Where Did UK-Operating Banks Stumble with AML & How Can They Improve?

Are UK banks lapsing when it comes to their AML responsibilities? And if so, what needs to be done to protect the banking sector?

Apr 3, 2023 - 5 min.

Anyone following financial news in the UK may have noticed a marked increase in fines levied by the Financial Conduct Authority (FCA). To be more specific, financial institutions have been fined more than GBP 137 million over the past 12 months. With regulators increasing the pressure on banks to implement strong anti-money laundering controls, we've taken a look at the expectations of the FCA, how banks often fail to comply, and what can be done to ensure adherence with local legislation.

The current AML situation in the UK

Pre-Brexit, the UK, like all EU Member States, had implemented the Anti-Money Laundering Directive (AMLD). The goal of the Directive is explicit: fight money laundering and financing of terrorism with consistent rules and regulations to be executed across the bloc and the UK. As recently as 2020, the UK was still adhering to the statutes set forth in the 5th version (5AMLD) of the Directive, which, among other things, expanded the scope of individuals and companies subject to the regulation. 

In December 2020, when the 6th revision (6AMLD) of the Directive was entered enforced, the UK decided to opt out. This was primarily because the authorities believed that the UK was already largely compliant with many of the regulations outlined by the 6AMLD. They also believed that the UK went even further in many regards.

According to the Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog, the UK ‘has a well-developed and robust system to effectively combat money laundering and terrorist financing. However, it needs to strengthen its supervision and increase the resources of its financial intelligence unit.’ This criticism of its oversight abilities stems from concerns that the UK Financial Intelligence Unit lacks the ‘operational independence’ and the resources to conduct analyses and collect information from reporting entities.

However, a quick comparison with Germany, an EU member and therefore bound by the 6AMLD, shows that the UK government is not wrong to believe its AML regulations supersede those imposed by the 6AMLD to some extent. Although Germany’s financial intelligence units are wholly compliant with FATF recommendations, the FATF ratings also reveal that Germany is only partially compliant in two significant areas highly associated with money laundering risks: ‘Targeted financial sanctions related to terrorism & terrorist financing’ and ‘correspondent banking.’ The UK, by contrast, is ‘largely compliant’ and ‘compliant’ in these areas respectively. 

What does this mean for banks operating in the UK? 

When comparing the FATF score sheets for Germany and the UK as well as other European countries, the UK is compliant with more recommendations than its counterparts. This is not to say that improvements to some critical infrastructures are not essential. However, banks operating in the UK can anticipate a highly and strictly regulated space.

As such, the first and foremost step for banks operating in the UK is to remain abreast of all regulatory changes involving financial transactions. This can be especially difficult for financial institutions as regulations are often in flux. In particular, the recommendations on monitoring the flow of virtual currencies and electronic money are regularly evolving. 

That said, the recent crackdown by the FCA on banks operating in the UK had little to do with a lack of understanding about oversight obligations. On the contrary, it was primarily the result of poor implementation of adequate and, in some cases, even robust practices. What exactly went wrong? 

Where did banks operating in the UK go wrong?

We would like to preface this glimpse into failed AML monitoring by stating that the banks mentioned, although recently fined, were accused of regulatory violations between 2012 to 2017. These banks have since made substantial improvements to their AML oversight practices.

Since the start of 2023, the UK has already imposed fines on two banks, Al Rayan and GT Bank, for failures that could contribute to money laundering and terrorism financing. In the case of Al Rayan, the bank had indeed been implementing regulations laid out by the Gulf Cooperation Council States instead of those set forth by the FCA. As such, there were weaknesses in its systems and controls for detecting suspicious banking activities. 

However, this is rather the exception than the rule. In fact, GT Bank and Santander, which received the highest AML fine (GBP 107.7 million) in 2022, were both penalised for very avoidable transgressions. Namely, poor customer due diligence (CDD) and enhanced due diligence (EDD). In the case of GT Bank, the institution failed to identify or verify customer identification documentation and the authenticity of customer information. 

