‘Bin bags full of cash’ NatWest fined £264m for AML failures

Branch safes literally overflowed with ill-gotten gains

In the first criminal prosecution of a financial institution by the Financial Conduct Authority (FCA), a litany of failings took place at NatWest which enabled black bin liners stuffed with cash to be deposited, literally bursting out of floor-to-ceiling branch safes.

The trial centred on a textbook case of money laundering by a supposed jeweller, Fowler Oldfield. Their predicted turnover was around £15m when the bank took them on as a client, but they ended up depositing over £365m over a five year period, with the vast majority being in hard cash.

Some bin bags even burst

Criminal couriers for the front business walked through high streets across the UK carrying bags of cash, with one branch receiving over £40m. Concerningly, this case highlights AML failures at not just one branch but across the entire NatWest network. Some bin bags even burst, forcing the cash couriers to stuff the money into sacks.

Fowler Oldfield was NatWest’s largest regional customer, with Britain’s largest bank consistently failing to investigate numerous warnings by its financial crime systems. The investigation found the bank had miscategorised the business as lower risk than it was, and staff did not have the sufficient AML knowledge or KYC expertise to detect any problems. The bank even deactivated a suspicious activity alert because too many were being received.

Large amounts of musty-smelling, Scottish bank notes

The report found a litany of failures and naked examples of money laundering. Fowler Oldfield deposited nearly £400,000 into an account of a hair extension and cosmetic business, before the funds were then transferred to a pub, then to a money transfer business. Direct cash deposits were recorded as cheques by the bank without further scrutiny, and the jewellery businesses’ account was never meant to be for cash deposits. The National Crime Agency also raised concerns about the large quantity of Scottish banknotes being deposited around central England, which it said was a potential indicator of criminal activity. Individual branches even raised concerns about the ‘musty smell’ of the old banknotes likely due to long-term storage than actual business use. 

Many individual staff members did pick up on the activity, with one employee who’d been working for decades saying it was the most suspicious activity they’d seen in their career. Ultimately, the court found, the bank did not miss this. The criminality was spotted time and time again, but the systems and adequacy of the scrutiny failed. 

A separate investigation by West Yorkshire Police led to 11 people pleading guilty to the cash deposits and another three cash couriers being charged. A further 13 people await trial. NatWest pled guilty to the charges, with Southwark crown court fining the bank £264,772,620, with a further £4.2m in costs and a £460,047 confiscation order. 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.