Investigator-led Investigations and the NatWest Case

By Rebecca Lindley

NatWest Case

    Get the latest news and insights sent straight to your inbox

    Can Investigators Help to Improve AML/CFT Compliance Programmes?


    In December 2021, the Financial Conduct Authority (“FCA”) announced that National Westminster Bank Plc (“NatWest”) was being fined approximately £265 million following the bank’s conviction for three offences related to its failure to comply with the UK’s anti-money laundering (“AML”) regulations. This was considered a fairly significant outcome because it was the first time the FCA had pursued criminal charges for money laundering failings.

    The bank’s failings were related to deficiencies in its ongoing monitoring of both the transactions and risk profile of one of its customers, Fowler Oldfield (the “Client”), a jewellery business based in Bradford. The failings occurred between 2012, when the Client was first onboarded and 2016 when the bank finally ended the relationship.

    On the face of it, the facts appear straightforward: NatWest experienced a series of control failures that led to very large amounts of cash being deposited with several of its branches, the volumes of which were both alarming and surreal, and whose source was unverified. Descriptions about some of the branches needing to use extra strong bags to hold the cash being deposited and bank notes smelling “musty” made for interesting headlines in the news. 

    However, the case also provides some food for thought about how an investigator-centric approach might have led to a different outcome and contribute towards ensuring that AML/CFT controls operate as they should.

    Benefits of an Investigator-Centric Approach

    You might be aware that Blackdot’s team has previously written about and hosted webinars on the benefits of an investigation-centric approach. This approach puts investigative teams at the centre of efforts to fight financial crime (“FC”).  Investigation teams begin with small pieces of information suggesting unusual activity and then follow up in a proactive way that allows them to connect information about financial transactions and a customer’s known risk profile or open-source intelligence (“OSINT”). This enables regulators those teams to formulate a more holistic view around unusual activity and effectively respond where that activity is determined to be suspicious and requires reporting to the FIU. 

    Key to this are the tools used by a financial institution that allow it to detect whether a customer’s use of its products and services is consistent with either its risk profile or expected activity. Recent regulatory decisions, such as the ABN AMRO decision in the Netherlands last year, also highlight the importance of examining non-transactional changes, relating to a customer’s business model, customer base or even ownership and control.

    One of the other benefits provided by an investigator-centric approach is that it can act as a form of additional assurance where, despite the best of intentions, existing controls fail to raise an alert about unusual changes to a customer’s activity. Investigators might discover through speaking with frontline staff, for example, instances where unusual activity has been detected by otherwise been missed or previously dismissed as part of ongoing transaction alert reviews.

    Want to learn more about open-source intelligence and how it can transform the effectiveness of your AFC investigations?

    Download your free copy of The OSINT Handbook.

    NatWest’s Organisational Model: Relationship Manager and the Three Lines of Defence

    NatWest’s operating model incorporated the classic three lines of defence: staff working in the front office, the compliance team and assurance or audit function. The model was supported by a control framework that included the use of an automated transaction monitoring (“TM”) system. Procedures were in place which required that changes to a customer’s risk profile were to be reviewed and, where activity was identified as suspicious, escalated to a dedicated investigation team, known as the Financial Crime Intelligence and investigations Unit (“FCIIU”).

    Within this model, relationship managers (“RMs”), played a critical role as part of the front office. RMs were responsible for collecting the initial KYC from new customers and ensuring that necessary due diligence information (”CDD”) was recorded. RMs were required to ensure that any risks associated with customers were proactively managed and brought to the attention of CDD analysts who ensured that KYC was properly completed, and a risk rating assigned. RMs were also responsible for providing clarification, if requested by compliance teams and the FCIIU about a customer’s transactions. 

    The court’s sentencing remarks describe the various control failings which occurred in this case. At times, some controls were not effective and staff had taken steps to try and deal with this by disabling certain TM rules because too many alerts were being generated by them. In other instances, rules were being applied to cash transactions that were not specifically designed to detect high volume cash activity. There also did not appear to be a specific TM rule for high risk rated customers, nor was any periodic review of the Client scheduled to take place to verify its understood risk profile or how it was using NatWest’s banking services.

    These various control failures, and particularly the ones related to TM rules, appeared to have had the unintended effect of anesthetizing the staff from realising how the Client’s account use was changing over time. For example, it’s possible that some staff attributed TM alerts that suggested a change in cash volumes were simply the result of the TM not being set up properly, and so were less vigilant towards verifying whether other evidence existed to suggested this was actually occurring. 

    Another major control failure was the level of reliance placed upon the RMs to ensure that accurate and up to date KYC and CDD information was held about the Client and that assurances given by the Client about its transactions were consistent with their expected activity. The evidence suggested that the RM failed to include required KYC and CDD information and provided information about the Client and its business that were inaccurate.

    Failed Investigation of Unusual and Suspicious Activity

    The failures in this case also extended to the bank’s response to internal reporting. Over three years, bank staff raised 11 internal suspicious activity reports (“SARs”). There were in addition to the bank’s automated TM system that had raised a further 10 alerts in relation to activity on the Client’s account. The court found that investigation these reports were inadequate due to a: 

    • Failure to seek further information from internal or open sources about the Client and over-readiness to dismiss concerns based on the low-risk rating that had been erroneously assigned to the Client;
    • Over-reliance on or failure to sufficiently challenge explanations given by the RM;
    • Failure to adequately analyse the Client’s account behaviour against information provided at the account opening; and 
    • Failure to consider the cumulative implications of prior investigations when determining each new SAR / TM alert.

