EXHIBIT 41A ~ FBME

28th September 2015

Via E-mail & By Hand

Ms. Chrystalla Georghadji Governor Central Bank of 80 Kennedy Avenue 1076

Madam,

Subject: On-site inspection of FBME Bank Ltd Cyprus Branch's procedures for the prevention of money laundering and terrorist financing - The Prevention and Suppression of Money Laundering Activities Law of 2007

We have been provided a copy of the Letter (the "Letter") of the Central Bank of Cyprus (the "CBC") dated 18 September 2015, addressed to Mr Andrew Andronikou - Special Administrator of the Cyprus Branch ("Cyprus Branch" or "Branch") of FBME Bank Ltd (also referred to as "Bank"). This letter relates to the on-site inspection by the CBC with the collaboration of PriceWaterhouseCoopers, of the procedures for the prevention of money laundering and terrorist financing adopted by the Cyprus Branch of FBME Bank Ltd.

The Letter covers nine subject matter areas as follows:

1. Risk Management Systems
2. Compliance Unit
3. Customer identification and due diligence procedures
4. AML IT System and Monitoring of Transactions
5. EU Regulation 1781/2006 on information on the payer accompanying transfers of funds (Electronic Funds Transfer)
6. Record Keeping
7. Staff awareness and training
8. Suspicious transaction recording
9. Internal control procedures

As the CBC will hopefully agree with us, globally recognised AML principles are meant to be preventive and are aspirational in nature, and as such are constantly evolving to address constantly changing areas of risk. This is noted very clearly in Section 3.3 ("High level findings on the level of compliance with the Cyprus Legal Framework") of the Report by Deloitte Financial Advisory S.r.l. ("Deloitte Italy") produced for the CBC, the Ministry of Finance of the Republic of Cyprus (the "MoF") and the TROIKA of the International Monetary Fund ("IMF"), European Central Bank ("ECB") and the European Commission ("EC") in April / June 2013. As Deloitte Italy further notes in Section 3.3 of its Report " ... The practical impact is that in our extensive experience, no Institution can be expected to have a 100% perfect compliance record. In fact, on the basis of our experience, it is uncommon to find institutions in any jurisdiction that achieve 100% compliance across all customers, especially in jurisdictions where the AML legal framework has been enhanced relatively recently. Another key component of AML requirements is that they are meant to be "risk based" to allow a financial institution to focus on mitigating areas of greatest risk as determined by each institution's range of products and services, as well as unique customer base ... ".

FBME Bank Ltd, Head Office, FBME HOUSE, 85 Block K, Kinondoni Road, P.O. Box 8298, Dar es Salaam, Tanzania. Tel: +255 22 2664761/2 Fax: +255 22 2664763 e-mail: headoffice@fbme.com www.fbme.com

FBME Bank Ltd considers that it has strived to have in place an Anti-Money Laundering culture, framework, policies and procedures, which, on a risk-based approach and under the overall guidance of its Senior Management and Board of Directors, focuses on the substance of anti-money laundering principles, legislation and directives to eliminate the risk of the Bank being used for financial crime purposes.

We do not therefore agree to the assertion of the CBC stated on page 2 of the Letter that the failings of the Branch are considered serious and systemic. Furthermore, we question why the CBC has omitted to benchmark findings from its on-site investigation at our institution versus findings at other Cyprus banking institutions as set out in:

i. the Third Party Anti-Money Laundering Assessment of the Effective Implementation of Customer Due Diligence Measures with regards to Cyprus Deposits and Loans, issued by Deloitte Italy on behalf of the CBC and addressed to the CBC, the MoF and TROIKA in April and June 2013 (Attached) and

ii. the Special Assessment of the Effectiveness of Customer Due Diligence Measures in the Banking Sector in Cyprus prepared by the team of international experts under the auspices of the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism ("MONEYVAL") in response to a request by the President of the Eurogroup Working Group, dated April 2013 (Attached)

In addition to our rejection of the assertion that the points raised by the CBC in the Letter constitute potentially serious and systemic matters in the AML framework, we also consider that the omission of the CBC to have regard to the practices in the banking sector of Cyprus, documented in the Reports by Deloitte Italy and MONEYVAL, potentially points to a purposefully distinctly different handling of the Bank and the Branch by the CBC versus peers. This further augments our view that the CBC and the Republic of Cyprus at large are in breach of the Bilateral Investment Treaty to the investment protection treaty between Cyprus and Lebanon.

As a matter of record, we need to also record the following:

i. The Letter of the CBC is addressed to the Special Administrator, appointed by the Resolution Authority comprising effectively the CBC. This for us constitutes a detrimental handling of the Bank, its shareholders and the Branch. We question under what legal provision and to whom the Special Administrator has responsibility in responding to the CBC's findings set out in the Letter, and whether the Special Administrator would act, given his appointment by the Resolution Authority, to the best interests of the Bank and its stakeholders (including shareholders and employees).

ii. We further question as to whether the Special Administrator is in a capacity to respond to the Letter, given that his primary well-publicised task to date has been the effective liquidation / sale of the Branch.

iii. The on-site investigation was conducted between June to September 2014. We wonder if the matters raised in the Letter were of such important and systematic nature why the CBC did not see the reason for expedited communication to the Bank and the Branch and only does so after 12 months. It is also quite peculiar to note that despite the letter taking 12 months to be prepared after the on-site investigation, the CBC sets a framework of 7 days for a response.

iv. We are concerned why the Letter has not been shared with the Bank's Regulator in Tanzania.

v. There is no information set out in the Letter with respect to the Terms of Engagement of PriceWaterhouseCoopers and their relevant obligations, including whether they have issued a formal report on their work to the CBC. The Bank and the Branch reserve fully their rights in this respect.

vi. Crucially, the Report:

a. Fails to specify any specific cases / transactions where the Branch was used for facilitating money laundering;

b. Despite the action by FINCEN (admittedly of much more serious business impact to the Bank and for which legal proceedings have been initiated by the Bank in the United States of America) the CBC fails to comment in the Letter on any of the matters that FINCEN raise in their notice of findings. We wonder why the CBC has determined that the FINCEN matters should not be addressed and what its position on those matters is.

It is the position of the shareholders and management of the Bank and the Branch that our institution has always adopted a culture, policies and procedures for limiting and managing the risk of the Bank and the Branch being used for money laundering purposes. The Board of Directors and Senior Management of our institution have constantly placed emphasis on adhering to best global AML practices and to implementing the substance of the local AML legislation and CBC Directive, fostering at the same time a process and attitude of continuous improvement.

Having mentioned all the above, we believe that the attitude of our Cyprus regulators is, to say the least, incomprehensibly vindictive and unfair.

Our team remain available to discuss our responses in detail with you and to offer any other explanations and clarifications that you may require.

Sincerely

Fadi M. Saab Chief Executive Director

cc: The Board of Directors of Central Bank of Cyprus; Statutory Manager - FBME Bank Limited


FBME Bank Limited reply to CBC letter of 18 September 2015

This is the reply (the “Reply”) of FBME Bank Limited (the “Bank”) to the report of the Central Bank of Cyprus (the “CBC”) regarding the “onsite inspection of FBME Bank Ltd Cyprus Branch’s (the “Branch”) procedures for the prevention of money laundering and terrorist financing – the Prevention and Suppression of Money Laundering Activities Law of 2007” dated 18 September 2015 (the “Report”).

References to the “Law”, the “CBC Directive” and the “EU Regulation” are as defined in the Report. Reference to the “MONEYVAL Report” means the MONEYVAL report “Special Assessment of the Effectiveness of Customer Due Diligence Measures in the Banking Sector of Cyprus” of 24 April 2013, (an initiative that the Bank welcomed and that included the Bank during its audit activity).

This Reply is divided into three parts:

PART 1 - The invalidity of the Report and failure by the CBC to comply with the law;

PART 2 - The Bank’s comments on the Report findings;

PART 3 - Putting the Report in its true context.

PART 1 - The invalidity of the Report and failure by the CBC to comply with the law

In its Report the CBC references only one examination conducted by the CBC in collaboration with PriceWaterhouseCoopers Ltd (“PwC”) in the period of June to September 2014. This is incorrect. The CBC, as in previous years, sent the Bank written notice on 29 May 2014 of its intention to conduct an onsite examination and stating the operative provisions of the law on which such examination was based. This examination (the “June Examination”) was comprised of 10 CBC/PwC persons and lasted 15 working days. On the last day, 4 July 2014, the CBC and PwC teams both informed the Bank’s Head of Compliance that the June Examination had concluded, that there were few if any issues identified, that there would be an exit meeting and that the Report would be finalised and sent to the Bank by the end of July 2014. This series of events was entirely consistent with previous CBC examinations that were conducted over one visit and with a report following within a matter of weeks after the examination concluded.

One critical event, however, occurred between the conclusion of the June Examination and the scheduled issuance of the June Examination report in July-August of that year – the issuance by the US Department of Treasury Financial Crimes Enforcement Network (“FinCEN”) of their Notice of Finding published on 17 July 2014. This was followed by the CBC’s decision on 21 July 2014 to put the Branch into resolution and which act is the subject of legal proceedings both in Cyprus and before the ICC in Paris.

The Bank was then notified by the Special Administrator of the Branch that the CBC and PwC teams were re-entering the Branch to ‘continue’ the June Examination. The Bank has never been provided with any notice to this effect from the CBC, the Special Administrator deeming it sufficient simply to verbally inform the Bank’s legal counsel that the CBC would bring ‘as many people as necessary’ for ‘as long as necessary’. However, it transpired that the Bank was not alone in its surprise that there would be a ‘continuation’ of the June Examination - members of the CBC team confirmed to members of the Bank’s Compliance Dept. that they were informed only the night before that they were to re-enter the Branch for this continuation of the June Examination. All of the above-referenced statements are noted in contemporaneous, time-stamped notes of the relevant Bank staff. Further, when, in reaction to the issuance of the FinCEN Notice, the CBC took over management of the Branch on 18 July 2014, one of the CBC’s directors, Mr. Kyriakos Zingas, confirmed to the Bank’s owners that the report of the June Examination had been completed and set out nothing of any concern.

