Public Statement Concerning The Imposition Of A Civil Penalty Under Section 16 Of The Financial Services Act 2008 And The Financial Services (Civil Penalties) Regulations 2015 (“The Regulations”) in respect of The Royal Bank of Scotland International Limited ("RBSI")

  1. Action
    • The Isle of Man Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred on it under section 13 of the Financial Services Act 2008 (the “Act”).
    • The making of such public statement supports the Authority’s regulatory objectives of, among other things, securing an appropriate degree of protection for customers of persons carrying on a regulated activity, reducing financial crime and maintaining confidence in the Isle of Man’s financial services industry.
    • Between June and July 2021, the Authority conducted an inspection of elements of RBSI’s Isle of Man non-personal customer book under section 15 of the Act (the “Inspection”). The Inspection identified that RBSI had contravened paragraph 7 of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015 (the “Code”). Compliance with the Code, or any successor, is a regulatory requirement under the Financial Services Rule Book 2016, made under section 18 of the Act. The Authority has deemed it appropriate, necessary and proportionate, in all the circumstances, that RBSI be required to pay a civil penalty imposed under the Regulations and the Act.
    • The Authority acknowledges the constructive dialogue between RBSI and the Authority. RBSI continues its customer outreach work, which will remediate any remaining cases in the population affected by the breach with the Authority having been made fully aware of the steps it has put in place.
    • The civil penalty is the sum of £1,440,481, which is discounted by 30% to £1,008,337 (the “Civil Penalty”).
    • As with all discretionary civil penalties issued by the Authority, the level of the Civil Penalty is calculated as a percentage of RBSI’s income in accordance with the Regulations. In conducting this calculation, there is limited scope to depart from the requirements of the Regulations. Accordingly, the absolute amount of the Civil Penalty relative to the absolute amount of other civil penalties that have been imposed by the Authority previously does not always reflect the relative seriousness of the contraventions and breaches identified in each matter – the level of a civil penalty (calculated on a percentage basis) is determined each time on the facts of a particular matter and whilst regard is had by the Authority to the level and the percentage of civil penalties imposed in other matters, this is only one of a number of factors.
    • The level of the Civil Penalty reflects the fact that RBSI co-operated with the Authority and agreed settlement at a relatively early stage. It is also noted by the Authority that there were mitigating factors in this case, and that this has been taken into consideration by it, when determining both the level and the actual amount of the Civil Penalty.

 

  1. Background
    • RBSI is licensed under the Act to undertake Class 1 (Deposit Taking) and Class 2 (Investment Business), as well as being registered with the Authority as a ‘general insurance intermediary’ under the Insurance Act 2008.
    • The Inspection was conducted by the Authority between June and July 2021 in relation to elements of RBSI’s deposit taking business and this identified contraventions of paragraph 7 of the Code by RBSI across its non-personal client base (the “Contraventions”).
    • The final inspection report was issued to RBSI by the Authority on 23 November 2021.
    • RBSI has engaged promptly and positively with the Authority throughout this matter in a timely and constructive manner.

 

  1. Key Findings from the Investigation

Contraventions of the Code identified by the Inspection included:

    • RBSI was unable to demonstrate that its up to date Customer Risk Assessment process was brought into use in a timely manner following the introduction of the Code. This resulted in 2,239 non-personal customers, on-boarded between 2015 and 2018 (and not rated high risk), having inadequate documented Customer Risk Assessments taking into account the applicable requirements of the Code (paragraph 7 of the Code), albeit these customers were still subjected to a risk rating to a pre-2015 standard during that period.

 

  1. Key Learning Points for Industry
    • Compliance with the Code and its subsequent iterations is a legal requirement; the Authority is committed to taking appropriate and proportionate action to address contraventions of the Code.
    • Procedures and controls are a legal requirement and a fundamental part of a relevant person’s internal risk framework as they protect its staff, business and communities from the threat and / or abuse by criminals or those assisting/enabling criminals. As new legislation and documents are issued domestically it is important for licenceholders, and other relevant persons, to review and update procedures as necessary.
    • The money laundering/terrorist financing risks posed by certain business relationships demonstrates the increased importance of on-boarding processes (including appropriate documentation and evidencing of risk assessments, sign off, conducting effective ‘Enhanced Customer Due Diligence’ and enhanced ongoing monitoring). The absence, or ineffectiveness, of these controls will affect a relevant person’s ability to conduct effective and appropriate monitoring, including scrutiny of transactions, which in turn may result in unusual or suspicious activity not being identified in the appropriate circumstances. Without the appropriate effective procedures and controls being in place, or not being operated adequately, a relevant person will be unable to effectively manage and mitigate the risks of money laundering/terrorist financing (as appropriate) and to conduct the business utilising a risk-based approach as required by the Code.
    • There are a number of powers available to the Authority to address identified instances of non-compliance with the Code. The Authority’s powers include, but are not limited to, the issuance of directions and / or public statements as well as the imposition of civil penalties or the commencement of criminal proceedings under the relevant legislation. The particular circumstances and the nature of an entity’s non-compliance with the Code will determine the action(s) taken by the Authority.
    • Active engagement and cooperation with the Authority provides the best possible opportunity to resolve matters in a timely and constructive manner and, where appropriate, to minimise the likelihood of the Authority taking further action in relation to instances of non-compliance with the Code.
    • The Authority will publish details of ongoing and concluded matters when it is in the public interest to do so.