Banks: Liability Risks in the Event of Breaches of Due Diligence (Update)

Compliance in theory and practice: The case presented in this article is real and took place as described.

If a bank breaches its duty of care, this can lead to financial losses and corresponding liability. But that's not all. A breach of due diligence can also lead to active money laundering and aiding and abetting fraud. Then the line to a criminal act is crossed. Compliance with due diligence obligations and acting in accordance with regulatory and legal requirements is therefore not optional, but a must.

Duty of Care

A duty of care serves to protect a good. A breach of that duty puts the protected good at risk. If this endangerment then leads to damage, it is either the bank's own damage or third-party damage. In the case of third-party damage, liability arises, and as a result the third-party damage can become the bank's own damage. If a third-party loss is accepted, whether explicitly or through implied conduct, this is considered contingent (conditional) intent.

Basic Duties of Care of a Bank

The Bank for International Settlements (BIS) pointed out over 20 years ago that a bank should not only establish the identity of its customers, but also monitor account movements. An important reason for this arises from the aim of protecting both the reputation of banks and the integrity of the banking system. In particular, the aim is to reduce the likelihood of banks becoming a tool or victim of financial crime. In both cases, there is a threat of substantial harm. Risks should therefore be minimized as far as possible.

Risks

In the BIS paper referred to above, the BIS points out that the primary risks are reputational, operational, legal and concentration risk, and notes that these risks are all interrelated. Each of them can result in significant financial costs for banks.

  • Reputational Risk
    Reputational risk is all about reputation. Negative publicity about a bank's business conduct and relationships, whether true or not, can have a damaging effect on confidence in a bank's integrity.
  • Operational Risk
    Operational risk is the risk of direct or indirect loss. It can arise “from the inadequacy or failure of internal processes, people and systems, or from external events.” In the context of customer identification, operational risk typically takes the form of weaknesses in the implementation of the bank's programs, ineffective control procedures, and a lack of due diligence.
  • Legal Risk
    “Legal risk is the possibility that lawsuits, judgments against the bank, or contracts that prove unenforceable could adversely affect the bank’s business or condition. A bank may be sued if it fails to comply with mandatory customer identification or due diligence requirements. For example, a bank may be fined, held criminally liable or have special sanctions imposed on it by the regulatory authority.”

Risk Mitigation Systems and Processes

The requirements and specifications for banks are extensive. Systems and processes are used to meet these requirements.

  • Before an account is opened, the customer's identity must be established and verified. This includes addresses (physical and digital), phone number and expected account activity.
  • Banks must ensure that they have appropriate systems and controls in place to combat money laundering and terrorist financing.
  • During ongoing customer due diligence (CDD), they must identify any clear inconsistencies that may call into question the accuracy or adequacy of the information provided. In such a case, the bank must review in detail and supplement the information available to it on the customer in question.
  • When processing transactions, they must take into account the purpose and expected activity of the accounts as recorded in the CDD.
  • Identify, prevent or report transactions that, based on the information and documentation provided, do not make sense given the nature of the account and raise clear red flags of suspected money laundering or financial crime.

Theory and Practice

In theory, all banks are capable of meeting the requirements. The primary information available to them is the sender's name, bank and account number, the recipient's name, bank and account number, the recipient's KYC and account information and, upon request, the sender's CDD results, and the amount of the transfer. In certain countries, the purpose code (reason for payment) is also available. The threshold for transaction-based mandatory customer verification (CDD) varies from country to country.

Example from practice

The example is a case in the United Arab Emirates. Reputable local banks were involved – including Dubai Islamic Bank, Abu Dhabi Islamic Bank, Emirates NBD Bank and National Bank of Ras Al-Khaimah (Rakbank).

All these banks are members of the UAE Banks Federation and should follow its code of conduct. All these banks set up accounts for a large international criminal organization specializing in investment fraud and accepted funds for it in the United States. They then transferred these funds from their correspondent bank account in the US to the recipient's account in the United Arab Emirates. The on-site investigations revealed that the recipients were local front companies that did not have a license to conduct financial services.

The payments were declared as financial services transactions using the corresponding purpose code. The payment flows to these accounts were in US dollars and went through correspondent banks in the US. SWIFT was used for the payments. Account management and payment processing turned the local banks into tools of the criminal organization. However, the local banks were not merely a tool; they actively colluded, fully aware of what they were doing.

Country-specific parameters

The United Arab Emirates has a country-specific rule that the reason for payment (purpose code) must be specified when payments are made via SWIFT. In addition, for amounts of AED 55,000 or more (equivalent to around USD 15,000), there is an obligation to carry out transaction-oriented customer due diligence. This means that, in addition to the customer information, the name of the sender, the sender's account, the name of the recipient, the recipient's account, the amount and the reason for payment are available as sources of information.

Based on this information, it is relatively easy to check whether the recipient is allowed to receive payments with the stated payment purpose.

Automating the screening process

With the exception of KYC, this type of screening can be automated relatively easily. No AI is required for this; a simple rule-based system is perfectly adequate. The prerequisite is knowledge of the necessary parameters. These are available on the one hand through the customer- and account-specific KYC and AML and on the other hand through the current and historical transaction data.

Such a rule-based process can be implemented with the existing infrastructure. In the United Arab Emirates, there is no lack of education or intelligence to accomplish this. The banks have the necessary resources, the amount of which is, furthermore, quite reasonable. Automation of this kind makes sense for both business and risk and compliance reasons.

SWIFT

US correspondent banks come into play for transfers in US dollars that take place via SWIFT from a European country to the United Arab Emirates. The transaction passes from the sender bank via one or two correspondent banks to the recipient's account. It is the recipient bank that transfers the money from its account at its correspondent bank in the US to the account of the recipient in the Arab emirate.

Only the recipient bank knows both the purpose code and the customer. Therefore, it is also the recipient bank that has the necessary compliance information and can decide whether the transfer is permissible. If it is not, the receiving bank is not actually allowed to accept the funds. If it does so anyway, it is not allowed to transfer the funds from its correspondent account to its customer and credit the funds to the customer's account. Instead, it would have to return the funds to the sending bank for the benefit of the sender.

Transaction-oriented customer due diligence

From an amount of AED 55,000, the recipient bank in the United Arab Emirates must conduct a customer due diligence (CDD) and verify whether the payment and the customer match. The purpose code is additional information and support in this process. This makes it very easy to determine whether a corporate customer is even allowed to conduct financial transactions and receive funds for them. If the customer does not have the appropriate license, then they are not allowed to do so. And if they are not allowed to do so, the bank must not accept the payment or credit it to the unauthorized customer. The compliance report must be negative.
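The rule-based screen sketched under "Automating the screening process", combined with the threshold and licence rules of this section, as an added example that is not code from the article or from any of the banks named. It assumes a constructed purpose code "FIS" for financial services (not the official UAE list), a fixed USD/AED rate for converting the example amount, and invented customer records.

```python
from dataclasses import dataclass, field

CDD_THRESHOLD_AED = 55_000          # UAE transaction-level CDD threshold named in the article
USD_TO_AED = 3.6725                 # assumption: the dirham's fixed USD peg, for the example only
FINANCIAL_SERVICES_CODES = {"FIS"}  # constructed placeholder purpose code, not the official list

@dataclass
class Customer:                     # what the account-level KYC/AML file should hold
    name: str
    licensed_for_financial_services: bool
    reachable_at_domicile: bool     # company found at the stated address
    reachable_by_phone: bool        # answers at the stated company number

@dataclass
class Transfer:                     # fields the recipient bank sees on an inbound SWIFT payment
    sender_name: str
    sender_account: str
    recipient_account: str
    amount: float
    currency: str                   # "USD" or "AED"
    purpose_code: str

@dataclass
class Result:
    decision: str                   # "accept", "return_to_sender" or "block_and_report"
    cdd_required: bool
    reasons: list[str] = field(default_factory=list)

def screen_transfer(t: Transfer, kyc: dict[str, Customer]) -> Result:
    """Rule-based screen of one inbound payment against the KYC file and the purpose code."""
    aed = t.amount * USD_TO_AED if t.currency == "USD" else t.amount
    cdd = aed >= CDD_THRESHOLD_AED
    reasons = [f"{aed:,.0f} AED reaches the CDD threshold"] if cdd else []
    cust = kyc.get(t.recipient_account)
    if cust is None:
        return Result("return_to_sender", cdd, reasons + ["recipient account has no KYC record"])
    # A customer that cannot be found or reached is a KYC inconsistency: block, report, review.
    if not (cust.reachable_at_domicile and cust.reachable_by_phone):
        return Result("block_and_report", cdd, reasons + ["customer unreachable at stated domicile/phone"])
    # The purpose code is on every SWIFT payment into the UAE, so the licence check applies to all of them.
    if t.purpose_code in FINANCIAL_SERVICES_CODES and not cust.licensed_for_financial_services:
        return Result("return_to_sender", cdd, reasons + ["financial-services purpose code, recipient unlicensed"])
    return Result("accept", cdd, reasons)

# Constructed sample data: one licensed recipient and one unlicensed front-company style recipient.
KYC = {
    "AE-001": Customer("Licensed Advisors LLC", True, True, True),
    "AE-002": Customer("Shell Trading FZE", False, True, True),
}
```

The decision values map onto the article's consequences: an unlicensed recipient of a financial-services payment gets the funds returned to the sender, while a customer that does not exist at the stated domicile is blocked and reported.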

Insufficient customer information

If the corporate customer does not exist at the domicile provided and cannot be reached by phone at the company number provided, this must be noticed at the latest during a customer due diligence. However, this should be noticed when the account is opened, when the KYC information is regularly checked and when the account is monitored as standard, including for money laundering.

The normal consequence would be to block the account and report it to the relevant authorities, followed by a detailed review of the account's payment transactions. If this confirms that unauthorized payments have been received, these payments must be reversed. At the very latest, this must be done when the sender requests a reversal through his bank.

Deliberate deception of the correspondent bank and the sender

If, nevertheless, a positive compliance report is issued implicitly or explicitly by the recipient bank to the correspondent bank and the sender, this is a pretence of false facts, a fraudulent misrepresentation.

There are two underlying facts: (1) a serious breach of due diligence due to a lack of review, or (2) misrepresentation contrary to the results of the review. The deceit is either in relation to the compliance check that was carried out or in relation to its result.

In both cases, the deceit is intentional. The recipient bank deceives both the correspondent bank and the sender. The correspondent bank is unwittingly used to facilitate fraud and money laundering. The recipient, the recipient bank's customer, benefits, and the sender of the transfer is deprived of his money. This results in the liability of the recipient bank to the sender.

Aiding and abetting fraud and money laundering

The UAE recipient banks had access to information about the customer, the account and the purpose code. It is obvious that the recipient accounts were used for both fraud and money laundering. The financial loss occurred when the recipient bank transferred the funds from the account at the US correspondent bank to the recipient's account. The recipient bank actively aided and abetted the fraud.

The money laundering also began with this transfer, as the currency was converted from USD to AED, and it must have been clear to the recipient bank that this money came from illegal activity. The receiving bank acted on its own initiative, because it alone had the power of disposition over its correspondent bank account and could make the transfer from that account in the United States to the receiving account in the United Arab Emirates.

The aiding and abetting of fraud and money laundering occurred through an account in the United States, which can bring the matter under American law and American jurisdiction. Subsequently, the bank tolerated and supported further money laundering by the criminal customer. If funds were laundered from the customer account back into US dollars, the corresponding transfer was again made via the American correspondent bank.

The recipient bank had access to the criminal customer's account, the transaction and its purpose code; this was more than enough under local regulatory requirements to detect the fraud and money laundering. Local laws and regulations were also violated. As a result, the bank can be prosecuted in both the US and the Arab emirate.

In the emirate, the local lawyers acted contrary to the interests and instructions of the client. Due to undeclared conflicts of interest, they blocked local action against the banks and any action that would have involved the banks.

Outbound account transaction information relating to the recipient is available both in the US, due to the recipient bank's account with the correspondent bank, and in the Arab emirate at the recipient bank. This information also helps to identify all transactions between the correspondent bank account and the beneficiary's account in the United Arab Emirates.

Money laundering in the United States should be avoided at all costs, both on principle and for cost reasons, because the fine is double the amount of the laundered money, and that applies to every route that leads through US accounts. Since the Americans know that they are missing out on a lot of fines due to a lack of the necessary information and evidence, the US Department of Justice (DOJ) recently launched a whistleblower program for money laundering. Similar programs already exist for “financial misconduct”.

Damage limitation

In such cases, the recipient banks have a clear self-interest, for reasons of risk and compliance, in finding an amicable solution with the injured parties and in reporting the incident to the financial supervisory authority. At the same time, the systems and processes should be reviewed to determine why this could happen. It often also turns out that such a criminal organization had enablers within the bank itself, on the one hand in account opening and on the other in compliance. The reputational risks are not only present for the banks concerned, but can quickly spread to the financial center and the country.

In this case, the banks involved were not even willing to reverse the transactions at the request of the sender bank. This indicates a severe lack of interest in damage limitation.
Update

This article was updated in March 2025 to expand on the example where necessary to clarify the facts and consequences.

As ISO 20022, a further payment standard that supports additional information such as purpose codes, has been widely accepted, MoneyToday.ch will publish an article in the coming months that deals with the topic of liability risk for banks due to the additional information transmitted in detail from a legal perspective and how to mitigate those risks.