The findings in the Report are perplexing; in the majority of cases, the Report identifies alleged failings from the period 2008-2012 however the 2014 examinations performed by the CBC/PwC were specifically stated as relating to the period 2013-2014 by which time any failings that may have existed from 2008-2012 had long since been rectified. In any event, the alleged failings identified in the Report, whether rectified or not, had been the subject of earlier examinations by the CBC who, at the time, had knowledge of, and found no issue with, any of the matters now alleged to be failings (to this point see Part 3 below – ‘Putting the Report in its true context’).

Contrary to the CBC’s statement in the Report that the Bank had provided explanations on the CBC’s findings, the Bank has been afforded no such opportunity. As above, the Bank’s staff had commented on various issues raised during the June Examination which the examination teams appeared satisfied with. At no time has the Bank been invited to comment on any findings from the June Examination, nor has an exit meeting been conducted to discuss such findings and there has been absolutely no consultation or even conversation on any matters arising out of the August examination – either during that examination or afterwards.

Therefore, and as is amply demonstrated in the Reply below, the Report is invalid due to the CBC’s failure to:

(i) notify the Bank of the nature and scope of the August examination;
(ii) state the operative provisions of the law relied upon for conducting the August examination;
(iii) apply the operative provisions of the law correctly;
(iv) consult with the Bank prior to reaching its findings or afford the Bank any opportunity to comment on the CBC’s preliminary findings, including clarifying any CBC misunderstandings;
(v) conduct the audit and draft the Report with full and appropriate diligence and coordination; and
(vi) appropriately benchmark, apply balance and act in good faith.

PART 2 - The Bank’s comments on the Report findings

Notwithstanding the invalidity of the Report as stated in Part 1, above, and without prejudice to this, the Bank comments on its findings following the same numbering and headings in the Report.

1. Risk Management Systems

(i) Risk identification, assessment and mitigation

The CBC alleges that the Bank has failed to apply enhanced customer due diligence measures in respect of certain FATF list countries and asserts that this is, prima facie, a breach of sections 58(d) and 64(2) of the Law and paragraphs 27 and 160 of the CBC Directive.

For good order’s sake, it should be noted that the CBC Directive cited by CBC was not in force at the time that two of the events, cited by the CBC as constituting a breach, took place.

In any event, the allegation fails to give due regard to the facts or benchmarks of common practice. Specifically, the CBC does not dispute that the Bank applied enhanced customer due diligence to all countries on the FATF Public Statement, as all such countries are listed on the Bank’s High Risk Policy and enhanced due diligence is applied accordingly. The allegation centres around compliance treatment of those countries that, in 2013, formed a new distinct ongoing compliance list called “Improving Global AML/CFT Compliance: on-going process”, being countries that were formerly listed on the FATF Public Statement but that had, at the time, made a substantive political commitment to adhere to FATF standards. It should be noted that this new list was not referred to in the CBC instructions to the Bank relating to enhanced due diligence communicated in an email of 13 August 2013 and that the CBC itself in its periodic circulars to on the subject instructed MLCOs to apply enhanced due diligence to ‘…countries referred to in the public statement of the FATF’.

The MLCO proactively identified this FATF new list during regular compliance updates. The approach taken at the time was to treat these countries on the new list as being a distinct sub-category that was not part of the existing High Risk Approach Policy of the Bank but that required all staff “to tread with caution and exercise vigilance when processing new account applications”.

It should be noted that the Bank is a Tanzanian entity and the United Republic of Tanzania was a jurisdiction that in 2014 was removed from the FATF Public Statement and went on the FATF on-going compliance list. Indeed, later in 2014 the United Republic of Tanzania was successful in these efforts and was removed from the FATF compliance list altogether. Attention is drawn to paragraph 117 of the MONEYVAL Report of 24 April 2013 which specifically identifies banks with a geographical connection to certain jurisdictions as being better able to assess country risk.

The approach taken by the MLCO at this time is consistent with international compliance standards. For example, the United Kingdom H.M. Treasury advisory notice on this subject in 2015 also allows for a distinct treatment.

Noting the importance the CBC attaches to both benchmarking and balance in its 23 May 2013 response to the MONEYVAL report (see Appendix 1), we respond that the CBC’s finding is inconsistent with their own criteria on balance and benchmarking and is, by those same criteria, not a systemic issue.

Moreover, and noting again the approach taken by other jurisdictions, we respond that the Bank’s approach to this issue does not constitute a breach of sections 58(d) and 64(2) of the Law and paragraphs 27 and 160 of the CBC Directive.

(ii) Hold mail services

The CBC’s findings on FBME’s hold-mail services are vague and not particularised and in any event simply wrong and demonstrate, at best, a complete lack of diligence on the part of the CBC given the actual knowledge CBC already has in respect of the Bank’s hold mail services from successive prior audits. The attached spread sheet (Appendix 2) shows very clearly that for the period 2012-2014 out of 1964 accounts utilising hold mail, only 8 would have the Bank’s address noted on any outgoing payment instructions and out of those, 5 account holders have a direct relationship (employment etc.) with the Bank (see Appendix 2). In other words, the hold mail service offered to clients was, in 99.6% of accounts, simply provided as an administrative service to allow bank statements and other correspondence to be held at the Bank’s premises for collection by the account holder as and when convenient. It was not, as is alleged in the Report, a surreptitious means for enabling clients to mask their actual address when making payments. The Bank has at all times been entirely transparent in offering this service to its clients and, critically, the CBC has been fully informed of the availability of the service. Indeed, the hold mail service is quite clearly stated as being available on the Bank’s account opening forms and these forms were provided to the CBC and fully approved by them. Furthermore the hold mail service formed part of the 2012 CBC audit and the CBC was provided with and had examined all documents in this respect. Moreover the terms and conditions of the hold mail service are located in every single file that the CBC has ever examined. The CBC has never notified the Bank of any concern over it, or any other bank, offering hold mail services nor ever even suggested that it is a fraud or high-risk indicator. There are perfectly legitimate reasons why an account holder may wish to avail itself of this administrative service (by way of example, some Cypriot company account holders use the hold mail service to allow their auditors in Cyprus to collect the bank account statements directly from the Bank at the end of the financial year in order to prepare their annual financial reports thereby avoiding having the Bank send the account statements abroad and the customer then have to send them back to Cyprus to their auditors). While the Bank’s address was historically used on accounts requesting hold mail services the customer’s address was always obtained, verified and captured. In late 2009, for such accounts, FBME implemented a new procedure to include either the customer’s operating or registered address in wire transactions in lieu of using the Bank’s address for correspondence. As of today the Bank’s address is attached only to accounts directly related to the Bank.

Whilst there is no requirement under the Directive for hold mail customers to be treated as high risk, it is the Bank’s policy that when the country of incorporation or operation of a customer is high risk, the customer is classified as high risk with all the enhanced due diligence measures emanating from the classification, such as close monitoring of live transactions with HotScan and annual or more frequent (where applicable) periodic reviews according to the High Risk Policy of the Bank.

Therefore, the allegations in the Report that the Bank had failed to act in accordance with sections 58(d) and 64(2) of the Law and paragraph 27 of the CBC Directive are unfounded.

(iii) Risk Assessment Report

The CBC claims that the Risk Assessment Report prepared by the Branch’s money laundering compliance officer (“MLCO”) did not contain information related to the methodology used to identify and assess the risks borne by the Branch which is crucial to convey a complete picture of the risks borne by the credit institution.

The CBC is well aware that the MLCO submitted the first Risk Assessment Report on anti-money laundering and counter terrorist financing to the CBC in February 2014 pursuant to new regulatory requirements. There was no requirement to provide a methodology with the report under the new regulations.

On 27 November 2014, the CBC invited all MLCOs to attend a workshop with PwC Germany to discuss methodology to be used when preparing the Risk Assessment Report “in order for this tool to be more useful and effective in combating ML/TF risks” (see email of Stelios Georgakis of the CBC at Appendix 3). During the training, CBC representatives reiterated that the training was meant to assist MLCOs to understand the requirements and methodology to prepare the Risk Assessment Report. By its own admission, the CBC recognised that all Risk Assessment Reports submitted were incomplete and MLCOs needed guidance to provide the methodology used. Pursuant to the December 2014 training workshop, the Branch’s MLCO submitted the methodology applied when preparing the FY2014 Risk Assessment Report to the CBC in June 2015 (see Appendix 4).

Therefore, the allegations in the Report that the Bank had failed to act in accordance with section 58(d) of the Law and paragraphs 38 and 42 of the CBC Directive are unfounded.

2. Compliance Unit

(i) Quarterly audit of new accounts

CBC claims that no responses from the Account Approval Unit of the Compliance Dept. (“AAU”) were provided to the quarterly self-audits on new accounts for Q3 and Q4 of 2013 as prepared by Compliance.

As the CBC is aware, each quarter a dedicated compliance officer of the Branch audits 10% of the new accounts and the answers and/or rectifications to deficiencies are recorded by the AAU in a shared spread sheet. The report and email chain show that the Compliance Dept. submitted its audit report for Q3 on 22 January 2014 and for Q4 on 4 June 2014. Respectively, AAU responded to Q3 report 10 days later by providing answers to each deficiency on 04 February 2014 and to Q4 report in July 2014 (see Appendices 5 and 6).

The CBC further claims in its Report that the Compliance Dept. never provided to them a summary of weaknesses as was requested by them during the onsite inspection. Such request was never made by either the CBC or PwC during the onsite inspection. Prior to Internal Audit recommendations in March 2014, no summary was generated, unless a trend of deficiencies was identified. When deficiencies were linked to human error, these were immediately rectified after identification and the report of findings was updated by AAU. Since June 2014, a summary of weaknesses identified is now prepared by the Compliance Dept. and communicated to the AAU and communication between the AAU of the Compliance Dept. and the New Accounts Unit of Customer Service Department is enhanced for a proper follow up of the information required.

(ii) Monthly Screening for Politically Exposed Persons (“PEPs”)

The CBC’s findings on the monthly screening of PEPs demonstrate complete ignorance on how data (i) is collected and recorded in the banking industry and (ii) is then extracted from both the core banking system and excel spread sheet to run the screenings against World-Check.

Core banking systems are not automated. Customer data is manually recorded by Bank officers in core banking systems like Flexcube. The Bank officers who populate customer data in the core banking system also populate the Excel spread sheet with the details of the ultimate beneficial owners. This Excel spread sheet is kept on the Branch’s server.

Customer data and UBOs data is then extracted from both the core banking system and the Excel spread sheet to perform checks against the World-Check database. They are matched against each other in order to identify whether any positive match comes up against the World-Check database.

