Regulation & Compliance

Banks: Liability Risks in the Event of Breaches of Due Diligence

man in a suit turns up the risk regulator

Compliance in theory and practice: The case presented in this article is real and took place as described.

If a bank breaches its duty of care, this can lead to financial losses and corresponding liability. But that's not all. A breach of due diligence can also lead to active money laundering and aiding and abetting fraud. Then the line to a criminal act is crossed. Compliance with due diligence obligations and acting in accordance with regulatory and legal requirements is therefore not optional, but a must.

Duty of Care

A duty of care serves to protect a good. The breach of a duty of care leads to a risk to the good to be protected. If this endangerment then leads to damage, it is either own damage or third-party damage. In the case of third-party damage, liability arises. As a result, the third-party damage can become own damage. If a third-party loss is accepted with approval of consequences or even through implied conduct, this is considered contingent intent.

Basic Duties of Care of a Bank

The Bank for International Settlements (BIS) pointed out over 20 years ago that a bank should not only establish the identity of its customers, but also monitor account movements. An important reason for this arises from the aim of protecting both the reputation of banks and the integrity of the banking system. In particular, the aim is to reduce the likelihood of banks becoming a tool or victim of financial crime. In both cases, there is a threat of substantial harm. Risks should therefore be minimized as far as possible.

Risks

In the document linked above, the BIS points out that the primary risks are reputational, operational, legal and concentration, and notes that these risks are all interrelated. However, each of these risks can result in significant financial costs to banks.

  • Reputational Risk
    Reputational risk is all about reputation. Negative publicity about a bank's business conduct and relationships, whether true or not, can have a damaging effect on confidence in a bank's integrity.
  • Operational Risk
    Operational risk is the risk of direct or indirect loss. It can arise "from the inadequacy or failure of internal processes, people and systems, or from external events. In the context of customer identification, operational risk typically takes the form of weaknesses in the implementation of the bank's programs, ineffective control procedures, and a lack of due diligence.
  • Legal Risk
    "Legal risk is the possibility that lawsuits, judgments against the bank, or contracts that prove unenforceable could adversely affect the bank's business or condition. A bank may be sued if it fails to comply with mandatory customer identification or due diligence requirements. For example, a bank may be fined, held criminally liable or have special sanctions imposed on it by the regulatory authority.”

Risk Mitigation Systems and Processes

The requirements and specifications for banks are extensive. Systems and processes are used to meet these requirements.

  • Before an account is opened, the customer's identity must be established and verified. This includes addresses (physical and digital), phone number and expected account activity.
  • Banks must ensure that they have appropriate systems and controls in place to combat money laundering and terrorist financing.
  • During ongoing customer due diligence (CDD), they must identify any clear inconsistencies that may call into question the accuracy or adequacy of the information provided. In such a case, the bank must review in detail and supplement the information available to it on the customer in question.
  •  When processing transactions, they must take into account the purpose and expected activity of the accounts as recorded in the CDD.
  • Identify, prevent or report transactions that, based on the information and documentation provided, do not make sense given the nature of the account and raise clear red flags of suspected money laundering or financial crime.

Theory and Practice

In theory, all banks are capable of meeting the requirements. The primary information available to them is the sender's name, bank and account number, the recipient's name, bank and account number, the recipient's KYC and account information and, upon request, the sender's CDD results, and the amount of the transfer. In certain countries, the purpose code (reason for payment) is also available. The threshold for transaction-based mandatory customer verification (CDD) varies from country to country.

Case Study

A case in an Arab emirate serves as an example. Well-known local banks set up accounts for a large international criminal organization specializing in investment fraud. These accounts were held through local front companies that were not licensed to conduct financial transactions. Payments to these accounts were made in US dollars through correspondent banks in the US. SWIFT was used to make the payments.  This account management turned the local banks into a tool for the criminal organization. However, the local banks were not just tools, but actively participated against their better judgment.

