Bank of Scotland plc

1. On 12 January 2004 the FSA imposed a financial penalty of £1,250,000 on The Governor and Company of the Bank of Scotland (BoS) for breaches of Rules 7.3.2 and 2.1.1 of the FSA's Money Laundering Sourcebook (ML). 2. REASONS FOR THE ACTION Summary 2.1. In early 2002 the FSA conducted a review of anti-money laundering controls at major UK domestic retail firms, including HBOS plc (HBOS). Following the release of the findings of the review in August 2002, the FSA invited all major UK banks to conduct self-assessments of their anti-money laundering controls against those findings. 2.2. On 27 December 2002, BoS reported to the FSA the results of its testing of its ability to retrieve and confirm the adequacy of its customer identification verification records. This testing was also part of BoS's own planned testing of its anti-money laundering controls. The results showed evidence of unacceptably high levels of non-compliance with BoS's record keeping procedures across BoS's Retail, Corporate and Business Divisions, although the problems did not appear in other BoS Divisions. As a result on 14 March 2003 the FSA appointed investigators under section 168 of FSMA. 2.3. The investigation confirmed that BoS was unable to locate and retrieve customer identification records in relation to a significant proportion of accounts across its Retail, Corporate and Business Divisions. 2.4. As a result of the investigation, the FSA has concluded that BoS has contravened Rules 7.3.2 and 2.1.1 of ML. 2.5. In so doing BoS has demonstrated failings that demand a substantial financial penalty. These failings are viewed by the FSA as particularly serious in light of the following factors: (1) The very high failure rate - 55% - that occurred across three of BoS's main business divisions. (2) The widespread nature of the breaches - the absence of effective systems and controls in respect of its record keeping policies and procedures, highlighted by the inability of BoS to determine conclusively the areas in which the breakdowns in record keeping procedures occurred. (3) As a consequence of the widespread failures in its record keeping policies and procedures, BoS was unable adequately to monitor the effectiveness of the customer identification aspect of its anti-money laundering policies and procedures. (4) The widespread nature of the breaches and the high levels of non-compliance in the accounts sampled, together with BoS' size in the retail market in which it operates, meant that there was a serious risk that BoS would not have been able to satisfy any enquiries or court orders from the appropriate authorities seeking disclosure of customer identification evidence. (5) The failings occurred against a background where statutory requirements for firms to have in place anti-money laundering procedures, including procedures to keep records of customer identification documents, had been in place for over eight years and where, in anticipation of the FSA's new powers to make Rules relating to the prevention of money laundering with effect from 1 December 2001, there had been a greatly increased emphasis on preventing the use of the financial system for financial crime. 2.6. The FSA recognises the prompt and effective remedial action undertaken by BoS, the degree of co-operation demonstrated by BoS in relation to the FSA's investigation and BoS's efforts to resolve this matter expeditiously. These factors have resulted in the size of the financial penalty imposed being lower than it otherwise would have been. Facts and Matters Relied On Bank of Scotland's Actions 2.7. BoS is an authorised deposit taking institution undertaking both retail and corporate banking along with a wide range of other permitted activities. It is a wholly owned subsidiary of HBOS. The 2000 Audit 2.8. In September 2000 BoS Group Internal Audit (GIA) found that while know your customer requirements were generally being followed, BoS's record keeping needed to be improved. GIA found that business units were unclear as to what records should be sent for imaging at the Document Reception Centre (DRC), the prime repository of documents used to verify customer identity. 2.9. Following the audit a number of recommendations were made to address the issues, including that completed identification evidence checklists be forwarded with account applications to the DRC, which would monitor their completion. However, the DRC was neither involved in the formulation of the recommendations nor aware of their existence and as a result was not involved in any monitoring of the completed identification verification checklists. The 2002 Review 2.10. In October 2002, BoS's Group Regulatory Risk Department (GRR) undertook a review to 'establish a baseline' for BoS's anti-money laundering identification verification records and to check whether BoS could comply with the range of orders under the Proceeds of Crime Act 2002 (POCA), by retrieving information in a timely manner. The exercise was part of BoS's planned testing and a response to the FSA's review in early 2002. 2.11. The GRR review in October 2002 focused on the BoS identification verification records retained by the DRC for the Retail, Corporate and Business Divisions of BoS. The review found that in 55% of the sample of accounts tested, such records could not be located. 2.12. On 27 December 2002, BoS informed the FSA that the GRR review had suggested that there were difficulties in locating identification verification records for BoS customers of Retail, Corporate and Business Divisions and detailed results of the GRR testing were reported to the FSA on 23 January 2003. 2.13. The FSA considers that the facts and matters described above and the failure rate of 55% demonstrate that BoS did not retain either a copy of the customer's identification evidence nor a record of where a copy of the evidence could be obtained, contrary to ML 7.3.2. 