Manual input entails a certain risk of human error; however, such risk exists both at the stage of populating the customer data in the core banking system and the UBOs data in Excel spread sheets. This does not make the Excel spread sheet any lesser a system to record certain customer data.

The Directive does not provide a methodology on how to run the checks or on what percentage to use. It only sets out the frequency such checks must be performed. The Bank acknowledges that the query to match exact names was higher than would be optimum. The Bank has significantly improved the monthly screening since January 2015 whereby monthly screenings are now done on the basis of 90% name match checks. The new percentage match has been carefully assessed with the Bank’s IT department to allow checking linguistic differences, misspelling or incompleteness and to avoid bringing up too many false positives as this would otherwise not be a reliable commercial electronic monitoring tool.

Therefore, the allegations in the Report that the Bank had failed to act in accordance with section 64(1)(c) of the Law and paragraph 149(iii) of the CBC Directive are unfounded.

3. Customer identification and due diligence procedures

(i) Identification of the Ultimate Beneficial Owner

The Report alleges that the Bank was, prima facie, in breach of 58, 61(1), 64(1)(c) and 68 C of the Law and paragraphs 87 – 117 and 149 of the CBC Directive.

It should be stressed that in 2013 the MLCO undertook a file review and identified an obligation under paragraph 55 of the CBC Directive to apply customer identification and due diligence procedures to complete the customer’s profile. The file was updated in full in 2013, and was in order prior to the date of the audit on which this Report is, apparently, based. The CBC is able to identify this exceptional and historic point because the MLCO has ensured that the evolution of the file history is transparent and documented in the file.

It should be noted that the UBO is a PEP with valid and heightened client confidentiality requirements which, however, did not impede the application of enhanced due diligence measures associated with the updated profile and during the file update a full review took place in accordance with the Law including an analysis of all transactions from 2008 (when the first accounts were opened) until 2013. At all times a dedicated client relationship officer managed the relationship. Taking into account the totality of circumstances in relation to this account there is neither a specific nor a systemic material weakness of systems and controls “that increases the risk that the branch’s services can be used by criminals for the purposes of money laundering and/or terrorist financing” as is alleged in the Report.

It should be further noted that neither the CBC, nor its then appointed Special Administrator, Mr. Dinos Christofides, experienced any difficulty in structuring transactions with the Onexim Group in 2014.

(ii) Construction of a Customer’s Business Profile

(1) Detailed information for specific business relationships listed on page 11 under paragraph ‘Construction of a Customer’s Business Profile’ sub paragraph 1 is provided in the enclosed spread sheet of Findings (see Appendix 7). To summarize, sufficient information was provided at the on-boarding stage and/or during the course of the relationship as part of periodic KYC reviews and updates and/or transaction monitoring process and/or annual transactional review of high risk customers (where applicable). All business profiles provide a clear description of the customers’ main business/professional activities. All required fields are completed and counterparties (expected origin of funds/expected destination of outgoing transfers/payments) are included and where available supported by online searches (i.e. website printouts, verification of licenses/authorizations through relevant authorities and/or independent databases for specific activities where applicable), more detailed information from the eligible third parties, from the customer directly or through agreements/invoices/contracts. In a few instances, the customer could only provide the country of origin/destination of funds or was unable to provide a particular example of counterparties at the account opening stage but the customer file provides supporting documentation for transactions or an updated business profile (as in the cases of Shinc Shipping Limited, Hailington Ltd, Glascom International Limited). There are also two instances where the customer did not provide names of recipients of future payments in the business profile but included the relevant agreement with the counterparty for outgoing transactions at on-boarding stage (Avalon Corporate Services Limited and Boward Construction Ltd). Very few business profiles do not provide financial data for the past year however in all such cases the company was a “start-up” incorporated only a few months prior to the account opening. Financial data would therefore not be available. Examples of such cases are Rydale International Holdings Ltd, Vermania Ltd, Cumulus Ltd and WW Consult BV.

Where applicable, an ownership/group structure is provided and held on the customer file which details the information on affiliated/associated and parent companies. For a very small number of customer files, information such as country of incorporation or main activities of the parent company, subsidiary companies and associated companies were not completed, however, in such instances the needed information is either made available in an attached structure chart or refers to existing customers of the Bank and the “missing” information is held in their respective customer files.

On very few occasions it may have seemed that information obtained from the eligible third party or from the customer has not been challenged. However, it should be noted that this either refers to relationships on-boarded many years ago, when the on-boarding requirements were less stringent, or it is not documented in the customer file that public database searches were carried out, but because no contradicting data to that provided by the eligible third party was found the information could not be challenged; in these circumstances the fact that there was a “non-productive search result” for relevant information was not always documented. It could, and should have been, readily observed during the onsite examination in June 2014 from reviewing the list of declined accounts, that information provided is always challenged (even numerous times for certain applications) and if grounds exist for the Bank to conclude that information received from the eligible third party and/or customer contradicts the public database search and/or investigation results the Bank proceeds with declining the relevant application and/or taking further steps of terminating the relationship with the eligible third party depending on the severity of the case.

(2) Detailed information for specific business relationships listed on page 11 under paragraph ‘Construction of a Customer’s Business Profile’ sub paragraph 2 is provided in the enclosed spread sheet of Findings (see Appendix 7). To summarize, in all referenced customer files an acceptable proof of residential address for the ultimate beneficial owner and/or authorized signatory(ies) has been obtained and verified. In particular the Bank obtained a bank statement, utility bill or confirmation of address by a senior bank official. The Bank also relied on verification of address in form of a letter provided by a financial institution (bank) which has never been objected in prior audits by the CBC and confirms the address of the customer by a financial institution in the same manner as a bank statement. Such letters are either in original or certified as true copy of the original by an eligible third party or by a Bank official. There are also instances where the Bank relied on certified true copies of internal Russian or Ukrainian passports, which are acceptable proofs of address as per the CBC. There are some instances where, although an acceptable up-to-date proof of address is available on file, a brief translation into English of the address by the Bank is missing. Such a minor omission, however, cannot constitute a non-verification of customer’s residential address.

There is one instance, where indeed the address verification is not in line with the current rules. In particular, the case of Roman Consultancy Ltd. Roman Consultancy Ltd was on-boarded in 2004 and the address was verified in form of a UK driving license, certified by an eligible third party. The customer used the account last time in 2009 and has been dormant since. Under the dormancy procedure, if the customer were to attempt to transact, the customer file would be fully updated prior to authorizing any transaction (please also refer to the compliance internal process document).

(3) In regards to the CBC’s findings related to Mediafine Trading Ltd mentioned on page 11, the company is incorporated in Belize and an apostilled copy of the share certificate of registered shareholders was obtained by the Bank at the on-boarding stage (see Appendix 8).

(4) In regards to trust deeds/agreements between the nominee shareholder and the beneficiary of the account, it is mentioned that such agreements were not obtained. However, in all customer files referenced in paragraph (4) on page 11 of the Report, a trust deed/agreement and/or declaration of trust has been obtained if applicable according to the corporate structure. In some instances a declaration of trust has been obtained which states that registered shares in the name of the nominee are held on behalf of the true beneficial owner. Such declaration is executed by the nominee and certified as a true copy of the original by a Bank official or eligible third party or is held in original. In the instance of Edenbridge Directors Ltd, Vantouro Co Ltd or Trident Alliance Ltd, the company structure is such that a trust deed/agreement/declaration of trust is not required because the shares are held directly by another company or foundation or the ultimate beneficial owner himself (see relevant supporting company documentation in Appendix 8).

There is one instance where a trust deed/agreement was obtained which required signing by both the nominee shareholder and the beneficial owner but was signed only by the nominee shareholder, making it more akin to a declaration of trust, which discloses the ultimate beneficial owner, than to a trust deed. However, notwithstanding the enforceability or otherwise of such a document between the parties, the Bank took steps to verify the beneficial ownership.

(5) In regards to the CBC’s comments referenced on page 12 paragraph (5), where the board of directors’ resolution for opening an account and granting authority to those who will operate it has not been obtained for the customer Classic Elements Corp, it should be noted that the application forms for opening the subject account were signed by the authorized account signatory who had been granted a perpetual Power of Attorney executed by the company’s Director, which clearly states that he/she was authorized to open bank accounts and sign all kinds of documentation in connection with the account (see Appendix 8).

(6) In regards to the CBC’s comments on page 12 paragraph (6), where the certificate of directors was not obtained by the Branch it should be noted that each customer file referenced in the Report under the above paragraph contains the relevant document appointing the director of the company. In jurisdictions such as Gibraltar, British Virgin Islands etc. the “Certificate of Directors” as it is known for Cyprus companies is substituted depending on each country’s local company law by the “appointment of first director by the incorporator/subscriber”. Please see copies of relevant resolutions enclosed in Appendix 8. In the instance of Vantouro Co Ltd which is a company incorporated in Cyprus, it should be understood that the company underwent changes in management in 2013 and the Bank obtained the form HE4 which is required by the Cyprus Registrar of Companies to effect management changes in their databases. The form is supported by the receipt, which was obtained when the documents were submitted to the aforementioned Registrar. It takes a considerable time to receive the new Certificate of Directors from the Companies Registrar in Cyprus and therefore the management changes were effected based on the aforementioned documents. The Certificate of Directors for the Director at the on-boarding stage had been obtained and certified as true copy of the original by a Bank official.

(7) In regards to the CBC’s comments referenced on page 12 paragraph (7), where the Branch did not carry out any checks via public databases (i.e. World-Check) to identify whether the customer or the UBO is a politically exposed person or whether negative information exists in the press or the internet, it should be noted that for all customer files (except one) referenced in the above paragraph, World-Check was carried out. It should be noted that World-Check was introduced by the Bank as a customer identification/verification tool in January 2008.

For the exceptional case, M.D. Software, it should be mentioned that the customer was an eligible third party based in Limassol and was on-boarded in 2001 (prior to the introduction of World-Check to the Bank). The customer has not used the account since March 2005.

