11th March 2021

AML/CFT Enforcement in Australia; Bank AML/CFT Fine in France; Crypto Risks in the US

Experts expect a new wave of AML/CFT from AUSTRAC in 2021, ING reacts to an AML/CFT fine from the French regulator, and Coinbase alerts the US authorities to potential sanctions breaches. 

We share our financial crime regulatory highlights from the week of March 8, 2021.

AUSTRAC To Keep Up AML/CFT Pressure

The financial crime risk lead in one of Australia’s major professional services firms has recently predicted another year of intense enforcement activity by Australia’s Financial Intelligence Unit (FIU), the Australian Transactions Report and Analysis Centre (AUSTRAC). 

As reported by the Australian media outlet Financial Review, Peter Forwood of PwC told an Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) conference that regulated firms in Australia should prepare themselves for a year of escalating higher fines. 

He informed his audience that punitive measures were now a central plank of AUSTRAC enforcement policy following a series of fines against major Australian banks over recent years. In 2017, AUSTRAC censured Commonwealth Bank for AML/CFT failures and settled the case for just over A$700 million in 2018. The following year it also identified compliance failings at Westpac, which led to a A$1.3 billion settlement in September 2020.   

Mr. Forwood said that recent history suggested an upward trend in the scale of fines and settlements in Australia. He told the conference that “the pattern tends to be increasing fines….to ensure there is appropriate shock value associated with enforcement, and those kinds of numbers certainly generate shock value.” 

According to the report, Mr. Forwood said that the agency’s actions were being driven by a need to keep pace with other jurisdictions on the implementation of the Financial Action Task Force’s (FATF) AML/CFT standards, especially around Client Due Diligence (CDD) and Know Your Customer (KYC) requirements. 

FATF conducted a critical Mutual Evaluation Report (MER) of Australian AML/CFT measures 2015, which was followed by a further critical assessment in the Australian Attorney General’s Review of AML/CFT legislation in 2016. Over the last five years, the Australian federal government has thus sought to strengthen its AML/CFT regulatory framework and enforcement mechanisms (see our Regulatory Highlights, November 16, 2020).

Despite the authorities’ more aggressive posture, however, Mr. Forwood argued that so far, obligated Australian Financial Institutions (FIs) had not yet faced up to CDD/KYC problems that had affected major international, US, and European banks over the last decade. Reviewing his client-side experience at PwC, he said that AML/CFT upgrade programs had been limited and episodic at best. “There is increasing recognition that will have to change,” he said, “KYC is a good example…[of]…where remediation is going to be required over the medium to longer-term in Australia.”

Although Mr. Forwood’s comments were primarily focused on banks, he was careful to note the potential implications for the full range of AML/CFT obligated sectors in Australia.  Crown Casino Resorts is reported to be under investigation by AUSTRAC for AML/CFT failings, as too is the Australian arm of the world’s leading payment platform provider, PayPal

For those operating across the financial sector in Australia, therefore, it seems likely that the fines of the last few years were not aberrations, and are likely to continue. But this should not just be taken as a signal by legacy institutions, but newer providers too, potentially in Fintech. With the prospect of more intense interest from regulators, it is likely that an investment in effective and efficient AML/CFT systems now will pay dividends – rather than generate costs – in the future. 

French Regulator and Dutch Bank Reach Settlement

The Dutch multinational FI, Internationale Nederlanden Groep (ING), has recently agreed to pay the French authorities a €3 million settlement for AML/CFT weaknesses in its French business, ING France. In a statement released on March 2, 2021, France’s prudential regulator, the Autorité de Contrôle Prudentiel et de Résolution (ACPR), said that the problems were identified during an inspection in 2018, and required extensive remedial work. 

The ACPR statement outlined ten ‘complaints’ against ING’s AML/CFT framework in France, including inadequate CDD/KYC, ineffective transaction monitoring systems, and “inoperative” financial crime risk assessments. The regulator concluded that the problems of ING France constituted “significant deficiencies” and revealed a bank with an “AML-CFT system…[that]…was generally failing.”

This recent French fine comes after a series of adverse stories about the bank’s record on AML/CFT. In September 2018, ING’s home bank reached a  €775 million settlement with the Dutch Public Prosecution Service for compliance violations related to CDD/KYC, and in February 2020, ING Italy was fined €30 million by Italian authorities for compliance failures. The bank’s name has also been linked to details emerging from last year’s ‘FinCEN Files’ scandal, the leak of Suspicious Activity Reports (SARs) from the US Financial Crimes Enforcement Network (FinCEN), the US FIU. According to the leaked SARs, ING’s services had unwittingly been used by Russian serious organized crime to launder illicit funds via Netherlands, Cyprus, Latvia, Ukraine, and Poland

ING France made its own statement in response to the recent settlement, accepting the ACPR’s findings and outlined the bank’s willingness to take “all the necessary corrective measures to strengthen its processes and management of compliance risks.” The bank highlighted its ‘Global KYC Enhancement Programme,’ which involves the update and enhancement of KYC files, structural reforms within financial crime compliance, and improved technology and governance. 

