The Netherland’s largest financial institution will pay Dutch authorities 775 million euros, or $900 million, in a historic settlement for broad failures in its financial crime compliance controls that allowed illicit groups to launder an estimated hundreds of millions of dollars for years.
ING Groep admitted Tuesday to “serious shortcomings” in its anti-money laundering (AML) programs that allowed criminals to launder money “for years,” according to bank statements and government documents. In the settlement agreement with the Dutch Public Prosecution Service, ING has agreed to pay a fine of €675 million and €100 million for disgorgement.
“As a bank we have the obligation to ensure that our operations meet the highest standards, especially where it comes to preventing criminals from misusing the financial system,” ING Chief Executive Officer Ralph Hamers said in a statement. “Not meeting those standards is unacceptable and ING takes full responsibility.”
The bank violated laws created to stop terror groups and illicit financiers “structurally” by failing to adequately investigate aberrant transactions highlighted by monitoring systems and by giving short-shrift to source of funds and beneficial ownership obligations chiefly through poor customer due diligence (CDD) policies between 2010 and 2016, according to the actions.
The bank listed a bevy of “broader shortcomings” of the AML compliance program, which it is pledging to correct, including:
· Fumbling files: CDD files missing or being incomplete.
· Risk ranking: Assignment of incorrect risk classifications.
· Out of order: Failure to have the periodic CDD review process in order.
· Timely exit: Failure to exit business relationships in a timely manner.
· Transaction tracking: Insufficient functioning of the post-transaction monitoring system.
· Segmentation frustration: Classifying clients in the wrong segments.
· Data doldrums: Insufficient availability of qualitative and quantitative human resources.
The penalty is not the bank’s first rodeo with authorities for AML and sanctions foibles, though ING added that it doesn’t expect the U.S. Securities Exchange Commission, the country’s top trading cop, to follow on with additional penalties.
In 2012, ING paid $619 million to U.S. authorities for moving billions of dollars through the American financial system for blacklisted Iranian and Cuban clients.
FINCRIME CORNER: KEY COMPLIANCE TAKEAWAYS FROM THE ING PENALTY
The record penalty against ING by Dutch authorities will reverberate through the Netherlands and beyond the European Union as it’s clearly an attempt by a non-U.S. regulator to levy a statement-making figure that shocks other institutions into line to take AML seriously. Here are some critical compliance takeaways from the fine to ensure your institution is safe:
- Follow the leader: For nearly a decade, the U.S. has levied the largest AML and sanctions penalties in the world, hitting at point $9 billion. During that time, many EU countries rarely hit penalties in the millions. Now that Dutch authorities have soared into the hundreds of millions of dollars, look for other jurisdictions to follow.
- Compliance competition: In a similar vein as above, when the U.S. hits a foreign bank, say in Europe or the United Kingdom, with a massive penalty, and the home country regulator doesn’t follow suit, or hands down one a fraction of the size, it can give the perception one jurisdiction is more committed and effective when it comes to countrywide compliance – something global watchdog groups will frown upon.
- What else is wrong?: It’s no surprise that an AML penalty for ING followed a corruption penalty – and one that was investigated by U.S. and Dutch authorities. The connection? When a regulator finds a risk management control weakness in one area, sometimes referred to in the U.S. as a “safety and soundness” issue, it’s an easy logical leap for examiners to want to check other financial crime controls, in this case reviewing the full AML program and finding systemic gaps.
- Not it: You might be wondering why Dutch investigators and regulators would feel pressure to show that their country has strong AML rules that are backed up by authoritative, effective and, hopefully, dissuasive enforcement. A likely reason: Many countries, including the United Kingdom, Germany, Malta, Canada and others have received national and international criticism for being weak on banks with lax AML programs or, worse, being a choice destination for criminal groups and corrupt oligarchs to launder money. As well, just two years ago, the Panama Papers leak focused negative attention on the use of Dutch anonymous shell firms by an array of shifty groups.
- Cheat sheet: Other banks across the Netherlands and rest of the EU for that matter should look at the ING order as a roadmap for what not to do in terms of mistakes and areas of focus to strengthen. The various gaps identified by authorities followed many of the historic and emerging AML compliance patterns ballyhooed by U.S. regulators, including inaccurate risk ranking left to languish, monitoring system missteps and alert caps and a general lack of required expertise at the top and throughout the whole of the compliance function.
Pledging to improve
Dutch authorities have been intensively investigating the bank the last two years, noting the bank has been formally warned more than a decade ago, but has not yet improved compliance functions to their expectations.
Dutch prosecutors cited a bevy of specific failures, including moving corruption-tinged assets for a telecommunications firm in a high-risk region.
The bank countered that it has taken steps to bolster compliance domestically and internationally and had taken formal actions against nearly a dozen employees, including “holdbacks of variable remuneration and suspension of duties.”
Specifically, the bank has detailed a host of in-process and planned improvements for its AML program, including:
- An enhancement programme to ensure compliance with ‘know your customer’ (KYC) and ‘client activity monitoring’ requirements. This includes enhancing management of customer information and improving effectiveness of the control framework applicable to the FEC domain, especially with respect to client activity monitoring capabilities.
