interests of consumers or detrimental to the stability of the UK financial system.
8.4.
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contact
8.5.
For more information concerning this matter, contact William Walsh (direct line:
020 7066 5518) of the Enforcement and Market Oversight Division of the Authority.
Lauren Rafter
Enforcement and Market Oversight Division
ANNEX A
This Annex outlines the facts and matters which, in the view of the Authority, demonstrate
the weaknesses in SBUK’s governance and control systems and the reasons why SBUK
contravened Principle 3 during the period between 20 August 2010 and 21 July 2014. Mr
Prodhan commenced his role on 11 April 2012 and consequently part of the period during
which SBUK breached Principle 3 pre-dated his appointment. Moreover, the period of
failings which constituted the breach of Principle 3 extends beyond that in which Mr
Prodhan was knowingly concerned. The specific parts of the Principle 3 breach in which Mr
Prodhan was knowingly concerned, between 7 June 2012 and 4 March 2014, are outlined
at paragraph 5.5 above.
A1
Facts and Matters
SBUK’S GOVERNANCE SYSTEM
1.
Board of directors
1.1
The board failed to act cohesively and effectively. There was a lack of experience
and expertise in relation to regulatory and compliance matters and manifest
differences in opinion and approach to complying with regulatory requirements
which affected the board’s ability to operate effectively as a collective unit.
1.2
The board relied in part upon the knowledge of independent non-executive directors
yet failed to ensure that their recommendations were effected. For example, in
September 2010, the board’s attention was drawn to “a cultural mind-set which
needed to change” in relation to AML issues. Despite this, and similar expressions
of concern made to the board subsequently, the board took insufficient steps to
ensure that the importance of AML compliance was ingrained throughout the
business.
1.3
Although the board initially monitored the progress of the remediation measures
taken following the 2010 Visit, it made insufficient enquiry into the effectiveness of
the measures taken and, by March 2011, remediation measures did not feature on
the board agenda. This meant that the board was not able to satisfy itself that the
implemented measures were operating effectively. The board failed to consider,
assess, document and mitigate adequately the risks to which SBUK was exposed,
including that of AML compliance. In 2012, the Internal Auditors drew attention to
a lack of evidence to demonstrate that SBUK had identified and considered the
conduct risks to which it was exposed, that SBUK’s risk register was not reflective
of the risks faced and that there was a lack of any demonstrable link to the tasks
listed in SBUK’s compliance monitoring plan. They recommended that the board
approve a conduct risk appetite statement and that SBUK review its compliance
monitoring plan.
1.4
Despite this, in 2013, the Internal Auditors reported that no conduct risk appetite
had been documented, that the risk register had not been updated and that the
compliance monitoring plan remained insufficiently focussed on high-risk areas. As
a result, SBUK’s board failed to ensure that it was sufficiently sighted of the risks
to which it was exposed, including the risk of being used for money laundering or
other financial crime.
1.5
Further, the board failed to provide effective oversight of senior management
responsible for ensuring that systems and controls were robust and the board
routinely accepted without challenge management assurances on the effectiveness
of AML controls. Despite identifying from a report of the Internal Auditors in June
2012 that it was “clear that the management have failed in some areas”, the Audit
Committee accepted the recommendations of senior management and failed to
take steps to ensure that failures were remediated adequately.
1.6
Although the board received regular financial crime reports, it raised insufficient
challenge to the conclusions reached and failed to enquire adequately into the
oversight of the implemented systems.
2.
Senior Management Team
2.1
Following the 2010 Visit, SBUK’s senior management oversaw the plan to remediate
the identified failings. These measures were accepted as complete in December
2011 without sufficient testing of their implementation to determine whether the
required steps had been taken or how effective the systems introduced as a result
were operating.
2.2
At no time did SBUK’s senior management put in place a coherent strategy for
addressing AML risk. As identified above at paragraph 1.4, SBUK’s senior
management failed to act on the recommendations of the Internal Auditors to
ensure that all risks were identified, assessed and recorded within a risk register.
2.3
SBUK’s senior management received monthly Compliance and Financial Crime
reports from the MLRO. However, these were formulaic, provided insufficient
analysis on the effectiveness of systems and controls, failed to highlight particular
risks or issues for the immediate attention of senior management and were subject
to little challenge by the senior management team.
2.4
The senior management failed to take responsibility for ensuring that AML issues
were sufficiently prioritised throughout the business. Overall, senior management
was willing to accept assurances that compliant AML systems were in place without
conducting any adequate enquiry as to the effectiveness of these systems and
despite adverse reports from the Internal Auditors.
3.
Internal Audit
3.1
On 31 December 2010, SBUK informed the Authority that it had appointed an
external firm to carry out its internal audit functions and that it will “pay close
attention to whether the [AML] procedures are being correctly followed”.
3.2
On the basis of their work, the Internal Auditors produced regular reports,
relevantly in each of the years 2011 to 2013. Each report identified significant
weaknesses in SBUK’s AML control systems: several of these are outlined in this
Notice.
3.3
Overall, in 2011 the Internal Auditors graded the risks and controls associated with
SBUK’s governance and regulation activities as ‘3’, indicating ‘actual/potential
significant implications for SBUK as a whole or as a business area (say a
department)’.
3.4
In both 2012 and 2013, the grading was ‘4’ – the highest grade available, indicating
‘actual/potential very serious implications for SBUK’.
3.5
In respect of several failings, the Internal Auditors noted that they persisted in
subsequent years despite the assurances of senior management that they would
be remediated.
3.6
Despite these indicators, between 2011 and 2013, the number of days allocated by
the Internal Auditors to consideration of governance and regulation matters was
reduced from 18 days in 2011 to 8 days by 2013.
3.7
The failure of SBUK’s senior management to react appropriately to the adverse
findings of its own independent Internal Auditors and to improve adequately the
control framework is a clear indicator that senior management was insufficiently
focussed on compliance in general and AML systems in particular.
3.8
As a result, senior management failed to ensure that SBUK fostered a culture which
valued robust adherence to its regulatory responsibilities and allowed a culture of
minimal, or non-compliance to persist throughout the firm.
4.
MLRO function
4.1
The MLRO function was responsible for monitoring and ensuring SBUK’s compliance
with its AML responsibilities. It was therefore important that the MLRO function was
properly equipped with staff who had adequate skills and experience, and systems
which enabled effective monitoring.
