The issuance of a joint consent cease and desist order by the US Federal Reserve Board and a number of other state regulators last week for Royal Bank of Scotland (RBS) Group’s New York, Illinois and Connecticut branches indicates some of the data issues underlying its risk management and anti-money laundering (AML) compliance functions. The ruling by the Fed, which asks RBS to improve the oversight of its US operations in these two key areas, follows an AML related £5.6 million fine issued in August last year by the UK Financial Services Authority (FSA).
As well as RBS Group, the Fed’s order applies to the US-based branches related to RBS’ Amsterdam operations in the Netherlands, which were acquired during RBS Group’s acquisition of ABN Amro in October 2007. In addition to the Fed, the New York State Banking Department, the State of Connecticut Department of Banking, and the State of Illinois Department of Financial and Professional Regulation are also issuing the order in their various jurisdictions.
Given the fact that in the space of a year, RBS has received two regulatory slaps on the wrist related to AML, it is likely to be under intense regulatory scrutiny on both sides of the pond to ensure these issues are adequately dealt with. The FSA’s £5.6 million fine last year highlighted customer data management failings that meant RBS did not have adequate data checks in place to conduct mandatory AML screening.
For its part, the wholesale business of RBS has been working on a customer data management system revamp, focused on rationalising the database it acquired from ABN Amro and merging this with the legal entity data on the central RBS system over the last couple of years. However, it seems that the customer data management systems surrounding this consolidated database may not be as robust as required under US AML legislation, especially on a global basis.
It is also interesting to note that although RBS has been working on improving the quality of the data underlying its risk function as part of its One Risk project (as elaborated upon by head of reference data Mark Davies last year), the firm cut around 4,000 jobs in the operations and technology services teams last year . Could this headcount cutting have had an adverse effect on the risk project overall? What about the entity data management angle? Certainly, the firm is likely to be focusing more attention on bolstering the data management systems underlying the risk and AML compliance functions further as a result of the US ruling.
In its ruling, the Fed notes that although “certain business lines” have been integrated on the ABN Amro front, there are outstanding issues, including in the “cross border payment processing” function. It is therefore the duty of the Fed and the other US state regulators to: “ensure that RBS Group maintains effective corporate governance and oversight over the US operations, including the establishment and maintenance of robust risk management and compliance programs on a consolidated basis,” as required by the Office of Foreign Asset Control (OFAC) regulations.
To this end, RBS has been compelled to submit a written plan to the Federal Reserve Bank of Boston within 60 days that will detail its proposals to “strengthen board and senior management oversight of the corporate governance, management, risk management, and operations of the US operations on an enterprise-wide and business line basis” and to elaborate on its plans to improve its suspicious activity reporting and customer due diligence programmes. It also notes that enhancement to management information systems and data checking procedures will be integral to this improvement programme.
On the customer data management side of things, the group will need to improve its audit trail related to transaction monitoring, customer risk assessment (and the related data checks), due diligence and data monitoring.
A review of all the policies, procedures and processes is therefore likely to compel investment in data infrastructure in order to support this enterprise-wide compliance and risk management push. The regulators also note the need for a review of any third party service providers that are supporting the group’s operations, so data management partners such as SmartCo, who was selected last year for centralised securities reference and price data management, may fall under the spotlight.
On the staffing side of things, the regulators indicate that RBS must evaluate the coverage it currently has to ensure the branches are “adequately staffed by qualified personnel with the ability, experience, and other qualifications necessary to ensure that the branches comply with applicable laws and regulations.” New hires are therefore likely to be made in the data, risk and compliance teams over the coming months.
Once the group has submitted its written plans and they have been approved by the various regulators, RBS will have 10 days to kick off its improvement programmes. In order to monitor whether it is keeping to the schedule, the firm will also need to submit written progress reports detailing all the actions that have been taken on a quarterly basis.