Public Statement Concerning The Regulatory Investigation Of The Isle of Man Financial Services Authority in Respect of Standard Bank Isle of Man Limited And The Associated Outcomes
PUBLIC STATEMENT CONCERNING THE IMPOSITION OF A DISCRETIONARY CIVIL PENALTY UNDER SECTION 16 OF THE FINANCIAL SERVICES ACT 2008 AND IN ACCORDANCE WITH THE FINANCIAL SERVICES (CIVIL PENALTIES) REGULATIONS 2015
Standard Bank Isle of Man Limited (“Standard”)
1.1 The Isle of Man Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred upon it under section 13 of the Financial Services Act 2008 (the “Act”).
1.2 The making of such public statement supports the Authority’s statutory objectives of, among other things, securing an appropriate degree of protection for customers of persons carrying on a regulated activity, reducing financial crime and maintaining confidence in the Isle of Man’s financial services industry.
1.3 Following an investigation into Standard by the Authority, which identified certain serious regulatory failings, the Authority has deemed it appropriate, necessary and proportionate, in all the circumstances, that Standard be required to pay a discretionary civil penalty imposed under section 16 of the Act and in accordance with the Financial Services (Civil Penalties) Regulations 2015 in the sum of £353,320 discounted by 30% to £247,324 (the “Civil Penalty”).
1.4 The level of the Civil Penalty reflects the fact that Standard co-operated with the Authority and agreed settlement at an early stage, through the employment of the Authority’s Enforcement Decision-Making Process (“EDMP”). As with all discretionary civil penalties issued by the Authority, the level of the Civil Penalty is calculated as a percentage of Standard’s relevant income at the time that the failings noted within this public statement were identified. The absolute amount of the Civil Penalty relative to other civil penalties that have been issued by the Authority previously is not necessarily indicative of the seriousness of the failings and is determined each time on the facts of a particular matter. In this case, the Authority is assured that the failings were isolated in nature rather than being systemic across the business.
1.5 Standard has proactively brought about operational changes in an effort to address the issues identified and the concerns of the Authority.
2.1 Standard is licensed by the Authority in accordance with section 7 of the Act. Standard is licensed to undertake, among other things, Class 1 (Deposit Taking) regulated activity.
2.2 In April 2021 Standard discovered that, in September 2020, it had acted in breach of the terms of a Restraint Order issued by the Isle of Man Courts pursuant to the Proceeds of Crime Act 2008 (the “Court Order”). The Court Order restrained, inter alia, the disposal, diminution, removal from the jurisdiction of, and dealing with, funds in respect of specified bank accounts (the “Restrained Accounts”) in the name of a client of Standard. Standard immediately notified the Authority of this matter in relation to its obligations under Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) legislation, and the Financial Services Rule Book 2016.
2.3 The breach of the Court Order involved two stages: enabling the transfer of funds between the Restrained Accounts within Standard; and processing an instruction from the client for further transfer of funds out of the jurisdiction of the Isle of Man, albeit to another Standard Bank group entity.
2.4 The Authority, upon reviewing the notification alongside other information, determined that it should exercise powers under Schedule 2 to the Act to investigate Standard’s compliance with AML/CFT legislation. The commencement of such investigation by the Authority was notified to Standard in May 2021.
2.5 In June 2021 Standard submitted a full and detailed Incident Report to the Authority, following its own investigation. Standard continued its own root cause analysis, sharing its findings with the Authority, up to and including November 2021.
3. Investigation Conclusions
3.1 Standard operates procedures such that it can apply ‘locks’ either against a specific client and / or specific accounts. Such ‘locks’ and related controls are designed to, in certain cases, prevent transactions from being processed. For this purpose these ‘locks’ and related controls are referred to as “preventative controls”.
3.2 The preventative controls that were applied at the time of the breach of the Court Order were such that they differed between transactions involving banking entities not related to Standard (“third party transactions”), and those banking entities related to Standard (“intragroup transactions”). The breach of the Court Order arose because of some weaknesses in the preventative controls pertaining to intragroup transactions.
3.3 In addition to preventative controls, banks also operate what are commonly referred to as “detective controls”; these being designed to find issues quickly, including where preventative controls may have failed.