4.2
In addition to his role overseeing the AML systems and controls, until 2014, SBUK
required its MLRO: to act as compliance officer; to act as line manager to staff; to
undertake responsibilities for training; and to undertake some company secretarial
work, including taking, and subsequently typing up, minutes at board and Audit
Committee meetings.
4.3
Having identified in March 2013 that the MLRO function required further staffing,
although steps were taken from the summer of 2013 onwards, SBUK did not recruit
another staff member until January 2014. The lack of adequate resource during
this period adversely affected the monitoring carried out by the MLRO function: for
example, in August 2013, the Internal Auditors noted that only 17 reviews of trade
finance files had been carried out, rather than the 75 mandated by SBUK’s
procedures.
4.4
In addition to staffing, SBUK failed to provide the MLRO department with adequate
resources. Despite the MLRO recommending membership of a commercial crime
information service in each of the MLRO reports for 2011 to 2013, SBUK failed to
purchase the suggested service or an alternative.
4.5
The MLRO also recommended software enhancements in each of the MLRO reports
for 2011 to 2014, in relation to sanctions screenings, which were implemented in
2015. In 2012, the MLRO recommended that upgrades to remittance software were
required to ensure that transactions were automatically screened against sanctions
lists. This was implemented in the second half of 2014. SBUK failed to implement
the necessary upgrades in a timely manner.
4.6
In 2011 SBUK started a project to replace its IT system which would have provided
enhanced AML functionality. As of August 2016, SBUK was still working on
implementation of this new system.
4.7
The Authority acknowledges that external factors have been involved in the delay
in implementing the new system. Nevertheless, senior management’s lack of
sufficient focus on AML systems meant that they did not respond adequately to the
delay. Therefore senior management failed to ensure that SBUK was equipped
properly to carry out its functions effectively.
5.
Oversight of branches
5.1
SBUK’s head office was based in London. It operated five additional branches,
providing retail banking and money remittance services to Bangladeshi
communities outside central London.
5.2
Reporting lines from the branches to SBUK’s head office were confused. While some
visits to branches were made by senior management, these were focused on the
administrative operations of the branches and did not consider compliance with
AML processes.
5.3
As a result, AML compliance was not embedded in the reporting lines of branch
staff or management and insufficient ongoing management attention was focussed
upon the effectiveness of AML systems within the branches, although half yearly
conferences were conducted for branch managers at which AML issues were
discussed.
5.4
The MLRO reports of 2012, 2013 and 2014 each outlined a recommendation for a
regular program of visits to be conducted by the MLRO to the branches. As a result
of a lack of resources in the MLRO department, these visits did not take place until
after the Authority’s feedback from the 2014 Visit. Despite being alerted by the
MLRO reports for three successive years to the need for branch visits, SBUK’s senior
management took no steps to ensure that they took place.
5.5
Instead, AML oversight of the branches was conducted by the (already under-
resourced) MLRO department’s transaction monitoring and by dealing with ad hoc
queries posed by branch staff. This led to a culture amongst branch staff of reliance
on the MLRO department to ensure that AML monitoring and reviews were
satisfactorily completed.
5.6
When members of the senior management carried out branch visits in April 2014,
SBUK identified a lack of adequate understanding of AML issues among some
branch managers and staff, including unsatisfactory knowledge of CDD, EDD,
customer risk assessments and the circumstances in which a SAR was necessary.
6.
AML policies and procedures
6.1
SBUK maintained the AML Staff Handbook which contained its AML policy and
procedures. It was redrafted following the 2010 Visit with the assistance of external
consultants and subsequently approved by the board on an annual basis. The AML
Staff Handbook was a high level manual that provided insufficient practical
guidance to staff to assist them with carrying out their functions effectively. Staff
were provided with the AML Staff Handbook but were given limited further
documentary guidance on how to follow the AML processes. This meant that staff
were not provided with adequate guidance on how to comply with SBUK’s AML
processes.
6.2
For example, staff were instructed that prior to establishing a relationship or
opening an account, they were required to obtain “sufficient due diligence” but the
guidance did not specify what would be considered as “sufficient”.
6.3
Members of staff were required to obtain evidence of source of funds for cash
remittances of £9,000 and above (reduced to £2,000 and above in January 2014)
but no guidance was provided on what form this evidence should take. This was
despite cash remittances being a key risk area for the business. The lack of specific
guidance in this area led to staff processing very large cash remittance transactions
with little evidence of source of funds. For example, a cash remittance transaction
of £10,000 (a significant sum compared to the income of the remitter) was
processed where the only documented evidence of source of funds obtained
consisted of a withdrawal slip. It does not appear that adequate consideration was
given as to whether this was sufficient in such circumstances, or whether further
information, such as evidence of the activity that generated the funds, was
necessary.
6.4
The AML Staff Handbook was at times contradicted by the MLRO reports. For
example, from January 2012, the AML Staff Handbook provided for SBUK to treat
all new customers as high risk for the first six months. However, the 2012 and 2013
MLRO reports stated that SBUK’s policy was “not to conduct relationships with any
individual or organisation which it considers to be high risk or engages in high risk
activities, except for correspondent banking relationships”.
6.5
Moreover, the MLRO reports provided that all account applications for high risk
customers and subsequent reviews were required to be signed off by senior
management. However, this provision was not set out in the AML Staff Handbook
and consequently was not communicated to staff. It remained unclear how these
policies coincided with the classification of all new customers as high risk. In
practice, the requirement in the MLRO reports was not followed: while senior
management did sign off some categories of customer, they did not sign off all high
risk customers.
6.6
The first time a customer underwent a considered risk assessment was after the
initial six months when the customer was assessed as low, medium or high risk.
This review was largely limited to a manual paper exercise involving a paper diary
system because, until mid-2013, SBUK databases did not have the capability to
record review dates. This meant that the review after the initial six months was not
always conducted on time.
6.7
The AML Staff Handbook listed a number of factors to be used in making a risk
assessment of an individual customer but provided insufficient guidance on how
these factors interrelated or how staff should use them in an individual case.
Although the AML Staff Handbook required ongoing periodic reviews, it did not
provide details of what information these reviews should consider.
6.8
The AML Staff Handbook set out SBUK’s policy and procedural requirements for
carrying out EDD, but it did not explain adequately what EDD was, and did not
provide staff with guidance on how to carry out EDD.
AML CONTROL SYSTEMS
7.
Customer Due Diligence
7.1
Following the 2010 Visit, the Authority had alerted SBUK to deficiencies in its CDD
processes.
