A €653,637 administrative penalty has been issued against a credit institution for a number of failings, the FIAU has said.
The compliance review of Ferratum Bank P.L.C revealed that the Bank's Business Risk Assessment had various shortcomings that were of high concern for two reasons.
The first was that the inherent risk was being assessed inadequately, the FIAU said. "For example, a particular product; low value loans, was risk assessed as 'low', despite the elevated financing of terrorism (FT) risks associated with this product. The Bank only took into consideration that this product involved low value funds and that it had a low risk of money laundering (ML). The Bank also failed to consider other important areas such as the urgency to open a bank account and the risk of customers involved in sanctions or linked to adverse information. The geographical connection emanating from the place of remittance/receipt of funds was also not considered."
Secondly, the controls in place were not being adequately assessed. "A generic statement rather than a comprehensive assessment of controls was noted in the Business Risk Assessment. At times it was not even confirmed whether the mentioned controls were being implemented or otherwise."
The Bank's Business Risk Assessment was not comprehensive, the FIAU said. "The Bank had multiple assessments in place on the different products it was offering, which focused on the jurisdiction the product was being offered in. These assessments were not merged in one global assessment providing details of the inherent and residual risks and therefore could not be considered as a comprehensive Business Risk Assessment. Consequently, the assessment was not reflecting a clear picture of the threats and vulnerabilities of the Bank's business."
"The Bank stated that its Business Risk Assessment was holistic and comprehensive and that the arguments put forward during the supervisory review were unpublished expectations by the MFSA and FIAU. The Committee rebutted this statement by underlining that the requirement to carry out a Business Risk Assessment has been in place since January 2018, furthermore a guidance paper was issued by the FIAU and MFSA in February 2018, providing more insight into this obligation."
"The Members of the Committee determined that at the time of the compliance examination the Bank's shortcomings with regards to the Business Risk Assessment were serious and systematic, and concluded that the Bank was in breach of its obligations."
In addition, the compliance review revealed that the Bank did not have Customer Risk Assessment procedures in place prior to November 2018. A broad review of all the Bank's customers was eventually carried out within a 24-hour period at the time when the Bank received notification of the compliance review. Yet, the Customer Risk Assessment for all the mobile banking customers reviewed and the Customer Risk Assessment's of almost all the EFDIS (savings and fixed deposits accounts) customers reviewed were not provided. The Bank explained that at the time when the mobile banking and EFDIS customers reviewed were onboarded, the obligation to have a documented Customer Risk Assessment in place was not in force. However, the Committee could not agree with this statement, reminding the Bank that the obligation to carry out a Customer Risk Assessment has been in place since 2008, and that more detail as to the implementation of such risk assessments were explained in the FIAU's IPs which were first issued in 2011. The recording of the Customer Risk Assessment in writing, has also been in place since August 2011."
Members of the Committee declared that having no Customer Risk Assessment for approximately 6 years (from the time it was licensed until 2018) had serious and widespread repercussions, over understanding the customers' risks and applying effective controls to manage and mitigate the same.
Among other things, the FIAU also found that from the compliance examination it transpired that screening for PEP exposure was not being carried out in an adequate manner. While for mobile banking customers the screening was carried out in an automated manner, for loan customers and EFDIS customers, the screening was being carried out manually. However, no records of this manual monitoring were retained on file or provided to the officials during the compliance examination.
The committee was informed that following the compliance examination, the Bank provided a word/notepad document indicating that screening was carried out. However, the committee members concluded that this document could not be considered as adequate, both because it was provided following the compliance examination (during the wrap up meeting) and because its format was not reliable (in view of the fact that such word/notepad document could easily be edited and that it did not include an audit trail). Whilst the Bank stated that the information on the word/notepad document was extracted from a system, the process was not carried out during the compliance examination and neither was the system shown to the officials during the compliance examination, therefore the Committee could not accept the Bank's submissions."
The Committee viewed as positive the overall good level of cooperation demonstrated, and the actions taken by the Bank since the compliance review or those it planned to take to enhance compliance with its AML/CFT obligations. The size and operations of the Bank as a credit institution in carrying out relevant financial business were also taken into account.