The bank further stated it was encouraging better training and education around financial crime risks across the bank. “The measures taken at ING in France are in line with ING’s efforts since 2017 to further enhance the management of compliance risks and embed stronger awareness across the whole organization,” it said. Nonetheless, the tone of the bank’s statement was cautious about current progress, with recognition of “satisfactory outcomes in some cases,” from its KYC program, but other instances that could “require appropriate remedial action by ING or other consequences.” 

Although not alluded to in the statement, ING has been one of the leading advocates in European banking for improved joint-working between banks against financial crime. The bank is amongst the consortium known as ‘Transaction Monitoring Netherlands’ (TMNL), seeking to create a shared monitoring utility in the country, and last November, ING Belgium joined several other Belgian banks in requesting changes to Belgian law to allow more financial crime-related information sharing across the private sector. 

Collaborative initiatives across the obligated sector are likely to be a significant part of the future for an improved AML/CFT framework, and the involvement and support of major FIs are important. Working together is a major help in fighting against the complex and fluid reality of financial crime. However, the current experience of ING also drives home the need for FIs to get the basics of CDD/KYC, monitoring, and reporting right as well. As the ACPR finding indicates, even benign neglect can have major financial and reputational consequences for firms.    

US Crypto Giant Reports Sanctions Issues

Coinbase Global Inc., one of the largest cryptocurrency exchanges in the US, has recently reported that its services might have been used by individuals and businesses subject to US sanctions. It said it had reported these potential violations to the Department of Treasury’s (DoT) sanctions administration, the Office of Foreign Assets Control (OFAC), and had responded to further subpoenas from the agency. 

The statement appeared in the firm’s recent prospectus, filed with the Securities and Exchange Commission (SEC), the US federal stock market regulator, as part of the firm’s application to go public. According to the document, the company has not faced financial penalties or other enforcement actions related to the disclosures or subpoenas, but it does not provide further details about the potential infringements. Both Coinbase and the DoT refused to make any comment when questioned about the case by The Wall Street Journal, and the DoT further noted it would neither confirm nor deny whether an investigation existed.

The firm’s prospectus did state that mitigating measures were in place for handling sanctions risks, noting that the company’s compliance framework included the monitoring of Internet Protocol (IP) addresses in prohibited jurisdictions, as well as blockchain accounts that had been designated by OFAC or where there were reasonable suspicions of links to a designated person or entity. 

The company also said it had recently added additional screening and monitoring measures, and believed it had “a reasonable risk-based program in place.” However, it struck a note of caution too, arguing that the nature of blockchain technology and the services that Coinbase provided made it “technically infeasible” to prevent all transactions with designated entities and individuals.  

The announcement from Coinbase came in the wake of a higher tempo of crypto-linked activity by OFAC in the last few months. In February, BitPay, a Georgia-based cryptocurrency payments platform, agreed to pay just over $500,000 in settlement for sanctions violating transactions worth approximately $129,000. According to OFAC, the 2000+ transactions involved counter-parties in Crimea, Cuba, North Korea, Iran, Sudan, and Syria, the IP addresses of which were available to the firm. At the end of 2020, OFAC announced a settlement of $94,000 with another cryptocurrency services provider, BitGo, for similar failures. 

In both cases, OFAC noted that the fines could have been considerably more severe – the basic civil monetary penalty is $2.2 million – but that the cooperation of the firms and their willingness to take remedial actions on CDD/KYC and services provisions had been taken into account. Nonetheless, OFAC made it clear that the relatively lenient settlements did not indicate a ‘soft line’ with regard to crypto-linked sanctions violations. In its statement on the BitPay settlement, the agency emphasized that “OFAC obligations apply to all U.S. persons, including those involved in providing digital currency services.”

All three of these cases – Coinbase, BitPay, and BitGo – have demonstrated how important it is for cryptocurrency service providers to take a responsible approach to work with government agencies when potential sanctions violations occur. However, what they further suggest is that the risks of inattention on CDD/KYC can be financially significant. Although some crypto service providers might see investment in up-to-date compliance platforms as an unnecessary burden, these recent cases suggest the value of taking a proactive approach to the financial crime before violations happen.