7.2
Despite this, when the Authority examined 16 files during the 2014 Visit, it found
a failure to carry out adequate CDD, including a lack of documented evidence of
the purpose and intended nature of the business relationship and information
relating to the expected turnover or transactional activity. As a consequence, these
files lacked suitable information to assess whether account activity was consistent
with the anticipated activity.
7.3
The Skilled Person found a systemic failure to carry out sufficient CDD. Failings
included scanned documentation which was unclear, out of date identification
documentation, incomplete account opening forms and insufficient information
about expected account activity.
7.4
Following the review of the Skilled Person, SBUK identified 2,457 live customer
accounts. Each file suffered from a lack of appropriate documentation.
8.
Enhanced Due Diligence
8.1
The ML Regulations require firms to carry out EDD in any situation which can
present a higher risk of money laundering. SBUK’s policies required it to carry out
EDD in respect of all high risk customers. The AML Staff Handbook reflected this
requirement. The classification of all new customers as high risk therefore required
SBUK to conduct EDD on all of these customers. In fact, SBUK routinely failed to
carry out EDD in respect of its new customers, on the basis that they were not in
fact high risk for these purposes.
8.2
The result of this was that SBUK failed to follow its own policies and failed to give
any meaningful consideration to whether the risks of a particular customer merited
carrying out EDD.
9.
Ongoing monitoring
9.1
The MLRO department did not review live customer accounts at all until a review in
2011. This review found that in most cases the customer information was not up
to date resulting in SBUK writing to 300 customers and requesting information.
These included customers whose account activity involved large cash transactions
or transactions which did not appear consistent with their customer profile. SBUK
did not undertake any subsequent periodic reviews of its customer files and in 2014
approximately 20% of live customer files were still found to be deficient,
demonstrating CDD was still not being carried out properly.
9.2
A sample review of customer files by the Skilled Person found that the reviews
undertaken by the MLRO department after the initial six months was flawed. For
example, the reasons for classifying a customer as high, medium or low risk were
not clearly documented.
9.3
After the initial six month review, SBUK failed to carry out ongoing monitoring of
customer relationships beyond the monitoring of certain transactions. This meant
that, after the initial six month review, insufficient consideration was given to the
AML risks posed by a particular customer unless he or she completed an individual
transaction which was subject to monitoring. This meant that there was a risk that
customers were not classified appropriately which would have impacted on the level
of due diligence undertaken on customers and the frequency of monitoring
determined. The decision whether to monitor a particular transaction was generally
made by reference to the transaction itself rather than by any consideration of the
risks posed by the customer.
9.4
For example, one customer who was identified by SBUK as a PEP, and whose
income had been noted in 2007 as £20,000 per annum, had made a number of
significant cash and cheque deposits. SBUK had failed to consider whether these
deposits were commensurate with his earnings and, accordingly, whether the
account activity posed increased AML risks.
9.5
Until February 2011, SBUK conducted no documented monitoring of transactions.
From February 2011, the MLRO department monitored transactions by reviewing a
series of daily reports which flagged transactions that fell outside pre-set criteria.
Of these, the MLRO department investigated transactions on a sample basis. The
basis for selecting the sample was unclear and the number of transactions
investigated depended on the resource available.
9.6
SBUK operated two separate systems for money remittances. However, the MLRO
department was unaware that it only received daily reports in respect of one of
these systems. As a result, a significant number of transactions were not subject
to monitoring.
9.7
In 2012, the Internal Auditors recommended that the parameters for the daily
reports be reviewed and that all transactions on the reports should be investigated.
However, SBUK did not follow this recommendation.
9.8
SBUK’s systems were unable to detect linked transactions or transactions from a
number of remitters to a single beneficiary. Moreover, individual branches could
not access the remittance history of a customer from other branches and the MLRO
department could not access remittance histories from branches other than the
Head Office.
9.9
This meant that SBUK failed to assess the overall risks posed by particular
customers. For example, the Skilled Person examined a remittance transaction of
£10,000. When assessing the risk of the transaction and of the customer, SBUK
failed to take into account that the customer’s stated income was £28,000 and that,
in less than 18 months, he or she had remitted over £25,000. As a result, the
transaction was not considered by SBUK to be suspicious and no documented
assessment of the risk posed by the customer was made.
10.1
Until 2014, SBUK did not conduct routine screening of its customer list to identify
PEPs. Although checks were carried out in respect of new customers, SBUK failed
to identify some customers who should have been assessed as PEPs. On other
occasions, information which suggested customers were PEPs was discounted
without any documented reasoning. This meant that SBUK risked failing to
appropriately identify PEPs.
10.2
Even when SBUK identified a customer as a PEP, it did not always carry out
adequate EDD. In particular, it failed to establish the source of particular funds or
the source of the customer’s wealth. Even when areas of concern or adverse
information were identified, these were not always sufficiently considered and the
associated risks identified and considered. There was a failure to document
adequately the rationale for the steps taken.
10.3
In one case, SBUK failed to identify that several PEPs sat on the board of one of its
customers and failed to consider publicly available information concerning
corruption investigations involving this customer. As a result, SBUK’s risk
assessment of this customer was seriously deficient.
11.
Suspicious Activity Reporting
11.1
It was the responsibility of SBUK staff members to refer any suspicious activity to
the MLRO by completing a SAR. Throughout the Relevant Period, SBUK staff made
very low levels of SAR submissions. In each of the annual MLRO reports between
2011 and 2014, the MLRO report described the lack of SARs referred by staff,
particularly in the trade finance part of the business, as “surprising”. Each report
stated that this “may well be attributable to the fact that the vast majority of
counterparties to the LCs [letters of credit] are familiar to the trade Finance staff”.
11.2
Despite this potential indicator that staff were not reporting suspicious activity
appropriately, no adequate investigation of the reasons for the low levels of
submissions was made and SBUK accepted the explanation given as sufficient
without any challenge.
11.3
Following the report of the Skilled Person, SBUK reviewed its customer files and a
sample of its remittance transactions. As a result, an additional 141 SARs were
30
submitted to the MLRO department in respect of account holders and 102 SARs in
respect of remittance transactions. This is a clear indicator that staff had previously
failed to report suspicious activity appropriately.
12.1
SBUK was notified following the 2010 Visit that its correspondent banking files
contained very poor records. In October 2012, the MLRO identified that the files
were “in a mess”. Despite this, a full review of correspondent banking relationships
was not carried out until December 2013 at which point four relationships with
correspondent banks were suspended as a result of AML issues.