In other cases referenced in the CBC’s Report under the same paragraph a World-Check has been carried out and where a PEP match was identified, the customer was approved and on-boarded in line with the relevant CBC Directive and the Bank’s internal procedures. In the case of Lewis Calcutt, the customer file contains online printouts about the company mentioned in the “employer details” section, which happened to be his own company, and the World-Check does not reveal a match. In the cases of Alexander Shishkin (Rusbiotech Intl Ltd) or Avicta Limited (Igor Balenko), it should be noted that both beneficial owners have PEP status, as per the World-Check carried out at the on-boarding stage, which in both cases is enclosed in the customer file. The World-Check bears the signature of the MLCO for approval granted for the on-boarding of the aforementioned relationships. The customer file also contains a PEP Enhanced Due Diligence Profile form which lists in detail the source of wealth and source of funds and the educational/professional background of the PEPs, supporting documentation from various online sources on the beneficial owners’ businesses, net worth and the PEP status. In the case of Charalambos Fellas, who was on-boarded in 2008, a World-Check was carried out but did not reveal a PEP match. Further the activity profile of the customer indicates that subject person is an accountant who acted as an eligible third party to the Bank, however the relationship was terminated in 2010. For all cases referenced in the Report, it therefore cannot be concluded that checks via public databases or World-Check have not been carried out. Please refer to the enclosed documentation for each referenced customer at Appendix 8 and also to the information stated in the enclosed spread sheet of Findings at Appendix 7.

(iii) Enhanced Due Diligence Measures

(1) In regards to the CBC’s comments in 3 (iii) sub paragraph (1), where the Report alleges that in a number of cases of high risk customers referenced in the Report the MLCO’s comment/opinion and/or senior management approval was missing for on-boarding the customer, the following should be clarified: some of the customers named in the Report were on-boarded prior to the issuance of the latest AML Directive which requires the MLCO’s comment/opinion for on-boarding every high risk customer or increasing the risk of customer from normal to high. For the instances where the relationship is a PEP relationship, the MLCO’s approval was granted at all times at the on-boarding stage by signing the World-Check of the respective customer as “ok to proceed”. The said customers were on-boarded as “High Risk PEP” and the annual reviews were carried out respectively. A summary note of each review is held on the customer file and signed by management for continuation of the relationship. Starting from January 2014, for each PEP relationship an enhanced due diligence PEP profile was prepared in addition to the summary note for transactional review. This lists in detail the source of wealth, source of funds and the educational/professional background of PEPs along with supporting documentation from various online sources on the beneficial owners’ businesses, net worth and the PEP status. Each profile is assessed by the MLCO or, in the absence of the MLCO by the Alternate MLCO, and signed for continuation of relationship and a comment is made as to whether any other action is required to be taken. Please find enclosed the aforementioned World-Checks and annual reviews relating to the PEP customers referenced in the Report at Appendix 8.

It should be noted that in a few cases the customers named in the Report were on-boarded after the issuance of the AML Directive in December 2013 which was circulated to banks in January 2014. In regards to such customers it should be clarified that the changes to the Compliance MoPP pertaining to the issuance of the new AML Directive were approved by the Executive Committee and ratified by the Board of Directors in May 2014 and enacted thereafter. There are a number of customers which are referenced in the Report which were on-boarded between January 2014 and May 2014 and therefore the opinion/comment of the MLCO was not obtained (here it should be noted though that the final approval of all accounts in the Bank is done by a Unit of Compliance Department that reports to the MLCO). This refers mainly to customers which fall under the category of high risk other (geography or activity risk as per the Bank’s High Risk Approach policy) or high risk - foundation. Please see detailed comments enclosed in the spread sheet of Findings for each customer (see Appendix 7). The aforementioned customers are considered as existing relationships and as per paragraph 124 of the AML Directive the MLCO’s approval is obtained “during the review process”. The above are non-exhaustive examples; please refer to the enclosed spread sheet of Findings for clarifications on all customers referenced in the Report under the relevant section (see Appendix 7). However to summarize, none of the high risk customers mentioned were on-boarded in breach of the AML Directive as alleged in the Report.

(2) (i) In regards to the CBC’s comments made on page 12 sub paragraph (2i) for “accounts in the names of companies whose shares are in the form of bearer” it can be summarized that all referenced customers have the annual reviews for each year following the on-boarding included in the customer file. There are some instances where the annual review of 2014 for the FY2013 was not yet carried out at the time of the onsite examination, however, during the course of the year all referenced customers were reviewed from the perspective of continuation of relationship as per the AML Directive. For reference, all annual reviews are enclosed for each respective year at Appendix 8. The summary includes comments about the customers’ transactions, the turnover and requirements which relate to customer KYC update or transactions, if applicable.

(ii) In regards to the customer names mentioned in paragraph (2) sub section (ii) which relates to obtaining from the third person who introduced the customer or the director a written confirmation that the capital base and the shareholding structure of the company or that of its holding company, as the case may be, has not been altered by the issue of new bearer shares or the cancellation of existing ones, it should be clarified that the required annual confirmation was either obtained at a later stage in 2014 and a copy of such confirmation is enclosed, or in a few cases has yet to be obtained however these particular customers are marked with a relevant No Debit/No Credit Marker 1 which indicates that the customer is due to provide aforementioned confirmation before it can transact. For Starwood Investments Limited, the company is incorporated in Seychelles and the local companies law in Seychelles was changed in December 2013 such that bearer shares were no longer allowed. The customer provided relevant corporate documentation to reflect the changes from bearer shares to registered shares. Therefore the confirmation that capital base and the shareholding structure have not changed is no longer applicable and supporting documentation to that effect are held on file.

(3) (i) In regards to the CBC’s comments on page 13 paragraph (3) sub section (i) relating to the relationship with Igor Balenko (the owner of 2nd largest supermarket chain in Ukraine comprising more than 100 supermarkets), where the CBC states that the accounts and the business profile of the customer were not subject to annual review in order to determine whether to allow the account to continue operating, it should be clarified that the accounts related to Igor Balenko were always classified as High Risk PEP since the on-boarding of the relationship and relevant annual reviews and decision for continuation of relationship signed by the MLCO were held on files. The annual review of 2014 for FY2013 had not been carried out at the time of the onsite examination however it was carried out during the second half of the year. For reference, copies of the annual reviews of transactions together with copies of the annual reviews of the customer identification data are enclosed, including signed World-Checks by the MLCO to continue the relationship at Appendix 8. The business profiles remained up to date throughout the relationship.

(ii) In regards to the CBC’s findings on page 13 paragraph (3) sub section (ii) where the CBC alleges that the Bank did not prepare a note summarizing the results of the review, or submit to the senior management the said review for consideration and approval, we refer to the comments made in the previous paragraph as they refer to the same customer, Igor Balenko (Avicta Limited). In regards to the CBC’s comments related to Vladimir Smirnov, including the corporate account Bailey Ventures, which is owned by the wife of the former, it should be noted that the relationship was classified as high risk PEP at the time of the on-boarding. The summaries with comments on the annual review have been carried out respectively and are signed by the MLCO or a senior compliance officer/supervisor of the unit. The World-Checks for each year’s review are signed by the MLCO, copies of which are enclosed at Appendix 8. During the review for the FY2013, a PEP enhanced due diligence profile was prepared, and based on additional information identified from the public databases on Vladimir Smirnov, it was concluded that the subject does not classify as PEP anymore due to his status as a former senior executive of a state-owned enterprise for the last 6 years. The de-risking from high risk PEP to normal risk was recommended by the investigating officer and was approved by the MLCO (see the enclosed PEP enhanced due diligence profile which recommended the change at Appendix 8).

(iii) In regards to the CBC’s comments made in paragraph (3) sub section (iii) where it is alleged that the Bank did not take adequate measure to establish the source of wealth of the customer, it should be clearly mentioned that all referenced names no longer classify as PEPs, however, in all respective customer files the PEP enhanced due diligence profile continues to exist (which among other things gives details of the source of wealth and source of funds and the educational/professional background of the PEP, supporting documentation from various online sources on the businesses, net worth and the wealth status) concluding that the subject person no longer classifies as PEP, based on the facts stated in the profile and the MLCO approval was obtained for changing the risk status as per the requirements of the AML Directive. Copies of the aforementioned profiles are enclosed at Appendix 8. The CBC error on this point arises because the MLCO has ensured that the evolution of the file history is transparent and documented in the file (thus identifying historical PEP status) and because the CBC audit was superficial and/or lacking sufficient objectivity to identify and give appropriate treatment to the documented downgrade from PEP status.

(iv) Misclassification of risk

In regards to the CBC’s comments mentioned on page 13 paragraph 3 (iv) where it was observed that the customers were categorized as normal risk instead of high risk, it should be noted that none of the referenced customers were wrongly classified. For example, Valery Kogan was incorrectly classified as PEP by World-Check due to his alleged family relationship to a PEP (brother) (this was identified as a false positive following the Bank’s further investigation which identified that the father’s name differs, and the birthplace of Valery Kogan as flagged by World-Check is Ukraine whereas our customer, Valery Kogan, was born in Tajikistan) and Larisa Drozdova (wife of Vladimir Smirnov – see comment above in paragraph 3 (iii)). These no longer classify as PEPs as per the explanations provided above and detailed in the enclosed enhanced due diligence PEP profiles at Appendix 8. The profiles in each case contain particular facts which led to the conclusion to change the risk status from high risk to normal risk and were presented to the CBC/PwC examiners during the course of the examination. It is not clear why this information was not, therefore, given due weight in the Report.

There are other instances which are referenced in the Report which may relate to misclassification due to activity risk and/or geography risk as per the Bank’s High Risk Approach Policy and these need to be clarified: in the case of Lionman Energy Ltd, the customer has been classified as high risk according to the Bank’s High Risk Approach policy (oil and gas related activities) since the on-boarding stage. Supporting information regarding the forecasted turnover and details provided by the customer on the purpose of the account were provided, background checks on the company and the beneficial owner were also carried out and are enclosed in the customer file. The copies thereof are enclosed at Appendix 8. In the case of WGVC Ltd and Solitento Ltd, it is understood, absent any explanation from CBC, that the names are mentioned in the “misclassification of risk” section due to their possible exposure to Belarus. The said exposure we believe is explained due to both companies having an association with Wargaming PLC (one of the largest shareholders of a systemic bank in Cyprus and therefore, presumably, well known to the CBC and in good standing) which initially had its important hub in Belarus, however, today it has its main quarters in Cyprus and it operates in more than 16 countries. In the case of WGVC Ltd the company entered into a joint venture with Wargaming PLC, and in the case of Solitento Ltd, the customer is a holding company holding shares in Wargaming PLC. The beneficial owner of both companies has dual citizenship (Belarus/Cyprus) and permanently resides in Cyprus. Although we consider that the customer has no direct exposure to Belarus, as detailed above, based on the fact that the latter is included in the Bank’s High Risk Approach policy, we will reconsider the risk classification.

