Anti-money laundering: Outsourcing — pitfalls to avoid

Financial crime staff should be alert to action taken by regulators in other parts of the financial services industry.

The Financial Conduct Authority’s (FCA) Final Notice against Interactive Brokers UK (IBUK), which attracted a fine of £1,049,000, is a case in point.

The issue is also of importance because it gives a strong indication of what regulators are looking out for and what pitfalls firms should avoid.

IBUK is an online broker that offers the arranging and execution of trades in certain financial products, such as contract for differences (CFDs), index options and index futures, for UK clients and clients of the wider Interactive Broker Group, whose headquarters are in the US.

With the introduction of the Market Abuse Regime in July 2016, IBUK was required to monitor both orders and subsequent transactions and to submit to the FCA suspicious transaction and order reports (STORs) in appropriate cases.

As a matter of Group policy, all transaction and order monitoring for Group entities across its global operations was conducted in a US located entity.

Whilst IBUK had its own specific policy on market abuse, which was available on the Group intranet, it failed to bring the UK policy to the attention of the US monitoring staff, nor did it take any steps to ensure those US staff understood and applied the UK policy.

These omissions were compounded by the absence of any training of US monitoring staff in the UK’s Market Abuse Regime. Also, IBUK management did not take any steps to ensure the Group’s Market Abuse Policy addressed specific UK requirements.

The US monitoring team produced a number of daily reports that did not specifically identify those transactions and orders which IBUK originated.

Management of IBUK did not provide any input into the design of these reports, nor did they conduct any testing of the reports to gain confidence that the reports generated accurate information.

US staff were responsible for the preliminary review of the daily reports and the subsequent notification to IBUK of any relevant potential evidence of market abuse.

Unless further action was required in any particular case, there was no documentation of the reviews conducted in the US. IBUK chose not to conduct any reviews on the daily reports as, in their eyes, they would be duplicative and the US staff were deemed to be the experts in this field.

During 2013 and 2014 US staff referred 11 trades to IBUK for review, of which IBUK deemed two to be potentially suspicious, however during this period, IBUK failed to submit any STOR reports to the FCA.

An FCA visit to IBUK in December 2014 had a dramatic effect. In the first five months of 2015, US staff referred 15 trades to IBUK for further review, of which 13 were deemed to be potentially suspicious. This, in turn, led to 10 STORs to the FCA.

The FCA noted that during the Relevant Period of February 2014 to February 2015, IBUK failed to submit STORs on three occasions where its clients made significant profits as a result of trading shortly before and after corporate announcements on the FCA’s Regulatory News Service.

Although this case addressed systems and controls around market abuse, there are many lessons that financial crime staff can learn from the Final Notice, where their firm outsources financial crime monitoring to another group unit whether that unit be located in the UK or not:-

• Firms must provide guidance to monitoring staff in how to detect potentially suspicious transactions;
• Monitoring staff must document their reviews;
• Guidance must be given to staff where specific cases must be escalated;
• Firms must ensure that “outsourced” functions are implemented effectively;
• Firms must ensure that monitoring staff are effectively trained in UK regulatory obligations, even in cases where they delegate training to another Group unit;
• Firms must have adequate input the design of monitoring reports or ensure that they are adequately tested to ensure the reports are accurate;
• Firms must consider that where the Group adopts a global approach that there is an adequate focus on UK issues;
• Firms must ensure that monitoring reviews conducted by Group staff are effectively implemented and that there is effective escalation of relevant cases.

FCA have specific Rules on “outsourcing” contained in SYSC 8, which sets out their expectation of matters that UK firms should address when considering “outsourcing” any functions to a Group unit or a third party entity.

Those firms that “outsource” their KYC and transaction monitoring functions to Group units in other countries would be well advised to review the FCA Handbook on outsourcing.

The IBUK case follows the outsourcing-related Final Notices of Zurich Insurance in 2010 which resulted in a fine of £2.3 million and the 2016 AVIVA case which led to a fine of £8.3 million.

Against this history, firms with a less than adequate management and control of any outsourced function cannot complain that they were not put on notice!

KYC360 asked Interactive Brokers UK to comment on its penalty and a spokesman said: “Interactive Brokers UK disputed the FCA’s proposed findings before the FCA Regulatory Decision Committee (“RDC”). The RDC determined that the penalty figure originally proposed was disproportionate to the breaches and reduced it by 50%.”

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.

Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016.

He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.