12.2
Even when SBUK identified adverse information about its correspondent banks, it
did not always act upon this in a timely fashion or at all. On occasions, it relied
upon assurances from the correspondent bank that the information was baseless
or failed to provide documented reasons for reaching conclusions on the risks
posed.
12.3
Even when SBUK identified that directors or shareholders of correspondent banks
were PEPs, it failed to record this status on its PEP register.
13.1
Monitoring of trade finance transactions was undertaken by the MLRO department.
While some investigations were carried out, SBUK could not demonstrate that
effective CDD measures were undertaken adequately. Transactions were approved
by the MLRO department with insufficient evidence of any analysis and reasoning
was not always documented.
13.2
In 2013, the Internal Auditors identified that the level of monitoring of trade finance
files was not taking place to the extent provided by SBUK’s internal procedures.
This was as a result of a lack of resourcing in the MLRO department.
13.3
The Internal Auditors considered a sample of 35 trade finance files. They identified
an error rate of 83%, including insufficient CDD and a failure to gain approval from
the MLRO in respect of high risk transactions. It was noted that “high risk” was not
defined and a recommendation was made to update the trade finance manual.
SBUK did not follow this recommendation.
14.
Money Service Bureaux
14.1
In October 2013, SBUK agreed to provide banking services for seven MSBs, each
of which provided money remittance services. SBUK provided these services
despite identifying various deficiencies in the AML processes of some of the MSBs.
These included outdated process documentation, registration forms which lacked
full information or were not completed, staff with inadequate knowledge and
incomplete training records.
14.2
SBUK later terminated the relationships with six of the seven MSBs. It retained the
relationship with one on the basis that SBUK was satisfied that appropriate AML
systems and controls were in place.
As a result of the facts and matters outlined in this Annex, the Authority considers that
SBUK breached Principle 3 during the period between 20 August 2010 and 21 July 2014
in that:
(1)
it failed to take adequate steps to ensure that the importance of AML
compliance was ingrained throughout the business, despite receiving clear
warnings of a culture of non-compliance;
(2)
it did not ensure that the ongoing effectiveness of the measures introduced
following the 2010 Visit was monitored and assessed effectively;
(3)
it failed to ensure that its board and senior management were provided with
sufficiently clear information to ensure that they were adequately sighted of
the AML risks faced by the business and able to assess how they were being
addressed;
(4)
it ignored warnings from the Internal Auditors of weaknesses in its
governance systems and controls;
(5)
it failed to ensure that the MLRO department was adequately resourced;
(6)
it failed to implement adequate oversight of the MLRO department;
(7)
managerial oversight of its branches was confused and did not sufficiently
consider AML compliance;
(8)
its policies on AML compliance failed to provide adequate practical guidance
to staff;
(9)
its policy on the risk assessment of customers was unclear and
contradictory;
(10)
it failed to carry out adequate CDD when establishing a business relationship
and its systems failed to identify that CDD measures were inadequate;
(11)
it failed to carry out EDD in higher risk situations and its systems failed to
identify that EDD measures were inadequate;
(12)
it failed to conduct on-going monitoring of some customer relationships;
(13)
its AML transaction monitoring was conducted on a sample basis, the
rationale for which was unclear, omitted to consider some transactions, was
insufficiently documented and failed to consider all relevant information;
(14)
it failed to take adequate measures to identify PEPs and to apply adequate
EDD measures to those identified as PEPs; and
(15)
its staff failed to identify and report suspicious activity in appropriate
circumstances. SBUK received warnings that the number of SARs was
surprisingly low but failed to take any adequate steps to ascertain the
reasons for this and consequently failed to identify that staff were not
submitting SARs in appropriate circumstances.
ANNEX B
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.
RELEVANT STATUTORY PROVISIONS
1.1
Pursuant to sections 1B and 1D of the Act, one of the Authority’s operational
objectives is protecting and enhancing the integrity of the UK financial system.
1.2
Pursuant to section 66 of the Act, the Authority may take action against a person
if it appears to the Authority that he is guilty of misconduct and the Authority is
satisfied that it is appropriate in all the circumstances to take action against him.
Misconduct includes failing, while an approved person, to comply with a Statement
of Principle issued under section 64 of the Act and being knowingly concerned in a
contravention by the authorised person on whose application the approval was
given.
1.3
The action that may be taken by the Authority pursuant to section 66 of the Act
includes the imposition on the approved person of a penalty of such amount as the
Authority considers appropriate and the publication of a statement of his
misconduct (a public censure).
1.4
Section 388(3) of the Act provides that the Authority may, before it takes the action
to which a decision notice relates, give the person concerned a further decision
notice which relates to different action in respect of the same matter.
2.
RELEVANT REGULATORY PROVISIONS
2.1
In exercising its powers to publish a statement of Mr Prodhan’s misconduct, the
Authority has had regard to the relevant regulatory provisions published in the
Authority’s Handbook. The main provisions that the Authority considers relevant
are set out below.
The Statements of Principle for Approved Persons (“APER”)
2.2
APER sets out the fundamental obligations of approved persons and sets out
descriptions of conduct, which, in the opinion of the Authority, do not comply with
the relevant Statements of Principle. It also sets out, in certain cases, factors to be
taken into account in determining whether an approved person’s conduct complies
with a Statement of Principle.
2.3
APER 2.1A.3P, which applied from 1 April 2013, sets out Statement of Principle 6
which provides:
“An approved person performing an accountable significant-influence function must
exercise due skill, care and diligence in managing the business of the firm for which
he is responsible in his accountable function.”
2.4
APER 2.1.2P, which applied from 1 December 2001 to 31 March 2013, set out
Statement of Principle 6 which provided:
“An approved person performing a significant influence function must exercise due
skill, care and diligence in managing the business of the firm for which he is
responsible in his controlled function.”
2.5
APER 4.6.2E provided:
“In the opinion of the appropriate regulator [prior to 1 April 2013, the Financial
Services Authority], conduct of the type described in APER 4.6.3E, APER 4.6.5E,
APER 4.6.6E or APER 4.6.8E does not comply with Statement of Principle 6.”
2.6
APER 4.6.6E provided:
“Failing to take reasonable steps to maintain an appropriate level of understanding
about an issue or part of the business that he has delegated to an individual or
individuals (whether in-house or outside contractors) falls within APER 4.6.2E (see
APER 4.6.14G).”