In the instance of Leaf Tobacco Ltd and A. Michaelides SA it needs to be explained that the CIF has been opened in the system for a syndicate loan where Deutsche Bank was acting as the lead arranger and the Bank was acting as a syndicate member. The relationship of the Bank is with Deutsche Bank and not with Leaf Tobacco (the funds were lent to Deutsche Bank). No current account exists for the customer, meaning no transaction could be carried out on behalf of Leaf Tobacco. Due to the aforementioned facts the customer has been classified as normal risk (as opposed to high for tobacco-related activity). Deutsche Bank had, until recently a long standing correspondent banking relationship with the Bank and, we understand, continues to be the principal correspondent Bank for CBC.

Further in the instance of Joseph Nazih Karam it should be noted that the risk classification of the customer was changed from normal to high risk in November 2011 when the account was approved by the MLCO as investment/ services account, in line with the Bank’s High Risk Approach policy and the AML Directive, therefore it is, again, not clear why he was mentioned in the Report given the information available to CBC in this regard.

The remaining two customers referenced in the Report also do not qualify as high risk (Cleda Ltd and Mineworks Ltd) as the beneficial owner of these companies (Tatiana Regan) does not classify as a PEP for at least the last 30 years following her divorce from her PEP ex-husband. World-Check does not reveal a match on the aforementioned person and the countries of operation/incorporation and/or activities of both companies do not fall into any of the categories of the Bank’s High Risk Approach policy. Please also refer to the enclosed spread sheet of Findings and documentation which provide further information on the subject customers (see Appendix 7).

In each of these instances above sufficient information was readily available to CBC/PwC examiners to avoid the erroneous conclusions drawn. It is not clear why this information was not, therefore, given due weight in the Report.

(v) Review/updating of business and risk profile

The review procedure of 2010 as instructed by the CBC and referenced in the Report and which commenced in December 2009 was completed before the end of 2010 (see enclosed the last progress report of the project dated 17th December 2010 which shows 93 files (or 1.14%) of the total existing files remaining to complete the project as Appendix 9). It should be noted that the status of the review project of 2010 was not raised during the November 2011 examination (being the first on-site examination after the imposition of the administrative fine) nor was it mentioned in the on-site examination report issued thereafter as a finding. In view of the extensive and onerous exercise carried out by the Bank in 2010 to a tight timeframe imposed by the CBC, and in order to both avoid future disruption of Bank operations and to ensure an ongoing process of reviewing and updating customer identification records, the Bank created a new unit called KYC Due Diligence Update Unit within the Compliance Department in June 2011. This unit consisted of 7 (seven) employees and was tasked with reviewing and updating customer identification records of high risk customers annually and all normal risk customers (and not only those opened prior to 2010) once every three years in line with paragraph 54 of the CBC Directive. It is noted that the CBC Directive does not specify a timeframe during which the regular review, examination and update of the customer identification data should be conducted and gives credit institutions discretion to determine such timeframe.

The information depicted on the screenshots named “Progress – File Review of High Risk Accounts” and “Progress – File Review of Normal Risk Accounts” dated 27 June 2014 is the monthly reporting of the said Unit to the Head of Compliance on the progress of the review of accounts both in the high risk and normal risk categories. In case of the former it refers to all accounts classified as high risk, as all high risk accounts are due for review every year and in case of the latter it refers to the accounts which are due for review by the Unit in any particular year (in 2014 the target for review was 2340 out of the total 8801 accounts in the normal risk category. As it can be observed as of end of June 2014 the target for review of accounts in the normal risk category in year 2014 was already met by the Unit and the review of 1183 high risk accounts was well underway).

It should also be noted that the clients in certain high risk categories, namely accounts with bearer shares, e-gaming/gambling clients, client accounts and PEP accounts are reviewed twice a year; once for updating the identification records and second time for a thorough transactional review and sign-off by the Head of Compliance/Alternate MLCO for the continuation of the relationship.

It is worth mentioning that, as a risk-based approach and in accordance with paragraph 53 of the CBC Directive and article 62 (6) of the AML Law, the application of customer identification and due diligence procedures was “at appropriate times to existing customers, depending on the level of risk of being involved in money laundering or terrorist financing activities”. The priority in the selection of normal risk accounts due for periodic review in any particular year was given to active customers as opposed to customers who were dormant and had not used their accounts for a number of years (for example in case of Mediafine Trading Ltd and Charalambos Fellas specified in the Report since 2009 and 2010 respectively).

In this context it should be stressed that separate dormancy procedures exist and are detailed in the Compliance MoPP and in the enclosed Internal Process Document for the Compliance Monitoring Unit at Appendix 10. These procedures require stopping debit/credit transactions of customers classified as dormant by the system and applying the update procedures before the transaction can take place. In regards to Marker 8, the Internal Process Document for the KYC Update Unit (enclosed at Appendix 11) clearly lists cases where such Marker should be used, (i.e. when no response is received from the customer within the deadline specified in the email sent to the customer and depending on what information is missing or requires updating, etc.).

It should be appreciated that the certification requirements of the CBC Directive create onerous logistical challenges in cases where clients reside in countries which are not signatories to the Hague Convention and where the client does not use the services of the eligible third party past the introduction stage. In this situation weeks are often spent on communication alone between the Bank and such clients before a solution for appropriate certification of documents is found. In addition to the aforesaid, statements in the Report such as “the branch failed to monitor the outcome of such requests” or “such requests remained unanswered” are misstatements, as there are spread sheets and databases which are used to monitor each and every review, and the requirements sent to the customers, as well as the information/documentation received and the progress made. The said databases were further enhanced to be a better monitoring tool with the assistance of the Internal Audit Unit as noted in the Report and it should be noted that, client communication is by no means limited to email communication and, therefore, absence of an electronic response from clients does not, by default, support the conclusion that the client has not communicated with the Bank in regards to the update of their identification records.

Lastly and in order to address the concerns in section (v) 3, the review does cover the transactional behaviour of customers, as requests for up-to-date business profiles are based on transactional reviews in addition to having an aim to update the financial figures, business activities and other information covered in the Bank’s Business Profile form. Moreover, out of 58 customers mentioned in the referenced section, 38 are high risk customers, therefore they are not only subject to an annual thorough transactional review required for customers in certain high risk categories in order to continue the relationship but also their names were uploaded in the department’s real-time screening/filtering software (HotScan) and every single transfer no matter how large or small was reviewed by Compliance Dept. before processing as per the internal procedure.

Therefore, the allegations in the Report that the Bank had failed to act in accordance with sections 58, 61(1), 64(1) (c) and 68 C of the Law and paragraphs 87 – 117 and 149 of the CBC Directive are unfounded. It should be further noted that the findings set out in this section of the report disregard information either already in the actual knowledge of the CBC or otherwise available to a diligent audit, and additionally fails to give due weight to CBC’s own criteria on benchmarking and balance as set out in its 23 May 2013 response to the MONEYVAL report.

4. AML IT System and monitoring of transactions

4.1 (i) Mantas is one of the automated monitoring systems used by the Bank to monitor and investigate transactions. It is based on a very sophisticated system of thresholds and parameters so that transactions can be flagged as bearing a higher risk for money laundering and/or terrorist financing. Alerts are generated post factum and thus the system is a risk mitigation tool. The Bank also relies on HotScan which is a live automated monitoring system linked to SWIFT with the ability to stop transactions if thresholds are met or matches are found between the transaction details and watch-lists uploaded by the Bank in the system. The Bank also relies on around 30 manual markers which have particular monitoring purposes and ensure that before any transaction can be processed it should be first reviewed and approved by the Compliance Dept. The CBC alleges that the Bank has wittingly designed its Mantas monitoring system (limiting the parameters and thresholds) in such way for large number of transactions to be excluded from the monitoring. This assertion is made in bad faith notwithstanding (i) EY and KPMG reports confirming the efficiency of the automated monitoring systems in place whilst recognising the need for certain enhancements (such as incorporating a new scenario) and (ii) MLCO providing all supporting clarifications and explanations as to the parameters on scenarios, backlogs and auto suppression alerts. The Bank has been using Mantas as a monitoring tool for many years and the scenarios were submitted to the CBC in the MLCO annual report every year. The CBC never made any recommendations to incorporate new scenarios.

The Bank has incorporated 6 Mantas scenarios with specific thresholds and parameters which are commensurate to the nature and scale of the business transactions of the Bank. As referred above, EY report recommended the Bank incorporate a new scenario (structuring detection scenario) which is specifically for USD transaction in line with US industry practice and US regulatory expectations. No recommendations were made regarding any other additional scenario to comply with local requirements, different thresholds or parameters to improve the alert monitoring.

(ii) The CBC’s assertions on how Compliance officers of the Bank review findings and alerts show a complete lack of understanding, or refusal to understand, how the system operates and the fact that other monitoring tools are used in conjunction with the overall monitoring and investigating process. Alerts generate historical transactions of the customers with the relevant counterparty and behavioural patterns. The AML investigating officer does not “randomly select[s] large transactions to review” but rather reviews the relevant transactions in line with a) the historical transactions with the same counterparty, b) the pattern of the transactional behaviour of the client and c) the supporting documentation already provided to the Bank to support the earlier transactions with the same counterparty. It is also noted that Mantas alerts are only one of the monitoring tools used by investigating officers when transactions are monitored. HotScan is a live monitoring tool and, due to its live nature and as a risk-mitigation tool, a four-eye principle is applied to all alerts, as opposed to Mantas, which is a post-factum monitoring tool and as such does not need a four-eye principle as a) alerts can be reopened and reinvestigated any time and b) the investigation of alerts is performed by rotation of officers. HotScan is used in conjunction with Mantas and is very efficient as reported in the KPMG report which noted that for the two months under review 99% of the total number of Branch’s transactions executed each day in January 2013 and 92% in February 2013 were caught; this is well above the industry norm. Therefore the CBC’s allegation that ‘…large number of transactions [to be excluded] from the monitoring’ is unfounded.

