Multi-million pound money laundering fine against financial services firm levied by FCA

Lack of risk assessments and outdated policies contributed to failings

ADM Investor Services International Limited, a commodities services broker, has been hit with a significant £6.47 million fine by the Financial Conduct Authority (FCA) for inadequate anti-money laundering systems and controls.

The fine was especially large given that ADM’s client base presented significant levels of money laundering risk due to the global nature of its businesses and a roster of politically exposed persons as clients. ADM’s services included potentially high risk products including base metals, foreign exchange and cocoa, with over 180 million contracts a year.

The FCA first raised its concerns about inadequate money laundering procedures as far back as 2014, but on a subsequent visit a few years later, ADM still did not have a firm-wide risk assessment and its AML policies referenced outdated and repealed legislation.

The FCA said the company’s anti-money laundering policy had been revised in 2012 and 2013, but was identical to the 2003 version despite the law changing in that time. The FCA said: “This meant the policy referred to regulations which were around 12 years out-of-date and had since been replaced twice. This was important.”

The firm had inadequate procedures to identify the high-risk countries of its clients. Despite having a ‘jurisdiction red list’ of countries from which the company was told not to solicit clients, ADM had 37 open accounts with clients linked to those ‘red list’ jurisdictions.

Internal auditors had repeatedly warned of inadequacies, and ADM told the FCA that it had engaged external compliance consultants to undertake a thorough review, which did not happen.

ADM did not dispute the findings, and received a 30% discount from the full £9.2 million penalty. Originally, the FCA had decided to fine ADM 15% of its relevant revenue, £16.8 million, which was later halved after being seen as disproportionately high.

What were the failings?

  • A lack of a formal process to classify customer risk at onboarding
  • Processes that were ‘inadequate in design and implementation’ and failed to assess financial crime risk
  • Little evidence of ongoing monitoring
  • No firm-wide risk assessment
  • Outdated policies and procedures

What are the compliance lessons?

Firms are required to implement suitable risk-based anti-money laundering systems and controls. The FCA and other regulators expect firms will take reasonable steps to ensure that adequate AML systems are in place and functioning effectively.

This is because firms that fail to implement adequate AML systems and controls are exposed to the risk of financial crime. Not only that, they could gain a commercial advantage over compliant firms because they save on the costs involved in implementing systems, and could be more attractive to customers who wish to bypass effective due diligence. The FCA will take a dim view of those who attempt such a thing.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
