FSRA Impose First Fine for Breaches of AML Rules
On 25 August 2022, the Abu Dhabi Global Market regulator, the Financial Services Regulatory Authority (FSRA), issued a Final Notice against Wise Nuqud Ltd (Wise) imposing a fine of $360,000 for contraventions of anti-money laundering (AML) requirements.
This is the first Final Notice published by the FSRA for breaches of the Anti-Money Laundering and Sanctions Rules and Guidance Rulebook (“AML Rules”). A deeper look into the terms of the Final Notice provides some useful information for firms operating within the ADGM, and the UAE more broadly, which is seeing an increase in anti-money laundering regulation and enforcement.
Before we consider the key takeaways we will first look at the background to this Final Notice.
Wise is a licenced money service provider operating in the Abu Dhabi Global Market. It has been incorporated and registered with the ADGM Registration Authority since May 2019 and is a subsidiary of the larger Wise Group. The company facilitates domestic and cross-border money transfers for personal and small business customers. In terms of its business model, Wise does not maintain balances in client accounts and its customers were required to register and use a regulated bank account for transactions.
What did the FSRA find?
The FSRA determined that Wise failed to establish and maintain adequate AML systems and controls to ensure full compliance with its AML obligations. Wise:
- did not identify and verify the source of funds and wealth as part of the Enhanced Customer Due Diligence (EDD) it performed on customers it had identified as high risk before undertaking transactions on behalf of those customers;
- did not properly obtain the approval of Senior Management to establish business relationships with a category of customers that it had identified as high risk;
- did not consider customer nationality as part of its risk-based assessment of its customers; and
- did not obtain and consider adequate information on the intended nature of business for a category of its customers before establishing a business relationship with the customer.
While conscious that much will depend on the facts of each case, the following is a brief look at seven key takeaways from the FSRA’s approach that may be relevant for businesses assessing their own AML compliance framework:
Complete your EDD before entering a transaction with a high-risk customer
The AML Rules required Wise to undertake a risk-based assessment of every customer and to assign a risk rating relevant to the assessed money laundering risks associated with that customer. Those customers considered High-Risk Customers or Politically Exposed Persons (PEPs) were required to be subject to Enhanced Customer Due Diligence (EDD). Importantly, the AML Rules required that EDD be completed prior to undertaking a transaction with the business.
Wise had in place procedures for completing EDD prior to undertaking a transaction for those customers identified as PEPs, but not for High-Risk Customers. Instead, Wise only completed the EDD when these customers’ payments met a certain “threshold” over a rolling 28-day period. The reason for this is not clear, but the FSRA were clear that such a policy fell short of the requirements expected under the AML Rules. In short, it is imperative that companies complete the full EDD for all High-Risk Customers before entering into any sort of transaction with or on their behalf. No distinction between High-Risk Customers and PEPs is possible.
Thresholds as a risk mitigator
Interestingly, the FSRA considered that Wise’s approach of using a threshold before initiating the full EDD on High-Risk Customers was an ineffective risk mitigant. This was because the threshold was too high when compared to the average transaction amount for those customers. This suggests that in principle a policy of having a threshold approach to some areas of AML procedures and controls may be acceptable as a risk mitigator to the regulator, so long as that threshold is a realistic one that properly reflects the average transaction amount of customers under consideration.
Maintaining customer account balances will always attract more risk
Wise’s business model of not holding customer balances and only accepting transactions from regulated banks was considered an important risk mitigator by the FSRA. This is an important issue for FinTech start-ups, particularly when they come to evaluate the level (and cost) of AML risk controls and procedures that will need to be factored into particular business models.
Caution when outsourcing AML checks
The FSRA were comfortable with Wise outsourcing EDD on High-Risk Customers within the broader Wise Group entity, so long as it was to a suitably qualified individual or committee. Where Wise failed was in ensuring that they had adequate arrangements in place to govern this process. Specifically, Wise failed to ensure that the team conducting the EDD sought Senior Management Approval before signing off on a business relationship with a High-Risk Customer – a key regulatory requirement under the AML Rules. Whoever conducts the EDD (and third-party vendors are an increasing part of the AML process), it will remain the responsibility of the regulated entity to ensure that there are systems in place to ensure that all AML regulatory requirements are adhered to.
Nationality: legacy issue or risk factor?
The AML Rules require risk-based assessments to identify and consider, amongst other things, the customer’s country of origin, residence, nationality, place of incorporation and place of business. The FSRA found that Wise had not been considering nationality as part of its risk-based assessment of its customers. This was the one area that Wise pushed back on, arguing that the nationality of a customer was a ‘legacy’ factor not relevant to an assessment of money laundering risk, particularly as they were considering the customer’s country of origin, residence and IP address. While the FSRA disagreed, this is a potentially divisive issue which touches on issues of discrimination and, in the modern world where travel and dual nationalities are prevalent, its continuing relevance to risk.
Importance of a baseline for all customers
The AML Rules make clear the importance of understanding the nature of the customer’s business as well as their intentions in commencing the business relationship. One way of doing this is by obtaining information on the expected volume of business with the customer, which can then be used as a baseline from which to assess future anomalous or out of character behaviour. Wise had a process in place for obtaining such information from its business customers. However, no such process was in place for its personal customers. The regulator saw no reason to distinguish between customers on basic AML risk factors.
Cooperate and remediate – sharpish
Companies should aim to cooperate and remediate. To be clear, this does not mean laying down and accepting whatever the regulator is alleging without understanding the issues and obtaining proper legal advice. However, the expediency with which a company can acknowledge faults in its processes and procedures and rectify them will have a huge impact on how the regulator perceives and deals with the company. It is also likely to impact the public perception of the company and mitigate financial loss. Here, Wise received praise from the FSRA for their transparency and timely responses to requests for information. Importantly, by the time the settlement was agreed and the Final Notice came to be published, Wise had corrected the identified wrongs and had even stopped taking on new customers while the remediation steps were put in place. It also helped that no instances of money laundering had been identified by the FSRA. This all contributed to the 20% discount on the imposed fine, and the press release for Wise made for much better reading.
Overall, it appears that whilst Wise did make a conscious effort at implementing adequate processes and procedures to mitigate AML risk, these were not enough to comply with the meticulous approach required under the AML Rules in the eyes of the FSRA. This is unlikely to be the last AML Rules Final Notice issued by the FSRA and businesses would be well advised to have their own AML compliance procedures checked for compatibility with the relevant regulatory requirements in order to avoid further legal costs and financial pain later down the line.