2.7
APER 4.6.14G provided:
“Although an approved person performing a significant influence function may
delegate the resolution of an issue, or authority for dealing with a part of the
business, he cannot delegate responsibility for it. It is his responsibility to ensure
that he receives reports on progress and questions those reports where
appropriate. For instance, if progress appears to be slow or if the issue is not being
resolved satisfactorily, then the approved person performing a significant influence
function may need to challenge the explanations he receives and take action himself
to resolve the problem. This may include increasing the resource applied to it,
reassigning the resolution internally or obtaining external advice or assistance.
Where an issue raises significant concerns, an approved person performing a
significant influence function should act clearly and decisively. If appropriate, this
may be by suspending members of staff or relieving them of all or part of their
responsibilities (see APER 4.6.6E).”
Principles for Business (“Principles”)
2.8
The Principles are a general statement of the fundamental obligations of firms under
the regulatory system and are set out in the Authority’s Handbook.
2.9
Principle 3 provides:
“A firm must take reasonable care to organise and control its affairs responsibly
and effectively, with adequate risk management systems.”
2.10
During the Relevant Period, the following rules applied:
Senior Management Arrangements, Systems and Controls (“SYSC”)
2.11
SYSC 6.1.1R provided:
“A firm must establish, implement and maintain adequate policies and procedures
sufficient to ensure compliance of the firm including its managers, employees and
appointed representatives (or where applicable, tied agents) with its obligations
under the regulatory systems and for countering the risk that the firm might be
used to further financial crime.”
2.12
SYSC 6.3.1R provided:
“A firm must ensure that the policies and procedures established under SYSC
6.1.1R include systems and controls that:
(1) enable it to identify, assess, monitor and manage money laundering risk;
and
(2) are comprehensive and proportionate to the nature, scale and complexity of
its activities.”
2.13
SYSC 6.3.8R provided:
“A firm must allocate to a director or senior manager (who may also be the money
laundering reporting officer) overall responsibility within the firm for the
36
establishment and maintenance of effective anti-money laundering systems and
controls.”
Decision Procedure and Penalties Manual (“DEPP”)
2.14
Chapter 6 of DEPP, which forms part of the Authority’s Handbook, sets out the
Authority’s statement of policy with respect to the imposition of penalties under the
Act. DEPP 6.4.1G states that the Authority will consider all the relevant
circumstances of the case when deciding whether to impose a penalty or issue a
public censure. DEPP 6.5B sets out the five steps for penalties imposed on
individuals in non-market abuse cases. DEPP 6.4.2G states that the criteria for
determining whether it is appropriate to issue a public censure rather than impose
a financial penalty include those factors that the Authority will consider in
determining the amount of penalty in, inter alia, DEPP 6.5B.
2.15
The Enforcement Guide sets out the Authority’s approach to taking disciplinary
action. The Authority’s approach to penalties is set out in Chapter 7 of the
Enforcement Guide.
3.
RELEVANT PROVISIONS OF THE MONEY LAUNDERING REGULATIONS 2007
3.1
The ML Regulations provide a series of measures for the purposes of preventing
the use of the financial system for the purposes of money laundering. In particular,
they impose a set of requirements which all firms operating in the financial system
are obliged to follow.
3.2
Regulation 5 (Meaning of customer due diligence measures) of the ML Regulations
defines “customer due diligence measures” as:
(a)
identifying the customer and verifying the customer's identity on the basis
of documents, data or information obtained from a reliable and independent
source;
(b)
identifying, where there is a beneficial owner who is not the customer, the
beneficial owner and taking adequate measures, on a risk-sensitive basis,
to verify his identity so that the relevant person is satisfied that he knows
who the beneficial owner is, including, in the case of a legal person, trust or
similar legal arrangement, measures to understand the ownership and
control structure of the person, trust or arrangement; and
(c)
obtaining information on the purpose and intended nature of the business
relationship.
3.3
Regulation 7(1) to (3) (Application of customer due diligence measures) of the ML
Regulations provides:
(1)
Subject to regulations 9, 10, 12, 13, 14, 16(4) and 17, a relevant person
must apply customer due diligence measures when he—
(a)
establishes a business relationship;
(b)
carries out an occasional transaction;
(c)
suspects money laundering or terrorist financing;
(d)
doubts the veracity or adequacy of documents, data or information
previously obtained for the purposes of identification or verification.
(2)
Subject to regulation 16(4), a relevant person must also apply customer
due diligence measures at other appropriate times to existing customers
on a risk-sensitive basis.
(3)
A relevant person must—
(a)
determine the extent of customer due diligence measures on a risk-
sensitive basis depending on the type of customer, business
relationship, product or transaction; and
(b)
be able to demonstrate to his supervisory authority that the extent of
the measures is appropriate in view of the risks of money laundering
and terrorist financing…
3.4
Regulation 8 (Ongoing monitoring) of the ML Regulations provides:
(1)
A relevant person must conduct ongoing monitoring of a business
relationship.
(2)
“Ongoing monitoring” of a business relationship means—
38
(a)
scrutiny of transactions undertaken throughout the course of the
relationship (including, where necessary, the source of funds) to
ensure that the transactions are consistent with the relevant person's
knowledge of the customer, his business and risk profile; and
(b)
keeping the documents, data or information obtained for the purpose
of applying customer due diligence measures up-to-date.
(3)
Regulation 7(3) applies to the duty to conduct ongoing monitoring under
paragraph (1) as it applies to customer due diligence measures.
3.5
Regulation 14 (enhanced customer due diligence and ongoing monitoring) of the
ML Regulations provides:
(1)
A relevant person must apply on a risk-sensitive basis enhanced customer
due diligence measures and enhanced ongoing monitoring—
(a)
in accordance with paragraphs (2) to (4);
(b)
in any other situation which by its nature can present a higher risk of
money laundering or terrorist financing…
(4)
A relevant person who proposes to have a business relationship or carry
out an occasional transaction with a politically exposed person must—
(a)
have approval from senior management for establishing the business
relationship with that person;
(b)
take adequate measures to establish the source of wealth and source
of funds which are involved in the proposed business relationship or
occasional transaction; and
(c)
where the business relationship is entered into, conduct enhanced
ongoing monitoring of the relationship.
