What lessons to learn from the ACPR’s decision regarding AXA Banque on KYC/KYB?

The ACPR audited KYC/KYB files on a randomized sample of customers.
This randomized sample was based on risk criteria such as the customer's nationality, the country of residence, the presence of adverse media, or the use of crypto-assets.
Here are the findings for individuals (KYC):
- Significant delays in some KYC refreshes
- Missing proof of funds for some high-risk customers
- Absence of enhanced due diligence for some customers residing in high-risk jurisdictions (listed by the GAFI and the EU Commission)
Here are the findings for businesses (KYB):
- Significant delays in some KYB refreshes
- Missing proofs of incorporation and by-laws
- Missing financial information
👉 Regulated institutions must keep relevant information on their customers and update it at a frequency that depends on the level of risk each customer presents throughout the business relationship, even if a customer's account is inactive.
The only way to stop KYC/KYB obligations is to take steps to close a customer account.
On customer due diligence
AXA Banque did not undertake additional due diligence measures for high-risk customers, such as those politically exposed or residing in high-risk jurisdictions.
Further, high-risk customers must be approved by a senior executive of the institution or an authorized agent.
Here are the findings:
- Failure to flag politically exposed persons (PEPs)
- Absence of enhanced due diligence for customers that were appropriately identified as PEPs
- Lack of specific approval by senior executives for customers residing in high-risk jurisdictions
👉 Identifying the presence of PEPs at any time during a customer relationship is not a best-efforts obligation. Instead, it is a strict liability regime (obligation de résultat).
In other words, the financial institution is liable even if its provider misses a PEP. It is also liable if its compliance officer misses a true hit. Finally, it is also liable if it misses a PEP hidden behind a shell company.
On enhanced customer due diligence
Here are the findings:
- Some customers were erroneously labeled low or medium risk despite showing money laundering risks (adverse media mentioning indictment or criminal conviction).
- Some customers subject to judicial warrants (réquisitions judiciaires), and some customers who were asked to return funds because of fraud suspicions, were also erroneously labeled low or medium risk.
👉 There is no strict liability regime for adverse media checks, only a best-efforts obligation. However, if a provider misses an adverse media item, the institution will still be liable if the negative news was of such magnitude (important press coverage) that the institution should have known.
Conclusion
The downside risk of not managing compliance properly is severe. AXA Banque spent 13.2 million euros over 4 years on compliance providers and full-time employee salaries for AML-CFT. Of this, 9 million euros were invested in the remediation plan, which was only found partially satisfactory by the ACPR.
The ACPR also found the fact that AXA Banque belongs to a large group to be an aggravating circumstance in the failure to remediate AML-CFT breaches promptly.
🔎 ACPR’s decision 2022-01 regarding AXA Banque is available here.