Santander’s list of accusations was a bit longer. It, too, was accused of insufficient know-your-customer (KYC) processes. However, among a long list of other violations, it also lacked a centralised database of customer risk ratings, properly trained staff to monitor its automated detection systems, and periodic suspicious activity monitoring. And far more seriously, its most egregious infraction against AML regulations was the lack of communication and monitoring that led to an account, which had already been flagged for suspicious activity, remaining open for over 1.5 years. This blunder allowed for the transfer of GBP 269 million.

How does the FCA expect banks to fulfil their AML obligations? 

Looking at the fines issued by the FCA over the past 12 months, a clear pattern of FCA priorities emerges customer due diligence and KYC, risk assessment, continuous monitoring, and adequate training and resources. Let’s take a deeper look at what this entails.

Customer Due Diligence (CDD) is one of the main processes of KYC. It involves ensuring that the bank has established the identity of its customers through a series of robust checks, which might include any combination of document verification, liveness/biometric facial checks, or proof of address. And with regard to business customers, this also means having clear knowledge about the nature of the customer's business and how it intends to use bank services. A risk assessment to determine any potential money laundering risks can only be performed after a customer's identity has been determined.

However, this is not the final step. If a risk has been detected, the account in question must be continuously monitored. This means monitoring all banking activities, including the consistency of transactions, for example, to determine whether they are in line with the business’ activities. The degree and regularity of the monitoring should be contingent on the risk level, with prompt reactions to mitigate any questionable activities.

Monitoring systems should be capable of identifying and assessing money laundering risks based on how consistent an account's activities are. This means the information collected during customer onboarding should include anticipated deposits, transactions, and other activities. Looking back at the case of Santander, we can now see why the lack of a comprehensive database listing customer risks would be a serious impediment to effective monitoring.

Nevertheless, should a bank have robust CDD, risk assessment, and monitoring processes yet lack the adequate resources and training to operate monitoring systems and conduct proper onboarding and assessments, the whole system collapses. 

How can CIAM help banks meet their AML obligations?

When customers open a bank account, a unique (digital) identity is created during the onboarding process. This identity encompasses all of the data customers provide about themselves (name, postal address, email address, etc.) and all relevant accumulated data (e.g., risk assessment and KYC data, including how the customer intends to use the account and bank services, and what types of transactions to anticipate). At this point, a stringent identity verification process ensures the customer is who he or she claims to be. All of this aggregated data ultimately amounts to a profile of a bank account holder. 

With this arsenal of information, banks can quickly determine if a transaction appears dubious. For example, relying on features like geolocation, a red flag might be triggered if a customer suddenly starts depositing funds from a new location. However, what happens next? In Santander's case, we already saw that simply recognising a problem is not sufficient. 

Vigorous CIAM systems like Nevis’ are equipped with interfaces to API gateways, which makes it possible to retrieve customer authorisation information and facilitate seamless authentication. Should a transaction trigger a red alert, the system will either require additional checks to verify the user’s identity or it will prevent the transaction from being completed all together. With Nevis’ CIAM system, any potential friction and delays in this process are eliminated by passing the user risk score information to back-end applications, including fraud detection systems.

Most importantly, a CIAM system ensures that this monitoring process is continuous and not simply performed during the login process. The Nevis CIAM monitors every single interaction (HTTP request) and assigns a risk rating. This continued threat detection makes it nearly impossible for accounts to be my malevolent players for illicit transactions. 

In conclusion…

Despite the exorbitant fines and loss of reputation associated with failed anti-money laundering practices, the most implicit threat of money laundering is the negative impact of misappropriated funds. It is of the utmost importance that banks employ all tools available and necessary to ensure that the source and allocation of funds are legitimate and that they are not contributing to illegal, questionable, and destabilising practices that stand to undermine not only the banking sector but also society as a whole.


Nevis Security Barometer #2