2.14. During December 2002 the Retail, Corporate and Business Divisions of BoS undertook further reviews to confirm whether the results of the GRR testing were accurate. All three Divisions confirmed that there was serious and widespread non-compliance with record keeping requirements. The reasons for the failings were summarised in a HBOS GIA report issued in February 2003. 2.15. The GIA report was graded red, signifying an inadequate control environment. In summary, the report identified that the major failing was the many processes by which customer identification checklists progressed from the point of origination to point of completion of imaging. The report also concluded that there was an absence of effective controls to verify the adequate completion of checklists and that all relevant paper is ultimately imaged. Throughout all Divisions reviewed, there were no instances found of any audit trails to control the movement of paper from the point of origination to the point of processing and on to receipt and subsequent imaging at the DRC. BoS was therefore unable to be conclusive about the exact area(s) in which the breakdowns occurred. 2.16. The FSA considers that the conclusions of the GIA report regarding the reasons for the inadequate record keeping, together with the high proportion of accounts with inadequate records of customer identification evidence, demonstrate that BoS has failed to set up and operate arrangements to ensure that it is able to comply with the rules in ML, contrary to Rule 2.1.1 of ML. Remedial Action undertaken by BoS 2.17. BoS has acknowledged that the rates of compliance with account opening identification and related record keeping procedures in certain parts of BoS were unacceptably low. BoS has implemented action plans to address the shortcomings identified in its record keeping and customer identification procedures. 2.18. In December 2002 each Division was given responsibility to devise a set of initiatives to resolve the problems identified in respect of anti-money laundering record keeping. These initiatives were overseen by GRR and action plans for each Division were developed by the end of January 2003. 2.19. Since January 2003, BoS has regularly reported to the FSA its compliance rates in respect of the ongoing remedial actions. Overall the compliance rates in respect of its customer identification and record keeping procedures have improved considerably. The FSA is satisfied that the remedial action plan has appropriately addressed the problem. FACTORS RELEVANT TO DETERMINING THE SANCTION 2.20. In determining that a financial penalty is appropriate and that the amount imposed is proportionate to BoS's breaches, the FSA considers the following factors to be particularly relevant. The duration, frequency and nature of the breaches 2.21. BoS's GRR review in October 2002 revealed evidence of high rates of non-compliance across BoS's Retail, Corporate and Business Divisions. 2.22. The subsequent review in January 2003 by HBOS GIA revealed that the record keeping breaches were caused by widespread weaknesses in BoS's customer identification record keeping processes, procedures and controls; evidenced (and exacerbated) by the fact that GIA was unable even to determine conclusively the areas in which the breakdowns occurred. 2.23. The widespread nature of the breaches meant that BoS was unable adequately to monitor the effectiveness of the customer identification aspect of its anti-money laundering policies and procedures. 2.24. The widespread nature of the weaknesses and the high levels of non-compliance, together with the size of BoS in the retail market in which it operates, meant that there was a serious risk that BoS would not have been able to satisfy any enquiries or court orders from the appropriate authorities seeking disclosure of customer identification evidence. The FSA accepts, however, that there is no evidence to indicate that any such enquiries or court orders were frustrated by BoS's failings. 2.25. In September 2000, BoS GIA identified problems in respect of customer identification record keeping that were very similar in nature to those problems identified by the BoS GRR review in October 2002. This demonstrates that record keeping problems had existed for at least two years. If the recommendations made following the 2000 Audit had been fully implemented, it is likely that the subsequent problems would not have occurred to the same extent. Conduct following the contravention 2.26. The FSA notes that BoS has devoted considerable resources to the issues identified and promptly and effectively implemented a robust remedial action plan across the whole of HBOS. The FSA is satisfied that the remedial action plan is addressing appropriately the weaknesses identified in BoS's customer identification record keeping processes, procedures and controls. 2.27. BoS afforded the FSA very good co-operation during the investigative phase of this matter, in particular in responding promptly to document requests. BoS also involved GIA to review its document searches to verify that it supplied the FSA with all relevant information concerning its anti-money laundering procedures. 2.28. BoS has taken steps to settle this matter. This has helped the FSA work expeditiously toward its regulatory objectives, which include reducing financial crime. Previous action taken by the FSA 2.29. The FSA has had regard to previous cases involving breaches of ML. The FSA considers that the failure rates in this case are considerably higher than those previous cases. However, the FSA considers that some of the aggravating factors present in those cases are not evident in this case to the same degree. CONCLUSION 2.30. Taking into account the seriousness of the contraventions and the risk they posed, but also having regard to the remedial steps taken and the co-operation shown, the FSA has decided to impose a financial penalty of £1,250,000.