    Complicating things further, the team responsible for investigating the TM alerts or SARs, did not have direct access to the system on which the Client’s KYC and risk profile were recorded. In several instances, the alerts and reports submitted were assessed without having regard to this information because, quite simply, it was not made accessible to them until several years later.

    New call-to-action

    Missed Detection Opportunities

    So what were the things that changed about this Client and its risk profile that the court found should have resulted in a further investigation?

    When account was first opened, the RM recorded that the Client was owned by two individuals being a husband and wife with the husband acting as the sole director. The Client was described as a highly regarded corporate customer of the bank who was a qualified accountant who had previously worked for Rothschild and had been known to the bank for over 25 years. The account was opened based on assurances from the RM that there would be the Client would not be handling any cash transactions. The Client was recorded as having been registered with HM Revenue and Customs (“HMRC”) as a high value dealer, required to comply with the UK’s AML regulations. 

    In fact:

    • There was no evidence to corroborate the background of the Client and its director;
    • The owners and director were changed and recorded on Companies House one month after the account was opened with a further director added 6 months later;
    • The Client’s business model, which involved paying customers for their gold jewellery (i.e. outgoing cash payments) quickly changed and large cash deposits began to be made into the Client’s account, and the Client, according to the RM was now melting and selling the gold to large corporate metal trading companies; and
    • The certificate issued to the Client by HMRC had expired several months before the Client had applied for an account, due to its failure to reply to letters and pay the annual renewal fee. The Client later re-registered with HMRC one month after the account was opened.

    Over the course of the 4 years, approximately £365 million was deposited with the bank, of which around £264 million was in cash. 

    Disclosure of SARs and NCA Enquiries

    For each of the above changes or discrepancies from the Client’s understood risk profile, the RM was able to provide an explanation. Those explanations were relied upon as the main evidence upon which to decide whether to commence an investigation or submit a SAR to the National Crime Agency (“NCA”). None of the records relating to the 19 investigations into unusual or suspicious activity noted above, referred to or assessed the credibility of the change in business model and activity on the account, as described by the RM.  

    No SARs were submitted to the NCA concerning the Client until June 2016 when the West Yorkshire police notified the bank its discovery of suspected wide-scale money laundering operation being run out of the Client. NatWest subsequently exited the relationship and filed 13 SARs which retrospectively reported conduct on the account including conduct dating back to 2013.

    Food for Thought – Investigator-Centric Approach – How Might it Have Helped?

    There are many other aspects to this case that contributed to the overall failings found by the court. Looking at the bank’s investigation activities, there are several points worth considering as food for thought in relation to the use of an investigator-centric approach.

    Firstly, it is worth considering whether the use of an investigator-centric approach would have mitigated the overreliance placed upon the assurances given by the RM. Using OSINT, for example, might have allowed the investigation team to corroborate whether the RM’s explanations for the apparent change in business model, coincided with the type of transactional activity one would expect from a wholesale gold reseller, for example. 

    Secondly, an investigator-centric approach might have provided an additional level of assurance or warning about inconsistencies in the understood risk profile of the Client. Obtaining additional information from OSINT about the Client and its business activities when reviewing the TM alerts, might have brought to the bank’s attention that a review of the Client’s KYC and risk rating was needed.

    Thirdly, an investigator-centric approach might have provided the opportunity to review previous alerts and SAR data with a fresh perspective using OSINT. This might have helped to reveal a broader concern about the Client’s real business activities and how it was able to generate so much cash. This approach might also have helped to mitigate the anaesthetising effect of previously dismissed alerts and SARs.

    Fourthly, even where no suspicious activity was detected, an investigator-centric approach might have allowed the investigation team to feedback to the second line its observations concerning the effectiveness, or deficiencies, of controls. It might have also allowed them to detect where improvements were needed in their own investigation processes. For example, in this case, limited notes were maintained about reviews of the TM alerts and SARs in the investigation database. This made it difficult for investigation teams to understand the basis upon which previous alerts had been dismissed. This shortcoming could have been acted upon and possibly improved at an earlier stage were investigators encouraged to adopt a more investigator-centric approach. 

    Concluding Thoughts

    It is likely that we will hear more about the parties involved in this scheme later in 2022 as the criminal proceedings against them continue in the courts. In the meantime, financial institutions should consider the role which their investigation teams can play in supporting their overall AML/CFT compliance framework. Adopting an investigator-centric approach and harnessing OSINT can greatly improve efforts to detect and prevent financial crime. In addition, this approach can also act as a valuable tool through which to identify control weaknesses or failures within the broader the financial institutions broader financial crime prevention programme. 

    Blackdot Solutions’ Videris platform helps anti-financial crime teams implement an investigator-centric approach efficiently and effectively. To find out more about how we can help your team to use OSINT in its investigations, get in touch.

    New call-to-action

    More insights