(5)
In paragraph (4), “a politically exposed person” means a person who is—
(a)
an individual who is or has, at any time in the preceding year, been
entrusted with a prominent public function by—
(i)
a state other than the United Kingdom;
(ii)
an EU institution; or
(iii)
an international body,
including a person who falls in any of the categories listed in
paragraph 4(1)(a) of Schedule 2;
(b)
an immediate family member of a person referred to in sub-
paragraph (a), including a person who falls in any of the categories
listed in paragraph 4(1)(c) of Schedule 2; or
(c)
a known close associate of a person referred to in sub-paragraph (a),
including a person who falls in either of the categories listed in
paragraph 4(1)(d) of Schedule 2.
(1)
For the purpose of deciding whether a person is a known close associate of
a person referred to in paragraph (5)(a), a relevant person need only have
regard to information which is in his possession or is publicly known.
3.6
Regulation 20(1) and (2) (Policies and procedures) of the ML Regulations provides:
(1)
A relevant person must establish and maintain appropriate and risk-
sensitive policies and procedures relating to—
(a)
customer due diligence measures and ongoing monitoring;
(b)
reporting;
(c)
record-keeping;
(d)
internal control;
(e)
risk assessment and management;
(f)
the monitoring and management of compliance with, and the internal
communication of, such policies and procedures,
in order to prevent activities related to money laundering and terrorist
financing.
(2)
The policies and procedures referred to in paragraph (1) include policies and
procedures—
(a)
which provide for the identification and scrutiny of—
(i) complex or unusually large transactions;
(ii) unusual patterns of transactions which have no apparent
economic or visible lawful purpose; and
(iii) any other activity which the relevant person regards as
particularly likely by its nature to be related to money laundering
or terrorist financing;
(b)
which specify the taking of additional measures, where appropriate,
to prevent the use for money laundering or terrorist financing of
products and transactions which might favour anonymity;
(c)
to determine whether a customer is a politically exposed person;
(d)
under which—
(i)
an individual in the relevant person's organisation is a
nominated officer under Part 7 of the Proceeds of Crime Act
2002 and Part 3 of the Terrorism Act 2000;
(ii)
anyone in the organisation to whom information or other
matter comes in the course of the business as a result of which
he knows or suspects or has reasonable grounds for knowing
or suspecting that a person is engaged in money laundering
or terrorist financing is required to comply with Part 7 of the
Proceeds of Crime Act 2002 or, as the case may be, Part 3 of
the Terrorism Act 2000; and
(iii)
where a disclosure is made to the nominated officer, he must
consider it in the light of any relevant information which is
available to the relevant person and determine whether it
gives rise to knowledge or suspicion or reasonable grounds for
knowledge or suspicion that a person is engaged in money
laundering or terrorist financing.
1.
In respect of conduct occurring on or after 6 March 2010, the Authority applies a
five-step framework to determine the appropriate level of financial penalty. DEPP
6.5B sets out the details of the five-step framework that applies in respect of
financial penalties imposed on individuals in non-market abuse cases.
2.
In calculating the appropriate financial penalty, the Authority considered the totality
of Mr Prodhan’s misconduct. Since the evidence underlying both Mr Prodhan’s
breach of Statement of Principle 6 and Mr Prodhan’s knowing concern in SBUK’s
breach of Principle 3 is the same, the Authority did not consider it appropriate to
impose separate financial penalties. Instead, it determined a single financial penalty
in respect of both forms of misconduct, calculated on the basis outlined below.
Step 1: disgorgement
3.
Pursuant to DEPP 6.5B.1G, at Step 1 the Authority seeks to deprive an individual
of the financial benefit derived directly from the breach where it is practicable to
quantify this.
4.
There was no direct financial benefit derived from the breaches. The Step 1 figure
therefore was £0.
Step 2: the seriousness of the breach
5.
Pursuant to DEPP 6.5B.2G, at Step 2 the Authority determines a figure that reflects
the seriousness of the breach. That figure is based on a percentage of the
individual’s relevant income. The individual’s relevant income is the gross amount
of all benefits received by the individual from the employment in connection with
which the breach occurred, and for the period of the breach.
6.
The period of Mr Prodhan’s breach of Statement of Principle 6 and knowing concern
of SBUK’s breach of Principle 3 was from 7 June 2012 to 4 March 2014. Accordingly,
the Authority calculated Mr Prodhan’s relevant income between 7 June 2012 and 4
March 2014. The Authority considered Mr Prodhan’s relevant income for this period
to be £254,967.
7.
In deciding on the percentage of the relevant income that forms the basis of the
Step 2 figure, the Authority considers the seriousness of the breaches and chooses
a percentage between 0% and 40%. This range is divided into five fixed levels
which represent, on a sliding scale, the seriousness of the breaches; the more
serious the breach, the higher the level. For penalties imposed on individuals in
non-market abuse cases there are the following five levels:
Level 1 – 0%
Level 2 – 10%
Level 3 – 20%
Level 4 – 30%
Level 5 – 40%
8.
In assessing the seriousness level, the Authority takes into account various factors
which reflect the impact and nature of the breaches, and whether they were
committed deliberately or recklessly. DEPP 6.5B.2G(12) lists factors likely to be
considered ‘level 4 or 5 factors’. Of these, the Authority considered the following
factor to be relevant:
i. the breach created a significant risk that financial crime would be
facilitated, occasioned or otherwise occur.
9.
The following factors were also considered when assessing the seriousness of the
i. as the CEO and the senior manager responsible for AML systems and
controls at SBUK, Mr Prodhan had overall responsibility for SBUK’s
compliance with AML requirements;
ii. Mr Prodhan’s breaches resulted in systemic failures of the AML
systems and controls throughout SBUK; and
iii. robust AML controls are extremely important in preventing money
laundering and financial crime. Consequently, breaches of regulatory
requirements are extremely serious.
10.
Taking all of these factors into account, the Authority considered the seriousness
of the breach to be level 4 and so the Step 2 figure is 30% of £254,967.
11.
Step 2 was therefore £76,490.
Step 3: mitigating and aggravating factors
12.
Pursuant to DEPP 6.5B.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2, but not including any
amount to be disgorged as set out in Step 1, to take into account factors which
aggravate or mitigate the breach.
13.
The Authority did not consider that any other factors served to aggravate or to
mitigate the breach. Accordingly, the penalty remained unchanged at Step 3.
14.
Step 3 was therefore £76,490.
Step 4: adjustment for deterrence
15.
Pursuant to DEPP 6.5B.4G, if the Authority considers the figure arrived at after Step
3 is insufficient to deter the individual who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
16.
