ANALYSIS: New Zealand’s first banking AML penalty provides key lessons for financial sector

The Reserve Bank of New Zealand (RBNZ) has wrapped up its first civil litigation under the anti-money laundering and counter-financing of terrorism (AML/CFT) regime, after securing a NZ$3.5 million penalty against TSB Bank. The High Court imposed the civil penalty on TSB for failings with its AML/CFT program, risk assessments, assurance processes and country screening.

The High Court’s penalty was based upon a statement of facts as agreed by TSB and the RBNZ, including a joint submission on the appropriate penalty. The court reduced the penalty to reflect TSB’s “acceptance” that it failed to comply with fundamental requirements of the AML/CFT Act.

“While TSB has now embarked on a remediation program, these proceedings were an escalated regulatory response by the Reserve Bank to ongoing non-compliance by TSB following a formal warning issued to TSB in 2016,” said Geoff Bascand, Reserve Bank deputy governor.

The RBNZ said the judgment would provide helpful guidance for reporting entities. The court accepted the parties’ submission that TSB’s failure to respond appropriately to a formal warning issued in 2016 was an aggravating factor. The judgment also provides guidance for the appropriate level of discount in cases where breaches are admitted.

“The AML/CFT Act came into effect eight years ago and we expect firms to be aware of, and to comply with, their obligations,” Bascand said.

Thomson Reuters Regulatory Intelligence (TRRI) interviewed leading New Zealand barrister Gary Hughes, of Akarana Chambers in Auckland, about the case. He said the agreed settlement process between the parties meant the case contained little in the way of fully argued legal principles. Even so, he said it held “five or six notable findings” for other reporting entities.

“The first two might be seen as institutional in nature, while the other features are more nuanced. They give an insight into what was going on and going badly in the banking back offices,” Hughes said.

This is the first AML/CFT civil penalty action ever undertaken by the Reserve Bank of New Zealand.

“That might reflect more of a supine approach of the central bank in years gone by, rather than evidence there were no issues in the banking sector worth investigating,” Hughes said.

The Financial Action Task Force criticised the RBNZ in its latest mutual evaluation follow-up report, saying the supervisor needed to take a more assertive enforcement stance.

Real estate in the crosshairs

The case relates to vulnerabilities in the banking and real estate sectors, touching upon the financial sector and the designated non-financial businesses and professions (DNFBPs), which were brought into the AML regime under the recent Phase 2 reforms.  

One of the 4 causes of action prosecuted in court was TSB’s failure to conduct a proper risk assessment. This related to a real estate agency business that TSB also ran for a period of time, and subsequently sold.  

“When AML coverage began for real estate agency transactions on January 1, 2019, TSB began doing customer onboarding (KYC) but it appears to have overlooked doing a proper risk assessment. It was almost treated with compliance disdain, with the supposed risk assessment consisting apparently of a mere two paragraphs tacked onto the banking assessments,” Hughes said.

The failure to update risk assessments following an acquisition or the launch of new products is a common failing. It was also seen as a driving factor in the major enforcement actions under the AML/CFT regime in Australia.

“Although TSB’s realty business was localised and small, not nationwide, there was also a degree of banking industry smugness evident. TSB considered its operation to be less risky than mainstream real estate agencies because it was attached to a bank. Ironically, it was a bank that was not training its staff, reporting to management or conducting proper reviews and assurance work,” Hughes said.

Shot across the bows for assurance testing

Hughes suggested there were three other defining aspects of the case that provide an insight to the catalogue of problems that led to this civil litigation. These were the importance of assurance testing, delays in the remediation of problems and overseas country risk. Although no binding precedents emerge from an agreed penalty outcome, these indicators will help reporting entities to understand how the courts may look at similar scenarios.

The two largest sets of compliance failures revealed a multitude of assurance, risk culture and communication breakdowns. For each of these failures the judge apportioned at least NZ$1 million in penalties.

The first component of breach was for assurance program failures, which are covered under section 57 of the AML/CFT Act 2009. This states that entities must monitor and manage their compliance with their procedures, policies and controls, including through internal communication and training.

Some aspects of TSB’s risk assessment and AML/CFT program were “inadequate and were not reviewed when they should have been,” the court found.

The findings reveal a raft of minor mishaps and internal disorganisation within TSB, Hughes said. The court found the bank did not have an assurance program in place by 2015. Even after an RBNZ warning in 2016, and a further auditors report in 2017, little was done to rectify the problems. 

“The TSB board was receiving progress reports, but they were not leading to faster action. A major miscommunication with the internal auditor led the board to believe it was fully compliant, despite plenty of paperwork identifying that it was not,” Hughes said. “In the space of one summer a large number of senior risk and compliance staff departed. In one role the new appointee received no handover or guidance from a predecessor.”

The bank conducted an audit which found that only 23% of some categories of client files had full customer due diligence (CDD) steps carried out.

“All of that meant there was a lack of documented assurance measures for about six years, the court held,” Hughes said.

