The ACPR (Autorité de Contrôle Prudentiel et de Résolution) has issued its first sanction of the year for very serious breaches, which seriously affected several fundamental elements of the system for combating money laundering and the financing of terrorism (AML-CFT).
Treezor, one of France's leading providers of Banking-as-a-Service (BaaS) services, has been fined €1 million, with a non-quantifiable reputational risk (since, as with all recent sanctions, the ACPR has ruled out the possibility of anonymizing the penalty). Note that the ACPR took Treezor's remediation plan into account in its verdict...
What to remember about this sanction:
- The determination of the Risk Profile must be adapted to its activity but also sufficiently discriminating.
- Even if the clientele seems almost exclusively Franco-French, this in no way detracts from the fact that reporting entities must fulfill their obligations!
- The ACPR commission does not hesitate to refer to previous sanctions, which have set a precedent and clarified the AML-CFT measures to be implemented.
- "Adverse Media" lists come under fire once again (after the "AXA" sanction of February 2023).
- Implicitly, the ACPR indicates that a reporting entity has a maximum of "100 days" from the detection of an alert to file a Suspicious Transaction Report (DS).
- Explainability and traceability are at the heart of the reproaches of this ACPR sanction, since Treezor was unable to explain how certain tools worked...
Let's take a closer look at the complaints:
Risk profile
Data quality and relevance
Like many of the ACPR's other sanctions, this one is not immune to criticism concerning the level and quality of customer knowledge, in particular information that was too vague, imprecise or irrelevant to enable acceptable customer profiling and risk classification.
In this sanction, the ACPR lists some data which, without saying so, seem to be the fundamental/minimum data:
- For individuals
  - Name
  - First name
  - Place of birth
We could easily add Date of Birth and Nationality/Citizenship to this list.
- For legal entities
  - Legal form
  - Registration date
We could easily add the company name and national identifier (such as the SIREN for French legal entities) to this list.
Other data affecting Scoring/Profiling are also requested, such as Income, Assets, Purpose of business relationship...
Of course (but given the penalty, it's worth remembering), these data must be reliable and justified!
Risk level ratio
As a new point in this sanction, the ACPR states that the profiling criteria implemented by Treezor are not sufficiently discriminating or are inappropriate for its activity.
In terms of discrimination, the ACPR notes that too few people (0.2%!) are at "moderately high" or "high" risk. The ACPR points out that insurers must have sufficient criteria on which to base their scoring rules, in order to obtain consistent results. Unfortunately, the ACPR does not indicate the average ratio of people it expects to be at these risk levels.
For example, the ACPR suggests criteria such as:
- Has the customer entered into the relationship remotely?
- Is the business relationship conducted through an intermediary?
- Is the customer present with several intermediaries?
- ...
Detection results (Sanction, Politically Exposed Persons, but also Adverse Media) must also be taken into account when profiling a customer.
Finally, vigilance rules must also be consistent:
- In relation to the reporting entity's activity.
  Treezor had set detection thresholds for transfers at €10,000 and €50,000, whereas the average transfers are €52 and €819.
- In relation to the customer's risk profile.
- In relation to overall KYC.
  Example: accumulation of different operations.
APS notice
It is essential that all actions, decisions (whether manual or automatic), supporting documents, comments, etc. are traced and stored in your AML-CFT tool, with the possibility of making them available at any time. ACPR inspection reports prove that investigators know exactly what to ask to verify compliance of AML-CFT systems. What's more, your system must be capable of integrating and analyzing any data you may transmit to it. The quality of the information transmitted is essential if the ACPR is to consider your AML-CFT system compliant.
It is essential that a profiling tool allows dynamic parameterization, so that different data from different sources can be taken into account and cross-referenced.
It is essential that the AML-CFT tools can be configured to take precise account of all internal compliance criteria. We note that the ACPR is adamant about any inconsistencies found between the theoretical compliance policy and the configuration of the AML-CFT tools. Moreover, this parameterization must be easily exportable, so that an auditor can be presented with an explanation of how the system works at any time. This configuration must also enable certain decisions to be automated, so as to facilitate the customer/KYC process.
Declaration deadline
The ACPR notes that some suspicious transaction reports were filed very late: more than 100 days after the detection of an alert. Without saying so, the ACPR repeatedly refers to this delay. Could this be the threshold that triggers reproach during their audits?
Please note that reporting entities must apply sanctions/freezes of assets without delay!
The ACPR also criticizes Treezor for having many manual steps in its AML-CFT process. This is deemed to be "rudimentary" and does not meet all obligations.
APS notice
It is essential that your screening tool continuously updates all lists (Assets Freeze, Sanctions, PEP and close relations, Reputational risk...).
It is then essential that your tool filters your entire customer portfolio on a daily basis. This automated screening should then highlight only new alerts or alerts that have undergone a major change. For the sake of productivity, previously decided alerts that have not undergone a major change should not be resubmitted to the decision of an AML-CFT operator/analyst.
When you enter into a relationship, your tool should immediately inform you whether or not there is the slightest suspicion that your prospect is on an official list. You can then adapt instantly, for example, by requesting additional documents for your KYC.
This parameterization should also enable certain decisions to be automated, in order to streamline (digitized) customer and KYC paths, offering:
- Productivity
- Security
- Coherence
Internal control
In addition to the various grievances raised, the ACPR criticizes Treezor for not having had an effective Internal Control system, enabling it in particular to detect (before the ACPR audit) certain breaches such as:
- the frequent lack of relevance of the risk profiles of business relationships, due to the failure to take into account important ML-TF risk criteria;
- the absence of aggregation of all operations performed by a single user;
- the absence of a scenario parameterized according to the user's income, professional situation or activity;
- alert thresholds for detecting atypical transactions not adapted to transactions and customer profiles;
- the use of thresholds unsuited to the detection of split operations;
- the poor quality of the information recorded in the information system.
APS notice
It is essential that the AML-CFT tools can be configured to take precise account of all internal Compliance criteria. We note that the ACPR is adamant about any inconsistencies found between the theoretical compliance policy and the configuration of the AML-CFT tools. What's more, this parameterization must be easily exportable, so that an auditor can be presented with an explanation of how the system works at any time.
As soon as there is consistency between the theoretical Compliance policy and what is put into practice, internal control is simplified.
However, the tool needs to be able to extract a large amount of data in order to respond to various operational, regulatory and statistical concerns...