The system auto-suppresses alerts when they do not meet the scenario thresholds. The MLCO provided the manual of the system administrator to the CBC during the inspection on 4 July 2014 (see email at Appendix 12 and extract of the Manual at Appendix 13) and directed the CBC to the relevant section on pages 199-200 on closing alerts. In particular, the Manual provides that “Oracle Mantas regularly runs an auto-suppression process to determine if there are alerts that meet the suppression criteria. The alerts that the scenario generates for the specific focus and that meet the suppression criteria do not display for a user’s action. Instead, Oracle Mantas automatically closes them”. The criteria can only be set by the system administrator and suppression is triggered by the system rather than manually. Suppressed alerts can be reopened if required. It is therefore incorrect to state that alerts can be suppressed intentionally. There is a manual suppression option with a possibility to reopen, but it is very rarely used and only for alerts with counterparties that have been thoroughly investigated or are clearly false positives.

The CBC questions the efficiency of the Mantas system due to an important backlog of alerts and the duplicate alerts. It is standard for Mantas alerts to be investigated a few weeks or even months after they are generated, given that they occur post factum. It is not uncommon for blue-chip banks (for example the Bank’s and CBC’s former common correspondent, Deutsche Bank) to send Mantas enquiries up to 6 months after the transaction occurred, and in this respect the CBC fails to benchmark appropriately to industry practice of which it has actual knowledge. It should be noted that the allegation that, as of June 2014, “there were 2000 open alerts still in the system without being investigated” is unfounded. In fact, open alerts in many cases meant that the alerts were opened and investigated; however, they remained open until customers would provide the supporting documents as requested by the investigating officer, or in some other instances were duplicate alerts. The issue of duplicate alerts was reported to Oracle by the Bank’s IT department and by other Mantas users and was being investigated for rectification (see Appendices 14 and 15).

The automated monitoring systems are designed to catch a high number of transactions to ensure due monitoring. As recommended in the MONEYVAL report, “Banks should review the resources allocated to the monitoring of high risk international business and where necessary to increase resources of compliance departments to fully investigate and properly review all alerts raised on high risk accounts.” In this regard, HotScan captures and stops all transactions related to all high risk accounts, which is a preventative risk-based measure and ensures thorough monitoring of high risk relationships. KPMG recognised in their report that the Bank’s Compliance department was able to review a high number of alerts due to substantial staffing.

We contend that the allegations in the Report that the Bank had failed to act in accordance with section 58(e) and 61(1)(d) of the Law and paragraphs 162-167 of the CBC Directive are unfounded and, given the manifest lack of balance, benchmarking or systemic impact, can only be construed as being made in bad faith.

4.2. and 4.3.

Paragraph 167 of the CBC Directive requires “…comparing on a regular basis the actual movement of the account with the expected turnover as declared when opening the account…”. It further goes on to state that “Significant deviations must be further investigated and the relevant findings recorded in the appropriate memo which should be kept in the customer’s file”.

In line with the above requirements the Bank has implemented procedures for the identification of significant turnover deviations quarterly and investigation of such on an individual basis, recording of findings in the relevant database and on a Turnover Deviation Form completed for each customer and filed in the customer file, as well as contacting customers for obtaining clarification and/or supporting documentation and/or new business profile, if required.

As the above-referenced paragraph does not define the term “significant deviation”, due to the nature of the Bank’s business being non-retail and the Bank’s customers being predominantly corporate entities, the 100% deviation was considered as being “significant” (meaning that for a corporate client who declared EUR 50,000 estimated account turnover in year 2013 a turnover of EUR 100,000 would be investigated as part of the turnover deviation procedure and explanations/supporting documentation would be obtained to justify the increased turnover). As it can be appreciated, it is easier for a natural person to forecast a more accurate annual income based on the employment terms than it is for legal persons to forecast exact sales 2-3 years in advance, which, coupled with economic downturns, becomes an even more difficult task.

Similarly, the above paragraph of the CBC Directive does not specify that both the upward and the downward deviations should be reviewed as part of the process, nor was this ever brought up during any of the prior on-site inspections when the turnover deviation procedures as well as the practical implementation of the same were thoroughly examined by the CBC’s examiners. Furthermore, at no point has a requirement to investigate downward turnover deviations been mentioned in any of the prior on-site examination reports of the CBC.

As to the CBC’s point regarding large number of accounts being “excluded” from the review due to considering only positive (upward) deviation, it wouldn’t be an overstretched assumption that the majority of customers who would be flagged for investigation for downward deviation, had such been carried out, would be dormant customers i.e. customers inactive for 12 months and over (at least 9 such customers were mentioned in the table provided on page 20 of the Report “the Table”) and in that respect it should be mentioned that the Bank has clearly defined dormancy procedures in place which require review and update of customer business profiles and identification records, these are triggered by a debit or credit transaction of any amount.

Regarding the CBC’s allegation in relation to declared turnover not being based on financial decisions but being “set too high in order to avoid such investigations”, as we have difficulty finding out which particular case this refers to we would explain it on the example of one of the clients mentioned in the Table, namely Language Link Ltd. The financial statements filed in the customer file show a negative profit for FY 2011 and positive profit of approximately £604K for FY2012. The declared turnover on the other hand for the first year of account operation (2013) was stated as £984K. However, what the examiners presumably failed to consider is that Language Link Ltd was a credit client (as stated on the business profile) and the amount declared on the business profile was exactly the amount of the credit facility granted by the Bank and should not have been compared with the financial data stated on the financial statements provided by the client. Given that the former Special Administrator, Dinos Christofides and the CBC were extensively involved in the eventual repayment of this exposure and had extensive access to the file and, indeed the clients, it is astonishing to see Language Link Ltd cited in this manner.

Below is an extract from the Internal Process Document for Compliance Monitoring Unit which shows that the information provided by clients to justify the turnover deviation is challenged, that deviation cases are investigated and, where grounds exist, a report is filed with MOKAS on the basis of such investigation.

“Reports with customers with turnover deviations are forwarded accordingly to the CRM team (CRM portfolio clients), Moscow Representative Office (MRO clients), KYC Due Diligence Update Unit (clients without expected turnover for the year) and Front Office (the remaining clients) for contacting customers in order to obtain clarifications/supporting documents/business profiles on deviations as deemed necessary

If the information received is not satisfactory, further explanations are requested. In cases the Compliance team is not satisfied with the information provided and suspicion is raised, customer is reported to the MLCO as an Internal Suspicion. After careful evaluation the MLCO decides whether suspicion exists and it is warranted to report the customer to MOKAS or closes the case”

The Bank responds that any allegation of breach of paragraph 186 of the CBC Directive is unfounded. The Bank does, however, acknowledge that a material and deliberate breach of the Law and the CBC Directive took place in relation to the Language Link Ltd account at the initiative of the former Special Administrator, Dinos Christofides, and with the co-operation of the CBC. This is detailed later in the Reply. Its omission from the Report given the erroneous identification by the CBC of breaches of obligations in relation to Language Link Ltd is selective and partial reporting and evidences, again, a lack of balance, benchmarking and good faith on the part of the CBC.

5. EU Regulation 1781/2006 – on information on the payer accompanying transfers of funds (Electronic Funds Transfers)

As with the allegations in section 1(ii) (Hold mail), the allegations in this section that the Bank facilitated customers by anonymising transactions are incorrect and again show a complete lack of diligence by the CBC in its examination of these issues. The ‘indicative examples’ are indeed account holders using the hold mail service and, as has been explained in some detail in section 1(ii) above, this simply meant that they were collecting their statements from the Bank instead of having them posted to them (See Appendix 16). From 2012 onwards out of the 1964 account holders who utilised the hold mail service only 0.4% or 8 clients made outward payments with the Bank’s address, and these were either parties directly related/associated with the Bank or accounts dormant for a considerable period of time and thus subject to the Bank’s dormancy procedures. There were only three hold mail customers as at the time of the June Examination out of the 8 mentioned above who do not fall under any of the categories mentioned above and who transacted with the Bank’s address on outward payments during the period under review; however, those were unintentional omissions from the corrective action taken by the Bank in 2009. In view of the foregoing, customers mentioned as indicative examples under this section are either parties directly related to the Bank, or closed accounts, or the abovementioned three cases which were left out of the project by human error. Therefore there was no mal-intention on the part of the Bank and there had never been, as the CBC is trying to portray, action ‘to facilitate the lack of traceability’ or ‘enhanc[ing] the anonymity of certain transactions’. Had the CBC made a proper investigation this fact would have been fully apparent to them. Therefore, there is no breach of Articles (4) and (5) of the referenced Council Regulation or indeed any other applicable law or regulation.

6. Record Keeping

(1) Section (1) of paragraph 6 of the Report states that records are required to be kept for a period of at least five years relating to (i) copies of customer identification evidence, (ii) the relevant evidence and details of all business relationships and transactions, including documents for the recording of transactions in the accounting book and (iii) the relevant documents and correspondence with customers and other persons with whom a business relationship is maintained. As is in the actual knowledge of the CBC, according to the Bank’s Manual of Policies and Procedures such records are required to be kept throughout the whole account relationship and at least for 10 years after the closure of the account. Paragraph 6 of the Report further references observations made in paragraph 4 of the Report regarding certain documents which the Branch “has not obtained”. This appears to be an erroneous reference and is presumably intended to relate to paragraph 3 of the Report instead, which covers “Customer identification and due diligence procedures”. As already commented in the relevant section (Section 3) and as per the details in the enclosed spread sheet of Findings (supported by copies from the relevant customer files) for each referenced customer relating to the CBC’s findings under “Customer identification and due diligence procedures”, in the majority of cases the CBC’s findings are unjustified (see Appendix 7).

(2) In paragraph 6 sub paragraph (2) of the Report the CBC comments that in some cases, from the evidence available to the CBC, it appears that customers’ identification documents were not certified or not properly certified. The Report mentions indicative examples of such customer files; however, contrary to the CBC’s findings, our records show that in a large number of cases the identification documents were indeed properly certified. In a few instances the customer identification documents were certified by an eligible third party at the on-boarding stage; however, at the time of the onsite examination the relationship with such eligible third parties was either terminated (in case of certifications provided by Turner Little or Global Financial Consulting K/S) or the name of the eligible third party had changed since (in case of Companies Plus Limited formerly Bloomsbury Management Services Ltd). During the onsite examination, in cases where the names of parties who appeared to have provided certification of customer identification documents did not appear in the current list of the Bank’s Approved Third Parties (ATP), an explanation was provided to the examiners of PwC and the CBC (including showing the files of those terminated ATP relationships). There are other instances where identification documents were clearly stamped as “copied from nominee file” which contains either the original or an acceptable certified true copy of the original. In other cases officials of banks located in the EU or the Bank’s own officials or eligible third parties certified the customer identification documents. There are a few instances where, although the customer was on-boarded long before the issuance of the first AML Directive in 2008 when no strict certification requirements existed, it is rightly identified that such certification is not in line with the current AML Directive; however, these particular customers have been dormant for around 10 years and more, and according to the Bank’s dormancy procedures, if the said customers attempt to transact their respective identification documents would be updated in line with the current certification standards before executing any transaction. A detailed summary of each customer file referenced under paragraph 6 is enclosed in the spread sheet of Findings (see Appendix 7).

