UT/2023/000092 - [2024] UKUT 00035 (TCC)

The Authority considered all ten files to be inadequate. A summary of the Authority’s findings (derived from the Authority’s Statement of Case), with reference to the relevant regulation in the MLRs is set out below.

The review explained the Authority was not able to assess the adequacy of transaction monitoring as there was no evidence of the relevant alerts in the ten files, nor was it able to assess adequacy of suspicious transaction reporting. But the Authority considered because of the Customer Due Diligence failings Nvayo might be unable properly to monitor for suspicious transactions. (In other words, without the basic context on the nature of the customer, their business and what they needed the account for it would be difficult to assess what counted as suspicious activity).

Mr Temple took me through the review conclusions of several client files to illustrate the serious nature of the concerns. In relation to one, a customer was designated a medium risk customer but with no rationale. There was no evidence on file of any risk assessment having been completed at onboarding or at any point during the customer relationship. In relation to another it was noted, despite the information suggesting the individual was based in a country designated as high risk under Schedule 3ZA of the MLRs, that there was no rationale on file as to the impact of that on the risk score and why the risk rating remained medium. Mr Temple also pointed out in relation to one of the files that it had been noted that the Enhanced Due Diligence document had been completed by Mr Scanlon and that he had originally rated the customer medium risk, but the MLRO had upgraded it to high risk.

According to the review another customer, designated originally as medium risk, was then moved to high risk but there was not then any detail of the customer’s occupation, position or income, though there was some evidence of screening using ComplyAdvantage. It is said that a simple Google search on the customer’s name and location showed the customer operated in a high risk sector and that their business was the subject of an investor warning in 2018 by a financial regulator. The review said that no evidence of Enhanced Due Diligence, SoF or SoW was put forward (the document put forward as a SoF – a bank statement did not explain the source of the funds).

Nvayo’s overall response is that it does have the required AML frameworks in place and that it does comply with the relevant obligations. It submits the alleged failings were administrative in nature and posed no risk to ongoing customers. As explained in Mr Jacklin’s second witness statement Nvayo’s solicitors responded to the Authority’s letter of 16 November 2023 feeding back on the review and making representations on the FSSN on 13 December 2023. Referring to that he goes on say that “accordingly Nvayo believes that the failings relied upon by the FCA are not as serious as stated in the FSSN and the Feedback Letter.” The letter included the following:

“Nvayo believes that the conclusions reached in the FSSN do not fully represent the present position and that additional information had been provided to the FCA on policies risk scoring and risk assessments, including Nvayo’s approach to conducting risk scoring, the consequential updates to risk assessments and ongoing remediation of client files. In the light of the additional context, Nvayo believes that the failings are not as serious as stated in the FSSN”

“This also applies to actual evidence that has been obtained and or retained by Nvayo in respect to individual clients. Deficiencies identified by the FCA in the FSSN have explanations and/or have not taken into account the requirements detailed in Nvayo's policies technical solutions deployed during client due diligence, or other information that is held outside of the actual client files by Nvayo and not explicitly requested by the FCA during the review of client files.”

In addition, Mr Jacklin raised the following points:

Nvayo also responded to the criticisms levelled by the Authority’s review through Mr Auld’s oral submissions. He submitted, all customers were risk rated, there had been an updated enhancement to the risk score card following advice from independent advisers. The AML and PEP screening parameters had been provided by ComplyAdvantage, an independent provider of financial advice. Ongoing monitoring is provided by ComplyAdvantage and all customer documents are electronically certified through Jumio. Mr Auld also referred to the progress of the appointment of Skilled Person process. A shortlist of potential candidates had been drawn up one of whom was on the Authority’s panel. Terms of reference could be drawn up in a matter of days and then the initial review of 4 weeks could start and then any remediation addressed. With the Skilled Person in place to establish the relevant facts there was no reason not to pay customers their money.