- Centralising and simplifying operational KYC activities into one ‘KYC Centre’ across divisions, introducing standard processes and tooling, allowing ING Netherlands to manage these activities more effectively.
- Set-up Client Risk Committees across business units, deciding on client on-boarding and exit escalations to ensure KYC risk mitigation.
- An engagement program to strengthen the internal compliance culture and awareness by better enabling employees to act in both the letter and the spirit of the law, empowered by their organization and supported (and enforced) by compliance departments.
- Active involvement in and contribution to a taskforce where Dutch authorities that have supervisory, control, prosecution or investigation tasks cooperate with financial sector actors to strengthen the integrity of the sector. It does this by taking preventive action to identify and combat threats to this integrity. ING also joined forces with Dutch authorities and the Dutch Banking Association (NVB) to harmonize efforts and knowledge in the fight against financial crime and actively participates in various taskforces and project teams in this field.
The bank also dropped relationships with thousands of clients it later found to be too risky or potentially engaged in illicit activities.
ING Netherlands “has taken various steps to enhance its compliance risk management and will further strengthen its compliance culture and awareness,” according to the bank, in a statement.
“ING is committed to conducting its business with integrity, which includes compliance with applicable laws, regulations and standards in each of the markets and jurisdictions in which it operates.”
Choosing business over compliance
The Dutch prosecutor’s documents also detail that that CDD failures were not limited to a specific client set.
“The shortcomings in the CDD files were not found to only occur within a specific client segment, but occurred in all segments at ING NL,” according to investigators, adding that these segments also included high-risk clients, possibly including politically-exposed persons (PEPs).
Moreover, compounding the problem is that these problems were allowed to fester.
“In a number of cases, ING NL did not carry out an extensive CDD review until years after the client acceptance had taken place, after which it was decided to cut ties with a client who, for example, turned out to pose an unacceptable risk to ING NL.”
The bank chose boosting business over conquering compliance.
“What played a role here was that ING NL wanted to offer its clients an attractive acceptance process that did not take sufficient account of the risks of doing business with undesirable clients,” according to investigators.
Because of that philosophy, the bank also rarely went back over a pre-set time period to double check if the ownership details had changed or original risk ranking was accurate – or even done at all.
The bank also missed chances related to customer-based events, or “signals,” to review and refresh risk rankings, including investigative authorities requesting information about the account or that the client was a frequent generator of aberrant alerts from the transaction monitoring system – all classic red flags that could require a deeper due diligence dive or even filing of a suspicious activity report (SAR).
But even when the bank engaged in the adequate depth of due diligence and properly risk attuned a client with the transaction monitoring system, that didn’t ensure accurate risk coverage for financial crime foibles.
Toil and (transaction) troubles
Investigators detailed several stumbles related to the transaction monitoring system – considered the brain of an AML compliance process – that hamstrung the program. The shortcomings identified by government investigators included:
- The monitoring system settings, as a result of which many accounts were only monitored to a limited extent;
- The monitoring system settings which, for certain categories of money laundering signals, limited the system to a predetermined (in some cases very limited) daily number of alerts;
- The fact that, under the aforementioned settings, only percentage deviations in respect of the account history were taken into account in the selection and sorting of accounts for further investigation and not the absolute size of the transactions;
- Monitoring took place at account level and not at client level;
- Incomplete input of relevant data into the monitoring system for proper (and risk-based) monitoring;
- Insufficient (qualitative and quantitative) personnel capacity for handling alerts.
As in the case of many high-profile U.S. AML penalties, the way ING tried to get around a lack of analyst resources was to “cap” alerts.
The transaction monitoring alert settings were “calibrated in such a way that many accounts were only monitored to a limited extent,” according to documents. “When monitoring transactions, ING NL’s method of limiting alerts was called ‘capping’ or ‘topping.’”
The system was “set up in such a way that each day, for certain categories of money laundering signals, after a predetermined maximum number of alerts (potential money laundering signals), the system stopped monitoring these categories of money laundering signals,” according to investigators.
The maximum number of alerts was “limited to only three per day for several relevant categories of money laundering signals.”
The scenarios for the monitoring system also had problems. The documents laid out this example:
- Transaction 1: if transactions for EUR 100 normally take place in an account and there is subsequently a transaction for EUR 10,000, the relative deviation is 100x;
- Transaction 2: if the normal transaction behavior of the account is EUR 1,000,000 and there is subsequently a transaction for EUR 99,000,000, there is a relative deviation is 99x. This system ranks Transaction 1 higher on the list of unusual transactions.
The Dutch government investigation “justified the suspicion that there had been a large number of unusual transactions that ING NL had not identified,” with the bank even referencing the rising tide of compliance complaints in an internal memorandum:
“For years we have only monitored the tip of the iceberg without taking samples of the remaining alerts, which could have given us an idea of the quality and effectiveness of our monitoring program and the risk views used in it, i.e. which could or should have led to adjustments to these risk views.”