March 7, 2023
What lessons to learn from the ACPR’s decision regarding AXA Banque on KYC/KYB?
The ACPR audited KYC/KYB files on a randomized sample of customers.
This randomized sample was based on risk criteria such as the customer's nationality, the country of residence, the presence of adverse media, or the use of crypto-assets.
Here are the findings for individuals (KYC):
- Significant delays in some KYC refreshes
- Missing proof of funds for some high-risk customers
- Absence of enhanced due diligence for some customers residing in high-risk jurisdictions (listed by GAFI, the French name for the FATF, and the EU Commission)
Here are the findings for businesses (KYB):
- Significant delays in some KYB refreshes
- Missing proofs of incorporation and by-laws
- Missing financial information
👉 Regulated institutions must keep relevant information on their customers and update it at a frequency that depends on the level of risk each customer presents throughout the business relationship, even if a customer's account is inactive.
The only way to stop KYC/KYB obligations is to take steps to close a customer account.
On customer due diligence
AXA Banque did not undertake additional due diligence measures for high-risk customers, such as those politically exposed or residing in high-risk jurisdictions.
Further, high-risk customers must be approved by a senior executive of the institution or an authorized agent.
Here are the findings:
- Failure to flag politically exposed persons (PEPs)
- Absence of enhanced due diligence for customers that were appropriately identified as PEPs
- Lack of specific approval by senior executives for customers residing in high-risk jurisdictions
👉 Identifying the presence of PEPs at any time during a customer relationship is not a best-efforts obligation. Instead, it is a strict liability regime (obligation de résultat).
In other words, the financial institution is liable even if its provider misses a PEP. It is also liable if its compliance officer misses a true hit. Finally, it is also liable if it misses a PEP hidden behind a shell company.
On enhanced customer due diligence
Here are the findings:
- Some customers were erroneously labeled low or medium risk despite showing money laundering risks (adverse media mentioning indictment or criminal conviction).
- Some customers subject to judicial warrants (réquisitions judiciaires), and some customers who were requested to return funds for fraud suspicions were also erroneously labeled low or medium risk.
👉 There is no strict liability regime for adverse media checks, only a best-effort obligation. However, if a provider misses an adverse media item, the institution will still be liable if the negative news was of such magnitude (important press coverage) that the institution should have known.
Conclusion
The downside risk of not managing compliance properly is severe. AXA Banque spent 13.2 million euros over 4 years on compliance providers and full-time employee salaries for AML-CFT. Of this, 9 million euros were invested in the remediation plan, which was only found partially satisfactory by the ACPR.
The ACPR also found the fact that AXA Banque belongs to a large group to be an aggravating circumstance in the failure to remediate AML-CFT breaches promptly.
🔎 ACPR’s decision 2022-01 regarding AXA Banque is available here.
If you want to learn more about how the Ondorse platform can help you meet the above requirements, contact us here.