The Authority considered that the Step 3 figure of £76,490 represented a sufficient
deterrent to Mr Prodhan and others, and so did not increased the penalty at Step
4.
17.
Step 4 was therefore £76,490.
Serious financial hardship
18.
Pursuant to DEPP 6.5D.2G, the Authority will consider reducing the amount of a
penalty if an individual will suffer serious financial hardship as a result of having to
pay the entire penalty. Mr Prodhan did not claim serious financial hardship.
Therefore the penalty was not reduced.
Step 5: settlement discount
19.
Pursuant to DEPP 6.5B.5G, if the Authority and the individual on whom a penalty is
to be imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have been
payable will be reduced to reflect the stage at which the Authority and the individual
reached agreement. The settlement discount does not apply to the disgorgement
of any benefit calculated at Step 1.
20.
No settlement discount applied. Step 5 was therefore £76,490.
21.
The Authority therefore decided to impose a total financial penalty of £76,400
(rounded down to the nearest £100) on Mr Prodhan for breaching Statement of
Principle 6 and for being knowingly concerned in SBUK’s breach of Principle 3.
ANNEX D
1.
Mr Prodhan’s representations (in italics), and the Authority’s conclusions in respect
of them, are set out below.
Personal culpability
2.
As set out in DEPP 6.2.6B, personal culpability occurs where a person’s behaviour
was below the standard which would be reasonable in all the circumstances at the
time of the conduct concerned. All the circumstances include the personal
circumstances of the person; hence it is appropriate to bring a subjective element
into the objective assessment. Therefore the fact that Mr Prodhan had no
experience of the UK regulatory environment when he took up his position at SBUK
has to be taken into account; all the more so because these factors were known to
the Authority when Mr Prodhan was authorised to exercise a senior management
position at a bank that had had serious regulatory issues in the past.
3.
The Authority accepts that the ways of meeting the reasonable standard mentioned
in DEPP can vary, depending on the circumstances. However, Mr Prodhan’s
inexperience in the UK regulatory environment is not an excuse for his failure to
exercise due skill, care and diligence in carrying out his duties. If Mr Prodhan had
been unsure that he could carry out his duties to a satisfactory standard due to his
lack of knowledge of the UK regulatory requirements, he should either have
declined to take up the position or have made sure that he received adequate
training, advice and continuing support in the areas where he lacked experience.
Principal responsibility of Mr Prodhan concerning AML systems and controls
4.
Mr Prodhan’s sole responsibility with regard to AML systems and controls was
oversight. Day-to-day operation of these systems and controls was delegated to
the MLRO. Mr Prodhan’s job was to oversee the MLRO’s activity and consider any
issues raised by him. Paragraph 150 of the Upper Tribunal’s decision in John
Pottage v FSA describes the nature of the obligations of a CEO very well: “[…] A
CEO is not required to design, create or implement controls personally: his is a role
of oversight. There is not an obligation on the CEO to do the job of an appropriately
appointed delegate of his of hers. […]” This means that Mr Prodhan was not
responsible for the overall running of the AML systems and controls in the wider
sense, contrary to the Authority’s contention.
5.
The Pottage case cited by Mr Prodhan relates to a breach of Statement of Principle
7 rather than that of Statement of Principle 6, as is the case here. It also looks at
different criteria and arrives at conclusions which cannot necessarily be applied in
this case. Mr Prodhan was the person with overall responsibility for the AML systems
and controls as a whole; it was thus essential for Mr Prodhan to understand the
functioning of these systems and controls and to be able to oversee them in an
effective manner. Mr Prodhan’s role was to take reasonable steps to ensure the
proper functioning of the AML systems and controls at the highest level by providing
proper oversight, which was a vital part of making the AML systems and controls
effective. He failed to do so.
Mr Prodhan’s conduct was reasonable in all the circumstances
6.
When Mr Prodhan took up his position in SBUK he received assurances from the
outgoing CEO, the then recently appointed MLRO and other members of the board
that previous AML issues had been resolved. He continued to receive assurances
from the MLRO throughout the Relevant Period that AML systems and controls were
in order and functioning properly. The MLRO was responsible for the day-to-day
running of these systems and controls and for ensuring compliance with the
relevant regulations, and also had responsibility for escalating any issues to Mr
Prodhan. The MLRO failed to discharge these responsibilities adequately, as
evidenced by the final notice given to him by the Authority. Mr Prodhan had no way
of recognising that the MLRO, appointed prior to his arrival specifically to carry out
the remediation exercise following the 2010 Visit and trusted by the board, was not
competent. Mr Prodhan was very engaged in AML issues and regarded them as a
priority. He was easily approachable, he had an “open door” policy and the MLRO
(as well as others) had every chance to raise issues with him.
7.
In order effectively to oversee the work of the MLRO and more widely the
functioning of SBUK’s AML systems and controls, Mr Prodhan would have needed a
general understanding of these systems and controls, as well as any areas of
particular concern. These responsibilities were clearly set out in Mr Prodhan’s job
description, and he was aware of them. Accepting the assurances without challenge
and relying on them so as to satisfy himself of the adequacy of the AML systems
and controls rendered Mr Prodhan’s oversight ineffective. Mr Prodhan should have
satisfied himself that the assurances given to him were correct, but he failed to
make any attempt to do so.
There were no red flags to alert Mr Prodhan
8.
Mr Prodhan received no information that could have put him on notice that there
were deficiencies in the AML systems and controls. Accordingly, the feedback
received after the 2014 Visit came as a shock to Mr Prodhan. The Internal Auditors’
reports must not be viewed in isolation, as they were only one of many pieces of
management information circulated to senior management. Other management
information, which (unlike the Internal Auditors’ reports) were AML-specific, did not
indicate problems. No member of management was challenging or criticising the
MLRO. The non-executive directors, who were experienced UK professionals, did
not alert Mr Prodhan to the AML issues or the lack of competence of the MLRO.
When the MLRO asked for additional resources, it was approved by senior
management straightaway. It was the MLRO who failed to write the job description
in a timely manner, which delayed the recruitment exercise.
9.
Mr Prodhan was not required to be an expert in all areas of AML. However, he was
required to identify and deal with risks, just as in his other areas of responsibility.