3.4 In this case, Standard did not have adequate detective controls in place. This is evidenced by the fact that the breach of the Court Order occurred in September 2020 but Standard did not identify the breach until April 2021 whereupon the funds were promptly returned in full to the Restrained Accounts. Further, Standard only identified the issue in April 2021 when the client requested a third party transaction.
3.5 Standard acknowledges that the failings arose because of a weakness in its operational controls and systems of ‘locks’ applied to customer accounts that are intended to ensure that monies cannot be moved from such accounts in particular circumstances. Standard also acknowledges that it did not have sufficient detective controls in place to identify the issue in a timely way.
3.6 The failings resulted in a number of breaches of the Financial Services Rule Book 2016 (the “Rule Book”) by Standard, namely:-
3.6.1. a breach of Rule 6.1 of the Rule Book in that Standard did not act with due skill, care and diligence in carrying on regulated activity;
3.6.2. a breach of Rule 6.5 of the Rule Book in that Standard carried on business in a way likely to bring the Island into disrepute or damage its standing as a financial centre; and
3.6.3. a breach of Rule 8.3(2) of the Rule Book. This Rule requires that “The responsible officers of a licenceholder must establish and maintain appropriate internal and operational controls, systems, policies and procedures relating to all aspects of its business to ensure appropriate safeguards to prevent and detect any abuse of the licenceholder’s services for money laundering, financial crime, the financing of terrorism, or the proliferation of weapons of mass destruction”.
3.7 Those same failings also resulted in Standard contravening paragraph 4(1)(a)(iii) of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the “Code”) which requires Standard not to enter into or carry on a business relationship…unless Standard establishes, records, operates and maintains procedures and control in relation to internal controls and communication matters that are appropriate for the purpose of forestalling and preventing ML/TF.
3.8 The matters above are considered by the Authority to be serious regulatory failings.
The Authority is satisfied that the imposition of the Civil Penalty on Standard appropriately reflects the serious nature of the non-compliance by Standard and the importance the Authority places on all parties in the regulated sector, in particular banks who are critical gatekeepers, complying with all elements of AML/CFT legislation.
In accordance with the EDMP, Standard entered into settlement discussions with the Authority and, having accepted the conclusions of the Authority’s investigation, sought to finalise matters expeditiously.
5. Cooperation and Remediation
5.1 The Authority is satisfied that Standard cooperated fully and engaged positively with the EDMP.
5.2 The directors of Standard at the relevant time have taken full responsibility for the issues identified by the Authority.
5.3 At the date of the settlement agreement made between the Authority and Standard (namely, 6 January 2022), Standard has confirmed to the Authority that operational controls have been enhanced to prevent any similar breach occurring.
6. Key Learning Points for Industry
- All firms undertaking business in the regulated sector have an obligation to conduct their affairs in a manner that adequately mitigates the risks faced by them in order to ensure that the Isle of Man retains its reputation as a responsible, and well-regulated, international financial centre.
- Any weaknesses in the design, implementation and operation of AML/CFT controls can expose a licenceholder to being exploited by persons who may wish to launder money or finance terrorism. The AML/CFT risks faced by banks are recognised in the Isle of Man Government’s National Risk Assessment 2020 which applies an overall risk rating of Medium High to both the international retail, and corporate and trust parts of the banking sector. Persons in this sector, such as Standard, will be required by the Authority to have and to maintain a very robust control environment at all times.
- The design and operation of any effective suite of AML/CFT controls, particularly any systems-driven solution, needs to appropriately reflect the risk environment faced by the particular business in terms of preventing and detecting breaches of the Island’s regulatory framework.
- As with all discretionary civil penalties imposed by the Authority, the level of any discretionary civil penalty imposed is calculated as a percentage of a licenceholder’s relevant income at the time that the relevant failings were identified. The amount of any civil penalty is determined each time on the facts of a particular matter and the Authority will have regard to the following factors when determining whether to impose a civil penalty: (a) whether or not the licenceholder reported the serious regulatory failing to the Authority; (b) whether or not the licenceholder was aware, or should have been aware, of the serious regulatory failing; (c) the potential financial consequences to the licenceholder, and to any third parties including customers and creditors of the licenceholder, of imposing such a penalty; and (d) penalties imposed by the Authority in other cases.