The Financial Intelligence Analysis Unit (FIAU) has slapped Triton Capital Markets Limited (previously FXDD Malta Limited) with an administrative penalty of €226,902 after a number of shortcomings were found.
Prior to the compliance examination, the company was requested to provide the latest Business Risk Assessment (BRA) and evidence of its approval; however, this was not provided, the FIAU said. "The absence of a BRA was further confirmed during the initial interview held, wherein it was explained that the drafting of the BRA was still in its final stages, as the company had engaged a third party to assist in its formulation. Therefore, at the time of the compliance review the Company had failed to take appropriate steps, proportionate to the nature and size of its business, to assess the risks of Money Laundering/Terrorism Financing (ML/FT) arising from its operations and to adequately document such assessment. The Committee reiterated that by not having an adequately documented BRA, the company diminished both its ability to comprehensively identify the threats and vulnerabilities to which it was exposed and to adequately implement the necessary controls to mitigate the risks."
"In view of this, the Members of the Committee determined that at the time of the compliance examination the Company's shortcomings with regards to the BRA were serious and systematic," the FIAU said.
The FIAU also observed that apart from the risk rating assigned, none of the files reviewed contained a documented Customer Risk Assessment (CRA). "The company rebutted that the CRAs were conducted at on-boarding and recorded in a spreadsheet which included the risk rating of each customer. However, the Committee stressed that irrespective of having risk ratings assigned to each of its customer files, there was no clear rationale behind such risk ratings. The information necessary to confirm an understanding of risks, including the risk factors that were being taken into consideration, the effectiveness of the control measures implemented, how all this would contribute to the final risk score and how the overall risk rating assigned to the customer was allocated, were not defined."
Further to the above, "the Committee noted that the CRA adopted was not rigorous and comprehensive enough to enable the company to understand the risks posed by customers and to effectively apply the risk-based approach."
The compliance review also found that in 20% of the files reviewed, "the company had failed to obtain the necessary identification and verification of natural persons as required. The Committee noted that most of the failures identified related to the identification and verification of the address and that otherwise the customers and BOs were listed. However, there were instances where the residential address verified did not tally with the one provided by the customer at onboarding, and yet the company did not question this. Similarly, at times the identity information did not match and yet again the company did not enquire about this discrepancy."
It was also brought to light that eight files held no evidence of Enhanced Due Diligence (EDD) measures applied, to which the company replied that its Risk Matrix includes an indicative list of enhanced measures that must be taken for all high-risk corporate entities. "The Committee here discussed that although a general reference was made to the circumstances that would require EDD measures, the procedures were generic and non-comprehensive since most of the measures focused on obtaining verification documents or validating the customer's residential address. Therefore, the company had failed to ensure that the risk management procedures implemented are commensurate to the levels of risks met or that could possibly be encountered."
Among other things, the compliance review also revealed that in four of the files reviewed, PEP identification measures were not done for all the individuals involved, the FIAU said.
"Moreover, in another file, although the customer was not marked as a PEP on the Company's system, no evidence to confirm this status was found on file at onboarding nor presented during the visit. In its defence, the Company put forward the fact that when the old retail customers were transferred from the entity in the United States, they were run through the compliance database which screens customers for PEPs, sanctions, and adverse media. However, the company was not able to provide evidence to confirm that searches on the PEP status of customers and BOs were indeed carried out."
"After taking into consideration the abovementioned breaches by the company, the Committee decided to impose an administrative penalty of two hundred twenty-six thousand, nine hundred and two Euro (€226,902) with regards to the breaches identified."
In addition, the FIAU served the Company with a Follow-up Directive. "The aim of the Follow-up Directive is for the FIAU to ensure that the Company enhances its AML/CFT safeguards and that it becomes fully compliant with the obligations imposed in terms of the PMLFTR and the FIAU's IPs, as well as perform any required follow-up measures in relation to the company's adherence to its AML/CFT legal obligations." The company is required to make available an Action Plan indicating the remedial actions that it has carried out and implemented since the compliance examination, together with remedial actions which are expected to be carried out to ensure compliance following the identified breaches.