From ING's recent fine, a compliance lesson: Don't do this
14 September 2018. By Richard Vanderford.
A familiar refrain from the $1000-an-hour lawyers that firms pay to advise them on how to set up a compliance program is that the program needs to be real — not an on-paper simulation to give the outward appearance of compliance. The Amsterdam-based bank ING got a 775 million euro ($897 million) version of that lesson after Dutch prosecutors levied a money laundering-related penalty and, in a remarkably candid assessment, called out the "serious shortcomings" at the institution.
ING's Netherlands unit's compliance program, fragmented between multiple divisions and with no single point of ultimate responsibility, led to "shortcomings" that "shocked" the legal system, Dutch prosecutors said last week in announcing a settlement with the bank.
"None of these divisions oversaw the whole picture," the Dutch prosecution service, also called the NPPS, said. "The criminal investigation brought to light the fact that one of the main reasons for the shortcomings was the insufficient attention paid by ING NL to compliance risk management."
ING's experience is a stark example for firms and their advisors of the potentially serious risk that can accompany a lax approach to compliance, a point that the NPPS itself emphasized, calling the case "illustrative."
In many ways, ING's approach could be used as a "don't do this" model.
Compliance advisors routinely advise against subordinating the program and its staff to the business teams, and treating compliance as though it were an unfortunate but necessary bit of box-checking to placate regulators.
Responsibility for anti-money laundering compliance at ING was split between three different divisions, and the NPPS called out a "business over compliance" culture.
The NPPS also noted that the bank was warned by its regulator, the Dutch Central Bank, "on multiple occasions."
"Enhancement programmes were in place, but were not carried out with enough vigour by ING NL," the NPPS said. "Although ING NL did look at solutions for individual incidents, the structural problems in the monitoring system were not sufficiently recognised and addressed."
The weak approach had serious consequences. Vimpelcom, an Amsterdam-based telecom firm, used ING to transfer tens of millions of dollars in bribes to a company owned by the daughter of the then-president of Uzbekistan. That case caught the attention of US enforcers, who in 2016 entered into a $750 million global settlement with the company.
A supposed lingerie company laundered 150 million euros through ING, the NPPS said in a list of multiple similar incidents.
ING's deficiencies were so pronounced that the bank was effectively "culpable" for the money laundering, the prosecutors said.
Though the significant hit to the balance sheet will likely resonate most deeply at the bank, for many firms, financial institutions in particular, compliance failures such as ING's can cause serious reputational harm and real harm to individuals.
In a 2015 $8.9 billion settlement with Paris-based BNP Paribas over the bank's violation of US sanctions laws, prosecutors stacked the courtroom's gallery with Sudanese refugees put in harms way by the bank's complicity in illicit money flows.
The unusual display was meant to make the point for the financial press corps in attendance, used to dealing with dry securities filings and analysts' reports, that the bank's activities had led to potential harm and arguably dangerous outcomes for real people. Not a good look for an institution that describes itself as one of the world's "pre-eminent banking groups."
ING, whose slogan is "empowering people," makes a point in the first pages of its most recent annual report of noting the bank's commitment to "responsible finance" and "sustainable assets," an image-building effort surely undermined by its compliance lapse.
The bank in a statement said it "sincerely regrets" the misuse of its accounts that its "shortcomings" caused.
ING's oversight failure is particularly hard to explain in light of the clear benefits that go with catching wrongdoing early.
US Foreign Corrupt Practices Act prosecutors in their treatment of self-reporting of FCPA violations have strongly incentivized firms to uncover their own bad behavior. Those prosecutors are now instructed, by policy, to presume that a firm that comes forward, discloses involvement in corruption and cooperates won't face criminal charges.
Even before that policy was formally enacted in late 2017, there were signs that prosecutors went relatively easy on firms whose effective compliance programs had uncovered wrongdoing.
At the sentencing hearing last week for a former broker at the real estate firm Colliers International, prosecutors disclosed that the company had provided substantial cooperation in its investigation of a scheme to bribe a Qatari official. In the words of the presiding judge, Colliers investigated, went to the FBI, then "dropped it in their lap."
The firm wasn't charged with an FCPA violation.
ING, in contrast, got a fine that the NPPS said "deals a tangible blow to the accused and does justice to the shocked legal system."
ING's current chief risk officer, Dutch career banker Steven van Rijswijk, was appointed after the money laundering issue, according to the NPPS timeline. All in, Rijswijk earned about 885,000 euros in 2017. If it could find them, ING could have hired hundreds of equally talented risk managers at the same salary, presumably caught its compliance problem in its infancy, and still ended up hundreds of millions of euros ahead.
That kind of effort would be overkill. But the example illustrates just how costly a poor compliance culture can end up being and how it could be remedied relatively cheaply. ING, with its mantra of "empowering people," probably wishes now that it had hired and empowered a few more people, a few years earlier.