trending Market Intelligence /marketintelligence/en/news-insights/trending/9-ur6k_citnce3fa04eetq2 content esgSubNav
In This List

Rogue banking: Inside FBME's haywire compliance department

Blog

Europe: 5 key OTT trends to watch in 2022

Podcast

Next in Tech | Episode 50: InfoSec spending up, again…

Blog

Broadcast deal market recap 2021

Podcast

Next in Tech | Episode 49: Carbon reduction in cloud


Rogue banking: Inside FBME's haywire compliance department

Profile of a rogue bank

This story is part three of a series of three articles examining the practices that brought down Cypriot bank FBME.

Part 1: How Russian criminals used FBME Bank in Cyprus to pay firms tied to Syrian sarin

Part 2: FBME: a hive of financial crime that spanned the globe

The risk and compliance functions of FBME Bank Ltd., a now defunct lender based in Tanzania that carried out most of its business in Cyprus, were so defective that they enabled suspicious transactions and money laundering risks to flourish to an extent that caused the firm to lose its license. The bank failed to stop a growing number of customers taking advantage of its weak money laundering controls for international money transfers through offshore shell companies, over a period of several years. Based on confidential reports from external auditors and regulators, S&P Global Market Intelligence has learned of the dysfunctional processes that led to widespread misconduct inside the Nicosia, Cyprus, office of this Tanzanian company, and exposes them as a cautionary tale to all finance professionals.

The global banking industry was set to spend about $18 billion on anti-money laundering measures in 2017, according to a study by LexisNexis Risk Solutions, a London consultancy. PwC estimates that more than $1 trillion is laundered annually through the banking system.

FinCEN, the specialist financial crimes unit of the U.S. Treasury Department, in 2014 labeled FBME a "primary money laundering concern," effectively locking it out of the world financial system. It lost its correspondent banking relationships and was taken over by regulators shortly after.

In May 2014, two months before it collapsed, FBME owed liabilities, including deposits, of €1.665 billion. The liquidation of the bank is on pause while a claim by its owners seeking to reverse it goes through the Cypriot courts.

When it fell to the Central Bank of Cyprus in 2014 to untangle the finances of the insolvent bank, the regulator ordered a detailed examination of its conduct to determine how FinCEN came to its conclusion. S&P Global Market Intelligence obtained the resulting confidential report, revealing a consistent pattern of regulation defiance and documenting failures at all levels of governance and risk control — to the point where the regulator was left wondering if the chaos was deliberately tolerated to permit illicit activity.

FBME is a vivid example of the EU's still ineffective enforcement of financial crime rules. Regulators across the continent have been criticized for not collaborating adequately across borders and for not acting swiftly enough to stem illicit financial transactions at home.

"What is required is a root-and-branch assessment of whether the financial crime fighting apparatus that we have in Europe is fit for purpose. ... The modern-day [financial] system is much faster and more complex, but we are still using a legal framework which is fundamentally based on the way banking was in the 80s and 90s," Tom Keatinge, head of financial crime and security studies at the RUSI think tank in London, said in an interview. "Should we actually be ripping up the whole thing that we have right now and creating a regulatory architecture that reflects the state of the financial industry today? Because the current one doesn't."

Fear of speaking out

FBME attracted many of its customers through a system of references that paid so-called introducers to bring in new clients while relying on the same introducers to check the prospect's probity. Clients paid the introducers as well, and if a prospective client was found unworthy of opening an account, the introducer was therefore not rewarded. Few clients were ever rejected during this process, although the bank did close some customer accounts and cut ties with a number of introducers when it was fined for weak money laundering controls in 2013. The bank's owners acted as introducers themselves, which the central bank feared deterred employees from speaking out about irregularities in acquiring customers.

At the same time, the bank's auditors, KPMG, also acted as introducers. The central bank denounced this in its report as "a serious concern as to conflict of interest," noting that KPMG excluded from its work any assessment as to the extent of money laundering and terrorist financing passing through FBME, as well as the potentially criminal provenance of deposits. In an emailed statement KPMG denied receiving fees for referring clients to FBME.

Fadi and Farid Saab, brothers who jointly owned FBME until it was taken into resolution by the regulator after FinCEN's action, wholly deny all allegations of wrongdoing and claim the watchdogs harbored ulterior motives.

