The European Banking Authority (EBA) has found “general and systematic shortcomings” in the Financial Intelligence Analysis Unit’s (FIAU) application of anti-money laundering directives with regard to the infamous Pilatus Bank.
The EBA said in June that it had started probing the FIAU’s handling of Pilatus Bank, which has been mired in controversy and named in several leaked FIAU reports. The bank was allegedly used to transfer kickbacks into PEP accounts. A former employee, Maria Efimova, had claimed that Panamanian company Egrant belonged to Michelle Muscat, the PM’s wife.
The bank was authorized by the Malta Financial Services Authority in 2014. Both the MFSA and the FIAU carried out on-site inspections, with the latter initially saying that there were serious breaches of AML/CFT requirements. After a follow-up visit, the FIAU had said that the issues raised previously had now been closed.
The EBA conducted a preliminary enquiry, including an on-site visit to the Maltese competent authorities. The enquiry focused on the extent to which the FIAU’s approach to AML/CFT supervision and enforcement in relation to Pilatus Bank has been effective and in line with EU law.
On 23 May 2018, the EBA opened a Breach of Union Law investigation pursuant, on the basis that the FIAU appeared to have failed to apply Union law or had applied it in a way which appeared to breach Union law.
In its findings, the EBA said that the FIAU does not have sufficient records of the specific files and documents examined during the first on-site visit, to make it possible to identify which customer files were examined and which due diligence documentation was available or not available at the time.
In particular, no record was made of any request for documents that the institution did not provide. Furthermore, during the second on-site visit, the FIAU did not establish a detailed list of the documents examined by reference to the first visit. This lack of records contributed to the FIAU’s inability to defend itself against the institution’s challenges.
Discussions in meetings of the Compliance Monitoring Committee (CMC), the FIAU’s decision-making body on supervisory matters, are not adequately reasoned or documented, with the result that it is not possible to understand what led to the closure of the case without further supervisory measures or sanctions. It is not possible to establish whether the decision was well founded.
The EBA said that the institution and its advisers sought to narrow down the scope of the investigation to focus primarily on the existence of customer due diligence documentation confirming the source of funds. “The FIAU seems to have agreed to this narrowed scope unquestioningly. As a consequence, it appears that in the second on-site visit the FIAU only paid attention to the availability of source of funds documentation without a deeper analysis of it but it did not pay any attention to some of the more serious findings listed in the letter of 17 May 2016. The CMC also did not take into consideration these remaining deficiencies when deciding on next steps.”
“Notwithstanding the serious nature of its initial findings, the FIAU has not documented, or otherwise provided clear reasons and compelling arguments why it considered it appropriate not to impose any sanctions or other supervisory measures. This applies, in particular in relation to those initial findings that are not related exclusively to the institution’s failure to provide the required customer diligence documentation, including: i) the very high risks of ML/TF to which the institution is exposed not being mitigated adequately; and ii) the lack of sound AML/CFT policies established by the institution’s board of directors for customers classified as PEPs.”
“Notwithstanding it was a high-risk institution of a type which was new to the jurisdiction, the FIAU neither planned nor carried out an on-site inspection to the institution until asked to do so by the MFSA, two years after the institution started its activities and no risk-based justification has been given for this inaction.”
“After deciding to close the case, without imposing any sanction or considering any other supervisory measure, and despite the stated concerns of the FIAU as to how documentation became available in the second on-site visit although it was not available at the first inspection, the FIAU did not develop any other supervisory engagement plan with the institution. The documents provided by the FIAU to the EBA and interviews held with FIAU staff confirm that, after the 26 September 2016 communication to the institution closing the case, despite the documented concern regarding the documentation that was not available until after its first inspection, the FIAU considered the need for additional supervisory measures only in April 2017, when the allegations were made public against the institution.”
These findings point to general and systematic shortcomings in the FIAU’s application of AMLD3.
Although the preliminary enquiry was initiated to address the concerns raised by the FIAU’s supervision of Pilatus Bank, the findings from the EBA’s investigation reveal a general practice of the FIAU at the time of the case at issue and not only, as argued by the FIAU, a failure in this particular case. The information requested and provided to the EBA has not been limited to the procedures and policies applied to Pilatus Bank. The FIAU has also challenged the issuing of a Recommendation because an Action Plan had already been adopted by the FIAU to address the same concerns set out in the draft Recommendation.
The EBA welcomes the actions that the FIAU has taken, and is in the process of taking, to strengthen its activities and functioning, and recognises that organisations can always improve their effectiveness. However, in the EBA’s view, the need identified by the FIAU for an Action Plan of such a wide-ranging nature provides support for its findings that the procedures and policies applied at the time of the case at issue were not appropriate and effective.
The FIAU did not effectively monitor and take the necessary measures with a view to ensuring compliance with the requirements of the Directive by the institution as required under Article 37 of AMLD3; the FIAU failed to ensure that the institution put in place adequate and appropriate AML/CFT policies and procedures, as required under Article 34 of AMLD3; and the FIAU neither imposed effective, proportionate and dissuasive sanctions nor any other supervisory measures to correct the shortcomings it had identified to ensure the institution’s compliance with AMLD3’s requirements, pursuant to Article 39 of this Directive.
The FIAU has informed the EBA of general actions that, as an Action Plan, it has undertaken, or which are in train, to strengthen its supervision. While a move in the right direction, these measures are not enough to be satisfied that the deficiencies that led to a breach of Union law
Original article found on The Malta Independent