7. Staff awareness and training

(i) We note the CBC’s reference to one of the recommendations made by EY at pages 11-12 of their report of 22 September 2014 to have a consolidated training register. In addition to any registers maintained by the Head of Compliance, the Training Manager of the Branch maintains a Bank-wide register for all internal trainings since 2011 (see Appendix 17). The Bank agreed with EY that, with respect to external trainings, the Training Manager will update more regularly the register to cover all external trainings with immediate effect.

(ii) The CBC claims that certain employees did not attend/complete the trainings provided by Compliance in 2012 and 2013. These failures are not systemic and it is unclear how the CBC reached that conclusion. Training records are subject to errors (such as IT issues, as reported by a number of employees who undertook the AML test but did not receive their results or their confirmation sheet) and are sometimes incorrect, as in the case of the Head of Credit, who attended all AML and Compliance training and test in 2013 (as shown in the appended training records at Appendix 15). It should also be noted that staff of the Branch are highly diligent, proactive and regularly ask, such as in the case of the Head of Credit, ad hoc questions to the MLCO to ensure that they stay abreast of the latest AML regulatory development (as most recently on FATCA regulatory requirements). The CBC is also aware that in the latter half of 2013, the Bank began documenting informal ways of information sharing (i.e. where a customer-facing employee spends a day or an afternoon in the Compliance Department to learn more about routine operations) via a departmental register. The EY report noted that, for example, FBME had conducted supplemental training for those in customer-facing departments, and that employees maintain a “training passport” to document their participation. The training passport, created in 2010, is a training book issued in the name of each employee where all internal trainings are recorded.

(iii) The CBC statement that the AML training material does not cover the legislation in depth is vague, unsubstantiated and in fact incorrect. EY report found that the MLCO has implemented an annual education and training plan, as required by the CBC Directive. EY obtained the relevant training materials to determine whether they are comprehensive, address key regulatory requirements, and are appropriately tailored to the risk profile of the institution. EY did not find that the training material was inaccurate or insufficient but recommended that an annual AML/sanctions awareness e-training be provided yearly. The Bank agreed that a formal training should be conducted for the BoD members and refresher trainings each following year. The EC members take part in the annual awareness trainings.

Therefore, the allegations in the Report that the Bank had failed to act in accordance with section 58(f) and (g) of the Law and paragraph 214 of the CBC Directive are unfounded. Additionally the specious nature of the observations and selective regard for information within the actual knowledge of the CBC demonstrates a manifest lack of balance, benchmarking or regard to systemic impact, and can only be construed as being made in bad faith.

8. Suspicious transaction reporting

(i) Toreros Capital International LLC

The Report relies on the Bank’s proactive identification and closure of the Toreros Capital International LLC account to allege that the Bank, prima facie, failed to act in accordance with the provisions of paragraph 18 (ix) of the CBC Directive.

On 26 June 2012 the Head of made an internal report to the MLCO identifying suspicions relating to Toreros Capital International LLC and the intention to deposit a USD 100,000 letter of credit based on a sample of an LC document that was both seemingly fraudulent and inconsistent with previous business activity.

The MLCO filed an Internal evaluation report dated 26 June 2012 deciding closure of the account and deciding that a MOKAS report was not necessary in this instance.

This decision not to report is better understood when examined alongside the response of the regulatory authorities to other similar issues that were identified.

For example, on 23 May 2011 the MLCO submitted a report to MOKAS in relation to the deposit of a forged cheque deposited with the Bank. On 20 November 2011 MOKAS replied. They advised that they had searched against all databases that they had access to and stated that they had no information or evidence that would allow them to further investigate. They further stated that considering this, and the fact that the client and the Bank had reached an agreement to compensate sums no further action could be taken, but advised that any concerns about fraudulent cheques could be reported to the Police. Despite the lack of interest MOKAS demonstrated in pursuing this matter the Bank did in fact report this matter to the police and indeed also proactively engaged with the police liaison in a relevant overseas embassy to further alert the authorities in that jurisdiction of the problem.

For example, on 17 January 2012 the MLCO submitted a report on Bandor Group Corp. The report related to a fraudulent letter of guarantee for USD 2,385,000 purportedly issued by ATF bank. The Bank checked with ATF Bank and confirmed that the letter of guarantee was a fraud. Additionally a further request was submitted for a credit line of USD 100,000,000 secured against another fraudulent letter of guarantee purportedly issued by Ekaterinslavisky .

On 22 February 2012 the following response was received by MOKAS.

“We have examined your report and we consider that since no money laundering offences were committed, the company is registered in Belize and the beneficial owners are foreigners that reside abroad, thus there is no natural or legal presence in Cyprus, we are not in a position to proceed with the case.

The information you provided, as well as any other additional information obtained during the course of our investigations, will be kept in our databases for any possible future reference and in the case will be considered closed.” (sic)

The Bank had frozen the account as of 12 January 2012 and subsequently closed it.

For example, on 2 November 2012 the MLCO proactively informed Maria Themistocleous Strouthou of the CBC Banking Supervision & Regulation Department of her concerns at a series of patently fraudulent communications purporting to be from and purporting to utilise the Bank as an intermediary for clearing. The MLCO also directly informed Citibank of their concerns by SWIFT.

On 2 November 2012 Maria Themistocleous Strouthou advised that a report be made to MOKAS and the Cyprus police authorities. The MLCO filed a report to MOKAS on 2 November 2012 and the same day filed a report with the police. No reply was ever received by the police, but a letter was received from MOKAS on 9 November 2012 advising that the MLCO notify the CBC. No further action was taken by the CBC or MOKAS.

The above examples are far from exhaustive but serve to provide context for the decision of the MLCO not to make a MOKAS report in the case of Toreros Capital International LLC. This was based on earlier lack of interest of MOKAS for similar cases where there were no transactions and they responded saying that “no money laundering offences were committed.” It is self-evident that the regulatory authorities neither prioritised nor encouraged reports of this nature.

Any alleged failure of the Bank to comply with paragraph 18 (ix) of the CBC Directive in relation to Toreros Capital International LLC fails to take into account the importance the CBC attaches to both benchmarking and balance in its 23 May 2013 response to the MONEYVAL Report. We contend that this unjustified focus on Toreros Capital International LLC coupled with the proactive measures taken by the Bank in similar circumstances and the authorities’ response in those cases demonstrates a specious focus and lack of balance and benchmarking. The Bank does not trivialise the obligations set out in the CBC Directive. However given the Bank’s proactive approach and noting the CBC’s own criteria we would contend that, the issues lie at a regulatory level rather than with the supervised institutions.

(ii) Lucino Investments Ltd & Delfina International

It is unclear why this particular case falls within the scope of the Report bearing in mind that it occurred in 2010-2011 and the accounts have all been closed, but the Bank welcomes the opportunity to address the matters identified.

On 12 March 2009 the Bank proactively reported to MOKAS a company called Logitech Investment Inc. for fraudulent activities. MOKAS replied on 13 March 2009 that it will proceed with the investigation of the case and will inform the Bank accordingly.

On 3 November 2009 following the receipt of letters from Eurocontrol, the Bank reported to MOKAS a company called Y&M Investment Co for fraudulent activities including an attempt to defraud Eurocontrol’s clients. The Bank noted in the report a connection between Logitech Investment Inc and Y&M Investment Co. Specifically on 1 December 2008 Y&M Investment Co had transferred funds to Logitech Investment Inc. On 29 October 2010, a year after the Bank submitted its report, MOKAS replied that the beneficial owner, Mazen Chaer and Y&M Investment Co are known to the Unit from several cases reported from other banks. Moreover Mazen Chaer was the subject of investigations conducted by foreign law enforcement authorities for his possible involvement in unlawful activities. They went on to say that “due to the fact that Y&M Investment Co is not registered in Cyprus, its beneficial owner is foreigner and resides in Lebanon and since the business relationship with your bank is terminated, no further action can be taken on the part of the Unit. Nevertheless the Unit has informed accordingly the countries that are competent to investigate the offences.”

On 23 December 2010 the Bank received a letter from MOKAS regarding Lucino Investments Ltd and Ali Nasser Eddine. MOKAS stated that it was assisting IATA in informing banks in Cyprus and would undertake to inform banks of problem accounts. MOKAS requested that the Bank investigate further. The Bank responded that it was already aware of the cases due to letters received by IATA and it had taken appropriate action (the Bank had frozen the accounts on 10 December 2010) and it then proceeded to close these accounts in January 2011.

On 10 January 2011 MOKAS sent another letter to the Bank asking it to take any necessary actions in relation to a list of accounts attached to the letter, noting that it was reacting to Suspicious Transaction Reports received. Accounts listed included among them Y&M Investment Co (already reported by the Bank more than a year ago), Lucino Investments Ltd and Ali Nasser-Edine. In April 2011 the Bank identified that there was another account linked to the above matter and proceeded to close it, namely Delfina International Limited.

In October 2011 the Bank was notified by Eurocontrol of another account (IDEAL GROUP SERVICES LTD) engaged in fraudulent activities. On 17 November 2011 the Bank filed a MOKAS report and on 22 May 2012 the Bank received a reply from MOKAS that during their investigation they had contacted, among others, the Canadian FIU and provided the necessary information regarding the beneficiary for their own possible actions. They also said that for the same company they received a report from another bank. In filing the case serious consideration was given to the fact that the bank accounts of the company had been closed. We understand that the report that we provided remained in MOKAS’ records for future reference.

The Report relies on the Bank’s proactive identification and closure of the Delfina International Limited account to allege that the Bank, prima facie, failed to act in accordance with the provisions of paragraph 18 (ix) of the CBC Directive.