"FBME operated fully within the law and our audits support this, but our regulator had their own objectives and failed to help us. We believe that the Central Bank of Cyprus actively misled FinCEN against us, to suit their own purposes," they told S&P Global Market Intelligence through Tim Maltin, their London-based spokesman. The spokesman also accused the central bank of fabricating its suspicions against FBME in order to seize the lender for its own profit, and said the media coverage of FBME is aimed at influencing a Paris court to rule against the brothers in an arbitration claim they have brought against the Cypriot state.

False qualifications

By 2014, it emerged that FBME's head of compliance, Lilit Khachatryan, an Armenian, falsely claimed to have received an MBA from Harvard Business School. The revelation of her falsification, however, did not lead to her dismissal, S&P Global Market Intelligence confirmed from two independent sources.

The Saabs said they were "shocked and surprised" at the revelation, but that they were not able to recruit a new head of compliance because of FinCEN's tarnishing of their bank's reputation. They continue to stand by Khachatryan's ability, however. "It should be noted that we did not hire Lilit because of her general academic qualifications, but because of her compliance competence," they said through a spokesman.

The bank attracted customers from the world's riskiest jurisdictions in terms of corruption, organized crime and money laundering, and allowed them to open accounts controlled through contrived mechanisms of offshore shell companies based in countries where corporate disclosure requirements are lax.

After being fined €80,000 by the central bank in 2013 for control failings, FBME acquired software tools that represented the industry standard in fighting money laundering and terrorist financing, according to the central bank report. However, as the central bank later found, it made little or no use of these resources to vet customers. Software such as HotScan, Flexcube, World-Check and Mantas all have functions that enable banks to detect suspicious transactions, but at FBME the parameters of these programs were set up in a way that seldom raised any alarms.

For their part the Saabs maintain that "suspicious transactions were reviewed in accordance with industry standard processes," according to their spokesman.

Moreover, in an unusual procedure that surprised inspectors at the Cypriot central bank, FBME stored the names of the ultimate beneficial owners of many of its corporate clients in one separate Excel spreadsheet instead of in Flexcube, the main banking software designed to carry such information.

"Unfortunately the said tasks ... are done manually with an increased risk of human error," the regulator wrote in reference to the bank's habit of bypassing specialized software by using editable spreadsheets to keep track of high-risk transactions. "Furthermore, it is simple to manipulate the said list in order to avoid carrying out checks on selected customers/persons."

Warnings ignored

Even so, the systems produced a number of warnings, which the bank's compliance officers largely ignored. When the central bank seized FBME, there were some 2,000 outstanding alerts in the money laundering detection software, going back to March 2013.

EU rules require banks to check customer data for suspicious transactions and political exposure at least once a month and for any suspicious transactions to be reported to law enforcement, which in Cyprus is an agency called MOKAS. Although FBME occasionally did so, the central bank found that it frequently did not attempt to identify the ultimate beneficial owners of companies based in high-risk jurisdictions, leading to its failure to identify a number of politically exposed persons who used its services. This failure is a breach of the EU anti-money laundering directive. In the EU, national governments and central banks have the duty to supervise financial transactions, while the ECB and other supranational bodies carry out checks on the regulators and set the rules.

Essential documents were missing from customer files in hundreds of cases, the regulator found, even when the customers were incorporated as high-risk entities such as offshore firms with unclear business objectives, trusts or companies with bearer shares. Several clients whom the Central Bank of Cyprus found to be high-risk and politically exposed had been classified by FBME as normal risk, a label that attracts a much lower level of scrutiny from compliance officers. Bearer shares are a form of anonymous corporate ownership that allows for the person in physical possession of the shares to act as company director. They have been outlawed in most countries.

Although customer documentation needs to be reviewed annually, FBME had only reviewed 10 out of 844 files from 2013 as of June 27, 2014, equivalent to 1.18% of the workload it should have carried out that year. It completed a single file to regulatory standard in 2013, or 0.12% of the total, the central bank's internal report said.

The central bank found that FBME's anti-money laundering performance had deteriorated in 2014 even from the weak base in the preceding three years, when it reviewed only 2% to 3% of its customer files. It was not uncommon for the bank to allow customers up to six or seven months to submit necessary documents, whereas a survey conducted by Lexis Nexis Risk Solutions found that the average European bank takes less than 11 days to complete due diligence in 89% of cases, and more than 11 days only when the bank deals with large company transactions with complex structures such as multinational acquisitions.