There were areas that should have been monitored and acted upon by Mr Prodhan,
even without them being specifically raised by the MLRO or anyone else, such as
the culture with respect to compliance among staff and the adequate resourcing of
the MLRO function. The Internal Auditors’ reports, the lack of SARs and the
insufficient oversight of branches were all indications which should have alerted Mr
Prodhan to these risks, or at least caused him to make further inquiry. The fact that
AML was not a consideration in the strategic planning, when the MSBs were on-
boarded, also shows that Mr Prodhan failed to allocate adequate focus to regulatory
compliance and in particular to AML systems and controls. These deficiencies were
systemic, which shows that they went beyond the responsibilities of the MLRO and
were due to Mr Prodhan’s inadequate exercise of his oversight function.
Lack of evidence against Mr Prodhan
10.
Most of the Authority’s allegations are substantiated by testimony given in
interviews by the MLRO and the non-executive directors of SBUK, one of whom
volunteered for the interview. Mr Prodhan was placed under investigation after this
voluntary interview, which shows that the interviewed person had an interest in
being first to present his narrative of the events. These testimonies cannot be
regarded as sound evidence because they were self-serving as the persons giving
them were trying to reduce their own liability at the expense of Mr Prodhan. In
addition the senior executives with a European background were biased against Mr
Prodhan for cultural reasons and because Mr Prodhan was not supportive of the
initiatives which they personally supported.
11.
None of the interviews conducted with the senior executives were voluntary.
Nevertheless, the Authority accepts that the risk of the senior executives being
partial exists with regard to some of the testimony given in these interviews.
However, having considered all the evidence with due regard to that risk, overall
the Authority considers that there is sufficient contemporaneous evidence to
support the findings it has made against Mr Prodhan.
Limitation
12.
It is important to stress that limitation is not invoked as a shield that is used against
the allegations, because Mr Prodhan disputes liability on substantive grounds.
However, it remains a fact that the proceedings brought against Mr Prodhan under
section 66 of the Act are time-barred.
13.
As set out in section 66(4), as in effect at the time of the Relevant Period, the
Authority was required to issue the Warning Notice within three years from the date
when it knew of the misconduct or had information from which the misconduct
could reasonably have been inferred.
14.
The breach alleged against Mr Prodhan is a single continuing course of misconduct
evidenced from different perspectives. Therefore, if the Authority knew of some of
the alleged failings or had information from which some of those failings could
reasonably be inferred more than three years prior to the date of issue of the
Warning Notice, the Authority is prevented from imposing any sanctions under
section 66 of the Act.
15.
From the correspondence relating to the 2014 Visit, including attendance notes of
interviews, internal memos and the Authority’s findings letter, it is clear that the
Authority had knowledge of Mr Prodhan’s alleged misconduct by, at the latest, 28
February 2014, i.e. significantly earlier than the cut-off date of 26 April 2014.
16.
The Authority clearly failed to progress the investigation within a reasonable time;
there have been unexplained and inordinate delays throughout the process. It is
specifically this sort of unreasonable delay that section 66(4) of the Act is designed
to prevent and therefore it should be strictly applied.
17.
The Authority notes Mr Prodhan’s views on the rationale behind section 66(4) of
the Act and confirms that the provision was strictly applied in this case. The
Authority accepts that it had some information relevant to Mr Prodhan’s conduct by
the cut-off date of 26 April 2014. However, possessing some information, even
information sufficient to justify the appointment of investigators, is not enough to
satisfy the test set out in section 66(4) of the Act. The reasonableness of the
inference for the purposes of demonstrating the Authority’s knowledge is not to be
considered in light of information acquired subsequently.
18.
The Upper Tribunal in its decision in Andrew Jeffery v FCA stated: “It is not sufficient
that the Authority has information in its hands that would give rise to a mere
suspicion. Nor is it enough that the information might suggest that there was
misconduct, but that the person in question has not been identified as the
apparently guilty party. The Authority must either know or be treated, by
reasonable inference, as knowing of the misconduct by a particular person. […] A
mere allegation or assertion unsupported by evidence would be unlikely to be
regarded as sufficient to amount to knowledge of misconduct or as information
from which it would be reasonable for the Authority to have inferred misconduct,
although it might be expected to give rise to further enquiry.”
19.
The information the Authority possessed before the cut-off date was not sufficient
for the Authority to know of the particular misconduct by Mr Prodhan, nor was it
sufficient such that the Authority could reasonably have inferred that misconduct.
The information gathered during the investigation subsequent to the cut-off date
was necessary for such inference reasonably to be drawn. Hence, the Authority is
not precluded by virtue of section 66(4) of the Act to take action against Mr Prodhan
under section 66.
Seriousness of the breach
20.
The Authority accepts that Mr Prodhan’s breach was not committed deliberately or
recklessly. Further it was the MLRO who was directly responsible for the day-to-
day running of the AML systems and controls, and for SBUK’s compliance with the
relevant regulations. If Mr Prodhan committed a breach, which is contested, it was
one that related to his oversight of the MLRO and this in turn has to be viewed in
light of the Authority’s findings that the MLRO failed to adequately inform
management of the AML issues. It follows that Mr Prodhan’s breach is much less
serious than that of the MLRO. The appropriate level of seriousness is level 2 or (at
a maximum) level 3, instead of level 4.
21.
Mr Prodhan’s breach, even though not deliberate or reckless, created a serious and
ongoing risk of financial crime being facilitated, as it resulted in the systemic failure
of the AML systems and controls. Mr Prodhan’s responsibilities were qualitatively
different from those of the MLRO and included responsibilities beyond oversight of
the MLRO function, and thus the MLRO’s failings do not diminish the seriousness of
those of Mr Prodhan.
Proportionality of the penalty
22.
The amount of the penalty must be proportionate. The penalty should reflect the
misconduct and should be in line with similar cases and in particular that of the
MLRO. The MLRO’s penalty before settlement discount was £25,000; that is directly
relevant to the penalty of the person who was responsible for his oversight. In other
oversight failings cases the penalty was also relatively low. In addition, considering
the present financial and employment circumstances of Mr Prodhan, the penalty
should not be such as would place him and his family in a precarious financial
situation, as that would disproportionate.
23.
Mr Prodhan’s financial penalty was reached applying the guidance set out in section
6.5B of DEPP. The Authority has carefully considered all the circumstances of the
case when fixing the amount. The Authority considers that, given the seriousness
of Mr Prodhan’s misconduct, the amount of penalty is not disproportionate. It is
also noted that Mr Prodhan has not claimed that as a result of the penalty he would
suffer serious financial hardship; hence the Authority does not consider it
appropriate to reduce the amount of penalty based on the amount of assets and
earnings of Mr Prodhan.