The Report identifies that MOKAS took some steps to coordinate what was a well-planned and systematic fraud utilising numerous front companies and banks in the Republic of Cyprus. However, the Report fails to identify the prior correspondence from MOKAS of 10 October 2009 that stated that MOKAS was not taking further action, fails to credit the early proactive reporting to MOKAS by the Bank in respect of Y&M Investment Co. (3 November 2009), Logitech (12 March 2009) and Ideal Group Services Limited (17 November 2011) that, a year later, formed part of the coordinated response that MOKAS finally sought to implement, and indeed fails to credit the proactive monitoring efforts of the Bank that resulted in identification and closure by the Bank of Delfina International Limited not included in the lists circulated by MOKAS.

We would stress that this series of frauds that sought to utilise institutions in the Republic spanned a period of at least 3 years, MOKAS response times to reports were slow (taking approximately a year in each instance if any response was received at all) and were far from proactive in taking action or coordinating any approach to the various frauds. We would further stress that the Bank took a proactive role in monitoring and reporting the issues as they were identified.

Any alleged failure of the Bank to comply with paragraph 18 (ix) of the CBC Directive in relation to Delfina International Limited is, by any standard including the CBC’s own criteria, not a systemic issue. Moreover, noting again the importance the CBC attaches to both benchmarking and balance in its 23 May 2013 response to the MONEYVAL Report, we contend that this focus on Delfina International Limited to the exclusion of the proactive measures taken by the Bank demonstrates a specious focus and lack of balance.

We would further contend that there is a lack of benchmarking and that the Bank’s actions would compare favourably with other banking institutions, and indeed the Cyprus regulatory authorities, not only in dealing with this particular widespread and coordinated series of frauds but in proactively addressing issues as they arise.

The Bank has a demonstrable commitment to the probity of the financial sector and to taking tangible and proactive action to tackle the issues underlying suspicious transactions. This can be readily evidenced by instances, already within the actual knowledge of the CBC, where it has taken action at considerable time and financial cost, even where the Cyprus regulatory authorities have proved unwilling or unable to pursue matters and where filing of a suspicious transaction report would have been sufficient to discharge the Bank’s obligations under the Law and the CBC Directive.

9. Internal Control Procedures

As the CBC is well aware, EY noted in the summary of observations on page 4 of its assessment of FBME’s AML/Sanction Compliance Program dated 22 September 2014 that “FBME has developed, administered, and maintained an AML / sanctions compliance program (“Compliance Program” or “Program”). The Program incorporates the requirements of both the CBC 4th Directive and the EU 3rd Directive (collectively, the “Directives”) and there are protocols in place that allow the Bank to continuously keep the program aligned with these legal requirements. The Bank has designated an MLCO and Alternate MLCO, and established a system of AML policies, procedures, and related internal controls, including: implementing an employee training program, conducting risk-based due diligence on new and existing customers, and monitoring for potentially suspicious transactions.

Organizationally, the MLCO maintains overall responsibility for the Bank’s Compliance Program. Collectively, the MLCO and Alternate MLCO have several years of pertinent experience and continue to stay abreast of emerging regulatory requirements by attending industry conferences and seminars. Additionally, the Bank utilizes commercial-grade technology solutions to facilitate compliance with applicable regulatory requirements (e.g., World-check for sanctions/PEP/negative news screening, URU by GB Group Plc for identity checks, HotScan for sanctions/payment interdiction, Mantas for suspicious activity monitoring). The Bank is also in the process of implementing various measures to improve or strengthen its compliance program (based on recommendations made in prior audits).” The CBC’s statement that the Senior Management of the Branch has not ensured the implementation of the relevant regulatory requirements or exercised the appropriate management oversight is incorrect as substantiated by the EY assessment report.

Therefore, the allegations in the Report that the Bank had failed to act in accordance with section 58 of the Law and paragraphs (2) and (3) of the CBC Directive are entirely unfounded.

PART 3 – Putting the Report in its true context

The Bank’s very clear position is that neither the timing nor the content of the Report is coincidental.

As has been explained above, the Report comes more than one year after the examinations to which it relates. The Bank was clearly advised that the June Examination had been concluded and was also advised at various points by the CBC staff that there were no findings of any significance against the Bank. Shortly after the issuance of the FinCEN Notice, and after the Bank had initiated legal proceedings challenging the CBC’s decision to place the Branch in resolution, the CBC then, in August 2014, sent in a CBC/PwC team to perform a further examination under the guise of a ‘continuation’ of the June Examination. In October 2014, the Bank’s owners commenced proceedings against the Republic of Cyprus before the ICC in Paris for breach of their rights under the Lebanon-Cyprus Bilateral Investment Treaty. In addition, in August 2015, the Bank initiated legal action against FinCEN in the United States District Court for the District of Columbia on the grounds that the Final Rule issued by FinCEN violated FBME’s procedural and due process rights. On 27 August 2015 the Bank obtained an injunction in that case that temporarily stopped FinCEN’s Final Rule from going into effect pending final adjudication of FBME’s challenge. On 10 September 2015 the Arbitral Tribunal of the ICC issued a decision in favour of the Bank’s owners accepting jurisdiction, meaning that the matter will now move to a full hearing on the merits. Only after all of those legal actions and more than one year and numerous written requests from the Bank and its international legal counsel to the CBC requesting that it release the Report prepared immediately after the June Examination, the CBC produces a 27 page Report attacking the Bank’s AML procedures. It is interesting to note that the last examination report provided by the CBC to the Bank (for year 2011) totalled 3 pages and was provided to the Bank within around 8 weeks of conclusion of the examination.

As stated in Part 1, above, the Report targets alleged failings in the majority of cases related to a period (2008-2012) entirely outside of the scope of the examinations. That is, the legal basis for the June Examination and the so-called ‘continuation’ of it was specifically stated by the CBC as relating to the period 2013-2014 and which failings, to the extent any existed, were in any event rectified long before the examination period to which the Report relates.

The Report is contrived, post factum to justify their supervening mal fides acts to resolve the Branch and create unwarranted and justifiable pressure on the Bank and its owners, and no doubt with the legal proceedings in Cyprus, Paris and the United States at the forefront of their thinking.

The Report fails to demonstrate balance, benchmarking or systemic impact. In particular we question why the CBC has omitted to benchmark findings from its on-site investigation at our institution versus findings at other Cyprus banking institutions and holds the Bank to different standards to those applied to other financial institutions on the island and the standards that the CBC holds itself to.

The Report fails for lack of a legal basis on which the examinations were carried out, for the CBC’s failure to consult with the Bank or allowing it to address or clarify any issues seemingly identified by the CBC. Further, and irrespective of the failure of the Report on a legal basis and the failure to demonstrate balance, benchmarking or systemic impact as is clearly demonstrated above, the Report is fundamentally selective and inaccurate in its findings in almost every issue identified. The examinations undertaken by the CBC and PwC were superficial and in many cases simply relied on points taken in abstract from audit reports (commissioned by the Bank) voluntarily provided by the Bank to the CBC. As is evident from the content of this Reply, in most instances, had the CBC and PwC been minded to investigate the issues more carefully and liaise with the Bank’s staff when potential issues were identified most such issues could not, reasonably, have formed part of any report prepared in good faith.

The Bank also notes with interest that despite the Branch having been under the direct control of the CBC-appointed Special Administrator for more than one year now, not a single account in the Branch is blocked on compliance grounds and no transaction or internal transfer has been refused on compliance grounds. The Bank finds it impossible to reconcile this position with the picture painted in the Report that the Branch operates under flaws in AML procedures. Indeed, for the examinations period covered by the Report to date, the Bank is only aware of one deliberate breach of the AML Law by the Branch and this was committed by the CBC-appointed Special Administrator knowingly and intentionally. UK banks, mindful of the FinCEN Notice of Findings, were refusing to remit moneys to the Bank or any accounts of the Bank including those held at CBC. The Special Administrator was in receipt of firm advice that disguised payments were both unlawful and potentially highly damaging to the Bank in the current regulatory climate following the FinCEN Notice of Findings. He chose to disregard the advice and instead instructed that funds be remitted to a non-existent account for Language Link Ltd, purportedly at the CBC. The breach had the effect of disguising the Bank as the true beneficiary of an international payment relating to the repayment of the Language Link Ltd loan and knowingly deceived both the payer in receipt of the instruction and the UK banks involved in the transaction. The matter resulted in considerable professional embarrassment for the payer, a top tier UK-regulated law firm, that was compelled to file a SAR with the UK authorities. Requests for return of funds by the law firm were ignored. When the Bank complained of this deliberate breach of the Law to the Special Administrator and the CBC, the matter was completely ignored by both.

The Bank does not trivialise in any way the obligations set out in the Law or the CBC Directive. However, given the context and content of the Report it is self-evident that it is a contrived, unwarranted and unsubstantiable work product produced by a regulator with a vested interest in portraying the Bank in as negative a light as is possible in order to mitigate the litigation exposure it has created for itself and the Republic of Cyprus and to distract attention and conceal from scrutiny the bad faith and incompetence of its conduct prior to, and subsequent to, the FinCEN Notice of Findings. This conduct is to the detriment of the depositors, the Bank, the reputation of the financial system and the Republic of Cyprus, each of whom suffers the consequences of the bad faith and incompetence of the CBC, a regulator that refuses to adhere to the law or demonstrate a responsible regard for the interests of the stakeholders of the jurisdiction it purports to serve.

List of Appendices

1 CBC press release in response to MONEYVAL and Deloitte reports dated 23 May 2013

2 Holdmail accounts using bank address

3 CBC invitation to PwC workshop on preparation of risk assessment report

4 e-mail to CBC dated June 2015 submitting FY2015 Risk Assessment

5 Audit report for Q3 of 22 Jan 2014 and AAU response to deficiencies of 4 Feb 2014

6 Audit report for Q4 dated 4 June 2014 and AAU response to deficiencies dated July 2014

7 Spread sheet of Findings

8 Documentation per customer in support of spreadsheet of findings

9 Progress report dated 17 December 2010 on file update

10 Internal Process Document for the Compliance Monitoring Unit

11 Guidance for placement of Compliance Marker 8 based on Internal Process Document

12 e-mail to dated 4 July 2014 regarding Mantas

13 Extract from the manual of Mantas

14 e-mail 16012013 re Mantas issues

15 e-mail 16052014 re Mantas issues

16 Examples of Swift of holdmail clients

17 Bank-wide register for all staff internal trainings since 2011

18 List of 2013 AML training