Price of inaction

Another major theme in the case is how damaging it can be if reporting entities are slow to deal with identified problems. In TSB’s case, this meant there was a failure to review, maintain and update its compliance program. 

“The other NZ$1 million component of the court penalty traces back to the failure to make a timely review of its program and fix any issues. This included staff in customer-facing roles not receiving training, a long-delayed shift to a better account monitoring system, and discussions at board level that either mis-stated the problems or did not lead to more priority being given to important work streams,” Hughes said.

In many cases, internal deadlines to remediate compliance issues were missed — sometimes by as long as 22 months.

The failure to remediate problems quickly is common to banking sector AML/CFT cases worldwide, Hughes said. Common failures include failure to review or update policies, or identify a breach but not report it upwards and set a timetable to fix it. 

“Too often banks pay handsomely for an external accounting report to put some gloss over things, only to drag the chain for many months on implementing its findings. These are failings of decision-making and governance. The main difference with the big AUSTRAC cases in Australia might be the scale, and the presence of real money laundering there — drug dealers on milk crates, or wire payments to paedophiles,” Hughes said.

Geographical risk

TSB failed to manage the risks associated with customers from several potentially high-risk countries. Those countries were Botswana, Ghana, Serbia, Sri Lanka and Trinidad & Tobago, the court said.

“The parties and the judge agreed this was proportionately the lesser of the 4 areas of compliance breaches,” Hughes said. “When reviewing its risk assessments, TSB failed to identify five out of the 77 overall countries which the bank ‘had and was reasonably expected to continue to have’ some kind of dealings with.”  

Lots of penalties, few real precedents

For lawyers in New Zealand and Australia, the case is yet another example of complex litigation ending up in a court-sanctioned negotiated settlement. In terms of sentencing, the court stated clearly that its role in this matter was “not to embark on its own enquiry of what would be an appropriate penalty, but rather to consider whether the proposed penalty is within the proper range.”

Hughes said these settlement cases focus on evaluating the components of the penalty, with little advancement of the AML legal principles in substance. Here, the judge did in some respects disagree with the joint figures being put to her, which was unusual for New Zealand courts.

“In the past, it seems Australian judges have been much more inclined to question the recommended penalty sums than in New Zealand,” Hughes said.

Justice Mallon decided that a greater discount should be allowed to reflect TSB’s early cooperation and admission of liability. She also thought the agreed starting points nominated for some aspects of the AML/CTF breaches were too high.

“The RBNZ might therefore be disappointed that the court wound its joint agreed sum downwards by NZ$350,000. It appears RBNZ had already decided not to formally seek an award of costs also. But the court was, quite sensibly, mindful of not locking in some idea of a ‘tariff’ or expectation of only a 20% discount for that mitigating feature, as it could work injustice for future defendants coming before the court,” Hughes said. 

“You might also be forgiven for wondering if the TSB defence rolled over too easily, if the judge stepped away from the joint sum saying it felt too high,” he said.

A paltry penalty?

From an Australian perspective, the penalty of NZ$3.5 million for such serious and extensive failures may seem low. At the same time, the regulator took into account the fact that there was no evidence of laundering activity as a result of the failures. The case also highlights the benefits of having AML/CTF supervision and enforcement consolidated into a single, dedicated agency, such as AUSTRAC.

Even so, Hughes said the litigation saga was a “disastrous outcome” for a proudly New Zealand-owned bank.

“TSB is our seventh largest bank and has a growing nationwide profile. It is now the first to be publicly hung out to dry in this way,” he said.

“There is still going to be a significant whack of its own legal costs, and a more expensive ongoing and massive remediation program to correct all the compliance problems that have been identified. Those internal costs may continue as an ongoing drain on the bank.”

The cost of these failures will have a broader impact beyond the potential facilitation of illicit finance. TSB is owned by a local community trust, which will now suffer from a drag on the many good community initiatives that the trust finances.  

“If it were a privately-owned or even listed business, shareholders would be quite entitled to ask searching questions about why so many people — and processes — were arguably asleep at the wheel during this period. Especially after being served with an earlier public warning by the regulator in 2016. Most reporting entities realise they are then marked for future indiscretions,” Hughes said.

Related:
How launderers exploit Australia’s lax real estate laws to infiltrate banks
Transaction monitoring must sit at heart of AML compliance, says top enforcement lawyer

Nathan Lynch is an experienced writer, public speaker, manager and technology enthusiast in the field of financial regulation and risk management. At Thomson Reuters, Nathan leads a team of experts who provide breaking news, deep analysis and practical guidance to risk practitioners in the global financial services sector.
Nathan manages Thomson Reuters’ award-winning Regulatory Intelligence team across the Asia-Pacific region, tracking developments in financial services law, regulation, financial crime and risk management.
Nathan has been involved in building innovative, tech-based businesses in the financial services “regtech” sector — including Complinet Australia and the Thomson Reuters Risk business.

Leave a Reply

Subscribe to Business Insight

Discover best practice and keep up-to-date with insights on the latest industry trends.