FCA fines Nationwide £44m for financial crime control failings

The FCA has fined Nationwide just over £44m for failings in its anti-financial crime systems and controls between October 2016 and July 2021. 

The FCA found that, during this period, there were numerous deficiencies in Nationwide’s anti-money laundering (“AML”) systems and controls, which had a material impact on its ability to carry out effective monitoring of its customers. In particular, ineffective systems for conducting customer risk assessments and refreshing customer due diligence (“CDD”) impacted on the effectiveness of Nationwide’s systems for monitoring unusual or suspicious transactions. This led to particular risks where customers used their personal accounts for business purposes. Whilst the FCA recognised there were ongoing remediation efforts during the relevant period, it found that Nationwide took too long to address identified flaws in its AML systems effectively. 

The fine is a timely reminder both of the FCA’s continuing focus on combatting financial crime and the need for firms to ensure their AML systems and controls are robust and proportionate to the risks presented by their customer base. Deficiencies must always be remedied in a timely manner.

FCA’s findings

The FCA fined Nationwide for breaching Principle 3 of the FCA’s Principles for Business (systems and controls). It also found associated breaches of SYSC 6.1.1R and 6.3.1R, which require firms to have adequate policies and procedures to counter risks of the firm being used to further financial crime, including systems and controls that enable it to effectively manage money laundering risks. 

The FCA identified the following deficiencies in Nationwide’s AML systems and controls within the relevant period: 

• Ineffective risk assessment and CDD refresh processes: The FCA identified deficiencies in Nationwide’s customer risk assessment processes. At the start of the relevant period, Nationwide had an unsophisticated customer risk assessment system that resulted in most customers being automatically classed as ‘standard risk’. Although Nationwide had worked to implement a new, more effective, system, this took significant time to implement and, even once operational, there remained concerns around its ability to accurately identify its full high-risk customer population.  

• Inadequate periodic and event-driven reviews: Despite requirements in its policies and procedures to undertake periodic reviews of customers at defined intervals, in conjunction with an event-driven review process, the FCA found that Nationwide lacked appropriate systems to give effect to these requirements. During the relevant period, Nationwide did not have processes for undertaking either periodic or event-driven AML reviews for a substantial proportion of its customers. In addition, work to deliver an event-driven review process had been deferred and was still ongoing as at the end of the relevant period. 

• Inadequate transaction monitoring system: As a consequence of the deficiencies outlined above, the FCA found that Nationwide’s systems for monitoring customer transactions for unusual activity were inadequate and ineffective. In particular, the system was insufficiently tailored to individual customer information identified through CDD (for example, information on a customer’s expected income or usage was not fed into the system) and the thresholds set for transaction monitoring alerts were very high. Whilst recognising there had been internal consideration of the matter and work undertaken to remedy internal systems, the FCA found that at the end of the relevant period the system still only partially covered the money laundering risks Nationwide faced and required further development to be fully effective. 

The FCA found that Nationwide was unable to effectively assess, monitor or manage financial crime risks amongst its personal current account customers. In particular, the FCA drew attention to the increased financial crime risks arising from account holders using personal current accounts for business purposes and flagged that, although Nationwide was aware of customers using the accounts in this way, its systems were inadequately designed to identify the scale of the issue and could not address it. 

Notably, the FCA referred to “one egregious case” in which Nationwide missed opportunities to identify unusual activity on the part of a customer who had fraudulently claimed and received multiple Coronavirus Job Retention Scheme furlough payments from HMRC into their Nationwide accounts. During an eight-day period between 2020-2021, the customer received around £26m of JRS payments into their accounts, but Nationwide’s transaction monitoring controls did not alert it to this suspicious and unusual activity until the following month.

Sanction

When carrying out its assessment to determine the appropriate financial penalty, the FCA assessed the seriousness of the breach as being at Level 4 out of 5 on the basis that it revealed serious or systemic weaknesses in the firm’s procedures and the breach created a significant risk that financial crime would be facilitated or occur.

The usual 30% early settlement discount was applied to the fine. 

Key takeaways

The FCA’s decision points to several important takeaways for firms:

• FCA  views banks as playing a significant role in the fight against financial crime. Firms need to ensure that their AML systems are sufficiently robust for the level of risk they face and they should be prepared to discuss these systems in supervisory discussions.

• In its Final Notice, the FCA flagged that even where Nationwide obtained enhanced CDD information, this was not included in all relevant databases, meaning it was not fed into customer risk assessments or transaction monitoring systems. Therefore, in addition to verifying that AML systems enable the appropriate customer data to be collected, firms should ensure there is sufficient connectivity within their systems to enable them to utilise that data effectively and obtain a holistic overview of the financial crime risks they are facing.

• As aggravating factors for the breach, the FCA referred both to the availability of JMLSG guidance and FCA guidance on AML controls, and to numerous published FCA notices against firms for AML weaknesses. This highlights that when developing and reviewing their AML systems, firms should have regard both to FCA guidance and decisions around AML systems and controls and to other associated guidance on AML compliance.

• As noted above, the FCA recognised that Nationwide had taken action to remedy some of the deficiencies in its AML systems during the relevant period but considered it had not done so sufficiently quickly or effectively. The FCA expects firms to monitor and test the efficacy of remedial work carried out in response to issues they have identified.