Country specific Parameters

The United Arab Emirates has country-specific guidelines that require the purpose code to be specified when making a payment via SWIFT. In addition, transaction-based customer due diligence is required for amounts over AED 55,000 (approximately USD 15,000). This means that in addition to customer information, the sender's name, sender's account, receiver's name, receiver's account, amount and reason for payment are available as sources of information. The beneficiary's bank therefore knows the reason for payment.

SWIFT

US correspondent banks come into play when a US dollar transfer is made via SWIFT from a European country to an Arab emirate. The transaction goes from the sender's bank through one or two correspondent banks to the recipient's account. It is the recipient's bank that transfers the money from its account at the correspondent bank in the U.S. to the recipient's account in the Arab emirate.  Only the beneficiary bank knows both the purpose code and the customer. Therefore, it is the beneficiary bank that provides the correspondent bank with the necessary compliance information to determine whether the transfer is permissible.

Transactional Customer Due Diligence

Above AED 55,000, the receiving bank in the United Arab Emirates must perform customer due diligence (CDD) and verify that the payment is a match to the customer. The purpose code provides additional information and assistance. This makes it very easy to determine whether a corporate customer is authorized to conduct a transaction such as "buying and selling shares abroad" and to receive funds for it. If they do not have the appropriate license, they are not allowed to do so. And if he is not allowed to do so, the bank cannot accept or credit the payment. The compliance report must be negative.

Insufficient Customer Information

If the corporate customer does not exist at its stated domicile and cannot be reached by telephone at the stated company number, this must be discovered at the latest during a customer due diligence. However, this should already be noticed when the account is opened, when the KYC information is regularly checked and during the standard monitoring of the account, e.g. for money laundering. The normal consequence would be a report to the relevant authorities, the freezing of the account, followed by a detailed review of the account's payment transactions. If this confirms that unauthorized payments have been accepted, those payments must be returned.

Intentional Deception of the Correspondent Bank

If the beneficiary bank nevertheless submits a positive compliance report to the correspondent bank, this is a misrepresentation of false facts, a deception. There are two underlying facts: (1) serious breach of due diligence due to lack of verification, or (2) misrepresentation contrary to the results of the verification.  The misrepresentation is either with respect to the compliance check performed or with respect to its result. In both cases, the misrepresentation is intentional. The correspondent bank is deceived by the beneficiary bank. The recipient benefits and the sender of the transfer is harmed. This results in a liability risk for the beneficiary bank.

Aiding and Abetting Fraud and Money Laundering

The recipient bank had the customer, account, and purpose code information.  It is clear that the beneficiary's account was used for both fraud and money laundering. The financial loss occurred when the beneficiary bank transferred the funds from the U.S. correspondent's account to the beneficiary's account. The beneficiary bank actively aided and abetted the fraud.

The money laundering also began with that transfer. The beneficiary bank acted on its own initiative. Both transfers were made through an account in the U.S., which may give rise to U.S. law and jurisdiction. It then tolerated and supported further money laundering by the criminal customer. When funds were laundered back into US dollars from the customer's account, the transfer was again made through the US correspondent bank. Although the receiving bank only had access to the criminal customer's account, this was more than sufficient under local regulatory requirements to detect the fraud and money laundering. Local laws and regulations of the United Arab Emirates were also violated. As a result, the bank may be prosecuted in both the U.S. and the United Arab Emirates. Account information about the beneficiary is available both in the U.S., through the beneficiary bank's account at the correspondent bank, and in the U.A.E., at the beneficiary bank.

Money laundering in the U.S. should be avoided at all costs because the fine is double the amount of money laundered and this applies to any route that goes through U.S. accounts. Because Americans know that they are missing out on many fines due to a lack of information and evidence, the U.S. Department of Justice (DOJ) recently launched a money laundering whistleblower program. Similar programs already exist for financial misconduct.

Damage Limitation

In such cases, banks have an obvious self-interest in finding an amicable solution with the aggrieved parties and reporting the incident to the financial regulator. At the same time, systems and processes should be reviewed to determine how this could have happened. It often turns out that the criminal organization had help from within the bank itself. On the one hand when opening the account, on the other hand in compliance. The reputational risks are not only for the banks involved, but can quickly spread to the financial center and the country as a whole.