
AML-CFT: ACPR sanctions an electronic money institution

The ACPR (Autorité de Contrôle Prudentiel et de Résolution) has issued its first sanction of the year for very serious breaches, which seriously affected several fundamental elements of the system for combating money laundering and the financing of terrorism (AML-CFT).

Treezor, one of France's leading providers of Banking-as-a-Service (BaaS), has been fined €1 million, with a non-quantifiable reputational risk (since, as with all recent sanctions, the ACPR has ruled out the possibility of anonymizing the penalty). Note that the ACPR took Treezor's remediation plan into account in its verdict...

What to remember about this sanction: 

  • The determination of the risk profile must be adapted to the entity's activity, but must also be sufficiently discriminating.
  • Even if the clientele seems almost exclusively Franco-French, this in no way detracts from the fact that reporting entities must fulfill their obligations!
  • The ACPR commission does not hesitate to refer to previous sanctions, which have set a precedent and clarified the AML-CFT system to be implemented.
  • "Adverse Media" lists come under fire once again (after the "AXA" sanction of February 2023).
  • Implicitly, the ACPR indicates that a reporting entity has a maximum of "100 days" from the detection of an alert to file a Suspicious Transaction Report (DS).
  • Explainability and traceability are at the heart of the criticisms in this ACPR sanction, since Treezor was unable to explain how certain tools worked...

Let's take a closer look at the complaints:

Risk profile

Data quality and relevance

Like many of the ACPR's other sanctions, this one does not escape criticism concerning the level and quality of customer knowledge, in particular information that was too vague, imprecise or irrelevant to enable acceptable customer profiling and risk classification.

In this sanction, the ACPR lists some data which, without saying so, seem to be the fundamental/minimum data:

  • For individuals
    • Name
    • First name
    • Place of birth

We could easily add Date of Birth and Nationality/Citizenship to this list.

  • For legal entities
    • Legal form
    • Registration date

We could easily add the company name and national identifier (such as the SIREN for French legal entities) to this list.

Other data that affect scoring/profiling are also requested, such as income, assets, purpose of the business relationship...

Of course (but given the penalty, it's worth remembering), these data must be reliable and justified!

Risk level ratio

As a new point in this sanction, the ACPR states that the profiling criteria implemented by Treezor are not sufficiently discriminating or are inappropriate for its activity.

In terms of discrimination, the ACPR notes that too few people (0.2%!) are at "moderately high" or "high" risk. The ACPR points out that insurers must have sufficient criteria on which to base their scoring rules, in order to obtain consistent results. Unfortunately, the ACPR does not indicate the average ratio of people it expects to be at these risk levels.

For example, the ACPR suggests criteria such as:

  • Was the business relationship entered into remotely?
  • Is the business relationship conducted through an intermediary?
  • Is the customer present with several intermediaries?
  • ...

Detection results (Sanction, Politically Exposed Persons, but also Adverse Media) must also be taken into account when profiling a customer.

Finally, vigilance rules must also be consistent: 

  1. In relation to the reporting entity's activity.
    Treezor had set detection thresholds for transfers at €10,000 and €50,000, whereas average transfers are €52 and €819.
  2. In relation to the customer's risk profile.
  3. In relation to the overall KYC.
    Example: aggregation of the various transactions.

AP Solutions IO's opinion

It is essential that all actions, decisions (whether manual or automatic), supporting documents, comments, etc. are traced and stored in your AML-CFT tool, with the possibility of making them available at any time. ACPR inspection reports prove that investigators know exactly what to ask to verify compliance of AML-CFT systems. What's more, your system must be capable of integrating and analyzing any data you may transmit to it. The quality of the information transmitted is essential if the ACPR is to consider your AML-CFT system compliant.

It is essential that a profiling tool allows dynamic parameterization, so that different data from different sources can be taken into account and cross-referenced.

It is essential that the AML-CFT tools can be configured to take precise account of all internal compliance criteria. We note that the ACPR is adamant about any inconsistencies found between the theoretical compliance policy and the configuration of the AML-CFT tools. Moreover, this parameterization must be easily exportable, so that an auditor can be presented with an explanation of how the system works at any time. This configuration must also enable certain decisions to be automated, so as to facilitate the customer/KYC process.

Declaration deadline

The ACPR notes that some suspicious transaction reports were filed very late: more than 100 days after the detection of an alert. Without saying so, the ACPR repeatedly refers to this delay. Could this be the threshold that triggers reproach during their audits?

Please note that reporting entities must apply sanctions/freezes of assets without delay!

The ACPR also criticizes Treezor for having many manual steps in its AML-CFT process. This is deemed to be "rudimentary" and does not meet all obligations.

AP Solutions IO's opinion

It is essential that your screening tool continuously updates all lists (Assets Freeze, Sanctions, PEP and close relations, Reputational risk...).

It is then essential that your tool filters your entire customer portfolio on a daily basis. This automated screening should then highlight only new alerts or alerts that have undergone a major change. For the sake of productivity, previously decided alerts that have not undergone a major change should not be resubmitted to an AML-CFT operator/analyst for decision.

When you enter into a relationship, your tool should immediately inform you whether or not there is the slightest suspicion that your prospect is on an official list. You can then adapt instantly, for example, by requesting additional documents for your KYC.

This parameterization should also enable certain decisions to be automated, in order to streamline (digitized) customer and KYC paths, offering:

  • Productivity
  • Security
  • Coherence

Internal control

In addition to the various grievances raised, the ACPR criticizes Treezor for not having had an effective Internal Control system, which would in particular have enabled it to detect (before the ACPR audit) certain breaches such as:

  • the frequent lack of relevance of the risk profiles of business relationships, due to the failure to take into account important ML-TF risk criteria;
  • the absence of aggregation of all operations performed by a single user;
  • the absence of a scenario parameterized according to the user's income, professional situation or activity;
  • alert thresholds for detecting atypical transactions not adapted to transactions and customer profiles;
  • the use of thresholds unsuited to the detection of split operations;
  • the poor quality of the information recorded in the information system.

AP Solutions IO's opinion

It is essential that AML-CFT tools be configurable and take precise account of all internal compliance criteria. We note that the ACPR is uncompromising about any inconsistencies found between the theoretical compliance policy and the configuration of the AML-CFT tools. Moreover, this configuration must be easily exportable, so that the way the system works can be presented and explained to an auditor at any time.

As soon as there is consistency between the theoretical Compliance policy and what is put into practice, internal control is simplified.

However, the tool must make it possible to extract a large amount of data in order to address the various operational, regulatory, statistical and other concerns.