Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 1 of 134
EXHIBIT A

Hogan Lovells US LLP
Columbia Square
555 Thirteenth Street, NW
Washington, DC 20004
T +1 202 637 5600
F +1 202 637 5910
www.hoganlovells.com

September 22, 2014

BY ELECTRONIC FILING AND ELECTRONIC MAIL

Jennifer Shasky Calvery
Director
Financial Crimes Enforcement Network
U.S. Department of Treasury
P.O. Box 39
Vienna, VA 22183

Attention: Richard May, Director, FinCEN Office of Special Measures

Re: Notice of Proposed Rulemaking -- Financial Crimes Enforcement Network (FinCEN) RIN 1506-AB27

Dear Director Shasky Calvery:

On behalf of our client, FBME Bank Ltd. (“FBME” or the “Bank”), we present the following comments with respect to the Notice of Proposed Rulemaking (the “NPRM”) and Notice of Finding (“Notice”) contained in RIN 1506-AB27, dated July 15, 2014 and published in the Federal Register on July 22, 2014. FBME is committed to continuing to cooperate with the U.S. Government, as well as the governments of Cyprus and Tanzania, in the fight against money laundering and terrorist financing activities. FBME has devoted substantial resources to developing and enhancing its anti-money laundering (“AML”) and sanctions compliance program ("Compliance Program" or "Program") to adhere to applicable European, Cypriot, and Tanzanian standards. Hogan Lovells LLP has retained Ernst & Young in the United States ("EY") to conduct a comprehensive, independent review of the Bank’s Compliance Program and to make recommendations for improvement according to applicable regulatory standards and best practices.
In its Assessment of FBME's Compliance Program dated September 22, 2014 (“Assessment”), which FBME will provide to FinCEN, EY observed that the Program “incorporates the requirements” of the EU's Third Money Laundering Directive (2005/60/EC) ("MLD3") and the fourth issue of the Central Bank of Cyprus ("CBC") Directive to credit institutions in accordance with Article 59(4) of the Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2013, issued in December 2013 (the "CBC 4th Directive") (together the "Directives"). 1/ EY’s Assessment further reported that FBME “has protocols in place that allow the Bank to continuously keep the Program aligned with these legal requirements.” Hogan Lovells and EY have also made recommendations in some areas where FBME’s Compliance Program “could be improved.” FBME is already working to implement these recommendations, and the Bank will continue to enhance its Compliance Program to the satisfaction of FinCEN.

1/ We note that the requirements of the CBC 4th Directive exceed the requirements of the MLD3. The CBC 4th Directive is in line with the draft of the EU’s proposed Fourth Money Laundering Directive, which has not yet been enacted.

Hogan Lovells US LLP is a limited liability partnership registered in the District of Columbia. “Hogan Lovells” is an international legal practice that includes Hogan Lovells US LLP and Hogan Lovells International LLP, with offices in: Alicante Amsterdam Baltimore Beijing Brussels Caracas Colorado Springs Denver Dubai Dusseldorf Frankfurt Hamburg Hanoi Ho Chi Minh City Hong Kong Houston Johannesburg London Los Angeles Luxembourg Madrid Mexico City Miami Milan Monterrey Moscow Munich New York Northern Virginia Paris Philadelphia Rio de Janeiro Rome San Francisco São Paulo Shanghai Silicon Valley Singapore Tokyo Ulaanbaatar Warsaw Washington DC. Associated offices: Budapest Jakarta Jeddah Riyadh Zagreb. For more information see www.hoganlovells.com

FBME has carefully reviewed the Notice and the NPRM. On the basis of this review and FBME’s ongoing enhancement of its Compliance Program, FBME respectfully requests that FinCEN withdraw the Notice and the NPRM. Hogan Lovells respectfully submits that a complete review of the Bank’s current Compliance Program and its plans for enhancing certain aspects of the Program will demonstrate that FinCEN should not impose the fifth special measure under Section 311 of the USA PATRIOT Act.

Rescission of the regulatory proposal here would be consonant with the purposes of Section 311. As the Department of the Treasury has noted, Section 311 special measures can spur rehabilitative conduct on behalf of the affected financial institution:

"In some instances, the entities of primary money laundering concern have rehabilitated their practices and implemented significant reforms to mitigate some of the risks and vulnerabilities identified as supporting the finding of primary money laundering concern. In such circumstances where the continuing risks to the U.S. financial system appeared to be diminished, Treasury has decided not to pursue a final rule implementing special measures and notice has been given to rescind the regulatory proposal." 2/

2/ U.S. Department of the Treasury, “Fact Sheet: Overview of Section 311 of the USA Patriot Act,” (May 22, 2012), available at http://www.treasury.gov/press-center/press-releases/Pages/tg1591.aspx.

At the outset of this comment, FBME wishes to make the following key points:

1. FBME’s current Compliance Program incorporates the requirements of the Directives. FBME’s compliance with these laws has been reviewed by EY and (also very recently) by KPMG AG WPG Frankfurt (“KPMG”). As described in section I.L.2. below, in 2013, KPMG determined that FBME’s compliance policies were “comprehensive”, and that the Bank’s Compliance Program was “in principle in compliance” with the standards set by its regulators.

2. In response to program enhancement recommendations made by previous audits, FBME has substantially strengthened its Compliance Program over the last two years.

3. FBME and its officers and directors do not in any way condone the “use” of the Bank for illicit purposes and strive to prevent such misuse.

4. Some of the statements in the Notice are incorrect. Others appear to be based on incomplete information. FBME seeks to clarify these discrepancies in this comment and in its ongoing engagement with FinCEN.

5. In some cases, FBME filed a Suspicious Transaction Report to MOKAS (Republic of Cyprus’ Unit for Combating Money Laundering) regarding events that appear to be related to those described in the Notice.

6. The Treasury Department’s proposed rulemaking has had a significant adverse impact on the business activities of FBME and its customers, and CBC’s actions to place FBME in resolution proceedings 3/ have not allowed the Bank to maintain its business. FBME’s inability to function has, in turn, damaged the ability of thousands of FBME’s business clients to operate their businesses. FBME therefore respectfully requests that FinCEN work with all appropriate dispatch in assessing FBME’s response to the NPRM.

Section I of this comment describes FBME’s Compliance Program.
As EY found in its Assessment, “FBME’s AML policies are in line with the applicable requirements of the Directives.” The Bank’s policies and procedures provide fulsome coverage of AML issues including KYC procedures, documentation for personal and corporate accounts, procedures for high-risk customers and approved third parties, monitoring of accounts and transactions, suspicious transaction reporting, employee training, and the role of the Money Laundering Compliance Officer. In January 2010, the Bank invested in industry-leading tools for transaction monitoring, employing Oracle’s Mantas monitoring platform to review past transactions, and implementing CGI HotScan to screen all incoming and outgoing SWIFT transactions in real time against international sanctions lists. In March 2011, the Bank designated a new, highly qualified AML Compliance Officer and Global Head of Compliance, who has further invigorated the activities and increased the resources of the Compliance Department.

Section II of this comment addresses some of the specific statements in the Notice. This section responds to some statements in the Notice that are inaccurate, have been taken out of context, or require additional explanation. Unfortunately, FBME is unable to respond fully to other statements in the Notice because the Notice lacks information required for the Bank to identify the transaction(s) at issue, and the Treasury Department has not shared any additional information pertaining to the alleged transaction-specific activities with the Bank. The Bank takes seriously any allegation that its customers have used the Bank for illicit or illegal purposes. FBME looks forward to providing additional information to FinCEN and cooperating with U.S., Cypriot, and Tanzanian officials to halt any possible criminal or other illicit activities of third parties involving the Bank.

I. FBME’S ANTI-MONEY LAUNDERING COMPLIANCE PROGRAM

A. Overview of the Bank and the Program

FBME has been consistently operating in Cyprus for over 30 years. The Notices point out that during this time period, FBME has twice changed its country of incorporation. However, the Notices do not provide the context for these moves, which in both cases involved changing circumstances in FBME’s country of incorporation that hindered FBME’s ability to function as a legitimate international commercial bank.

In 1977, Michel Ayoub Saab and his son Ayoub-Farid M. Saab moved to Cyprus. Later that same year, the Federal Bank of Lebanon (“FBL”), a Lebanese retail bank owned by the Saab family, opened a representative office in Cyprus. Cyprus had close proximity to Lebanon, was a stable country, and had established good international communications networks.

In 1982, the Saab family sought to incorporate an international commercial bank in Cyprus. The CBC, however, was unwilling as a matter of policy to take on home supervisory responsibility over international banks that were not among the large international banks. Instead, the CBC required the Saab family to establish its international bank in Cyprus as a subsidiary of a bank headquartered outside Cyprus. Accordingly, in 1982, the Saab family formed FBME (then named Federal Bank of the Middle East Ltd.) in Cyprus as a subsidiary of FBL, with fifty-one percent of the shares owned by FBL and forty-nine percent owned by Michel Ayoub Saab, Ayoub-Farid M. Saab, and Fadi M. Saab.

3/ On July 18, 2014, the CBC announced that it was taking over management of the operations of the Bank’s Cyprus branch. The Resolution Committee (appointed to manage the Bank) subsequently issued a Decree placing the branch under resolution and providing that the expressed purpose of the Decree was the sale of the Bank’s operations in Cyprus.

In 1985, security deteriorated in Lebanon due to the Syrian occupation.
The Saab family, who are members of the Lebanese-Christian minority, became concerned about the possibility of the occupying power nationalizing Lebanese banks, including FBL, which had been occurring elsewhere in the region at the time. The Saab family therefore decided to protect FBME by removing FBL from its ownership structure. In 1986, Michel Ayoub Saab, Ayoub-Farid M. Saab, and Fadi M. Saab acquired FBL’s fifty-one percent ownership interest in FBME. At that time, FBME and FBL became unrelated legal entities. FBME was no longer a subsidiary of FBL, and the two entities have remained separate to the present day, although they are both presently owned by Ayoub-Farid M. Saab and Fadi M. Saab.

In 1985, FBME discussed with the CBC its options for incorporating the Bank in a foreign jurisdiction and maintaining a Cyprus branch. The CBC expressed to FBME that it would be advisable if FBME approached the Cayman Islands Monetary Authority (“CIMA”) for a full banking license. The CBC made the necessary introductions and the Saabs took steps to apply for a “Banking License B” for a Cayman Islands incorporated company, Federal Bank of the Middle East Ltd (“FBME-CY”), which would allow a fully operating branch then to be based in Cyprus. Consequently, in 1986 FBME-CY changed its country of incorporation and primary banking license to the Cayman Islands. FBME’s international banking business operations remained in Cyprus. With the approval of the CBC and CIMA, FBME therefore incorporated itself in the Cayman Islands, and the Cyprus operations became a branch of the Bank. In 1987, the Cyprus branch received a license from the CBC to carry out banking business in Cyprus.

In 1991, Michel Ayoub Saab passed away, and Ayoub-Farid M. Saab and Fadi M. Saab inherited their father’s shares and became equal owners of FBME.

FBME’s decision to move its headquarters to Tanzania was not motivated by any attempt to escape Cayman regulation, as the Notice seems to suggest.
In 2001, fifteen years after FBME was incorporated in the Cayman Islands, the Cayman Islands amended its banking legislation to require all banks headquartered in the Cayman Islands to establish a physical presence there or cease conducting business in the Islands after April 2003. 4/ CIMA viewed this change in the law as a requirement to have a substantial physical and management presence in the Cayman Islands, which would have involved at least one of the Saab brothers residing in the Islands. Given the Bank’s international customer base (in particular its geographic spread) and the fact that its existing work force was located primarily in Cyprus, the Bank decided that it made little business sense to establish a substantial physical and management presence in the Cayman Islands. It therefore, once again, became necessary for FBME to find a new jurisdiction from which it could obtain a “Home License.” By this time, the Bank had already been doing some business in Africa and had targeted the continent as a region for expansion.

4/ In April 2001, the Banks and Trust Companies Law (2001 Revision) was amended to require all banks that were not a subsidiary or branch of a bank licensed in a country or territory outside the Islands to establish a physical presence in the Cayman Islands by January 2002. In December 2002, the Cayman Islands Law was further revised so as to provide that a holder of a "B" license which is not a subsidiary or branch of a bank licensed in a country or territory outside the Islands, shall not after April 2003 carry on business in the Islands unless it has such resources (including staff and facilities) and such books and records as the Authority considers appropriate with regard to the nature and scale of the business.
FBME investigated various countries and spoke with different regulatory authorities, including representatives from the International Monetary Fund and the World Bank while visiting the Central Bank in Tanzania. The opportunity arose in 2003 for FBME to acquire from the Bank of Tanzania certain assets of Delphis Bank, which the Bank of Tanzania then held in receivership. FBME did not acquire Delphis Bank, but purchased certain assets and assumed certain liabilities. CIMA enabled this process to be accomplished by extending the April 2003 deadline first to July 2003, and then again to September 2003. Neither of these two extensions was linked by CIMA to any change in the capital structure of the Bank. FBME moved its headquarters to Tanzania, obtained a license from the Bank of Tanzania, and began operations on September 12, 2003.

Due to these changes and the fact that its customer base was primarily from Europe and the Commonwealth of Independent States (“CIS”), the Federal Bank of the Middle East Ltd. formally changed and shortened its name to FBME Bank Ltd. on August 4, 2005.

FBME is headquartered in Tanzania 5/ and operates primarily in Cyprus, owing to its legacy connection to the island. FBME is the longest established international bank in Cyprus, having operated continuously on the island since 1982. As of July 15, 2014, FBME had 375 employees, including 225 in Cyprus. 6/ FBME has a geographically diverse client base of international companies and individuals located in more than fifty countries. The Bank specializes in international commercial transactions accommodating high net worth individuals’ banking needs, ranging from portfolio management to payment solutions.
Of FBME’s current customers, approximately 33.2% of deposits are from Europe, 35.4% are from the CIS market, 13.0% are from Asia, 11.3% are from sub-Saharan Africa, 4.3% are from the Americas, 2.5% are from the Middle East and Northern Africa, and 0.3% are from other locations.

5/ The Financial Action Task Force (“FATF”), of which the United States is a member and cooperating and supporting nation, has found Tanzania’s banking system to have sufficient AML/CFT controls in place. As FATF stated in a June 27, 2014 press release: "The FATF welcomes Tanzania’s significant progress in improving its AML/CFT regime and notes that Tanzania has established the legal and regulatory framework to meet its commitments in its action plan regarding the strategic deficiencies that the FATF had identified in October 2010. Tanzania is therefore no longer subject to FATF’s monitoring process under its on-going global AML/CFT compliance process. Tanzania will work with ESAAMLG as it continues to address the full range of AML/CFT issues identified in its mutual evaluation report." FATF, “Improving Global AML/CFT Compliance: on-going process - 27 June 2014 (Tanzania),” available at http://www.fatf-gafi.org/countries/s-t/tanzania/documents/fatf-compliance-june-2014.html. The United States is an observer to the Eastern and Southern Africa Anti-Money Laundering Group (“ESAAMLG”), and Tanzania has been a member of the ESAAMLG since its inception in 1999. In fact, the ESAAMLG was launched in Arusha, Tanzania.

6/ FBME Card Services Ltd (“FBMECS”) had employed an additional 105 people, but 75 of those were laid off in August 2014 due to the refusal by the Special Administrator (appointed by the CBC to administer the Cyprus branch while under resolution) to settle with card companies and local merchants, causing FBMECS to suspend all activity. FBMECS currently employs 30 people.
In 2013, the Bank had assets (e.g. cash balances, customer loans, property, etc.) of approximately 2.78bn US Dollars; liabilities (e.g. customer deposits) of 2.6bn US Dollars and total capital and reserves of 173m US Dollars. FBME’s prudent financial management has proven successful, allowing the Bank to maintain a healthy financial condition amidst recent financial crises both internationally and in Cyprus. As of July 18, 2014, FBME's Cyprus branch had a liquidity ratio of 104%.

FBME is committed to complying with the laws and regulations of the Bank of Tanzania and the CBC. The Bank’s Compliance Program has evolved in response to developing legal authorities within Europe, including the EU's MLD3, as implemented in Cyprus by The Prevention and Suppression of Money Laundering Activities Law (which came into force in Cyprus on January 1, 2008) (the “Law”). The CBC subsequently issued local directives, most recently the CBC 4th Directive which sets forth specific policy, procedures and control systems that all credit institutions should implement for the effective prevention of money laundering and terrorist financing so as to achieve full compliance with the Law (as amended since 2008).

B. Anti-Money Laundering Compliance Policies

The Bank has an extensive Manual of Policies and Procedures (the “Manual”) that includes a detailed Compliance section. According to EY’s Assessment, the Manual “is in line with the applicable requirements of the [CBC and EU] Directives.” Adopted in its current form in October 2006, the Manual is provided to all employees and is available electronically on all employee computer desktops as a shortcut from the shared drive of all Bank departments. Compliance personnel annually review and revise the Manual to implement enhancements to the Bank’s Compliance Program or as and when prompted by changes in legal and regulatory requirements, industry best practices, or the recommendations of internal or external audits.
Since its adoption in 2006, the Manual has been approved by senior management and the Bank’s Board of Directors at least annually and whenever there were changes to law or policy that required updates to the Manual. The Manual’s Compliance section provides detailed policies and procedures covering AML issues, including but not limited to: KYC procedures, required documentation for personal and corporate accounts, procedures for high-risk customers, monitoring of accounts and transactions, and the role of the Money Laundering Compliance Officer. Further discussion of these and other topics is below.

C. Money Laundering Compliance Officer

FBME’s Board of Directors has appointed a Money Laundering Compliance Officer (“MLCO”) to oversee the Compliance Program and to report regularly his or her assessment of such compliance to the Board. Following the retirement of her predecessor in March 2011, FBME’s current MLCO took over the position with the benefit of her predecessor’s assistance as an advisor for a short time period to facilitate a smooth transition and provide any necessary information and training.

The current MLCO received her M.B.A. from Harvard Business School and has over a decade of banking experience. She holds a diploma in Compliance from the International Compliance Association in the United Kingdom and has studied international law. She started working at the Bank in 2009 and in 2011 became the MLCO and Group Head of Compliance. As evidenced by the CBC correspondence approving her appointment in April 2011 and as noted by EY in its Assessment, FBME’s MLCO “has the requisite qualifications (e.g., knowledge, skills, experience) and seniority to discharge her duties.”

The MLCO’s duties include, among others, effective implementation of the Compliance Program.
Thus, the MLCO oversees the provision of training to employees, and is responsible for assessing and managing the risks emanating from existing and new customers. The MLCO also serves as a first point of contact for AML regulators. The MLCO directs the submission of suspicious transaction reports to the appropriate authorities and the maintenance of a registry of all such reports.

The Compliance Department reports to the MLCO / Group Head of Compliance, who in turn reports directly to the Board of Directors. The MLCO / Group Head of Compliance has been a member of the Executive Committee, which is the most senior management committee in the Bank, since that committee was formed in 2012. The MLCO delivers an annual report on the state of the Compliance Program to the Board of Directors and the Executive Committee. The MLCO’s report to the Board includes an overview of new measures implemented to comply with the CBC’s applicable directives, the findings and recommendations of any new audit results, the number of suspicious transaction reports submitted to MOKAS with any particular trends identified, the number of suspicious transactions investigated by the MLCO for which no report was filed with MOKAS, preparation of any recent internal suspicion reports, the identification of any gaps in monitoring, due diligence or other compliance functions, a summary of key information related to high-risk customers, an update on AML employee training, and any other information necessary to keep the Board apprised of AML developments within the Bank. (Additionally, in her role as Group Head of Compliance, she reports to the Board semiannually on general compliance matters, including AML, for FBMECS and FBME’s Tanzanian operations.)

In 2014, the Board appointed an Alternate MLCO to assist the MLCO with her duties or formally act in her place in the case of absence or illness. Before joining FBME, the Alternate MLCO worked in the credit department of Commerzbank in Berlin.
She began working at FBME in July 2007 and has served in the Account Opening section assisting the Head of the section and the Compliance Department, where she is currently an Assistant Manager (in addition to her Alternate MLCO duties).

D. Compliance Department

FBME is committed to maintaining a compliance program in line with or exceeding regulatory requirements and industry best practices of comparably-sized, similarly-located banks. When it named its new MLCO in 2011, FBME empowered its MLCO with the authority and resources necessary to expand and enhance the Compliance Program. FBME and its management welcome regular feedback from internal and external sources such as auditors, correspondent banks, and regulators in order to identify and implement any necessary program enhancements. In response to recommendations and requests by the CBC, internal and external auditors, and Compliance Department leadership, FBME has taken significant steps to bolster its policies, procedures, and practices and has dramatically augmented the Compliance Department’s resources.

FBME has steadily increased the size and capability of the Compliance Department, which has tripled in size in five years, from six employees in 2009 to eighteen employees in 2014. The current Compliance Department consists of seasoned professionals who have broad experience across the Bank. They draw from their understanding of how other departments function in order to ensure a healthy, seamless relationship between the compliance and business functions. In June 2011, the MLCO restructured the Compliance Department to provide dedicated functions for specific program requirements. The Compliance Department is presently divided into three units: the New Accounts Approval Unit; the KYC Due Diligence Update Unit; and the Monitoring Unit.

1. New Accounts Approval Unit

The New Accounts Approval Unit consists of three employees who review all applications for new accounts. For each account, the New Accounts Approval Unit is required to perform a full KYC/background review of the prospective customer in accordance with the Bank’s policies, described below in section I.F. Before approving the account, the Unit considers the prospective customer’s business activities and risk level to determine whether such an account is consistent with the Bank’s internal policies and the CBC 4th Directive. For example, upon the recommendation of the Compliance Department, the Board banned the onboarding of Russian Politically Exposed Persons ("PEPs") in January 2013 in light of compliance risks.

2. KYC Due Diligence Update Unit

The KYC Due Diligence Unit consists of seven employees responsible for completing annual reviews of all high-risk customers. The Bank's policy is to review customers classified as normal risk every three years. The KYC Due Diligence Unit is required to obtain up-to-date KYC documentation as part of the review. In the case of corporate customers, the Unit will check that the customer remains of good standing (for example by requesting a Certificate of Good Standing or performing a company search); review the customer’s business activities to ensure they align with its transactions; and perform World-Check searches, internet searches, and sanctions screening (which is conducted for the shareholding structure, including the ultimate beneficial owner(s)). Should the KYC Due Diligence Unit encounter any questions or concerns, it involves other compliance personnel, such as the MLCO, to determine what further action should be taken. These KYC reviews are described in more detail in section I.F below.

3. Monitoring Unit

The Monitoring Unit consists of seven employees responsible for regularly monitoring payments being processed through the Bank’s accounts.
The monitoring process encompasses several functions, including, but not limited to: monitoring of live payments by processing transactions through HotScan to signal any pending transactions warranting closer analysis by the Compliance Department; monitoring all card transactions; monitoring post-factum transactions through Mantas, which detects irregularities in past payments; monitoring all inward and outward transfers related to high-risk accounts, regardless of amount, through HotScan; and manual transaction monitoring for high-risk accounts with markers flagging transactions for manual review. The Monitoring Unit is also required to prepare daily cash and check reports to determine whether there were any cash deposits in excess of 10,000 Euro or withdrawals in excess of 15,000 Euro (or equivalent), in which case documentation supporting the deposit / withdrawal is requested from the customer. (Note: cash and check payments total only 0.3% of the total value of payments made and 0.8% of the total number of transactions.) In addition, the Unit is required to prepare numerous other reports, such as monthly reports to the MLCO analyzing cash deposit patterns, reports of accounts closed by the Compliance Department, and suspicious transaction reports to MOKAS.

E. Customer Acceptance and Know Your Customer Policies

FBME’s policy requires the Bank to conduct a thorough KYC exercise, including obtaining documentation to confirm the customer’s identity, and the Bank uses standardized account opening forms to complete this process. For corporate accounts, such documentation is required for all parties, including shareholders with an interest over 10% of each entity up to and including the ultimate beneficial owner(s).
Required documentation includes passports and certified true copies thereof (or other legal alternatives), references, proof of address, certificates of incorporation, statutory documents, and other items consistent with industry best practices. Individual customers complete an Activity Profile, and corporate customers complete a Business Profile, which contains information on the purpose for which the account is required; the anticipated annual account turnover and method of deposits; a detailed description of the customer’s main business activities; the expected sources of incoming funds (including countries and principal counterparties); and expected destination of outgoing payments (including countries and principal counterparties).

Further, since 2007, the Bank has used the World-Check® database to screen customers not only for sanctions exposure, but also to help identify reputational risk (the background check includes a search of adverse media). See http://thomsonreuters.com/world-check-risk-intelligence/. The Bank conducts its own KYC on all customers, even those referred by its most trusted Approved Third Parties (“ATPs”).

Some aspects of the Bank’s KYC practices exceed U.S. regulatory requirements. For example, consistent with EU best practices and CBC requirements, FBME has required the identification and verification of ultimate beneficial owners since at least 2000. FinCEN proposed just last month to require U.S. financial institutions to identify ultimate beneficial owners. 7/ Moreover, FinCEN’s proposal sets a threshold of a 25% equity interest for the identification of ultimate beneficial owners.
FBME adheres to a far stricter threshold, defining ultimate beneficial owners as “persons with direct or indirect ownership or control or voting rights of 10% plus one share of the company’s share capital.” 8/

EY’s Assessment notes that, “FBME applies [Enhanced Due Diligence (“EDD”)] measures on its high-risk customers” in accordance with the requirements of the Manual. The Compliance Department is required to classify customers as high-risk if they are: PEPs (public functionaries or related individuals who present higher risks for bribery and corruption due to their position); bearer share companies; trusts; foundations; non-face-to-face customers; customers from countries that do not apply FATF’s Recommendations; correspondent banks outside the EU; or if they meet any of several other factors listed in the Compliance section of the Manual. FBME does not employ a one-size-fits-all approach to EDD for high-risk clients. Instead, as EY points out, EDD measures “are tailored to address the unique risk(s) posed by each . . . customer type.” The Manual defines appropriate EDD measures, which may include, for example, completing Bearer Share Questionnaires (e.g., to identify changes in corporate ownership structure), conducting a further analysis of PEP relationships (e.g., additional background checks on the PEP focusing on source of wealth), and verifying the validity of business / professional licenses. All high-risk customers must be approved by the MLCO or Alternate MLCO prior to account opening.

FBME recognizes the importance of regularly reviewing its KYC procedures in order to eliminate any potential gaps and ensure the Bank utilizes evolving technologies. In its 2013 external audit of FBME (discussed below), KPMG noted that a Customer Relationship Management System (“CRMS”) ought to be implemented to enable better oversight of all customer-related data, and the Bank did so in 2013.
Similarly, KPMG recommended that FBME add specific markers in FlexCube 7/ See Notice of Proposed Rulemaking, Customer Due Diligence Requirements for Financial Institutions, 79 Fed. Reg. 45151-74 (Aug. 4, 2014). 8/ FBME Manual of Policies and Procedures, § 3.2.3.2. Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 11 of 134 - 10 - September 22, 2014 (FBME's core banking system) describing the nature of all high-risk accounts. The Bank also made this upgrade in 2013. (Previously, the version of FlexCube the Bank was using did not provide for the nature of the high risk to be identified in the system; it only allowed for the categorization of accounts as high-risk. However, the Compliance Department maintained spreadsheets which assigned specific categories to the high-risk accounts. The current version of FlexCube enables this categorization detail.) KPMG also identified a limited number of customer files containing some expired due diligence documentation and, as a result, KPMG recommended adding a function to the Bank’s automated system to alert compliance officers whenever a document expires. The Bank is in the process of implementing an alert functionality in the CRMS. In September 2014, EY reviewed FBME’s Manual and reported that FBME’s policies, procedures, and processes are in line with the Directives. EY then tested a statistically relevant sample of recent and older corporate and individual customer files in order to determine whether the procedures are properly carried out in line with the Manual. For almost all of the reviewed customer files, FBME conduced sufficient due diligence and collected all necessary information from its customers. EY identified certain enhancements FBME could implement, such as more consistently documenting its verification of the sources of funds/wealth and its internet and database searches for customer identification. FBME is enhancing its procedures in accordance with EY’s recommendations. F. 
Updates to Customer Due Diligence As noted in section I.D above, FBME has a separate unit dedicated to reviewing and updating KYC. The team of seven officers is devoted exclusively to the updating and maintenance of customer files. 1. All customers All customer files are reviewed regularly to ensure the adequacy and validity of relevant identification documents and information. The outcome of such review is recorded in a separate note kept in the customer file. Each non-high-risk customer file is reviewed every three years. Additional due diligence is undertaken whenever, for example, an individual transaction appears to be unusual or significant compared to the normal pattern of transactions or the business profile of the customer; there is a change in the legal status, corporate structure; or there is a change in the way the account operates. The Compliance Department maintains files that compare transactions executed against anticipated or usual turnover. 2. High-risk customers FBME’s Manual requires the review of high-risk customer files on an annual basis. Transactions executed are compared against anticipated or usual turnover (this annual comparison is kept on file). The KYC team also reconfirms the customer’s business activities, location, and status as an entity in good legal standing and not subject to international sanctions. In addition, certain types of high-risk accounts (such as accounts held for PEPs or companies with bearer shares, etc.) are subject to annual all-encompassing review by the Monitoring Team and approval by the MLCO or Alternate MLCO for continuation of the relationship. PEPs must fill out a supplemental due diligence form, which probes their involvement in public administration as well as their professional background and source of wealth. 
The form also contains Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 12 of 134 - 11 - September 22, 2014 questions about close associates and the visibility of immediate family members in public life. As stated above, for example, the onboarding of Russian PEPs has been prohibited since January 2013. G. Approved Third Parties In accordance with its applicable policies and procedures and as permitted by the CBC 4 th Directive, the Bank engages certain ATPs to develop potential new customer relationships. FBME seeks lawyers, accountants, and other licensed professionals from trusted occupations who can refer potential customers, and who are subject to supervision with regard to their compliance with the requirements of MLD3 or are from selected jurisdictions determined by the Cyprus Advisory Authority for Combating Money Laundering and Terrorist Financing to have AML/CTF measures equivalent to those within the EU. Business development personnel attend professional conferences to develop relationships with these potential partners. FBME recognizes significant value in utilizing licensed professionals to identify potential customers, and as a result, around 90% of the Bank’s customers are introduced by ATPs. The Bank identifies potential ATPs through one of six ways: membership of a professional association; internet research; business magazines and newspapers; referral by existing associates or clients; attendance at conferences or seminars relating to tax planning or the offshore industry; or recommendation by FBME staff or an existing ATP. 1. ATP Due Diligence The Bank’s engagement with these ATPs is governed by its Manual. Upon identifying a prospective ATP, the Bank must ensure that the country of operation of the ATP falls within the target areas designated by the CBC 4th Directive. FBME then registers the ATP on a “prospective list” for recordkeeping purposes. 
All ATPs must hold membership in a professional association that regulates and supervises the ATP for AML compliance. Before engaging a new ATP, FBME policy requires that the prospective ATP complete a due diligence questionnaire. This questionnaire requests information about the regulatory environment surrounding the ATP; its customer acceptance, identification and verification policies; its recordkeeping and reporting procedures; and its training program. The Bank reviews the ATP’s AML/CTF policies to confirm they adhere to the Bank’s requirements. Additionally, all ATPs must complete a profile form. Prospective ATPs acting in a personal capacity must include general information, including their name, their business and correspondence addresses, and contact information. These prospective ATPs must also explain their business activities, including areas of expertise and industry sector. The prospective ATP must also provide information about their clientele, including nationality, industry sector, and net worth. In addition to all of this information, prospective corporate ATPs must provide additional information, including the names of all partners and directors, whether the ATP acts as a nominee director and/or shareholder, and detailed company information. All prospective ATPs must also provide sufficient supporting documentation. Personal ATPs must provide: policies and procedures for preventing money laundering and terrorist financing, as noted above; a certified copy of a passport or national identification card; proof of residential address; a personal reference letter from a bank, lawyer, or chartered/certified accountant; and a regulatory license. 
Corporate ATPs must provide: the company’s written policies and procedures for preventing money laundering and terrorist financing; a certified copy of statutory documents for the corporate entity; a certified copy of statutory documents for any nominee companies; certified copies of passports for all directors, shareholders, and beneficial owners; proof of residential address for all directors, shareholders, and beneficial owners; reference letters from a bank, lawyer, or chartered/certified accountant for all directors, shareholders, and beneficial owners; and a regulatory license. The Bank performs due diligence on all ATPs in accordance with the Manual, including contacting professional organizations to ensure that the prospective ATP is a member and is supervised for AML compliance purposes. The Bank also performs KYC of the ATP, including World-Check searches, URU passport verification, and internet searches. If the ATP clears all due diligence and KYC processes, the file is sent to the MLCO/Group Head of Compliance for final approval.

2. MLCO Approval of ATPs

If the ATP satisfies the requirements of FBME policy, the Group Head of Compliance may approve the engagement. According to EY’s Assessment, “the MLCO assesses the adequacy of the third party by reviewing the ATP’s policies and procedures.” In all the ATP files that EY tested, the MLCO approved the ATP before it began a relationship with the Bank.

3. ATP Contracts and Guidance Documents

All ATP relationships are governed by the Bank’s Business Introducer Agreement, with which ATPs must agree to comply. The agreement provides that the ATP must comply with all laws, rules, and regulations and may not refer any client which could violate any laws, rules, and regulations that might breach the terms and conditions of FBME’s banking license, Cypriot law, the rules and regulations of the CBC, or FBME’s internal policies and practices. FBME requires that the ATP ensure strict compliance with the Bank’s customer identification and due diligence procedures for all clients. ATPs must continue to follow the Bank’s updated identification and due diligence procedures whenever those procedures are amended by the Bank. The Bank further reserves the right to check and verify the due diligence performed by the ATP. The Bank may also refuse to accept any new clients referred by any ATP, terminate any clients referred by any ATP, and refuse further business from any ATP. The Bank may also terminate its relationship with any ATP. Notably, the Bank has terminated ATPs where the ATP has failed to satisfy the Bank’s expectation for referring compliant customers. The Bank also declines to open new accounts for potential customers referred by ATPs when those customers fail to meet the Bank’s compliance requirements. FBME welcomes the opportunity to provide more specific information on these points to FinCEN.

Additionally, the Bank provides each ATP with a document titled “Customer Acceptance – Guidance Notes” (“The Guidance”), which describes the types of business that FBME seeks and that which it does not permit. The Guidance provides that clients of the Bank are corporate entities or higher net worth individuals actively involved in the international trade of goods and services, or managing their global wealth and assets. The document also specifically describes unacceptable client relationships. The form describes unacceptable clients in a number of categories: (1) certain clients, including persons or entities on US, EU, UK, and UN sanctions lists and anonymous accounts; (2) certain activities, including production or trade of weapons, gaming and gambling related business, adult entertainment, and unlicensed trade of pharmaceutical products; and (3) certain geographical locations, currently Iran, Syria, North Korea, Cuba, and North Sudan.

4. Customer Due Diligence

All of the Bank’s customers are subject to the due diligence procedures required by the Manual. The Bank’s policies permit it to rely on ATPs to implement certain customer identification and due diligence procedures. These procedures are generally limited to the ATP certifying customer documents as true copies of originals. In order to accept this data, the Bank also must confirm that the ATP implemented these policies in line with the requirements of the law and directives issued by the relevant supervisory authorities. After the Bank opens an account, FBME’s policies require the Bank to obtain all ongoing due diligence directly from the directors or beneficial owners on the customer’s account. These policies prescribe the minimum standards Bank personnel may follow. In practice, the Bank performs complete due diligence for all prospective clients referred by ATPs, including performing World Check and internet searches. For example, when the Bank accepts certified copies of a customer’s passport via an ATP, the Bank still confirms the authenticity of the document through an identity check in the URU database maintained by GB Global PLC.

5. ATP Monitoring

The Bank’s Business Development Team maintains a close relationship with ATPs. Business development personnel regularly visit ATPs to cultivate the relationship, ensure the ATP understands the Bank’s practices, and confirm that the ATP is operating as described in its ATP Profile. FBME employees are encouraged to contact the ATP at least every three months. FBME monitors ATPs annually not only in terms of the quality of the customers they introduce, but also the occurrence of account closures and suspicious transaction reports submitted to MOKAS. Their registrations or licenses are verified regularly to confirm validity. The MLCO further performs an annual reassessment of ATPs in accordance with the current Directive. In appropriate cases, the Bank terminates ATPs that do not satisfy the Bank’s requirements.

H. Transactional and Account Monitoring

As noted above, the Compliance Department was restructured in 2011, resulting in the creation of a dedicated Monitoring Unit. FBME also has been consistently enhancing its Compliance Program through the introduction and use of electronic solutions in addition to the manual review of transaction and account activity. FBME uses automated monitoring systems that detect unusual or suspicious activities or types of transactions by setting limits on certain types of transactions or categories of accounts, while considering the customer’s business profile, country of origin and source of funds, nature of transaction, and other factors.

1. HotScan

Since January 2010, FBME has used the CGI HotScan Intelligent Self Learning sanctions screening solution, an interdiction filter that monitors the Bank’s outgoing and incoming SWIFT transactions in real-time (see http://www.cgi-group.co.uk/solutions/HotScan). HotScan screens all payments against current sanctions lists from the U.S.
Department of Treasury Office of Foreign Assets Control (“OFAC”), the United Nations, the EU, HM Treasury (UK), and other regulatory bodies, as well as lists maintained by financial agencies such as the Financial Action Task Force, the Financial Conduct Authority (UK), the Cyprus Securities and Exchange Commission, and others. The lists are updated daily from their sources and uploaded into HotScan. HotScan also enables manual entry of individuals and internal watchlists, such as lists of high-risk accounts, into the system. In addition to the above, HotScan stops all inward/outward transfers as per the value thresholds set in the system (500,000 Euro and 100,000 US Dollars or equivalent in Tanzania) for investigation and so that documents can be obtained before processing. Although HotScan does not review internal transfers between existing Bank client accounts, the Compliance Department generates a report of such transfers and reviews them manually on a daily basis.

Transactions that contain a positive match to HotScan’s list are put on hold (i.e., frozen and reported or rejected, depending on the nature of the match). Partial matches trigger an investigation, and the payment will be processed only in the event of a false positive match. The investigation may include obtaining supporting documents such as contracts, invoices, bills of lading, etc., as well as a review of the account holder’s past activity, information regarding the account holder’s ultimate beneficial owner(s), internet search results, and additional documentation sought from the account holder. For outgoing payments, two different investigators must review the alert, and HotScan has a control in place to ensure this double-review takes place. All alerts are documented in an Excel spreadsheet.

2. Mantas

Since January 2010, FBME has also used Oracle’s industry-leading Mantas AML monitoring platform, which evaluates past transactions and tracks the following pre-populated scenarios: fund transfers between customers and external entities, focal high-risk entity, high-risk counterparty, rapid movement of funds, large depreciation of account value, and large reportable transactions (see http://www.oracle.com/us/industries/financial-services/mantas-anti-money-laundering-ds046161.pdf). Up-to-date transaction and account information data from the core banking system, FlexCube, is imported into Mantas, which runs an automated script to detect any activity under these scenarios and generate an alert if there is such activity. If an alert is generated, FBME Compliance staff conducts an investigation, which is tracked and documented in an Excel spreadsheet. An investigator may draft an internal report or may add a “marker” to an account, which will notify personnel monitoring accounts when the client attempts to transact further. The monitoring personnel can then review the transaction or request further information from the client before any transaction is processed. If a decision is taken to close an account, a marker is placed on the account to indicate this decision. FBME promptly notifies the client and terminates the relationship within the minimum notice period required by law.

Although FBME has adequately tracked alerts and their investigation and disposition in Excel spreadsheets, EY recommended that the Bank introduce an automated system to perform these tasks. An electronic case management system would register alerts, track the progress of the related investigation, and automatically update the report when an investigation was closed. It would also generate case reports. FBME plans to introduce this system by the end of 2014.

3. Manual Review

In addition to utilizing electronic resources, the Compliance Department manually reviews a list of cash and check transactions on a daily basis, and retains transaction records and supporting documentation in hard copy format. Documentation of the source of funds is required for deposits over 10,000 Euro (such deposits have historically been, and still are, at very low levels due to the non-retail model of the Bank). Withdrawals of over 15,000 Euro require a stated purpose, and withdrawals of over 30,000 Euro require documentation that justifies the economic/business purposes of such withdrawals. Monthly reports of cash and check transactions are also kept in the same file and are reviewed for patterns of suspicious activity, in conjunction with the previous three months’ activity.

I. Suspicious Transaction Reporting to MOKAS

The Bank has an effective process to escalate suspicious activities to the MLCO and (where appropriate) to MOKAS. Thus, after EY reviewed this process, it made no recommendations for improvement. When the Compliance Department is investigating a customer for suspicious activity, the Bank places a marker on the relevant account to denote that the customer is under investigation. If the Compliance Department determines that a customer's activities are suspicious, the MLCO prepares a Suspicious Transaction Report (“STR”) and files the report with MOKAS. The Bank maintains a spreadsheet of all STRs that have been filed with MOKAS. The Bank keeps a copy of the STR, MOKAS’ acknowledgment of receipt, and the disposition of the STR by MOKAS. If it does not receive a response from MOKAS within 14 days, the Bank will close the client’s account unless otherwise advised by MOKAS. The Bank has engaged with MOKAS on a regular basis, and its relationship with MOKAS is characterized by frequent communication and swift resolution of concerns.
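The interdiction-filter behaviour that section H above attributes to HotScan (list screening with exact and partial matches, value thresholds that hold a payment until documents are obtained, no coverage of client-to-client internal transfers, and a control forcing two different investigators to review outgoing alerts) in working form, as an added example that is neither FBME's, CGI's nor Oracle's code. The watchlist entries and sample payments are constructed and fictitious, the similarity cut-off for a "partial match" is an assumption (the letter does not describe the vendor's scoring), and the thresholds are treated as inclusive, also an assumption; the EUR 500,000 and USD 100,000 figures are the ones stated in the letter.

```python
"""Toy payment-screening filter modelled on the controls described in section H.
Added example; not FBME's, CGI HotScan's or Oracle Mantas' code."""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed sample watchlist with fictitious names (not taken from any real sanctions list).
WATCHLIST = frozenset({"ACME EXPORT TRADING LTD", "JOHN Q SAMPLE"})

# Value thresholds stated in the letter: EUR 500,000 and USD 100,000.
# Treated as inclusive ("at or above") here, which is an assumption.
VALUE_THRESHOLDS = {"EUR": 500_000, "USD": 100_000}

# Assumed similarity cut-off for a "partial match"; the real filter's scoring is not on the page.
PARTIAL_MATCH_RATIO = 0.85

# Severity order used to pick one disposition when several reasons apply to one payment.
SEVERITY = ["CLEAR", "MANUAL_REVIEW", "HOLD_FOR_DOCUMENTS", "INVESTIGATE", "HOLD"]


@dataclass
class Payment:
    ref: str
    direction: str          # "IN" or "OUT"
    counterparty: str
    amount: float
    currency: str
    internal: bool = False  # transfer between two existing Bank client accounts


@dataclass
class Alert:
    ref: str
    disposition: str
    reasons: list = field(default_factory=list)
    reviewers_required: int = 1
    reviewed_by: set = field(default_factory=set)
    closed: bool = False


def normalise(name: str) -> str:
    """Strip accents, punctuation and case so 'Açme-Export' and 'ACME EXPORT' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^A-Za-z0-9 ]+", " ", ascii_name).upper().split())


def match_watchlist(name: str):
    """Return ('exact', entry), ('partial', entry) or (None, None) for a counterparty name."""
    n = normalise(name)
    if n in WATCHLIST:
        return "exact", n
    best = max(WATCHLIST, key=lambda e: SequenceMatcher(None, n, e).ratio())
    if SequenceMatcher(None, n, best).ratio() >= PARTIAL_MATCH_RATIO:
        return "partial", best
    return None, None


def screen(p: Payment) -> Alert:
    """Apply the list screen and the value thresholds to one payment; return its alert record."""
    if p.internal:
        # The interdiction filter does not see client-to-client transfers; they go to the daily manual report.
        return Alert(p.ref, "MANUAL_REVIEW", ["internal transfer: daily manual review"])
    reasons = []
    kind, entry = match_watchlist(p.counterparty)
    if kind == "exact":
        reasons.append(f"HOLD: exact watchlist match '{entry}'")       # freeze, then report or reject
    elif kind == "partial":
        reasons.append(f"INVESTIGATE: partial watchlist match '{entry}'")  # process only if false positive
    limit = VALUE_THRESHOLDS.get(p.currency)
    if limit is not None and p.amount >= limit:
        reasons.append(f"HOLD_FOR_DOCUMENTS: {p.currency} {p.amount:,.2f} >= {limit:,}")
    disposition = max((r.split(":")[0] for r in reasons), key=SEVERITY.index, default="CLEAR")
    # Alerts on outgoing payments need two different investigators before they can be closed.
    required = 2 if (p.direction == "OUT" and disposition != "CLEAR") else 1
    return Alert(p.ref, disposition, reasons, reviewers_required=required)


def review(alert: Alert, investigator: str) -> bool:
    """Record one investigator's sign-off; the alert closes only with enough distinct reviewers."""
    alert.reviewed_by.add(investigator)
    alert.closed = len(alert.reviewed_by) >= alert.reviewers_required
    return alert.closed


# Constructed sample payments (fictitious counterparties).
SAMPLE_PAYMENTS = [
    Payment("P1", "OUT", "Acme Export Trading Ltd.", 12_000, "EUR"),
    Payment("P2", "IN", "Acme Export Tradng Ltd", 9_500, "USD"),
    Payment("P3", "OUT", "Globex Shipping GmbH", 120_000, "USD"),
    Payment("P4", "IN", "Globex Shipping GmbH", 4_000, "EUR"),
    Payment("P5", "OUT", "Client B (own account)", 750_000, "EUR", internal=True),
]

if __name__ == "__main__":
    for pay in SAMPLE_PAYMENTS:
        a = screen(pay)
        print(pay.ref, a.disposition, a.reviewers_required, a.reasons)
```

Note that the same investigator signing twice does not close an outgoing alert; `review` counts distinct names, which is the point of the double-review control the letter describes. A real deployment would also keep the alert records in a case-management store rather than a spreadsheet, which is the EY recommendation the Mantas paragraph mentions.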
On multiple occasions, MOKAS staff has verbally complimented FBME employees on their helpfulness and cooperation.

J. Training

Bank employees, including those in back office and support functions, receive training relating to compliance matters, including AML and sanctions policies and procedures. Employees maintain a “Training Passport” containing stamps for each training session that they attend. These trainings consist of on-site and off-site programs. In 2004, the Head of Compliance and Audit created an education plan for all Bank employees. According to Bank policy, all newly hired employees are required to receive initial induction training featuring these AML and sanctions-related topics. Under current procedures, the MLCO conducts these trainings on an ad hoc basis. Consistent with EY’s recommendation, the MLCO is documenting a formal induction training curriculum for all new employees. The trainings cover both high-level AML concepts as well as procedural and substantive issues. To ensure that participants actually process the material instead of simply passively absorbing it, quizzes and other interactive exercises are given to confirm mastery of the content.

Furthermore, supplemental training is provided to customer-facing employees in accordance with the CBC 4th Directive. For example, on July 12, 2014, FBME held AML training at the Hilton Hotel in Nicosia, Cyprus, signaling the importance of the subject matter and differentiating it from a routine information session on Bank premises. In this session, the MLCO provided training on the changes in AML law and the CBC 4th Directive to all staff in customer-facing departments. EY reviewed the July 12, 2014 training provided to customer-facing employees. EY determined that the content met the key requirements of the Directives and addressed the following subjects, among others: customer due diligence / customer acceptance, handling of PEPs and other high-risk customers, ongoing monitoring of customer relationships, updating customer records, and reliance on third parties (e.g. key business introducers). The Bank also conducted a more general AML e-training for staff employed in the back office and support functions. FBME had also been planning a September 2014 general knowledge training course for all Bank employees, but this has been delayed since the installation by the CBC of a Special Administrator over the Bank.

This supplemental training is also combined with interface between groups so that other departments within the Bank can gain visibility into daily compliance functions. For example, in March 2013, a team of employees from the Client Relationship Management Unit spent a half day in the Compliance Department during the course of a business day in order to better understand routine compliance functions and activity.

All employees within the Compliance Department also have attended external AML trainings, including those offered by other institutions, to stay informed about key regulatory developments and industry practices. For example, four employees (including employees from FBMECS) attended a December 2013 seminar held by KPMG that covered changes to AML requirements under the CBC 4th Directive and the impact of those changes on Cyprus. FBME also sent an employee to the Association of Certified Anti-Money Laundering Specialists AML/CTF seminar and workshops in London in May 2014, as it has done in several years past. The MLCO maintains a Training Register that documents past trainings (2012-2014) taken by Compliance staff. In accordance with EY’s recommendations, FBME is working to implement a streamlined system to replace the Training Register as a method of documenting these trainings. FBME will be pleased to provide more information to FinCEN regarding the nature and content of the Bank’s training.

K. Risk Assessment

Following the advice of KPMG discussed below in section I.L.2, the MLCO enhanced the Compliance Program by creating a formal AML/CTF risk assessment in addition to the Risk Department’s assessment of operational risk. This first AML/CTF risk assessment of FBME’s Cyprus branch was completed in February 2014. The AML/CTF risk assessment examined risks posed by the following areas: the Bank’s customers; customers’ behavior; distribution channels; the Bank’s products and services; the nature and profile of customers, nature of business transactions and products and services offered; the customers’ geographical location and the origin and destination of customers’ funds; the scale and complexity of the Bank’s operation and geographical spread of its operations, staffing of the compliance department, storage of KYC data and record retention; and deviations from the anticipated level, volume and size of transactions from the stated business activities of customers. The MLCO assessed several potential risk areas within each of these broader categories, ultimately investigating approximately fifty-five areas of potential risk. The assessment determined that additional controls were unnecessary for fifty of these potential risk areas and identified five areas requiring follow up.

First, the risk assessment concluded that additional control measures ought to be applied to accord with newly issued CBC guidelines regarding PEPs. The assessment found that PEPs are identified through World Check and internet searches, and the Bank performs full checks to ensure that the PEP has not been involved in any cases of corruption, embezzlement, etc. and does not have any criminal track record. The Bank also requires the Head of Compliance to sign a PEP profile document, and twice yearly reviews of PEP customers are conducted by the AML Monitoring and KYC Due Diligence teams. All PEP transactions are closely monitored. The risk assessment generally suggested additional control measures relating to the identification of source of wealth and funds for PEPs, and FBME implemented them in March 2014, earlier than the suggested due date of mid-2014.

The risk assessment also found that the Bank refuses all potential non-face-to-face customers as defined in the Directives, including any customers approaching the Bank via telephone, internet, or mail. The very few non-face-to-face customers are categorized as high risk, such that all transactions are closely monitored. It has always been the Bank’s business model not to accept customers who approach the Bank via telephone, internet or mail, and the Bank has only five non-face-to-face customers, all of whom were recommended by existing clients. The risk assessment recommended that efforts be undertaken on an ongoing basis to make all such relationships face-to-face.

Additionally, the risk assessment concluded that the majority of the Bank’s customers are introduced by ATPs, but that any risk associated with this is mitigated by having the accounts approved by a unit reporting to the Head of Compliance, who reserves the right to reject any account application. In addition, should ATPs fail to introduce quality customers, the ATP is subject to termination. As noted in section I.G.4, the Bank does due diligence on all customers referred by ATPs. The MLCO has declined to open accounts for customers who did not provide complete documentation or where the due diligence otherwise triggers compliance concerns. In addition, the MLCO has terminated relationships with ATPs for referring potential customers who fail the due diligence process. FBME is happy to provide further detail to FinCEN regarding these account declinations and ATP terminations. The risk is further reduced by FBME’s use of a document called the Customer Acceptance – Guidance Notes, which lists the type of business the Bank seeks (always subject to the customer meeting the Bank’s due diligence requirements). The Bank also circulates to all ATPs a list of unacceptable activities, jurisdictions, and types of client.

Many customers also visit the Bank or are visited by members of FBME staff at the onset or during the course of the relationship. The risk assessment recommended making ongoing efforts to see more customers in person. The Bank’s practice is to meet all customers who have balances of more than 100,000 US Dollars (or equivalent) in person, although Bank personnel also meet other clients with smaller balances.

The risk assessment further found that all fiduciary loans are co-signed by the Head of Credit and the Head of Compliance after they pass compliance screening and due diligence checks. The MLCO recommended that the Bank gradually reduce the number of fiduciary customers by mid-2015. The Bank has recognized this recommendation and the number of fiduciary customers has been reduced since.

The AML/CTF report has been discussed both at the Executive Committee and Board of Director meetings and approved by both bodies. FBME was pleased to see that potential risk areas continue to be effectively mitigated. However, the Bank takes seriously the recommendations for additional controls made by its MLCO and continues to take steps to work to reduce its risks.

L. Recent Third Party Reviews of FBME’s Compliance Program

FBME has benefited from the findings and recommendations of the third party auditors that have reviewed its policies and procedures.
EY reports in its Assessment that “All previously identified money laundering and sanctions-related issues have been addressed by the institution. For those corrective actions that have yet to be fully implemented, FBME has documented project plans with milestone dates in place.” FBME’s work to implement or improve procedures relating to the areas identified in past audit reports is described below. 1. Ernst & Young audit (2011) In 2011, EY released the results of an audit that consisted of reviewing AML policies, procedures, reports, and other related documents; interviewing senior Bank employees; and reviewing 95 customer files selected by the Bank's Compliance Department (the “EY 2011 audit”). The goal was to assess whether the documents that FBME's Cyprus branch obtained during the client acceptance process as part of the Bank's KYC and due diligence work were consistent with the CBC Directive in existence at the time. The EY 2011 audit noted that the standard Business Profile in use at the time for all new accounts included all the required information sufficient to meet the requirements of the CBC Directive. EY Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 19 of 134 - 18 - September 22, 2014 noted that older versions of the Business Profile template used at different points in time did not have all of the required information. The EY 2011 audit noted that the Compliance Department had advised that it used the (then) current standard Business Profile as part of process of updating the information for existing customers. The EY 2011 audit also reviewed whether FBME obtained appropriate documentation, including company incorporation documents, passports, and utility bills, and ensured that the certifications of such documents were valid. 
It noted that in certain cases incorporation documents for corporate customers, and passports and utility bills for individuals, were not appropriately certified, due in part to requirements of the CBC, which did not hold apostille to be an acceptable means of certification. The EY 2011 audit noted that the Bank compared actual against anticipated turnover for high-risk customers but observed that there was no evidence in non-high-risk files that actual transactions executed were being compared against anticipated or usual turnover on the account. The EY 2011 audit report further noted that the comparison of anticipated and actual turnover was being done annually by the Bank's Compliance Department for all clients, using an automated report extracted by the Bank's system. 2. KPMG audit (2013) In April 2013, KPMG released the results of an audit that consisted of reviewing documentation (including 68 customer files and two bank files selected randomly from lists of new and/or high-risk customers), walkthroughs, interviews with Bank personnel, and an assessment of the Bank’s AML/CTF policies, procedures and practices. The goal was to assess whether FBME’s AML/CTF policies and practices were compliant with EU and Cypriot law, as well as in accordance with good industry practice in Europe. The review concluded that “FBME basically fulfills requirements as set out by the Cyprus regulator and is in principle in compliance with EU standards.” KPMG found that FBME employed AMLcompliant procedures, including using standardized account opening forms, assigning risk ratings to customers, verifying customer and UBO information, and performing database searches on all customers, and that the Bank’s internal policies were comprehensive. KPMG also made a number of suggestions to further improve the Bank's Program. 
In addition to the enhancements described above (i.e., hiring an alternate MLCO and amending the Manual), the Bank has also focused on addressing other recommendations as well as the broader categories of concerns described below. KPMG made observations, including those related to the accessibility of ownership information, documentation of information, and risk assessment. KPMG noted, for example, that FBME’s core banking system (FlexCube) does not capture the names of UBOs. Instead the Bank stores that information in an Excel file that is screened on a monthly basis and as and when there are changes in current sanctions lists of designated parties (e.g. OFAC, EU, HMT). The spreadsheet can be accessed by middle and senior management in Compliance, IT, Audit, and Customer Service Departments, and has been screened regularly since 2011. KPMG also recommended better presentation of ownership information to demonstrate links between group entities for older customers, in line with a new structure that had been introduced for new customers. KPMG also found that certain customer files reviewed did not have sufficient information to gain a complete understanding of the customers’ activities or business rationale. In response to such findings, FBME has increased its efforts to document the information obtained and reviewed. Although it found that the Bank’s strategy addressed a number of risk-related issues, KPMG recommended rethinking the approach to money-laundering and terrorist-financing to develop a comprehensive risk analysis. As described above in section I.K., the Bank has adopted the AML/CTF risk assessment report and implemented this recommendation.

M. FBME Card Services

FBMECS was founded as a subsidiary of FBME Bank in 2002 to offer a range of charge card-related products and services to businesses.
A member of VISA Europe and MasterCard International, FBMECS provides acquiring, issuing, and processing services to merchants across Europe, enabling them to authorize, settle, and manage transactions. FBMECS’s card products include payout, payroll, and co-branded programs. FBMECS also offers related operational support for its customized processing services. FBMECS has a separate AML Compliance Program, which has been audited multiple times by several independent auditors. Recent reports have praised FBMECS’ “strong commitment to compliance” and noted that “past problems have been successfully remediated” (SightSpan, 2013). A 2014 RiskSkill audit that measured FBMECS policies and procedures against VISA standards gave resoundingly positive reviews to the program; in fact, RiskSkill stated that FBMECS had “overcompensated” for past failings, “driven by a strong compliance team/function and clear leadership directing [its] approach.” A Deloitte audit, also in 2014, found that FBMECS was in compliance with Cyprus’ requirements for a License to Operate an Electronic Money Institution, stating that the company had in place correct and appropriate management and accounting procedures, had sufficient internal control mechanisms, and had taken all auditing and governance arrangements necessary to ensure reliable issue of electronic money. The Bank acknowledges that it has had prior gaps in the AML program of FBMECS and has been fully committed to closing those gaps. FBMECS voluntarily sought the suspension of its VISA ecommerce license while it addressed these issues, and audits in 2012 identified the specific gaps in the program. In response, FBMECS implemented the recommendations of its auditors, including updating its customer files and creating an additional weekly report monitoring transactions above a certain threshold. 
In light of what it called “the significant progress made since May 2012,” VISA had in turn reinstituted FBMECS’ e-commerce license to acquire merchants on a provisional basis in June 2014. These substantial efforts and progress in 2014 took place prior to the issuance of the NPRM. Not only has FBMECS continued to enhance its compliance program, but it also restructured the management of the company from 2012 to 2014, including in 2012 replacing the CEO who had led the company during the period in which there were (FBMECS accepts) compliance gaps. Prior to the issuance of the NPRM, the new leadership of FBMECS had been committed to the rigorous compliance program described in recent audit reports, had been well-reviewed by auditors, and had continued to enhance its compliance program. FBMECS also had named a new MLCO with extensive experience and other qualifications. The current FBMECS MLCO earned an M.B.A. from Hawaii Pacific University and spent one year as an operations specialist at an investment bank in New York. He then joined FBME, where he spent more than seven years, working his way up to Anti-Money Laundering Manager and Assistant MLCO before moving to FBMECS. FBME would be pleased to provide further information on this subject.

II. LACK OF CONTEXT AND CERTAIN INACCURACIES IN FINCEN NOTICE

As stated above, FBME believes that the Notice contains a number of points purporting to justify the NPRM that are inaccurate, are taken out of context, or are less relevant with additional explanation. We appreciate FinCEN considering this additional information. We will be pleased to provide further support for the points in this comment and to take all necessary steps to resolve these matters. The Notice statements addressed below include references to the Notice as it appeared in the Federal Register Volume 79 on Tuesday, July 22, 2014.

A. Statements in the Notice regarding FBME

FBME’s preliminary responses to certain statements in the Notice are set forth below.

1. Notice Statement: “The Central Bank of Cyprus (“CBC”) . . . has found FBME’s compliance with Cypriot banking laws and AML regulations deficient on at least two occasions.” 79 Fed. Reg. 42639 (July 22, 2014)

FBME strives to comply with all requests of the CBC. There have been two occasions where FBME was held to be not entirely compliant with CBC demands. In both circumstances, however, FBME openly communicated to the CBC its difficulties and objections to these demands. FBME continued to attempt to engage in dialog to avoid these issues.

a. Notice Statement: “FBME’s weak AML controls and customer due diligence resulted in a fine by the CBC in 2008.” 79 Fed. Reg. 42639 (July 22, 2014)

FBME was not fined by the CBC in 2008. In 2010, the CBC imposed an administrative fine on FBME. Following one of its regular on-site examinations of FBME, in March 2009 the CBC identified certain issues requiring corrective action including: making amendments to the Manual’s customer identification processes; implementing an electronic management information system for monitoring accounts and transactions; and updating customer due diligence files. FBME immediately began addressing these issues. Among other measures, in April 2009 the Bank informed the CBC that it planned to amend its Manual and that it planned to install and implement Mantas by the end of June 2009 (which, following technical delays, went active in January 2010). As explained in detail below, the Bank further worked diligently to update its customer due diligence files. FBME kept the CBC informed of its progress. Throughout the process, the Bank closed the accounts of those dormant clients who declined to provide certified updated documents.
Although the Bank ultimately failed to meet the CBC’s deadline for updating its files because it did not receive all its customers’ responses in time, it did complete its review of all files and requested the necessary documents from its customers before the deadline passed. In March 2009, the CBC wrote to the Bank following one of its regular on-site examinations of the Cyprus branch. As part of its examination, the CBC had reviewed a sample of customer files and had identified areas for improvement with respect to the KYC information held on certain files. By way of example, the CBC felt that, in some cases, the information collected with respect to the customers' business activities or the occupation of UBOs was too broad. As a result, the CBC made certain recommendations to the Bank. It required the Bank to take steps to rectify the deficiencies which it had identified across the sample files, and to institute procedures to review and update customer files more generally. The Bank responded in April 2009 and confirmed that it would review and update its customer files as requested. Over the course of the following months, the Bank met with and wrote to the CBC to keep it informed of progress. In December 2009, the CBC imposed a deadline of March 31, 2010 for completion of the review and update of all customer files (regardless of risk rating or dormancy). Given the size of the project, the Bank promptly informed the CBC that it would not be able to meet the deadline and sought a short extension of time. Its request was refused. In late January 2010, the Bank wrote to the CBC and confirmed that it had fully reviewed and updated the sample of customer files identified during the 2009 on-site examination and that it was continuing to review and update the balance of its customer files.
The Bank noted that it had ten employees working intensively (including nights and weekends) to complete the task and was making every effort to meet the CBC's deadline. However, the Bank explained that it had to review approximately 9,000 files and that the project was time-consuming, in particular because many of the Bank's customers were located abroad. The CBC did not permit FBME to accept certified identity documentation through apostille and notarization for international customers, instead requiring documents certified either by a bank officer or an ATP from all of FBME’s many international clients. Notably, the Bank was able to complete its review of all files and contact all relevant customers by the deadline set by the CBC, but it did not receive all updated records by the deadline. On March 31, 2010, the Bank told the CBC that, despite its best efforts and serious commitment, it was unlikely to complete the task before the end of June 2010. In November 2010, the CBC imposed an administrative fine. FBME notified the CBC in September 2011 of the actions taken to address the areas for improvement identified by the CBC. The CBC next conducted an on-site examination in November 2011, in which it reviewed, inter alia, a large sample of customers of different types, risk ratings, and on-boarding years. The CBC did not identify any further concerns with respect to the customer identification issues referenced in its 2009 on-site examination.

b. Notice Statement: “[I]n 2013, FBME took active steps to evade oversight by the Cypriot regulatory authorities. In November 2013, the CBC stated that FBME may be subject to sanctions and a fine of up to 240 million Euro for alleged violations of capital controls.” 79 Fed. Reg. 42639 (July 22, 2014)

This statement is neither accurate nor supported by credible sources. FBME never sought to evade oversight by the Cypriot regulatory authorities.
Rather, it consistently and promptly communicated with the CBC in real time about the payments affected by the capital controls directives at issue. The CBC never stated that FBME may be subject to a fine of up to 240 million Euro; the only support for the statement in the Notice is a November 2013 article in the Cyprus Mail relying on “sources at the central bank . . . who wished to remain anonymous.” 9/ We note that it is a criminal offense in Cyprus for a CBC employee to leak confidential bank information gained through CBC employment. When the CBC did eventually impose a fine, it was for reasons totally unrelated to AML issues, the fine was approximately one quarter of one percent of the amount referenced in the article, and it is being disputed by FBME in the Supreme Court of Cyprus on the basis that it is legally infirm.

In early 2013, Cyprus experienced a financial crisis. In mid-March 2013, the CBC suspended the payment system until further notice and then declared a series of consecutive bank holidays (effectively closing the banks). When banks reopened on March 28, 2013, the Minister of Finance (following the recommendation of the Governor of the CBC) issued the first of a series of Restrictive Measures Decrees (“Decrees”), imposing blanket capital controls on all banks operating in Cyprus without regard to any particular bank’s liquidity and capital stability. At the time of these Decrees, FBME was entirely solvent and posed no risk to the financial system. In fact, during the crisis, FBME loaned the Republic of Cyprus over 200 million Euro, evidencing its stable financial conditions and its willingness and readiness to support the Cypriot economy.

9/ “CBC threatens FBME with €240m fine,” Elias Hazou, Cyprus Mail (Nov. 29, 2013), available at http://cyprus-mail.com/2013/11/29.cbc-threatens-fbme-with-e240m-fine/.
The early Decrees required all banks, including FBME, to obtain approval from a designated committee of the CBC (“CBC Committee”) for any transfers of money out of Cyprus. The Decrees required the CBC Committee to approve or decline banks’ payment requests within 24 hours of receiving the request. On March 16, 2013, the Association of International Banks (the “Association”), on behalf of FBME and its 25 other member banks, sent a letter to the CBC, stressing that foreign banks should be exempt from the Decrees’ restrictions because, among other reasons, the foreign banks did not have the liquidity problems of the local Cypriot banks. The Association sent a similar letter to the Governor of the CBC on March 24, 2013. Following the twelve-day suspension of business, FBME began sending transfer requests to the CBC Committee. The CBC Committee repeatedly failed to respond to FBME’s requests in a timely fashion. The CBC Committee regularly missed the deadline, and in some cases the CBC Committee never responded at all. As a result of the CBC Committee’s inaction, on April 3, 2013, FBME wrote to the Governor of the CBC, explaining that the Bank had not received any responses to its payment notifications within the time limits prescribed by the Decree. On April 5, 2013, FBME wrote to the Cyprus Minister of Finance that the Decrees’ restrictions were damaging its business and exacerbated the risk of capital flight from Cyprus. The Bank therefore requested a suspension of the Decrees with respect to FBME. FBME also notified the CBC that it would not comply with all of the Decrees’ requirements with respect to certain international customers. In a letter to the Minister of Finance on April 5, 2013, FBME explained that it would “notify, but not seek the permission or approval of, the [CBC] on transaction dates and amounts” for international clients. 
However, FBME explained to the Ministry of Finance that it would employ a process to comply with the Decrees’ objectives to prevent capital flight from Cyprus. Among other things, this process included FBME’s refusal to transfer its Cypriot clients’ money out of Cyprus. FBME also refused to open any accounts with funds transferred from other Cypriot banks. In addition, the Bank submitted to the CBC all the liquidity and solvency reports required by the Decrees, and it notified the CBC of its daily transactions affected by the Decrees. The Ministry of Finance did not respond to FBME’s proposal. After providing this clear written notice to the CBC and the Ministry of Finance, from at least April 30 through August 16, 2013, FBME promptly informed the CBC in writing about all of its payment transfers out of Cyprus. FBME also sent numerous letters to the CBC and continually offered to meet in person to discuss the CBC’s concerns, if any, with FBME’s proposal. The CBC never responded to FBME’s efforts to communicate. FBME interpreted the CBC’s silence as approval of the Bank’s proposal. During this period, FBME’s deposit base increased by 3%, consistent with the aims of the Decrees.

As noted above, FBME is unaware of any public statement by the CBC that it considered imposing a 240 million Euro fine on the Bank; however, FBME is aware of the single Cypriot newspaper article reporting that anonymous sources purporting to be from the CBC had said that the Governor of the CBC had discretion to decide whether to impose such a fine. 10/ On February 28, 2014, the CBC issued a decision imposing a fine on FBME of 652,320 Euro for these alleged violations. Immediately thereafter, FBME filed an application before the Supreme Court of Cyprus for administrative review of the fine because the CBC’s application of the Decree violated Cyprus law and the constitution and European law. FBME continues to litigate this matter in the courts of Cyprus, is seeking to refer the matter to the European Court of Justice, and is confident that it will ultimately prevail on the merits. Throughout this process, FBME actively sought to maintain constructive dialogue with the CBC and the Ministry of Finance, but those agencies declined to respond. The Bank then openly communicated its plan to satisfy the objectives of the Decrees. Regardless of the outcome under Cypriot and EU law, we respectfully submit that FBME was not seeking to “evade oversight” by its regulator.

10/ “CBC threatens FBME with €240m fine,” Elias Hazou, Cyprus Mail (Nov. 29, 2013), available at http://cyprus-mail.com/2013/11/29.cbc-threatens-fbme-with-e240m-fine/.

2. Notice Statement: “FBME is used by its customers to facilitate money laundering, terrorist financing, transnational organized crime, fraud, sanctions evasion, and other illicit activity internationally and through the U.S. financial system.” 79 Fed. Reg. 42639 (July 22, 2014)

FBME has controls in place that are audited annually by its regulator, the CBC. The CBC has not identified to the Bank a single case in which FBME facilitated any of the above activities. As described in more detail below, FBME is not aware that it is being “used” in this manner. If it is in fact being used in connection with money laundering or other illicit activity, the Bank is not knowingly or intentionally participating in such activities. The Bank might have been the victim of sophisticated criminal activities, notwithstanding the Bank’s serious efforts to detect and prevent such activities. FBME would welcome the opportunity to review the evidence in the possession of the Treasury Department, to provide additional information, and to take action, together with U.S., Cypriot, and Tanzanian officials, to prevent any criminal activities.
FBME remains ready, willing, and able to work with any regulator to ensure that such activities are not facilitated.

3. Notice Statement: “FBME has systemic failures in its AML controls that attract high-risk shell companies, that is, companies formed for the sole purpose of holding property or funds and that do not engage in any legitimate business activity.” 79 Fed. Reg. 42639 (July 22, 2014)

Cyprus’ favorable tax and fiscal environment attracts many businesses to establish asset holding companies that take advantage of the double tax treaties with almost 50 countries (See www.mof.gov.cy). This business climate explains why many of FBME’s customers are holding companies, businesses with nominee structures, or “brass plate” companies with addresses in Cyprus. It is not uncommon for banks to service these types of companies; indeed, favorable Cypriot banking laws attract such customers. As set forth in the Bank’s policies and procedures, upon the opening of an account, FBME collects information (from all customers) that is designed to ensure that the Bank knows the identity of its accountholders and the beneficial owners of those accountholders and ensures that accounts are not used for illicit purposes. In particular, the Bank has policies and procedures in place that are designed to identify customers that pose “high-risk” and to monitor the activities of such customers accordingly. FBME recently has undergone independent third party audits, none of which has identified the “systemic failures in its AML controls” that the Notice asserts. Indeed, the contrary is true. In its most recent independent third party audit predating the FinCEN Notice, auditors determined that the Bank is “in principle in compliance” with Cypriot and EU standards. These independent audits identified certain areas for improvement, many of which FBME has either already implemented or for which FBME has documented project plans with milestone dates in place.
In its Assessment, EY found that FBME’s Compliance Program incorporates the requirements of the Directives, and that its Manual is in line with the requirements of the Directives. EY has identified certain enhancements related to documentation, training, and other processes, and FBME is committed to further strengthening its Program in accordance with these recommendations. However, EY’s recommended enhancements to the Program are far from “systemic failures in its AML controls.” FBME has a documented record of cooperation with regulatory and law enforcement authorities. Cypriot regulatory and law enforcement authorities, as well as financial institutions in other countries with which FBME maintains correspondent relationships, on many occasions have requested information from FBME pertaining to certain customers, accounts, or transactions. FBME has cooperated fully and provided the requested information in a timely manner. FBME would be pleased to provide documentary evidence of such cooperation.

4. Notice Statement: “FBME solicits and is recognized by its high-risk customers for its ease of use. FBME advertises the Bank to its potential customer base as willing to facilitate the evasion of AML regulations. Separately, FBME is recognized for the ease of its account creation. In September 2013, FBME’s offshore bank account services were featured prominently on a website that facilitates the formation of offshore entities.” 79 Fed. Reg. 42639, 42640 (July 22, 2014)

FBME does not facilitate the evasion of AML regulations; the Bank has never advertised its willingness to do so. FBME regularly monitors the internet for any inaccurate or misleading claims which might be made about the Bank.
As discussed below in section II.A.5, FBME demands – in writing and, when appropriate, through outside counsel – that inaccurate statements be removed from websites, but there are legal limits to what the Bank can do to prevent misstatements by third parties. Thus, FBME cannot always ensure that the false statements are removed. Indeed, in contrast to the statement in the Notice, FBME has a reputation among prospective clients and third party introducers for being particularly stringent relative to other banks both in Europe and particularly in Cyprus in its on-boarding of new customers and processing of payments. The Bank routinely receives complaint letters from customers and third party introducers bemoaning the stringent guidelines to which FBME adheres and its unwillingness to expedite account openings. FBME also works to the best of its ability to ensure that contrary messages are not advanced in any forum. The Bank primarily markets itself to third party introducers at professional conferences and relies upon personal introductions through existing relationships. As part of its “Business Introducer Agreement” with third party introducers, FBME insists that such introducers obtain the Bank’s prior written approval before using its name in any materials. The Bank enforces this rule and sends third party introducers letters demanding the removal of any unapproved advertising, regardless of the content. FBME does limited advertising to the general public, such as posting signage at Larnaca airport in Cyprus and through its extensive local Corporate Social Responsibility program. FBME’s promotional materials do not advertise the Bank’s ease of use or evasion of regulations. 
Marketing materials primarily emphasize benefits related to the Bank’s extensive international banking experience, and highlight its international network of correspondent banks, multi-lingual personnel, expanded working hours for different global markets, and geographically diverse client base. Besides its focus on international accessibility, FBME’s promotional materials also emphasize a strong customer focus with individualized attention, a history of high liquidity, cutting-edge services, confidentiality, collaboration, and the benefits of a Cypriot presence, such as low corporate tax rates, an EU regulated banking environment, and its strategic geographic location between Europe, Asia, the Middle East, and Africa.

5. Notice Statement: “FBME is also popular with online gamblers, particularly U.S. gamblers that seek to engage in unlawful internet gambling. One website that encourages the opening of offshore bank accounts to gamble online notes that FBME in Cyprus is ‘[a]nother Europe-based bank [we’ve] found particularly easy to deal with.’” 79 Fed. Reg. 42639, 42640 (July 22, 2014)

The Notice accurately quotes this misstatement by an unauthorized third party on a website unaffiliated with FBME. But the Notice fails to acknowledge that in January 2008, FBME identified this false statement and took action on multiple occasions to eliminate it. In fact, as explained in detail below, FBME has a documented record of opposing these sorts of misstatements because of the damage they do to the Bank’s reputation. Although FBME cannot control all the misstatements of others, it consistently seeks the removal of any false, maligning statements about the Bank that third parties publish on the internet. The Bank regularly searches the internet for references to FBME and sends letters requesting the removal of false statements to the parties who make or maintain them.
Some examples of the Bank’s efforts in this regard are as follows:

• With respect to the statement quoted in the Notice, FBME identified this statement in January 2008 and sent a letter to the website host on January 31, 2008, requesting the reference to FBME be removed. FBME’s letter provided, “The statement regarding ‘FBME Bank of Cyprus’ is not accurate and since our name is mentioned in the article we are asking you to remove the reference to our name. Moreover, it is particularly harmful to FBME because FBME is being portrayed on this website as an institution participating in a gambling activity.” The website making this statement, www.blackjackforumonline.com/Complete_Guide_to_Offshore_Bank_Accounts.htm, is unaffiliated with FBME. It is worth noting that FBME was not the only bank attacked in the statement. Identical allegations were made against five other banks alongside FBME.

• On January 31, 2008, FBME sent a letter to GoDaddy.com, the company that hosts blackjackforumonline.com, and similarly requested the removal of the false and defamatory statements on this website.

• On January 31, 2008, FBME sent a nearly identical letter to Domains by Proxy Inc. regarding its website. Despite FBME’s efforts, the statement about FBME was never edited or removed.

• In 2010 and 2011, FBME sent several similar letters to the owners of a website entitled searchnfindarticles.com regarding false and defamatory statements about FBME involvement in gambling activity.

• On August 3, 2012, FBME sent letters to two UK companies (a website and a website host company) requesting the removal of an article referencing FBME on the grounds that it was “inaccurate, misleading, and posted without [FBME’s] authority” from www.armadaboard.com.
• In October 2012, FBME’s external counsel in the UK sent a Letter of Claim to the owner of the website www.cityclub-casino.com, Imperial e-club Limited in Antigua, its service provider, Paragon Internet Inc. in Canada, and its host, WebFusion Internet Solutions in the UK, threatening legal action if false statements instructing customers to wire money to an FBME account were not removed. The fund transfer related to the commencement of online gambling, and the stated recipient of the funds had not been an FBME accountholder since 2004.

• In October 2013, FBME sent letters to two Russian companies (a website and a website host company) demanding removal of false and defamatory statements from http://bankir.ru.

• On May 27, 2014, FBME sent a letter to GoDaddy.com regarding an unauthorized advertisement of a card purportedly owned by FBME.

• On June 11, 2014, FBME sent letters to two UK companies (a website and a website host company) demanding removal of defamatory statements from the website www.cypriot.org.uk.

Whenever FBME uncovers inaccurate or potentially defamatory information about it on third party websites, the Bank sends letters requesting that the entity remove the false information. In many cases, these letters have resulted in removal of the inaccurate mention of FBME from the website. If the websites do not remove the inaccurate information, FBME considers its options on a case-by-case basis. FBME regularly works with internal and external legal counsel with regard to these situations and has obtained legal opinions to aid in these decisions. In certain instances, FBME has pursued the matters in courts (both in Cyprus and abroad); however, the Bank often faces limitations to its ability to require the removal of these statements.

6. Notice Statement: “FBME facilitated transactions for entities that perpetrate fraud and cybercrime against victims from around the world, including in the United States. For example, in 2009, FBME facilitated the transfer of over $100,000 to an FBME account involved in a High Yield Investment Program (“HYIP”) fraud against a U.S. person.” 79 Fed. Reg. 42639 (July 22, 2014)

FBME did not knowingly facilitate this transfer. To the contrary, in May 2009 FBME identified the relevant transactions as suspicious and made appropriate inquiries, consistent with its KYC policy, to understand the nature and purpose of the transfer, the relationship of the parties, and the business activities of the remitters. The client provided information sufficient to establish the apparent legitimacy of the transactions. However, in July 2010, FBME received notification from another bank that a July 2010 transfer to the same client was fraudulent. Upon receiving this notice, FBME immediately froze the account. FBME conducted an investigation and concluded that the client may have been involved in fraudulent activities. Accordingly, FBME filed an STR on the transfer with MOKAS, and it kept the account frozen. In 2014, FBME delivered the frozen funds to the victim’s lawyer's account in compliance with a court order. FBME has been required by law to maintain the account, keeping the remaining funds frozen due to pending litigation. At the conclusion of the litigation, FBME will disburse the funds in compliance with any court order that may be issued and close the account. FBME has not willingly or knowingly associated itself with criminals or permitted known criminals to open accounts with FBME.
In fact, the Bank has in place a Fraud Task Force Group (“FTG”), consisting of the Group Head of Compliance, Group Head of Audit, Legal Counsel, Group Head of Operations, Head of Customer Services and Business Development, and Head of Risk. The FTG is focused on fraud perpetrated against the Bank and also receives updates about cases relating to fraud against Bank customers. The FTG educates all Bank departments about fraud risk indicators, as well as raises general awareness of potential fraud. The Bank is confident that its policies and procedures in place today permit the Bank to monitor customer activities in such a way as to detect illicit behavior.

B. Other Specific Statements regarding FBME

The Notice contains a number of other statements regarding specific transactions involving FBME. FBME in certain cases cannot respond directly to the cited examples without more specific information from the Treasury Department. However, the Bank would be pleased to provide any additional information and assistance possible to U.S., Cypriot and Tanzanian officials in their investigations of criminal activity and enforcement of related laws.

C. Additional Section 311 factors

According to Section 311 of the USA PATRIOT Act, the U.S. Government should consider, among other factors, the impact of the imposition of the fifth special measure upon the legitimate business activities of FBME. In its discussion of this factor, FinCEN notes that the “[l]egitimate activity at FBME’s Cyprus branch is difficult to assess.” FBME believes that a full assessment of its Compliance Program demonstrates that FBME’s Cyprus branch is a legitimate member of the international banking community.
Furthermore, the statements relied on by FinCEN in the Notice, including that FBME has a limited number of customers in Cyprus, that the Bank holds 90% of its assets in Cyprus, or even that the Bank has a significant number of holding companies as customers, in no way establish that the vast majority of FBME’s customers do not use the Bank for legitimate business purposes. FBME respectfully requests that the U.S. Government consider that FBME supports its customers’ legitimate business activities and that the imposition of the fifth special measure will have a significant impact on the legitimate business activities of those customers and FBME itself. FBME’s almost 10,000 customers make legitimate use of the Bank’s services every day. And FBME’s approximately 375 employees work hard to serve those customers in a reliable, compliant manner.

III. CONCLUSION

FBME has sought to demonstrate in this public comment its strong commitment to compliance, its firm opposition to the use of the Bank for illicit purposes, and its unequivocal resolve to work in cooperation with its regulators and with FinCEN to prevent financial crime whenever and wherever possible. As demonstrated by the reviews of independent third parties, the Bank has substantially strengthened its Compliance Program over recent years, and it has implemented a Program that is in line with applicable regulatory requirements. FBME recognizes, however, that every compliance program – including its own – can be improved, and the Bank is entirely committed to continuing to enhance its Compliance Program to FinCEN’s satisfaction. To this end, Hogan Lovells and EY are working with the Bank to implement all appropriate compliance enhancements. In light of all these facts, FBME respectfully requests that the Notice and NPRM be withdrawn. We understand from representations made by Mr.
May of your office that, upon conclusion of the comment period, FinCEN and the Treasury Department, in consultation with other agencies of the U.S. Government, will review all of the comments received. We also understand that we will engage in exchanges of additional information and points of view with FinCEN. We look forward to cooperating with FinCEN in this regard, and we respectfully request that FinCEN work with all appropriate dispatch to assess FBME’s Compliance Program and enhancement plans so that FBME and its customers can return to their legitimate business activities as soon as possible. Thank you for your consideration of the foregoing.

Sincerely,

Peter Spivack
Beth Peters
Evans Rice
Hogan Lovells US LLP
Counsel to FBME Bank Ltd.

cc: FBME Bank Ltd.
Jeanne Archibald
Louise Lamb
Anthony Capobianco

EXHIBIT

FBME Bank Ltd.
ASSESSMENT OF FBME BANK LTD's ANTI-MONEY LAUNDERING (AML) / SANCTIONS COMPLIANCE PROGRAM
SEPTEMBER 22, 2014
EY

FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD. FBME00000001

Table of contents
1. Executive Summary .......... 2
2. Summary of Observations .......... 4
3. Scope and Approach .......... 5
4. Detailed Observations and Recommendations .......... 8
1. Executive Summary

By letter of engagement dated July 30, 2014 ("SOW"), Hogan Lovells US LLP ("Hogan Lovells" or "Counsel") retained Ernst & Young LLP ("EY" or "we") in connection with their provision of legal advice to their client, FBME Bank Ltd ("FBME," or the "Bank") with respect to the Financial Crimes Enforcement Network's ("FinCEN's") Notice of Findings dated July 15, 2014. Specifically, in conjunction with the terms of the SOW, this report assesses FBME's compliance program compared to the requirements established by the Central Bank of Cyprus ("CBC") in the fourth issue of the Directive to Credit Institutions in Accordance with Article 59(4) of the Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2013, issued in December 2013 ("CBC 4th Directive"), and Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing ("EU 3rd Directive"), as well as to industry leading practices. We understand that the EU 3rd Directive was issued in 2005 and served as a basis for the third issue of the CBC AML Directive issued in 2008. Further, we understand that the CBC 4th Directive is in line with the draft of the EU 4th AML Directive, which has not been enacted yet.
As agreed with Hogan Lovells, EY's procedures focused on an evaluation of process and controls over key Anti-Money Laundering ("AML") and sanctions compliance-related functions, with particular emphasis on:
• Resolution of Prior Audit Issues
• Appointment of a Money Laundering Compliance Officer ("MLCO")
• AML and Sanctions Risk Assessments
• Compliance Policies and Procedures
• Employee Training
• Customer Identification and Due Diligence
• Enhanced Due Diligence ("EDD")
• Transaction Monitoring / Sanctions Screening
• Alert Investigations
• Suspicious Transaction Reporting ("STR")
• External Inquiries

This report is intended solely for the information and use of FinCEN, the United States Department of Justice ("DOJ"), the Bank of Tanzania ("BoT"), the CBC, the European Central Bank ("ECB"), the International Monetary Fund ("IMF"), the European Commission ("EC"), Hogan Lovells, and the management of FBME and is not intended to be and should not be used by anyone other than these specified parties. EY therefore assumes no responsibility to any user of the report other than FinCEN, the DOJ, BoT, CBC, ECB, IMF, EC, Hogan Lovells, and FBME. Any other persons who choose to rely on our report do so entirely at their own risk. We appreciate the cooperation and assistance provided to us during the course of our work. If you have any questions, please call [redacted].

2. Summary of Observations

FBME has developed, administered, and maintained an AML / sanctions compliance program ("Compliance Program" or "Program").
The Program incorporates the requirements of both the CBC 4th Directive and the EU 3rd Directive (collectively, the "Directives"), and there are protocols in place that allow the Bank to continuously keep the program aligned with these legal requirements. The Bank has designated an MLCO and Alternate MLCO, and established a system of AML policies, procedures, and related internal controls, including: implementing an employee training program, conducting risk-based due diligence on new and existing customers, and monitoring for potentially suspicious transactions. Organizationally, the MLCO maintains overall responsibility for the Bank's Compliance Program. Collectively, the MLCO and Alternate MLCO have several years of pertinent experience and continue to stay abreast of emerging regulatory requirements by attending industry conferences and seminars. Additionally, the Bank utilizes commercial-grade technology solutions to facilitate compliance with applicable regulatory requirements (e.g., World-Check for sanctions/PEP/negative news screening, URU by GB Group Plc for identity checks, HotScan for sanctions/payment interdiction, Mantas for suspicious activity monitoring). The Bank is also in the process of implementing various measures to improve or strengthen its compliance program (based on recommendations made in prior audits).

EY has, however, identified areas where the Compliance Program could be improved. These include:
• More consistently documenting the efforts taken to verify the sources of funds/wealth and business purpose of accounts from prospective customers.
• Further investigating connections / relationships between FBME customers, especially when inordinate volumes of internal transfers are identified.
• Although not required by the Directives, modifying its periodic customer due diligence process to better align with industry practices (e.g., moving to a rolling 12- or 36-month review cycle, depending on the customer's risk, rather than an annual or three-year review cycle).
• Implementing an automated case management system to record the alerts generated, stage of investigation, and ultimate disposition of the alerts generated by both HotScan and Mantas (as opposed to the current process of manually entering the alerts/outcome on several different Excel spreadsheets).
• More thoroughly documenting the AML/sanctions training given to new hires and providing general awareness training to all employees on an annual basis.

Our testing procedures and results are outlined in Section 4 of this report. It is management's responsibility to evaluate and implement the recommendations noted.

3. Scope and Approach

EY's onsite fieldwork was conducted from August 4, 2014 through September 5, 2014. Throughout the duration of its assessment, FBME provided EY with access to all files, documents, data, and information requested. EY's procedures consisted of an assessment of FBME's Compliance Program. We considered the issues and recommendations made in prior audits, the roles of the MLCO and Alternate MLCO, risk assessments performed, the Bank's compliance policies and procedures, AML and sanctions training for employees, customer acceptance and risk-based due diligence, transaction monitoring, sanctions screening, investigations, reporting of suspicious transactions, and response to inquiries from other financial institutions and law enforcement. Our assessment approach varied depending on the operational history associated with the AML / sanctions process and controls under review.
If a process or control was established and in existence long enough to provide historical artifacts available for detailed testing, EY read relevant documents (e.g., policies & procedures), conducted interviews (refer to Table 1 for an illustrative list of key Bank personnel interviewed), performed process walkthroughs and conducted sample-based testing. If a process or control was under development during our scope period, we read related documents and conducted interviews to gain an understanding of the intended future state of that control.

Table 1: FBME Bank Ltd Personnel Interviewed (positions of the FBME Bank Ltd representatives; the names are redacted in the source)
• Group Head of Compliance & MLCO
• Alternate MLCO
• Compliance Officer
• Compliance Officer
• Senior Vice President, Personnel Department
• Training Manager, Personnel Department
• Assistant Manager, New Accounts Department

FBME Card Services Ltd.'s ("FBMECS") AML / sanctions compliance program was in scope only to the extent of identifying unresolved issues from prior audits and comparing policies and procedures against the requirements promulgated by the Directives. EY did not assess the design or operation of the remainder of FBMECS' AML / sanctions compliance program.

Sampling Methodology and Sample Selection: EY's sampling methodology was used to select samples for testing. We considered the following factors in selecting our samples: population size, risk, and complexity and criticality of the process being tested. EY's sampling methodology uses a variety of techniques, including professional judgment. Judgmental or risk-based sampling uses the reviewer's judgment as a basis to select the sample. Judgment can be based on risk, information obtained from previous regulatory examination reports, prior audit reports or other facts learned during the course of the assessment.
EY utilized judgmental sampling techniques to focus its testing on high-risk customers as identified by FBME. Our samples were also further stratified to include a representation of each of the various types of high-risk clients accepted by the Bank (e.g., PEPs, bearer share corporations, offshore trusts). The selected files and transactions represented activity (e.g., onboarding new customers, closing of accounts, transactions executed) that occurred within the years 2011-2014. Where applicable, samples were expanded to include accounts opened and/or transactions executed outside of the scope period.

The sample sizes were selected to achieve a 90% confidence level based on control frequency. When determining the sample size, EY considered the frequency of the control and the population size. Both of these components are important in the sample selection process. Per the EY methodology, there is a statistical basis for the sample sizes articulated in Table 2 below. Generally, a sample of 25, without finding any exceptions, allows us to determine with 90% confidence that the error rate in the population does not exceed 10%.

Table 2: Sample Sizes by Frequency of Control

Frequency of Control        Sample Size
Multiple Times Per Day      25
Daily                       25
Weekly                      5
Monthly                     3
Quarterly                   2
Annually                    1

EY selected due diligence files for open (e.g., active) customers (corporate and individual), former customers/closed accounts, and declined customers. According to files provided by the Bank (as of August 4, 2014), FBME has 9,883 open customers. Of the 7,817 open corporate customers, EY selected 36 corporate customer files. Of the 2,066 open individual customers, EY selected 10 files. EY also selected 5 customer files related to closed accounts and 5 files related to "declined" applicants. The Bank has 445 active ATPs and 172 de-activated ATPs. EY selected files for 10 active ATPs and 5 deactivated ATPs. EY requested the files from the Compliance department.
All requested files were received within 1 day. For the transaction monitoring and investigations review, EY judgmentally selected alerts, case investigations, and STRs to capture both HotScan and Mantas activity with varying levels of escalation (e.g., transactions dispositioned at the alert stage, closed investigations, and STRs filed with MOKAS). EY selected samples of 25 manually passed HotScan alerts, 25 closed investigations derived from HotScan alerts and 25 closed investigations derived from Mantas alerts. Additionally, EY tested a sample of 25 filed STRs.

Procedures: In executing this approach, EY performed the following steps:
1. Read documentation pertaining to FBME's AML / sanctions compliance program.
2. Held discussions with relevant FBME personnel to obtain a further understanding of remediation efforts and changes to procedures and processes; personnel spoken to included compliance and operations teams as well as senior executives of the Bank.
3. Performed walkthroughs of certain procedures with relevant FBME personnel to understand their practical application. Walkthroughs consisted of a FBME employee explaining or performing procedural tasks whilst an EY team member observed.
4. Performed targeted testing, where deemed relevant, on a sample of data/reports; for example, monitoring and alert reports, including unusual activity reports, and customer due diligence files.
5. Recorded notes and observations. Where additional information was needed for clarification, supplementary discussions and walkthroughs were held.

We have conducted our engagement in accordance with the consulting standards established by the American Institute of Certified Public Accountants. These standards are different from the profession's auditing and attestation standards.
We were not engaged to express, and do not express, an opinion on the Bank's Compliance Program. This assessment contains our observations and recommendations concerning the Bank's Compliance Program in accordance with the aforementioned AICPA consulting standards. FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD FBME00000008 Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 39 of 134 Detailed Observations and Recommendations AML Program Element Prior Audit Issues Procedure(s) Performed EY obtained and read the prior internal and external audit reports issued between 2011 and 2013, including the ones listed below: All previously identified money laundering and sanctions-related Issues have been addressed by the institution. For those corrective actions that have yet to be fully implemented, documented project plans with milestone dates are in place. KPMG Report on the Effectiveness of Measures regarding Anti-Money Laundering and CounterTerrorism Financing at FBME Bank Ltd (April 2013); • EY Findings Report to the Board of Directors of FBME Bank Ltd Anti-Money Laundering Controls Assessment/Independent Test (March 21, 2011); • Internal Audit Report on Compliance-AML Effectiveness Review (plus FATCA) (Maid 31, Prior audits noted that ultimate beneficial owner (UBO) information (names and addresses) had not been captured in FBME's Core banking system FlexCube. The Bank's response to the concern was that the UBO information has not been added to FlexCube for confidentiality reasons. Instead, the Information is stored in an Excel spreadsheet to which access is limited. The names on the spreadsheet are screened on at least a monthly basis (or more frequently depending on specific events, such as updates to sanctions lists) in order to identify potential PEP, sanctions, or other watch list matches. Any matches are then reviewed and verified by the MLCO. • Recommendations Observations FBME should consider purchasing and Implementing an onboarding platform. 
This could mitigate the risk of human error that's inherent with solely maintaining key information (e.g., UBO names/addresses) on a spreadsheet. Additionally, such a tool could allow for an even more efficient client acceptance / account opening process. Refer to the Customer Identification and Due Diligence, Transaction Monitoring/Sanctions Screening, Alert Investigations, and Suspicious Transaction Reporting sections for detailed testing and results regarding prior issues identified in those areas. 2014). Sightspan Independent Review of the Anti-Money Laundering (AML) Compliance Program of FBME Card Services Ltd (May 24. 2013). EY conducted testing to determine whether: • Appointment of a Money Laundering Compliance Of icer (MLCO) 1.A Money Laundering Compliance Officer (MLCO) with requisite knowledge and experience has been appointed by the Bank's Board of Directors and approved by the Central Bank of Cyprus. 2. An Alternate MLCO has also been appointed. lOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD. 1. FBME's Board of Directors has appointed as Head of Compliance/MLCO. A letter of approval from the Central Bank of Cyprus (CBC) was received on April 21, 2011, evidencing that she has the requisite qualifications (e.g., knowledge, skills, experience) and seniority to discharge her duties. None. took the Cambridge Advanced and Proficiency Exams at the University of Cambridge in the United Kingdom and earned her BS and MS in Oriental Studies at Yerevan State University in Armenia before studying International Law at the same university. She went on to earn her MBA She has extensive experience working as a - F8MEDOD00009 Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 40 of 134 AML Program Element Procedure(s) Performed Observations 3. The duties (e.g., roles, Recommendations project manager and analyst for over ten years before joining FBME in 2009 as the Assistant Vice President, Head of Compliance. 
In 2011, she became the Group Head of Compliance and MLCO. Her expertise includes developing measures, systems and procedures to adhere to the CBC Directive, assessing the adequacy of policies and procedures against money laundering and terrorist financing, and preparing training to further develop and broaden staff knowledge. She received an International Diploma in Compliance from the International Compliance Association in collaboration with the University of Manchester and Is a Member of the International Compliance Association (MICA). responsibilities, tasks) of the MLCO, Alternate MLCO, and Compliance Unit have been documented. 4.The MLCO prepares an Annual Report on the state of the Bank's Anti-Money Laundering / Counter Terrorism Financing (AML/CTF) Compliance Program. — reports directly to the Banks Board of Directors. She is 2. 3. 4. 9 FBME FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD also a non-voting member of FBME's Executive Committee. Funding for the compliance program is approved by the Bank's Budget Committee, We were advised by that she has never been overruled by management on any decisions she has made and believes she's fully empowered to administer the compliance program. On April 24, 2014, FBME appointed as Alternate MLCO and a letter was sent to the CBC notifying them of this appointment. — has worked for FBME since 2009, starting in the Account Opening Unit where she assisted the head of the department. She became the Senior Compliance Officer in 2013. We were advised that as a Senior Officer in the Account Opening Unit, she ensured that customer accounts were opened In accordance with Bank policies and the Directives. Prior to joining FBME, — worked for Commerzbank AG, Berlin. The duties and responsibilities of Compliance, including those of the Group Head of Compliance / MLCO are documented in the Bank's Manual of Policies and Procedures (Section 0— Compliance). 
These duties include: • Effective implementation of the AML program; • Assessment of all risks arising from existing and new customers; • Implementation of a program to ensure employees are appropriately trained; and • Preparation of an Annual Report presented to the Board to assess compliance with the CBC's Directives for the prevention of money laundering and terrorist fnancing. The MLCO prepares an Annual Report that Is presented to the Board. The Annual Report provides an overview of key updates/changes over the past year, including figures that were presented in the Monthly Statements of Large Deposits compiled each month by the business lines. EY reviewed the MLCO's Annual Report for the Year 2013 on Prevention of Money Laundering & Terrorist Financing and found that it Includes the following information: • Measures taken to comply with the amendments in the law and the CBC's 4"' Directive. IBME000000r0 Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 41 of 134 AML Program Element Procedure(s) Performed Observations Recommendations • Material deficiencies / weaknesses in the Bank's AML policies and procedures. • Information on the automated systems and procedures applied for the Risk Assessments EY obtained and read the AML/CTF risk assessment to observe whether the Bank's key risks have been identified, risk rated, and addressed by risk mitigation tools (the Bank's policies, procedures, or processes). EY also conducted testing to observe whether the risk assessment results are supported with documentation and reported to the Bank's Board of Directors and/or Executive Committee, Additionally, EY read meeting minutes to see whether the Board of Directors is regularly updated with the gaps identified in the risk assessment and any progress toward resolving said gaps. 10 FBME FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD. 
on-going monitoring of accounts and transactions, description of the main functions of these systems and procedures, and weaknesses that have emerged. • Suspicious activity/transaction reports submitted by Bank employees to the MLCO (10). • Suspicious activity/transaction reports submitted by the MLCO to MOKAS (34). • Suspicious transactions investigated by the MLCO for which no report has been submitted to MOKAS (0). • Communication to staff on money laundering and terrorist financing prevention issues. • Annual statement of customers total cash deposits and funds transfers in excess of EUR 10,000 and EUR 500,000 respectively. • Customers' total deposits and loans on the basis of the permanent residence of the ultimate beneficial owner of the account. • Information on the policy, procedures and controls applied in relation to high risk customers. • Training courses/seminars attended by the MLCO and Compliance Staff. • Information on training provided to staff in 2013. • Information on the following year's training program. • Information on the structure and staffing of the compliance department. The 2014 AMI/CTF risk assessment (for FY2013) reflects FBME's timely Implementation of a recommendation cited in a prior audit report. Since the publication of this latest risk assessment, we were advised that there have not been material changes to the institution's risk profile (e.g., introduction of new products) that would warrant an updated risk assessment. While FBME's AML/CTF risk assessment identifies the key risks faced by the Bank, it is not supported by a documented methodology that outlines the approach taken to assess the Institution's money laundering, terrorist financing, and sanctions risks. As such, the criteria and data used to conduct the analysis of specific risk categories are not documented. Additionally, the risk assessment does not appear to be supported by relevant documents, information, and data (e.g., pertinent statistics, business volumes). 
The assessment does not specify inherent or residual risks for each of the Bank's business lines, and solely details the risk mitigation tools for each risk category. FBME should consider updating the AML/CTF risk assessment to include a documented methodology that explains the approach taken to assess the Bank's risk. Specifically, the methodology should include the scope of the assessment, the risk framework used, the data collection and information gathering process, the analysis of the risks identified, and the reporting and Implementation procedures. FBME indudes the following risk categories in its risk assessment: customer type, customer behavior, distribution channels, products/services, geographical location of customers, origin and destination of customers funds, customer activities, and the Bank's structure (scale and complexity of the Bank's activities FBME00000011 Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 42 of 134 AML Program Procedures) Performed Observations Recommendations Element Compliance Policies and Procedures Employee Training EY obtained and read FBME's Manual of Policies and Procedures (MoPP). The Compliance policies and procedures (Section 0 of the MoPP) were compared against the CBC 4'" Directive and the EU 3 r° Directive, EY also obtained and read FBMECS' AML policies and procedures and compared them to the CBC's 4'" Directive and the EU'S 3,d Directive. EY verified that the MLCO has implemented an annual education and training plan, as required by the CBC Directive. EY obtained the relevant training materials to determine whether they are comprehensive, address key regulatory requirements, and are appropriately tailored to the risk profile of the Institution, 11 FBME FOIA CONFIDENTIAL TREATMENT REOUESTED BY FBME BANK LTD. and the geographical spread of its operations, staffing of compliance department, and storage of customer's KYC data and record retention period). 
The assessment considers the entire universe of FBME's business lines, but does not specifically address the risks resulting from internal transfers between FBME accounts. FBME's AML/CTF risk assessment considers sanctions risks. However, other financial crimes, such as fraud and bribery/corruption, are not prominently featured in this risk assessment. The provisions stipulated in FBME's MoPP are in line with the applicable requirements of the Directives. None. Since FBMECS is not a bank and does not have a deposit taking license, It Is not covered by the CBC 4' Directive. That said, FBMECS does have a compliance program and its Compliance Policy and Procedure Manual Is In line with the applicable requirements of the Directives. New Employee Training According to the Directives, newly hired staff should be educated in understanding the Importance of preventive policies against money laundering and terrorist financing and the procedures, measures and controls that the credit Institution has in place for that purpose. FBME provides induction training to new hires and attendance records are maintained for these sessions. The induction training consists of a two-day rotation through the various compliance functions. EY was provided with an agenda of the elements comprising the typical induction course. The agenda Included the following topics: • Overview of Compliance department and its role in the Bank and applicable AML regulations. • Economic sanctions and the risks they entail, • Brief description of Compliance responsibilities (e.g., customer acceptance policy, Approved Third Party (ATP) relationships, monitoring/reporting obligations, legal and regulatory frameworks). • Risk classification and Identification of high-risk clients (e.g., bearer share companies, PEPs). • Overviews of the HotScan and Mantas monitoring systems. • Daily monitoring and action taken (e.g., alert investigations). 
• Disclosure letters from authorities,
• Correspondent bank inquiries,
• Suspicious transactions/suspicious activities (e.g., MOKAS reports).

All new hires should receive dedicated AML and sanctions training within a reasonable timeframe after the commencement of their employment. This timeframe for new-employee AML/sanctions training (e.g., within 30 days from start date) should be stipulated in the Bank's Compliance Policies and Procedures. FBME should provide annual AML and sanctions awareness training to all Bank employees. Additionally, FBME should consider implementing a formal training regimen (e.g., regulatory updates, enforcement actions, industry trends) for the Executive Committee and BoD members. The Bank should also consider implementing a system to track trainings taken, and required to be taken, by all employees. Currently, training information appears to be ad hoc and maintained mostly on an individual basis by each employee. There are no consolidated training records to determine which employees took a particular training or which trainings an employee has taken.

Observations (continued):
• Annual regulatory reporting requirements.
The induction training agenda indicates that a sufficient amount of time is allotted to each session. There were no other written training materials to evidence the level of detail in which AML and sanctions concepts were covered. Additionally, FBME's MoPP does not define the timeframe in which new employees should receive AML training.

Ongoing / General Awareness Training

Procedure(s) Performed: Per the Directives, ongoing training should be given at regular intervals so as to ensure that staff are reminded of their duties and responsibilities and kept informed of any new developments. The CBC 4th Directive requires that the MLCO prepare and implement, on an annual basis, an education and training program for staff. The CBC 4th Directive further establishes that the time and content of staff training of different units should be adapted to the needs of each credit institution. Furthermore, the frequency of education/training may vary depending on amendments to the legislative or regulatory requirements, the staff's duties, and any other changes that the financial system is undergoing.

Observations: EY observed that Bank-wide AML/sanctions awareness training has not been conducted since December 2011/January 2012, even though the 2012 MLCO report indicates that a general training was to be provided to all staff members in the second half of 2013. It should be noted that the MLCO's 2014 education plan includes a general knowledge training course to be given to all Bank employees; however, this has been put on hold since the CBC's appointment of a Special Administrator. The FBME Board of Directors (BoD) and the Executive Committee (EC) receive regular updates on regulatory requirements and significant changes in policies, which they must approve (per the Directives and the MoPP). Tailored AML training, however, is not provided to either the BoD or the EC. Rather, the MLCO provides informal information on an ad hoc basis. While this is not an express requirement under the Directives, it is an industry practice that many financial institutions have implemented.

Supplemental Role-Based Training

Procedure(s) Performed: Per the CBC Directive, employees who deal directly with customers (e.g., customer-facing employees) should be trained on the verification of new customers' identity, the exercise of due diligence on an ongoing basis, the monitoring of accounts of existing customers, and the detection of patterns of unusual and suspicious activity.

FBME FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD.

Observations: EY noted that, on July 12, 2014, the MLCO provided training on the changes in AML law and the CBC's 4th Directive to all staff in customer-facing departments. Additionally, EY noted that a more general AML e-training was provided to employees in the back office and support functions. EY reviewed the July 12, 2014 training provided to customer-facing employees and observed that the content met the key CBC 4th Directive provisions and addressed, among others, the following: customer due diligence / customer acceptance, handling of Politically Exposed Persons (PEPs) and other high-risk customers, ongoing monitoring of customer relationships, updating customer records, and reliance on third parties (e.g., key business introducers). EY also observed that the MLCO provides informal training throughout the year to FBME employees in targeted departments (e.g., Business Development, Operations). The MLCO maintains a Training Register which documents past trainings (2012 to 2014) taken by the Compliance staff. However, for all other employees a central database or learning management system is not in place to certify and track training sessions attended. Rather, each employee maintains a "Training Passport" indicating, with a stamp, the trainings attended.

Reporting of Training Results

Procedure(s) Performed: The MLCO Report includes a section on the "Results of the assessment of the adequacy and effectiveness of staff training." EY read the 2012 and 2013 MLCO reports.

Observations: The 2012 report indicates the training courses taken by the MLCO and Compliance staff as well as the results of the internal training given to FBME employees.
Additionally, the 2012 report indicates that the average test result from the December 2011/January 2012 training was 82.15%, which, according to the MLCO, demonstrates a high level of "staff knowledge and awareness of the prevention of money laundering and terrorist financing and related policies and procedures." The training section of the 2013 report stated "N/A," which is accurate given the fact that formal Bank-wide training

Customer Identification and Due Diligence

Procedure(s) Performed: EY sought to determine whether FBME has documented and implemented policies, procedures, and processes in line with the Directives. EY sampled and tested 36 corporate customer files and 10 individual files. Specifically, EY:
1. Determined whether a customer profile is developed at the inception of a relationship that includes Know Your Customer (KYC) information, such as business profile, intended use of account and the assigned risk classification (normal/low or high);
2. Verified that the ultimate beneficial owner's identity has been verified and adequate measures have been taken to understand the ownership and corporate structure of a customer;
3. Verified that ongoing monitoring of the business relationship is conducted and all documents and client information are kept up to date.
EY also tested 5 closed accounts and 5 declined accounts to verify that appropriate measures were taken to terminate customers and decline applicants. In addition, EY tested 10 ATP files to verify that the Bank has performed due diligence on the third party to confirm that it is subject to professional registration by law and to supervision with regard to requirements of, or equivalent to, the EU 3rd Directive.

Observations:
• The CBC Directive and the MoPP require that adequate measures be taken to establish the source of wealth and source of funds involved in a client relationship. The CBC Directive recommends that this be established through audited financial statements, business plans, or management accounts, where deemed necessary. The Bank has many newly formed/incorporated customers, and as "start-ups" they do not have financial statements. Even so, source of wealth checks were not consistently performed on the ultimate beneficial owners (UBOs) of the start-ups. EY was advised by the MLCO that the Bank gains comfort about a customer's wealth by performing additional public database and Internet searches on the UBOs. However, when the searches do not yield negative information, the Bank does not document these searches or the fact that no negative information was found. For lower-wealth UBOs, who typically do not have a large presence on the Internet or in the public domain, the group structure form is reviewed; however, this document is not obtained from an independent source (rather, it is obtained from the client).
• For four (4) corporate customers, FBME did not sufficiently document its verification of the customers' source of wealth or the source of funding for their accounts. Figures on expected turnover and business purpose were included in each customer's Business Profile; however, these figures were often not validated with supporting documentation.
• For two (2) corporate customer files, there was no documentary evidence to explain the customer's activities or the business purpose of the accounts.
• For one (1) individual customer, a sufficient level of information was not obtained to reasonably understand the customer's expected pattern of transactions for the account.
• EY noted that numerous files contained references to existing FBME customers throughout the onboarding documents. While reviewing the file of a corporate customer, EY identified an instance of potential tax evasion and found that the transaction pattern involved multiple other FBME customers. Based on EY's observation, the MLCO performed a further assessment of the internal transfers and decided to file an STR related to the activity on August 28, 2014.
• All FBME customers are assigned a risk rating. There are two levels of risk associated with the Bank's customers, normal and high. Both the CBC 4th Directive and the Bank's MoPP provide a list of customer types that are considered high risk.
• While FBME has procedures in place to verify the identity of its customers, the process for obtaining customer information was not always clearly documented throughout the sample of files tested. For example, there was no consistency in the completion of Internet searches or in the documentation of research from external sources. After June 2012, FBME began performing "part match" searches in World-Check for individuals only. FBME performs "exact match" searches on corporate entities, which increases the likelihood that a potential match is missed.

Recommendations:
FBME should consider obtaining (on a risk-differentiated basis) further documentation (beyond Internet searches) from potential customers to verify their source of funds/wealth and the business purpose of their accounts, and should document the Internet searches performed, including support to evidence the absence of adverse information. Additionally, when conducting searches on the World-Check database, FBME should utilize the "part match" search feature for all customer types.
EY noted that numerous customer files contained references to existing FBME customers throughout the onboarding documents. EY recommends that FBME further investigate these relationships at the onboarding stage.
Although not required by the Directives, FBME should consider modifying its periodic review process and moving towards rolling 12- or 36-month cycles for high- and normal-risk customers, respectively, rather than calendar-year annual or three-year review cycles. This should help avoid large concentrations of reviews being performed during the fourth quarter of the calendar year. Additionally, such a schedule will allow accounts to be reviewed no later than the one-year (high-risk customers) or three-year (normal-risk customers) anniversary of their previous reviews.
FBME should implement the enhanced risk rating methodology for ATPs, as required by the CBC Directive, by the October 2014 deadline.

Ongoing Customer Due Diligence (CDD) Reviews

Observations: FBME performs periodic due diligence reviews on all customer accounts. The frequency of these reviews depends on the risk classification of the customer: high-risk customers are reviewed annually and normal-risk customers every three (3) years. For certain high-risk customers (e.g., bearer share companies, PEPs), this ongoing (periodic) review process begins with an annual evaluation of the client's transaction history and a determination as to whether FBME intends to retain the customer relationship. The second phase of the process applies to both high- and normal-risk customers and entails a documentary review by FBME Compliance (KYC Update Team). The KYC Update Team tracks the scheduling, completion and results of these periodic reviews via Excel spreadsheets. These spreadsheets use a color-coding system that indicates the status of a review: newly opened or recently reviewed accounts are coded green, accounts approaching their review date are coded yellow, and accounts whose reviews are due or past due are coded red. FBME has been using these tracking spreadsheets since late 2013.
At the time of EY's fieldwork, FBME had reviewed 34% (399 of 1,183) of its high-risk accounts subject to annual review for the year 2014. For those accounts whose review had been in progress for more than 60 days, FBME Compliance placed "No Debit / No Credit" markers on each of these accounts; per review of the aforementioned spreadsheets, it appears that the markers are placed on these accounts in order to prevent the execution of additional transactions. We were advised by FBME Compliance that, in accordance with Bank policy, it will only lift a marker once the periodic due diligence review has been completed, and that it will exit customers who refuse to provide the requisite documentation. EY was further advised by the MLCO that a plan is in place for the periodic reviews due in 2014 to be completed by the end of the calendar year. Additionally, the MLCO indicated that the 2012 and 2013 reviews were completed by December 31 of each year.
EY's testing of 25 completed KYC reviews yielded the following:
• For seven (7) corporate customers and two (2) individual customers, documentation was requested in the review yet not obtained (i.e., passports, corporate structure, expected business activity).
Before the start of ATP relationships, the MLCO assesses the adequacy of the third party by reviewing the ATP's policies and procedures. For the 10 ATP files tested, EY observed that AML Questionnaires were completed and that approval was obtained from the MLCO prior to the start of the relationship. For 2 out of 10 active ATPs, there was no evidence of the ATP's AML Policy & Procedures in the file. Per discussion with the MLCO, this was not required by the CBC Directive at the time the ATPs were onboarded. EY noted that, of the 7 ATPs in the sample that were onboarded prior to the issuance of the CBC 4th Directive in December 2013, only the 2 ATPs identified did not have AML policies and procedures included in their files. In addition, 1 of the 2 ATPs is in the process of being deactivated as of June 2014.
Due diligence for ATPs was enhanced in the CBC 4th Directive. An addendum to the Directive, issued on July 10, 2014, introduced an ATP Scorecard, which tallies declined accounts, closed accounts, and MOKAS reports related to each ATP. The scorecard also calculates a risk status, and high-risk ATPs are to be reviewed every six months. FBME is working towards incorporating the ATP Scorecard into its ATP onboarding process by the October 2014 deadline imposed by the CBC.

Enhanced Due Diligence (EDD)

Procedure(s) Performed: EY verified that FBME's AML program provides guidance on the types of clients that are considered "high risk" to the institution, thereby necessitating EDD measures. EY determined whether the EDD procedures and processes outline the measures to be used by FBME to identify and gain sufficient knowledge of potential customers that may pose a higher risk of money laundering or terrorist financing. EY determined that the MLCO has a mechanism/tool to track customers monitored as high risk. EY selected a sample of such clients and verified that EDD measures were sufficient, comprehensive, and documented.

Observations: FBME has defined the following types of customers as high-risk:
• Non-face-to-face clients;
• Companies with bearer shares;
• Trusts and foundations;
• Client/pooled accounts;
• Politically Exposed Persons (PEPs);
• Correspondent accounts for a bank outside of the European Union;
• Customers from high-risk jurisdictions;
• Private banking customers (e.g., Investment Desk clients); and
• Clients involved in electronic gambling/gaming.
In addition to its normal customer identification and due diligence practices, FBME applies EDD measures to its high-risk customers. These EDD measures may vary by account, as they are tailored to address the unique risk(s) posed by each of the above-mentioned customer types. Examples of EDD measures include completing Bearer Share Questionnaires (e.g., to identify changes in corporate ownership structure), conducting further analysis of PEP relationships (e.g., additional background checks on the PEP focusing on source of wealth), and verifying the validity of business/professional licenses. All high-risk customers require approval (sign-off) from the MLCO or Alternate MLCO prior to account opening. Additionally, high-risk customers are reviewed on an annual basis, compared with every three years for customers categorized as normal risk. Further, the MLCO must approve any downgrade from high to normal risk.

Recommendations: None.

Transaction Monitoring / Sanctions Screening

Procedure(s) Performed: EY determined whether a process is in place to review client transaction activity and identify unusual or conspicuous customer behavior.

Observations: FBME uses two tools to monitor client wire transactions and identify unusual or conspicuous customer behavior, HotScan and Mantas. FBME also monitors cash and check transactions through a daily manual review process.

Recommendations: FBME should consider utilizing a case management system to record the alerts generated, the level of investigation, and the ultimate disposition of the alerts generated by HotScan, Mantas, and manual monitoring, as opposed to manually entering the alerts and their outcomes on several different Excel logs.
Procedure(s) Performed (continued): EY verified that appropriate monitoring and surveillance systems or tools have been implemented and cover all of the institution's products, services, customers, transactions, and geographic locations. EY sampled and tested 25 manually passed HotScan alerts. EY determined whether the criteria or "red flags" used to define "suspicious" are documented and appropriate given the nature of the institution's business and clientele, and whether any volume and value thresholds used are reasonable given the nature of the business and the client base. EY verified that these monitoring parameters have been approved by an appropriate level of management (e.g., MLCO, Alternate MLCO).

Observations (continued): HotScan is an interdiction filter that monitors all of the Bank's SWIFT transactions, both incoming (CYI) and outgoing (CYO). HotScan screens transactions in real time against sanctions lists and other customized lists maintained by the Bank. Lists of individuals and entities are imported daily from the United States Treasury Department's Office of Foreign Assets Control (OFAC), HM Treasury, the Financial Action Task Force (FATF), the Cyprus Securities and Exchange Commission (CySEC), the United Nations sanctions list, the European Union sanctions list, and other sources as determined by the Bank. The updates are received daily from these sources via email and uploaded to HotScan using system functionality. Individuals and entities can also be manually entered into the system, and the Bank uploads the names of high-risk clients into HotScan. Transactions flagged in HotScan are reviewed on a daily basis. If there is a positive match within HotScan, the transaction is put on hold. If there is a partial match within HotScan, an investigation is initiated, and depending on the outcome the transaction may or may not be processed. Interbank transactions (i.e., transfers between existing FBME client accounts) are not screened by HotScan.
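The "part match" recommendation for World-Check searches and the positive/partial match distinction in HotScan both come down to how a screening engine compares a name against a list entry. The following is an added example, not code from the EY report, FBME, World-Check or HotScan: the watch-list entries, the queried names, the noise-token list and the 0.6 score threshold are constructed for illustration, and the fuzzy score uses Python's difflib rather than any vendor's matching algorithm. It shows why an exact comparison misses a corporate name that differs only by its legal-form suffix, and how a part-match mode that tokenizes the name, drops such suffixes and scores each token fuzzily still finds it, at the price of more candidate hits for an investigator to disposition.

```python
"""Exact-match vs. part-match name screening against a watch list.

Added illustration; not FBME's, World-Check's or HotScan's code. The list
entries, the queried names and the score threshold are constructed.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch-list entries (not real list records).
WATCH_LIST = [
    "Ivan Petrov",
    "Global Trade Holdings Limited",
    "Mohammed Al-Rashid",
]

# Legal-form and filler tokens that carry no identifying information.
NOISE_TOKENS = {"ltd", "limited", "llc", "inc", "co", "company", "corp",
                "sa", "plc", "the", "and", "of"}


def normalize(name: str) -> str:
    """Lower-case, strip accents and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_only.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def tokens(name: str) -> set:
    """Identifying tokens of a name, with legal-form noise removed."""
    return {t for t in normalize(name).split() if t not in NOISE_TOKENS}


def token_similarity(a_tokens: set, b_tokens: set) -> float:
    """Mean, over the smaller token set, of each token's best fuzzy match
    (difflib ratio) against the other set. Identical tokens score 1.0."""
    short, long_ = sorted((a_tokens, b_tokens), key=len)
    if not short:
        return 0.0
    best = [max(SequenceMatcher(None, s, t).ratio() for t in long_) for s in short]
    return sum(best) / len(best)


def exact_match(query: str, entries=WATCH_LIST) -> list:
    """'Exact match' mode: a hit only if the normalized strings are identical."""
    q = normalize(query)
    return [e for e in entries if normalize(e) == q]


def part_match(query: str, entries=WATCH_LIST, min_score: float = 0.6) -> list:
    """'Part match' mode: (entry, score) pairs at or above min_score, best first.
    Word order, punctuation and legal-form suffixes no longer matter, and a
    one-letter spelling variant still scores highly."""
    q_tokens = tokens(query)
    hits = []
    for entry in entries:
        e_tokens = tokens(entry)
        if not q_tokens or not e_tokens:
            continue
        score = round(token_similarity(q_tokens, e_tokens), 2)
        if score >= min_score:
            hits.append((entry, score))
    return sorted(hits, key=lambda hit: -hit[1])


def screen(query: str) -> dict:
    """Run both modes side by side, as an investigator would compare them."""
    return {"exact": exact_match(query), "part": part_match(query)}


if __name__ == "__main__":
    for name in ("Global Trade Holdings Ltd.", "Petrov, Ivan", "Ivan Petroff", "Acme Widgets Inc"):
        print(name, "->", screen(name))
```

The threshold is the tuning knob: lowering it catches more spelling variants and raises the number of partial matches that must be investigated before a payment is released, which is exactly the trade-off the approved "monitoring parameters" in the procedures above are meant to settle.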
Mantas captures interbank transactions that fall within the scenario thresholds. As a compensating control, the Compliance Department generates and reviews on a daily basis a Business Objects report which lists all interbank transactions.
Mantas monitors past transactions and generates alerts based on specific scenarios within a certain timeframe. FBME uses six pre-populated/installed scenarios in its version of Mantas: funds transfers between customers and external entities, focal high-risk entity, high-risk counterparty, rapid movement of funds, large depreciation of account value, and large reportable transactions.
A daily extract from FlexCube is imported into Mantas reflecting the most up-to-date transaction and account information. The batch .csv files are imported from FlexCube into Mantas through an automated process, and the ability to run the script is available to the IT department only. The Bank retains a copy of the .csv files.
Cash and check transactions are monitored daily. The list of daily transactions is printed out and retained in a binder by the Compliance Department. These transactions are manually reviewed and checked off on the spreadsheet. In instances where documentation is required, the printed copies of the documents are retained in the binder with the daily transaction printouts. Monthly reports are also maintained in hard copy and retained in the binder with the daily printouts. The monthly cash and check transactions of each customer are manually reviewed for patterns of suspicious activity, and the three previous months' cash and check transaction reports are included in the review. Deposits over EUR 10K require documentation as proof of the source of the funds; documentation is requested from the customer even if the amount is close to EUR 10K. Withdrawals over EUR 15K must be supported with an additional explanation regarding the purpose of the withdrawal. These transactions are documented on a form, and any supporting documentation received from the customer is retained in the binder with the daily/monthly cash and check reports.

Recommendations (continued): FBME uses different processes (HotScan, Mantas, manual monitoring) to monitor transactional activity. A case management system would streamline the monitoring process by combining duplicate alerts and ensuring that there are no gaps between the separate monitoring processes.
FBME should consider adding a Mantas scenario to capture structuring activity, i.e., transactions that appear structured to avoid actual or perceived thresholds. FBME does not transact in physical currencies; therefore, there is no regulatory requirement (per the Directives) to monitor wire transmittals for patterns of structuring. Nevertheless, the lack of a structuring detection scenario, even for wire transmittals, is not in line with US regulatory expectations and US industry practices. As a result, FBME may continue to find itself in a position where it cannot explain such transactions to a future US correspondent bank (which will likely be monitoring for such activity). EY performed a transactional review and identified instances of FBME customers transacting in USD between April 2013 and April 2014 in a manner that would normally alert under a structuring scenario. The activity consisted of numerous small, round-dollar wires between the same parties within a short timeframe, indicative of potential structuring of wires in attempted avoidance of perceived thresholds. These wires were not captured through Mantas or manual monitoring.
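The pattern EY describes, several small round-amount wires between the same two parties within a short period whose total reaches a threshold that no single wire crosses, is what a structuring scenario looks for. The following is an added example, not a Mantas scenario and not FBME's configuration: the wire records, the USD 10,000 threshold, the 7-day window, the three-wire minimum and the 500-unit round-amount test are all constructed assumptions. A wire at or above the threshold is deliberately not treated as a leg of the pattern, and a pair of parties produces one alert that grows as further legs arrive rather than a duplicate alert per window.

```python
"""Rule-based structuring scenario for wire transfers.

Added illustration; not a Mantas scenario and not FBME's configuration.
The wire records and every parameter (USD 10,000 threshold, 7-day window,
three-wire minimum, 500-unit round-amount test) are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Wire:
    ref: str             # payment reference, so identical legs are not collapsed
    booked: date
    originator: str      # ordering account
    beneficiary: str     # beneficiary account or external party
    amount: Decimal
    currency: str


@dataclass
class StructuringAlert:
    originator: str
    beneficiary: str
    window_start: date
    window_end: date
    wires: list = field(default_factory=list)

    @property
    def total(self) -> Decimal:
        return sum((w.amount for w in self.wires), Decimal(0))


def is_round(amount: Decimal, unit: Decimal = Decimal("500")) -> bool:
    """Round-amount test: the amount is a whole multiple of `unit`."""
    return amount % unit == 0


def structuring_scenario(wires, threshold=Decimal("10000"), window_days=7,
                         min_count=3, currency="USD"):
    """Flag originator/beneficiary pairs that exchange at least `min_count`
    round, sub-threshold wires inside some `window_days` window whose sum
    reaches `threshold`. Wires at or above the threshold are not legs of a
    structuring pattern; they belong to the large-transaction scenario."""
    by_pair = defaultdict(list)
    for w in wires:
        if w.currency == currency and w.amount < threshold and is_round(w.amount):
            by_pair[(w.originator, w.beneficiary)].append(w)

    alerts = []
    for (orig, bene), legs in by_pair.items():
        legs.sort(key=lambda w: w.booked)
        alert = None
        start = 0
        for end, last in enumerate(legs):
            # Slide the window start forward until it spans at most window_days.
            while last.booked - legs[start].booked > timedelta(days=window_days):
                start += 1
            window = legs[start:end + 1]
            if len(window) < min_count or sum(w.amount for w in window) < threshold:
                continue
            if alert is None:
                alert = StructuringAlert(orig, bene, window[0].booked, last.booked, list(window))
                alerts.append(alert)
            else:
                # Extend the pair's existing alert instead of raising a duplicate.
                new_legs = [w for w in window if w not in alert.wires]
                alert.wires.extend(new_legs)
                alert.window_end = last.booked
    return alerts


# Constructed sample wires (not real transactions).
SAMPLE_WIRES = [
    Wire("W-01", date(2013, 6, 3), "ACC-1001", "EXT-77", Decimal("3000"), "USD"),
    Wire("W-02", date(2013, 6, 4), "ACC-1001", "EXT-77", Decimal("2500"), "USD"),
    Wire("W-03", date(2013, 6, 6), "ACC-1001", "EXT-77", Decimal("2500"), "USD"),
    Wire("W-04", date(2013, 6, 7), "ACC-1001", "EXT-77", Decimal("3000"), "USD"),
    Wire("W-05", date(2013, 6, 20), "ACC-1001", "EXT-77", Decimal("25000"), "USD"),  # above threshold
    Wire("W-06", date(2013, 6, 3), "ACC-2002", "EXT-12", Decimal("9500"), "USD"),
    Wire("W-07", date(2013, 6, 5), "ACC-2002", "EXT-12", Decimal("9500"), "USD"),    # only two legs
    Wire("W-08", date(2013, 6, 3), "ACC-3003", "EXT-40", Decimal("2750"), "USD"),
    Wire("W-09", date(2013, 6, 4), "ACC-3003", "EXT-40", Decimal("2750"), "USD"),
    Wire("W-10", date(2013, 6, 5), "ACC-3003", "EXT-40", Decimal("2750"), "USD"),    # not round amounts
    Wire("W-11", date(2013, 6, 1), "ACC-4004", "EXT-99", Decimal("4000"), "USD"),
    Wire("W-12", date(2013, 6, 15), "ACC-4004", "EXT-99", Decimal("4000"), "USD"),
    Wire("W-13", date(2013, 6, 29), "ACC-4004", "EXT-99", Decimal("4000"), "USD"),   # spread over four weeks
]

if __name__ == "__main__":
    for a in structuring_scenario(SAMPLE_WIRES):
        print(f"{a.originator} -> {a.beneficiary}: {len(a.wires)} wires, USD {a.total} "
              f"between {a.window_start} and {a.window_end}")
```

On the constructed data only the ACC-1001 pair alerts; the two 9,500 wires do not, because the three-wire minimum is not met. Lowering `min_count` to 2 flags that pair as well, which is the kind of parameter decision the procedures above expect to be documented and approved by the MLCO or Alternate MLCO rather than left to the scenario's defaults.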
Checks are reviewed against HotScan sanctions lists and reviewed for authenticity before clearance.

Alert Investigations

Procedure(s) Performed: EY identified the process for alert generation and subsequent investigation of the alerts. EY determined the level of management oversight/approval over the dispositioning of these items. EY verified that the reason for escalation/non-escalation is sufficiently documented and that any supporting documentation is collected and retained. EY verified that an appropriate review/investigation process (including management supervision) has been established, that account activity is closely monitored, and that alerts/cases are researched and resolved in a timely manner.

Observations: Internal transfers between FBME accounts are monitored through Mantas scenarios and through a daily review performed by a Compliance officer. A report is run on a daily basis that includes transactions exceeding $500,000, and the internal transfers are reviewed as part of this daily review.
FBME has an investigative process in place for handling both money laundering and sanctions-related alerts. These step-by-step procedures are outlined in the Compliance Monitoring Unit Internal Process Document. Investigations performed for HotScan and Mantas alerts typically consisted of obtaining documentation to support the alerted activity. For investigations related to partial matches in HotScan, a number of items may be reviewed to determine whether suspension of the transaction is warranted. The investigator's review may include the account holder's past transactions, the ultimate beneficial owner (UBO) of the account holder, and online search engine results. Additionally, the investigator may send an e-mail to the Customer Service department requesting supporting documents to be provided by the client (e.g., invoice, sales agreement), or place a marker (e.g., no credit or debit posting) on the account. If the investigator is not satisfied with the information reviewed and/or the documents received, the transaction will not be processed, and the Customer Service department will accordingly inform the client that the transaction will not be processed for compliance reasons. Markers are only removed from the file once sufficient documentation is received (as deemed by Compliance). Marker 10 indicates that the account will be closed; transactions are not processed on the account, and the account can close within one week of this marker being placed on the file.
Investigations related to outgoing payments follow a "four eyes principle," meaning that before an alert can be closed, two investigators must review it. There is a system control in HotScan that prevents the initial investigator from acting as the second investigator on a particular alert. The control includes an audit trail with the usernames and the corresponding actions associated with each user. All HotScan alerts are manually entered and tracked on an Excel spreadsheet.
EY's sample-based testing of 25 closed HotScan alerts revealed the following:
• For 24 of the 25 alert investigations tested, supporting documentation for the transactions in question was obtained from the customers.
• For the other one (1) investigation tested, supporting documentation was not received from the customer. Rather, FBME received a verbal explanation from the client of the purpose of the wire transfer, which was noted in an email from Customer Service. However, there was no evidence on file to indicate that documentation was subsequently requested or received.
In a Mantas investigation, a Mantas alert form is manually completed in Excel with the details of the investigation. Once an alert has been investigated, the alert is closed in Mantas. An internal report or an account monitoring marker may result from the investigation. EY's testing of 25 closed Mantas alert investigations found that, for the most part, the documents supporting the alerted transactions were requested and obtained. However, there were instances in which missing documentation was noted in EY's review. Specifically:
• For one (1) Mantas investigation, the incorrect alert was printed and included in the customer file. As a result, the alert included in the file did not correspond to the actual investigation conducted and the supporting documentation obtained. This was subsequently corrected by FBME.
• For two (2) Mantas investigations tested, supporting documentation for the alerted activity was not obtained. In one of the two instances, the Bank explained that no documentation was obtained because the transactions were from the customer's own account or to the beneficial owner of the customer. In the other instance, because the activity involved inward transfers, supporting documentation was requested but not fully obtained, as the alert was not prioritized.

Recommendations: Instead of manually entering the alerts and investigation outcomes on several different Excel spreadsheets, FBME should consider implementing an automated case management system to log the alerts generated, describe the investigations performed, and record the ultimate disposition of the alerts and any SARs filed.

Suspicious Transaction Reporting (STR)

Procedure(s) Performed: EY conducted a walkthrough of the process for escalating potentially suspicious activities to the MLCO. EY identified and documented the tracking process or log system used to manage the inflow of referrals received both from employees and through the transaction monitoring process. EY verified that the control log clearly illustrates the disposition of each referral (STR filed or not). EY sampled and tested 25 STRs filed with MOKAS by FBME, and reviewed the documentation supporting the filings.

Observations: FBME has a process in place to escalate suspicious activities to the MLCO and, if necessary, to MOKAS. In cases where FBME determines that a customer's activities are suspicious, the MLCO completes an STR and files the report with MOKAS. Prior to sending the report to MOKAS, the Compliance department places a monitoring marker alert on the specific customer denoting that the customer is under investigation by Compliance. Once the marker is placed in the system, a Bank officer records the information in a shared spreadsheet. The Bank maintains a tracking spreadsheet for all reports (STRs) filed with MOKAS, by year. Additionally, FBME maintains a copy of the MOKAS report, the acknowledgement of receipt received from MOKAS, and the disposition of the STR by MOKAS, if applicable. Alerts generated through the Bank's monitoring systems are recorded on separate trackers and would need to be cross-referenced against the MOKAS report tracker to determine whether an alert resulted in an STR being filed. When filing a report with MOKAS, FBME will freeze or close the customer's account if a response is not provided by MOKAS within 14 days.

Recommendations: None.
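The four-eyes control, the account markers and the separate Excel trackers for alerts and STRs described above are the pieces a case management system would bring together in one record. The following is an added example, not FBME's process, HotScan's control or any vendor's product: the user names, alert and customer identifiers, marker codes, status names and STR reference format are constructed. It shows a case that cannot be closed by the investigator who recorded the first review, an audit trail that records every action (including the rejected closure) with the acting user, a marker that can only be lifted once the case is closed, and a field that ties the case to its STR so that the alert tracker and the MOKAS tracker no longer need to be cross-referenced by hand.

```python
"""Alert case record with an enforced four-eyes closure and an audit trail.

Added illustration; not FBME's process, HotScan's control or any vendor's
case management product. User names, alert and customer identifiers, marker
codes and the STR reference format are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


class FourEyesViolation(Exception):
    """The same user attempted to act as both first and second reviewer."""


@dataclass
class AuditEntry:
    at: datetime
    user: str
    action: str
    note: str = ""


@dataclass
class AlertCase:
    alert_id: str
    source: str                          # "HotScan", "Mantas" or "manual"
    customer: str
    status: str = "open"                 # open -> pending_second_review -> closed
    first_reviewer: Optional[str] = None
    second_reviewer: Optional[str] = None
    marker: Optional[str] = None         # e.g. "NO_DEBIT_NO_CREDIT" (constructed code)
    str_reference: Optional[str] = None  # reference of the STR filed, if any
    trail: List[AuditEntry] = field(default_factory=list)

    def _log(self, user: str, action: str, note: str = "") -> None:
        self.trail.append(AuditEntry(datetime.now(timezone.utc), user, action, note))

    def investigate(self, user: str, finding: str) -> None:
        """First review: record the finding and who made it."""
        if self.status != "open":
            raise ValueError(f"case {self.alert_id} is {self.status}, not open")
        self.first_reviewer = user
        self.status = "pending_second_review"
        self._log(user, "investigate", finding)

    def place_marker(self, user: str, marker: str) -> None:
        self.marker = marker
        self._log(user, "place_marker", marker)

    def close(self, user: str, disposition: str) -> None:
        """Second review: only a user other than the first reviewer may close."""
        if self.status != "pending_second_review":
            raise ValueError("a first review must be recorded before closing")
        if user == self.first_reviewer:
            self._log(user, "close_rejected", "four-eyes: same user as first reviewer")
            raise FourEyesViolation(f"{user} already performed the first review")
        self.second_reviewer = user
        self.status = "closed"
        self._log(user, "close", disposition)

    def lift_marker(self, user: str) -> None:
        """A marker comes off only once the review is complete."""
        if self.status != "closed":
            raise ValueError("marker can only be lifted after the case is closed")
        self._log(user, "lift_marker", self.marker or "")
        self.marker = None

    def record_str(self, user: str, reference: str) -> None:
        """Link the case to its filing so alert and STR trackers need no cross-referencing."""
        self.str_reference = reference
        self._log(user, "record_str", reference)


def run_demo() -> AlertCase:
    """Walk one HotScan partial-match alert through the controls."""
    case = AlertCase("HS-2014-0001", "HotScan", "CUST-4711")
    case.investigate("analyst_a", "partial name match; invoice requested via Customer Service")
    case.place_marker("analyst_a", "NO_DEBIT_NO_CREDIT")
    try:
        case.close("analyst_a", "false positive")       # rejected: same user as first reviewer
    except FourEyesViolation:
        pass
    case.close("analyst_b", "false positive; invoice on file")
    case.lift_marker("analyst_b")
    return case


if __name__ == "__main__":
    for entry in run_demo().trail:
        print(f"{entry.at:%Y-%m-%dT%H:%M:%SZ} {entry.user:<10} {entry.action:<15} {entry.note}")
```

The rejected closure is itself an audit entry, which is what makes the control reviewable after the fact: a spreadsheet in which an analyst simply types the disposition carries no record of who was prevented from doing what.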
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
© 2013 Ernst & Young LLP. All Rights Reserved. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

EXHIBIT

Hogan Lovells US LLP
Columbia Square, 555 Thirteenth Street, NW, Washington, DC 20004
T +1 202 637 5600  F +1 202 637 5910  www.hoganlovells.com

November 17, 2014

FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD.

BY ELECTRONIC MAIL

Jennifer Shasky Calvery, Director
Financial Crimes Enforcement Network, U.S. Department of Treasury
P.O. Box 39, Vienna, VA 22183
Attention: Richard May, Director, FinCEN Office of Special Measures (Richard.May@fincen.gov)

Re: Notice of Proposed Rulemaking -- Financial Crimes Enforcement Network (FinCEN): Supplemental Information, RIN 1506-AB27

Dear Director Shasky Calvery:

On behalf of our client, FBME Bank Ltd. ("FBME" or the "Bank"), and as discussed with Richard May, we thank you for the opportunity to provide additional information to FinCEN as part of the Bank's response to the Notice of Proposed Rulemaking and Notice of Finding in this matter.
As detailed in EY's September 22, 2014 Assessment of FBME's Compliance Program ("Assessment"), FBME's Manual of Policies and Procedures (the "Manual") is in compliance with the applicable requirements of the current EU and Cypriot Money Laundering Directives. 1/ The enclosed submission provides documentation, Bates numbered FBME00000023 to FBME00000614, to deepen FinCEN's understanding of the policies and operations of FBME's anti-money laundering ("AML") and sanctions compliance program ("Compliance Program" or "Program"). This letter describes the documents contained in this submission for your reference.

1/ Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (the "EU 3rd Directive") and the fourth issue of the Directive to Credit Institutions in accordance with Article 59(4) of the Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2013, issued by the Central Bank of Cyprus ("CBC") in December 2013 (the "CBC 4th Directive").
We also detail certain enhancements to the Program that FBME has implemented or is in the process of implementing. As we have discussed, we will be providing additional information in future submissions. For example, we are working with EY to complete a transactional review of the issues raised in the Notice of Finding. As that review progresses, we will seek to meet with you to explain our findings, our compliance enhancement plans, and to address any outstanding questions or concerns.

As we have expressed previously, the commercial uncertainty surrounding this proceeding has had, and continues to have, a detrimental impact on the business operations of FBME, its affiliates, and its many accountholders. With each passing day, the hurdles to its eventual successful reentry into the banking system get higher. Accordingly, we respectfully request expedited review of this submission.

I. Corporate Governance

FBME's internal structure ensures that Compliance has an active role and a strong voice in Bank matters. Not only does the Money Laundering Compliance Officer ("MLCO") deliver an annual report directly to the Board of Directors regarding the Compliance Program in Cyprus, but as Group Head of Compliance, the MLCO reports semi-annually to the Board regarding compliance issues facing the entire Bank. The MLCO is also a member of the Executive Committee. Unlike most of the other Group Heads, the MLCO / Group Head of Compliance has an elevated status within the reporting structure. In our Comment, we described the history of the Bank as well as the reasons for locating the

II. Manual of Policies and Procedures

FBME's Manual governs its internal processes and serves as a reference of FBME's policies. It is provided to all employees and is available electronically on all employee computer desktops as a shortcut from the shared drive of all Bank departments. Since its adoption in its current format in 2006, Compliance personnel annually review and update the Manual.
The Bank further updates the Manual when prompted by changes in legal and regulatory requirements, industry best practices, or the recommendations of internal or external audits. The Manual has been approved by senior management and the Bank's Board of Directors at least annually and whenever there were changes to policy that required updates to the Manual. For example, in May 2010, FBME added new requirements to the Monitoring 2/ subsections of the Manual to incorporate new procedures used in connection with HotScan and Mantas. In August 2011, the Bank added due diligence requirements governing services to private banking customers. The most recent update to the Manual occurred in May 2014 to reflect changes to the CBC's 4th Directive. In response to the 4th Directive's changes, several sections of the Manual were amended and others were restructured to achieve greater specificity and clarity.

The Compliance section of the current Manual provides policies and procedures designed to address AML risks, including but not limited to: KYC procedures, required documentation for personal and corporate accounts, procedures for high-risk customers, monitoring of accounts and transactions, procedures governing funds transfers and cash deposits, and the duties of the MLCO. For your reference, we attach the Compliance section of the current Manual, which focuses on KYC and other AML compliance procedures. Further, we attach an

III. Money Laundering Compliance Officer

In our public Comment, we described the duties of the MLCO and Alternate MLCO. The MLCO at the Bank is responsible for effective implementation of the Compliance Program, assessment of risks facing the Bank, preparing and applying an annual staff training program, and preparation of an annual report to the Board of Directors regarding the status of various compliance activities and Program elements.
EY had no recommendations or areas of improvement to this element of FBME's Program. 3/

3/ We attach the Manual (please see Section O.B.7).

IV. Employee Training

As described in more detail in our Comment, all employees receive training related to compliance matters, including AML and sanctions compliance. In addition, supplemental training on AML procedures and legal developments is provided to all customer-facing employees, and Compliance personnel also attend external trainings offered by AML experts. EY noted in its report that the MLCO provides informal training throughout the year to employees in selected departments (i.e. Business Development). 4/ As part of its Assessment, EY analyzed a July 12, 2014 training conducted by the MLCO and found that it "met the key CBC 4th Directive provisions and addressed, among others, the following: customer due diligence / customer acceptance, handling of Politically Exposed Persons (PEPs) and other high-risk customers, ongoing monitoring of customer relationships, updating customer records, and reliance on third parties (e.g., key business introducers.)" 5/

FBME has procedures to document compliance training. FBME has a bank-wide central training register maintained by the Training Manager for all internal trainings, and consistent with EY's recommendation, the Bank has expanded this central register to include external trainings as well as internal training. The Bank developed an education plan, with the most recent version issued on January 22, 2014. Compliance training for newly hired employees is required by Bank policy. In line with EY's recommendation, the Bank has directed the MLCO to put in place formal procedures for new hire training. The Bank is implementing these formal procedures before the Bank hires any new employees.
Additionally, also in accordance with EY's recommendation, the Compliance Department is documenting a formal induction training curriculum for all new employees. The course covers the Compliance Department's function and duties; AML and sanctions regulations and risks; customer acceptance and Approved Third Party policy; risk classification and identification of high risk clients; monitoring systems, such as HotScan and Mantas; suspicious transaction reporting; interactions with external financial institutions and regulatory authorities; and regulatory and legal frameworks. With respect to other employees, the Bank will provide a general awareness electronic training program for all employees, including the Executive Committee, before the end of 2014 and intends to have similar training in every subsequent year. The program also includes formal training for Members of the Board of Directors before the end of 2014 and refresher trainings on an annual basis. For your reference, we attach the Manual (please see Section O.B.7), and a bank-wide AML training and quiz from 2012. We also attach a training regarding the 4th Directive and a supplemental training, both from July 12, 2014, given to customer-facing employees.

V. Approved Third Parties

FBME devotes considerable attention to ensuring that Approved Third Parties ("ATPs"), the third-party lawyers, accountants, or other professionals who introduce customers to FBME, are registered and regulated in their respective jurisdictions to guard against money laundering. The policies governing the engagement and monitoring of ATPs were detailed in our Comment. We described the due diligence that is conducted regarding ATPs.
That due diligence includes FBME's verification that the ATP is subject to mandatory professional registration in a jurisdiction that complies with EU or EU-equivalent AML/CTF measures, that the ATP's compliance with those measures is subject to supervision, and that sufficient documentation exists to substantiate the ATP's professional expertise and maintenance of an AML policy. As described below, FBME maintains ongoing account monitoring for all customers, including the ATPs themselves as well as customers referred by ATPs. Moreover, the MLCO reviews and approves every ATP engagement before it is undertaken.

5/ Assessment at FBME00000013.

To supplement our description, we attach the following documents:

• Form 213A — Customer Acceptance — Guidance for Intermediaries. This document, referred to in our Comment, describes the nature of the business sought by FBME and the type of clients, activities, and geographical locations that FBME does not permit.

VI. KYC

As described in further detail in our Comment, FBME conducts extensive KYC due diligence, both at the onboarding stage and on an ongoing basis. The KYC process has evolved since 2011, as FBME has continued to enhance its program and procedures. With regard to prospective corporate customers, the Bank requires that such customers complete several forms during the onboarding stage. These forms and the requisite supporting documentation are listed in

• Form 213 — Unacceptable Client Activities Declaration. Customers are required to confirm that they are not and will not become involved with any unacceptable business activities. Specifically, they agree not to engage in business with any unacceptable clients (e.g.
persons included on UN, EU, HMT, and OFAC sanctions lists or anonymous accounts), unacceptable activities (e.g. production or trade of weapons and military arms, gaming and gambling related business, adult entertainment, unlicensed trade of pharmaceutical products, or wholesale trade of telephones and/or electronic computer components), or unacceptable geographic locations.

• Form 213B — List of Unacceptable Business Activities. This list, provided to all corporate customers, outlines the unacceptable business activities described in the

With regard to prospective personal account customers, the Bank requires that such customers complete several forms during the onboarding stage. These forms and the requisite supporting documentation are listed in attached. For your reference, we also attach the following documents:

If the accountholder is a Politically Exposed Person, a

For all customers, the Bank performs several checks to verify the accuracy of the customer's information. The New Accounts Approval Unit ("Unit") performs internet-based research and uses World-Check and URU checks to verify the provided information. The Unit verifies the authenticity of the documents provided (passports, identification cards, reference letters, etc.) as well as the submitted incorporation information, the company's good standing status, and business licenses. The Unit carries out background checks on all individuals linked to the account, all remitters/beneficiaries the company works with, and affiliated companies. The Unit also returns to the customer, often on multiple occasions, with questions raised during the background research before an account is approved or declined.
As described in the Comment, the KYC Due Diligence Unit's seven employees are responsible for completing annual reviews of all high-risk customers as well as reviews of customers classified as normal risk every three years. For your reference, we attach the KYC Update Unit Internal Process document, which provides guidelines for these KYC due diligence updates, and the

The KYC Due Diligence Unit conducts an extensive check of each file when it is reviewed, including reviewing individual KYC, business profiles, and World-Check and URU checks. The guidelines further stipulate that should a client not respond within the legally prescribed deadline, the Bank places a "No Credit/No Debit" marker on the account, which indicates that no credits may be applied to and no withdrawals may be made from the account. Files are marked complete only upon receipt of all original/certified documents.

VII. Transaction Monitoring

For your reference, we attach the Manual (please see Section O.5.6) and the Compliance Monitoring Unit Internal Process Document. This document cites the various restricted entity lists screened by FBME's interdiction filter, HotScan, and describes the procedures used to monitor transactions via Mantas, FBME's software to evaluate past transactions and generate alerts based on certain activity; monitor dormant accounts and those blocked by Compliance; monitor card transactions; and review cash and check transactions. FBME has invested in upgrades to its HotScan and Mantas systems and additional World-Check software, as well as in human resources by increasing the number of Compliance staff and the number of trainings they attend locally and abroad.

VIII. Alert Investigation

FBME has in place an investigation process to address AML and sanctions issues, as described in our Comment.
EY recommended that FBME implement an electronic case management system to register alerts and track the progress of the related investigation, and automatically update the report when an investigation is closed. 6/ FBME plans to introduce this system by the end of 2014. For your reference, we attach the Compliance Monitoring Unit Internal Process Document, which explains the step-by-step procedure followed when alerts are triggered in HotScan or Mantas, or received from other Bank departments following suspicious account activity.

IX. Risk Assessments

This submission details the procedures and operations FBME has established to implement the requirements of its Compliance Program. These procedures, together with the planned enhancements described in this letter, the strength of FBME's existing Compliance Program, and the further enhancements to FBME's AML policies, organizational structure, and KYC requirements described in FBME's public Comment, demonstrate a firm commitment by FBME to further enhance its Compliance Program in accordance with industry best practices. FBME reaffirms its commitment to continue to cooperate with the U.S. Government, as well as the governments of Cyprus and Tanzania, in the fight against money laundering and other illicit activities. We look forward to working with FinCEN to resolve its concerns so that it may withdraw the Notice and NPRM as quickly as possible. We will continue to provide additional information to FinCEN about FBME's AML and sanctions Compliance Program. We thank you for your consideration of the foregoing, and we welcome your questions or comments at any time.

6/ Assessment at FBME00000018.

Sincerely,

Peter Spivack
Beth Peters
Evans Rice
Hogan Lovells US LLP
Counsel to FBME Bank Ltd.

cc: Mona Sahaf, FinCEN
FBME Bank Ltd.
Jeanne Archibald
Louise Lamb
Anthony Capobianco

EXHIBIT

Hogan Lovells US LLP
Columbia Square
555 Thirteenth Street, NW
Washington, DC 20004
T +1 202 637 5600
F +1 202 637 5910
www.hoganlovells.com

November 21, 2014

FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD.

BY ELECTRONIC FILE TRANSFER

Jennifer Shasky Calvery
Director
Financial Crimes Enforcement Network
U.S. Department of Treasury
P.O. Box 39
Vienna, VA 22183

Attention: Richard May, Director, FinCEN Office of Special Measures
Richard.May@fincen.gov

Re: Notice of Proposed Rulemaking — Financial Crimes Enforcement Network (FinCEN): Supplemental Information RIN 1506-AB27

Dear Director Shasky Calvery:

On behalf of our client, FBME Bank Ltd. ("FBME" or the "Bank"), and as discussed with you and Richard May, we want to reiterate our client's willingness and commitment to respond fully and address all concerns set forth in the Notice of Proposed Rulemaking (the "NPRM") and Notice of Finding (the "Notice") (together the "Notices"). The enclosed submission, Bates numbered FBME00000615 to FBME00000711, details the specific actions FBME has taken to enhance the Bank's anti-money laundering ("AML") and sanctions compliance program ("Compliance Program" or "Program") in response to recommendations by external auditors of the Bank — most recently the audits by KPMG in April 2013 and EY in September 2014. FBME takes seriously the observations and suggestions of third party auditors and recognizes that compliance is a continual, dynamic process. With this submission, FBME seeks to demonstrate to FinCEN its firm commitment to continued improvement of its Compliance Program. The Bank self-identified, prior to the issuance of the Notices, the need to improve its Compliance Program and both had taken, and was in the process of implementing, a number of steps to do so.
As the Department of the Treasury has noted, Section 311 special measures can spur rehabilitative conduct on behalf of the affected financial institution. The Bank wants to work closely with FinCEN to continue this process. Accordingly, we respectfully request that the Bank be given an opportunity to meet and discuss this information, and the EY transactional report that we will be submitting, with FinCEN and engage in the rehabilitation process. For these reasons, we continue to request that FinCEN withhold issuance of any final rule. 1/ We anticipate that you will have questions or want additional information based on the submissions to date, and we look forward to the opportunity to elucidate these issues further in a face-to-face meeting. As discussed on November 17, we plan to submit a Transaction Report by EY on their work to date shortly. Please let us know when you would like to meet in person regarding this matter.

I. Management Response to KPMG Audit

In March 2013, over a year prior to the issuance of the NPRM, FBME requested that KPMG review its Compliance Program.
The review consisted of documentation (including 68 customer files), walkthroughs and interviews. The scope of the review covered four main areas: risk management (AML/CTF risk analysis, risk response, risk monitoring, risk reporting); AML Organization (AML functions, internal policies and procedures, suspicious activity reporting, recordkeeping); Risk Mitigation for Customers and Transactions (KYC, periodic reviews, sanctions and PEP screening, transaction monitoring); and Quality Assurance (employee training, internal supervision, internal and external audit). Enclosed is a copy of the KPMG Audit Report (the "Audit Report"), issued in April 2013.

Overall, the Audit Report concluded that "FBME basically fulfills the requirements as set out by the Cyprus regulator and is in principle in compliance with EU standards." KPMG found that FBME employed AML-compliant procedures, including using standardized account opening forms, assigning risk ratings to customers, verifying customer and UBO information, and performing database searches on all customers. KPMG also identified areas where FBME could improve its Program, and FBME took these suggestions seriously. Enclosed is a document outlining the steps that FBME has taken in response to KPMG's recommendations. For example, after reviewing the Audit Report, FBME changed its risk assessment procedures, appointed an alternate MLCO, made amendments to its Manual of Policies and Procedures, upgraded its software, and implemented additional procedures to enhance its KYC process. The chart provides details about the specific actions taken.

1/ "In some instances, the entities of primary money laundering concern have rehabilitated their practices and implemented significant reforms to mitigate some of the risks and vulnerabilities identified as supporting the finding of primary money laundering concern. In such circumstances where the continuing risks to the U.S.
financial system appeared to be diminished, Treasury has decided not to pursue a final rule implementing special measures and notice has been given to rescind the regulatory proposal." U.S. Department of the Treasury, "Fact Sheet: Overview of Section 311 of the USA Patriot Act" (May 22, 2012), available at http://www.treasury.gov/press-center/pressreleases/Pages/tg1591.aspx

II. Management Response to EY Assessment

On September 23, 2014, Hogan Lovells submitted to FinCEN EY's Assessment of FBME Bank Ltd's Anti-Money Laundering (AML)/Sanctions Compliance Program (the "Assessment"). As noted in our earlier submission, EY observed in its Assessment that the Program "incorporates the requirements" of the EU's Third Money Laundering Directive (2005/60/EC) and the fourth issue of the Central Bank of Cyprus ("CBC") Directive to credit institutions in accordance with Article 59(4) of the Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2013, issued in December 2013. EY's Assessment further reported that FBME "has protocols in place that allow the Bank to continuously keep the Program aligned with these legal requirements." The Assessment covered critical elements of FBME's Program, including compliance policies and procedures, employee training, customer identification and due diligence, risk assessments, transaction monitoring / account surveillance, and alert investigations. EY documented FBME's efforts to improve its Program over the years, and recommended areas of improvement where FBME could further strengthen it.

The Bank has reviewed EY's observations and recommendations. The Bank has already taken steps to implement these recommendations, even in the current environment where it is under resolution by the CBC and the Special Administrator was put in place by the CBC to sell the Bank within three days of the Notices.
Enclosed is a document outlining each recommendation and detailing the actions FBME has taken in response to each recommendation. The document specifies the procedures that have been implemented, new IT or other upgrades that have been proposed, and timelines for completion. For example, in response to EY's observations, FBME instituted enhancements to its AML/sanctions employee training program and is updating its AML/CTF risk assessment to include a documented methodology for FY2014. With respect to its customer identification and due diligence procedures, FBME is implementing new forms to capture additional KYC information, enhanced documentation in customer files of what KYC research has been performed, and software adjustments to ensure centralized maintenance of the information collected. Although the Bank already uses industry-leading electronic screening solutions, FBME is making upgrades to its screening software and alert investigation systems. These and other actions are detailed in the chart attached.

This submission details the enhancements FBME has made, and continues to make, to its Compliance Program. These improvements to FBME's procedures, software, documentation, and other Program elements demonstrate FBME's continued dedication to operating in accordance not only with the legal requirements of its regulators, but also with industry best practices. FBME reaffirms its commitment to continue to cooperate with the U.S. Government, as well as the governments of Cyprus and Tanzania, in the fight against money laundering and other illicit activities. We look forward to working with FinCEN to resolve its concerns so that it may withdraw the Notice and NPRM. We thank you for your consideration of the foregoing, and we welcome your questions or comments and look forward to discussing further.
Sincerely,

Peter Spivack
Beth Peters
Evans Rice
Hogan Lovells US LLP
Counsel to FBME Bank Ltd.

cc: Mona Sahaf, FinCEN
FBME Bank Ltd.
Jeanne Archibald
Louise Lamb
Anthony Capobianco

EXHIBIT

KPMG
cutting through complexity

on the Effectiveness of Measures regarding Anti-Money Laundering and Counter-Terrorism Financing at FBME Bank Limited

April 2013

KPMG Limited
KPMG Building
14 Esperidon Street
1087 Nicosia
Cyprus
P.O. Box 21121
1502 Nicosia
Cyprus
Telephone +357 22209000
Telefax +357 22678200
Website www.kpmg.com.cy

Mr. F. Saab
FBME Bank Limited
Nicosia
Cyprus

13 May 2013

Dear Mr. Saab,

In accordance with our engagement letter dated 15 March 2013 we deliver herewith the outcome of our work with respect to the Anti-Money Laundering / Counter-terrorism financing audit of FBME Bank Limited ("FBME" or "the Bank"). The purpose of our work was to review and evaluate the extent to which the FBME's AML/CTF policies and practices are compliant with the Requirements under the Third EU AML Directive (Directive 2005/60/EC) and any Cyprus Law transposing this directive including, without limitation, the "Prevention and Suppression of Money Laundering Activities Law" (Law No 188(I)/2007) as amended from time to time and the relevant directives issued by the Central Bank of Cyprus (in particular the CBC AML directive). The relevant legal framework for our review also included the Regulation (EC) No 1781/2006 1/ as well as the CBC Internal Governance and Controls directive 2/. They are collectively referred to as "the Requirements."
In addition to the main objective of our review, which was to ascertain compliance with the Requirements, KPMG also considered whether the Bank's practices and processes are compatible with good industry practice followed by banks in other European countries, as this is interpreted by KPMG based on our experience with other institutions. The engagement services did not cover the processes and potential ML/TF risks associated with prepaid cards and credit cards which are provided by the Bank's subsidiary FBME Card Services Ltd (FBMECS), the FBME head office in Tanzania or any subsidiary, sister company or parent company of the Bank. They also do not cover forensic investigation on the Bank's AML processes and systems or transaction history. We note that, as disclosed within our engagement letter, and at the request of the Bank, KPMG Limited in Cyprus has engaged KPMG AG WPG Frankfurt to provide the services agreed within the scope of our engagement services to the Bank.

1/ "Regulation (EC) No 1781/2006 on information on the payer accompanying transfers of funds"
2/ "Directive on a Framework of Principles of Operation and Criteria of Assessment of Banks Organisational Structure, Internal Governance and Internal Control Systems" of 2006 (basis Directive) and the amending directives of 2009 to 2012, published by the Central Bank of Cyprus, Bank Supervision and Regulation department, in January 2012.

KPMG Limited is a private company limited by shares, registered in Cyprus under registration number HE 132822, with its registered office at 14 Esperidon Street, 1087 Nicosia, Cyprus.

KPMG AG WPG Frankfurt
April 2013

In accordance with our agreement and the request of the Bank, KPMG Limited (Cyprus) has commissioned KPMG in Germany to perform the review and prepare a report.
The full report with the findings of the AML/CTF Audit, as prepared by KPMG AG WPG Frankfurt, is made available to the Bank's Management in Annex I of this document. As agreed within our engagement letter, we consent to the bank sharing our report with regulators in Cyprus and Tanzania, however we bear no liability against any third party in relation to this report and any reliance they place on our report should be at thei own risk. We are delighted to have worked with you and your team in this engagement and we look forward to further cooperation in the future Sincerely Yours, Marios G Lazarou Board Member, KPMG Ltd, Financial Risk Management Department 2 a 2013 KPMG AG WPG Frankfurt. All rights roservad. FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD FBME00000617 Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 72 of 134 ICPMG KPMG AG WPG Frankfurt April 2013 Annex 1 on the Effectiveness of Measures regarding Anti-Money Laundering and Counter Terrorism Financing - at FBME Bank Limited ® 2013 KPMG AG WPG Frankfurt. AU rights roservsd. FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD FBME00000618 Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 73 of 134 r~tlrfA~l[1 KPMG AG WPG Frankfurtl April2013 Table of Contents introduction ........................................................................................................................................... 9 A. 1. Scope of our Review ............................................................................................................ 2. Limitations to our Review ................................................................................................................. 9 3. Fields of Review ............................................................................................................................. 11 B. Executive Summary ............... ............................................................................................................. 
C. Assessment of the Effectiveness of Measures regarding Anti-Money Laundering and Counter-terrorism Financing ... 15
   1. General Remarks ... 15
   2. AML/CTF Risk Analysis ... 16
   3. AML Function ... 18
   4. Internal Policies and Procedures
   5. Suspicious Activity Reporting Process
   6. Record Keeping
   7. Know Your Customer (KYC)
   8. Periodic Review of Customer Relationships ... 29
   9. Know Your Counterparty ... 30
   10. Sanctions Screening of Relationships ... 37
   11. PEP Screening ... 41
   12. Transaction Monitoring ... 43
   13. Payment Screening according to EU regulation 1781/2006 (FATF SR VII) ... 46
   14. Payment Filtering for Sanctions ... 47
   15. Employee Training and Internal Information Sharing ... 49
   16. Internal Supervision ... 51
   17. Internal Audit ... 53
   18. Sampling Inspection on Customer Files ... 54
D. Final Assessment ... 63

© 2013 KPMG AG WPG Frankfurt. All rights reserved.
FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD FBME00000619
Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 74 of 134

KPMG AG WPG Frankfurt, April 2013

Table of Abbreviations

AML: Anti-money Laundering
Art(s): Article(s)
ATP: Approved third party
BoD: Board of Directors
BoE: Bank of England
CBC: Central Bank of Cyprus
CDD: Customer due diligence
CED: Chief Executive Director
CIF: Customer Information File
CRM: Customer relationship management
CSU: Customer Service Unit
CTF: Counter-terrorism Financing
CU: Compliance Unit
DI: Directive
EC: European Commission
EEA: European Economic Area
EU: European Union
F/S: Financial statement
FAQ: Frequently Asked Questions
FATF: Financial Action Task Force on Money Laundering and Terrorist Financing
HMT: Her Majesty's Treasury
ISR: Internal Suspicion Report
KBI: Key Business Introducer
KYC: Know-your-customer
Ltd: limited
MI: Management information
ML: money laundering
MLCO: Money Laundering Compliance Officer
MOKAS: Unit for Combating Money Laundering of Cyprus
MoPP: Manual of Policies and Procedures
No: Number
OFAC: Office of Foreign Assets Control
para: paragraph
PEP: Politically exposed person
SAR: Suspicious Activity Report
SDN: Specially designated national
STP: Straight-through-processing
SWIFT: Society For Worldwide Interbank Financial Telecommunications
TF: terrorist financing
TM: transaction monitoring
UBO: Ultimate beneficial owner
WPG: Wirtschaftsprüfungsgesellschaft

A. Introduction

This report has been prepared by KPMG AG WPG Frankfurt for KPMG Limited in Cyprus in accordance with our Interoffice Agreement dated 14 March 2013.

1. Scope of our Review

For the purposes of preventing money laundering risk and terrorism financing, banks have to comply with the standards set out in the Third EU AML Directive (Directive 2005/60/EC) [3] and any Cyprus Law transposing this directive including, without limitation, the "Prevention and Suppression of Money Laundering Activities Law" (Law No 188(I)/2007) as amended from time to time and the relevant directives issued by the Central Bank of Cyprus (in particular the CBC AML directive) [4]. The relevant legal framework for our review also included the Regulation (EC) No 1781/2006 [5] as well as the CBC Internal Governance and Controls directive [6]. They are collectively referred to as "the Requirements".

KPMG Ltd. agreed to enter into an engagement with FBME Bank (Cyprus) Ltd (henceforth "FBME" or "the Bank") for the purpose of reviewing and evaluating the extent to which FBME's AML/CTF policies and practices are compliant with the Requirements. In addition to the main objective of our review, which was to ascertain compliance with the Requirements, KPMG also considered whether the Bank's practices and processes are compatible with good industry practice followed by banks in Cyprus and other European countries, as this is interpreted by KPMG based on our experience with other institutions. This report outlines the findings of our review and our key recommendations.

[3] "Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing".
[4] "Directive to banks in accordance with article 59(4) of The Prevention and Suppression of Money Laundering Activities Law of 2007", published by the Central Bank of Cyprus, Bank Supervision and Regulation department, in April 2008.
[5] "Regulation (EC) No 1781/2006 on information on the payer accompanying transfers of funds".
[6] "Directive on a Framework of Principles of Operation and Criteria of Assessment of Banks' Organisational Structure, Internal Governance and Internal Control Systems" of 2006 (basic Directive) and the amending directives of 2009 to 2012, published by the Central Bank of Cyprus, Bank Supervision and Regulation department, in January 2012.

2. Limitations to our Review

The scope of this engagement relates solely to the approaches followed for preventing money laundering and terrorism financing by the Cyprus Branch of FBME Bank Ltd. In this context, we have not reviewed the processes and potential ML/TF risks associated with prepaid cards and credit cards which are provided by the Bank's subsidiary FBME Card Services Ltd (FBMECS). The scope of our engagement did not cover the FBME head office in Tanzania or any subsidiary, sister company or parent company of the Bank.

In addition, as agreed in our engagement letter, any work in respect of any forensic investigation on the Bank's AML processes and systems or transaction history was out of scope. In particular, our work does not constitute an assessment of the extent to which suspicious and/or unusual activities/transactions may have passed through the Bank or any assessment of whether criminal funds have passed through the Bank.

The findings within this report rely solely on the information made available to us during our review by the Bank, through documentation, walkthroughs and interviews. Data extracts from the Bank's systems that were provided to us were assumed to be complete and accurate, and KPMG did not proceed to a full validation or verification.
Due to the Bank's high standard of data protection we were only provided with the full list of the Bank's customers with deposits exceeding EUR 50k, so that a full review of potential legacy risk in relation to existing customers could not be performed. Reportedly an extensive KYC remediation project was initiated in late 2009 in order to update KYC information and perform proper due diligence on all customer accounts onboarded pre-2009 in light of the new standards implemented by the CBC AML directive. Relationships with customers who were reluctant to provide updated KYC information or documentation were reportedly terminated. Together with the standard account closures, this led to a total of 1939 accounts being closed in 2010 and 2658 accounts in 2011. Many of these were dormant accounts. This KYC remediation project was imposed by the CBC. Those closed accounts were not subject to KPMG's review.

While we identified in the customer list provided to us a number of customers using a PO Box address or the ATP's address as correspondence address, we noted that the business address was specified in the cases under review. In principle, a PO Box or the ATP's address is insufficient according to standard AML procedures. We could not validate for all the PO Box and ATP correspondence addresses in the customer list whether the underlying KYC information complied with the requirements of the Third EU AML directive or the CBC AML directive respectively.

We do not intend to revise our work for subsequent updates to the Requirements, including updated regulatory interpretation, as part of this engagement. Our report has been prepared for the use of the Bank only and our liability is limited to the Bank. At the request of the Bank we concede that our report can be shared with regulatory authorities in Cyprus, Tanzania or other European countries upon notification to us. Any third parties that gain access to our report and wish to use it or rely on it should do so at their own risk. KPMG will bear no liability against those third parties.

3. Fields of Review

[Figure: Fields of Review. Panels: Responding to Risks (deriving appropriate mitigating measures); Risk Controlling (monitoring risks and mitigating measures); Risk Reporting (e.g. MLCO report to CED / BoD). Fields shown: AML/CTF Risk Analysis (Section 2); AML Function (Section 3); Internal Policies and Procedures (Section 4); Suspicious Activity Reporting Process (Section 5); Record Keeping (Section 6); Know Your Customer (KYC) (Section 7); Periodic Review of Customer Relations (Section 8); Know Your Counterparty (Section 9); Sanctions Screening of Relationships (Section 10); PEP Screening (Section 11); Transaction Monitoring (Section 12); Payment Screening according to 1781/2006 (Section 13); Payment Filtering for Sanctions (Section 14); Employee Training and Internal Information Sharing (Section 15); Internal Supervision (Section 16); Internal Audit (Section 17); Third-Party Review (Section 18).]

B. Executive Summary

1. Based on our audit work, we came to the overall conclusion that FBME basically fulfills the requirements as set out by the Cyprus regulator and is in principle in compliance with EU standards.

2. The Bank established an AML organization including written policies and procedures, which in principle is suitable to prevent ML/TF.

3. The existing older customer base, however, should be subject to a risk-based review, in order to ensure full AML compliance (e.g. KYC, source of funds/wealth, reliability checks of ATPs involved) in accordance with the present regulatory requirements.
The upcoming changes of the 4th EU Directive may be taken into consideration. It should be considered to integrate the UBOs into the core database, in order to make them subject to all (automated) regular prevention and mitigation measures that the customers are subject to.

4. Our key recommendations regarding points of high or medium significance per field of review are as follows:

a. Risk Management

• AML/CTF risk analysis: While the Bank addresses quite a number of ML/TF risk-related issues and the corresponding mitigation measures, we recommend rethinking the overall approach to develop a comprehensive AML/CTF risk analysis, in order to create an even stronger instrument for the development of efficient AML/CTF measures. For more information see Section 2.

b. AML/CTF Organisation

• AML Function: While the AML/CTF organization is run by an experienced MLCO, we recommend installing an Assistant MLCO who would formally be in a position to take over the responsibilities in case of absence of the MLCO. For more information see Section 3.
• Internal Policies and Procedures: Although the Bank's internal policies and procedures can be regarded as comprehensive, they should be amended or further granularized in respect of a couple of subjects. For more information see Section 4.
• Suspicious Activity Reporting Process: In view of the number of ISRs and SARs (approx. 40 cases), the Bank is capable of managing the reporting process without an IT-based case management system for the time being. For more information see Section 5.

c. Risk Mitigating Measures in relation to Customers & Transactions

• Know your Customer (KYC): The compliance with the KYC requirements could be further enhanced by integrating UBO information into the core banking system. While the business address is captured, the use of hold mail accounts and ATP-managed PO boxes should be reconsidered in order to avoid potential anonymisation. It should be ensured that where possible the source of funds is substantiated by proper documentation (e.g. F/S, business plans). For more information see Section 7.
• Know your Counterparty: We recommend ensuring that the assurance of the ATPs' reliability in their function as "reliable third party" is risk-based and further intensified. For more information see Section 9.
• Transaction Monitoring: The scenarios and typologies of the MANTAS transaction monitoring system should be derived from the AML/CTF risk analysis and reviewed on an annual basis in order to ensure an updated and bank-specific system. A back-up solution in view of system failures should be considered. For more information see Section 12.
• Payment Screening according to 1781/2006: Although the missing remittance information reportedly has always been identified, manual input of transactions may lead to errors with regard to EU regulation 1781/2006 and therefore automation should be considered. We understand that the Straight-Through-Processing planned to be introduced in June 2013 will include an automatic filter. The alternative rules and requirements should be specified in a more detailed manner. For more information see Section 13.
• Payment Filtering for Sanctions: The "Good guys list" or so-called "White List" should be subject to sanctions screening on a regular basis. The use of numerous Excel-based lists (e.g. for UBOs) may complicate the controlling and may lead to errors. The percentage applied for fuzzy logic (approximately 50 %) is well below industry standard and may generate a large number of alerts. This number of alerts, however, can only be handled due to substantial staffing of the Compliance department. For more information see Section 14.

d. Quality Assurance

• Internal Supervision: The overview of the Compliance Department's planned activities lists proper controls and reviews. Based on European benchmark practice, we recommend amending it with information regarding resource planning, time schedules, etc. For more information see Section 16.

5. As part of our audit work, we reviewed a sample of the Bank's customer files, comprising 68 customer files (33 individuals and 35 companies) and 2 bank files. Our key findings are that in general the Bank adheres to the requirements for:

• Maintaining a KYC file for each customer
• Using standardized account opening forms, requesting key information from the customer including source of wealth, expected turnover, etc.
• Identifying and verifying the customer and UBO and receiving relevant supporting documentation
• Assigning a risk rating to each customer and identifying cases for which simplified or enhanced due diligence is applied
• Performing database searches on all customers
• Using third parties for onboarding that are approved by the Bank and maintaining a file for each of the ATPs used

6. During our review we also observed certain areas in which the Bank's implementation of the directive can be further enhanced or adopted in a more conservative manner. Such areas include:

• The presentation of group information or ownership structure with regard to older customer files to ensure that the link between group entities is clear, in particular when group entities include a number of the Bank's customers; however, we understand that within the last two years the Bank has introduced a group structure form to cover these for new customers; furthermore, we note that the customer structures are grouped in the core banking system.
• Extent of investigation and documentation of the business profile of a) the customer and b) the UBO.
• Evidence and justification of expected turnover and due diligence on the customer's source of funds (e.g. F/S for corporate customers and salary slips for individual customers)
• Timing of customer updates and reviews, in particular for cases where the update of obtaining documentation has been pending for a long time

C. Assessment of the Effectiveness of Measures regarding Anti-Money Laundering and Counter-terrorism Financing

1. General Remarks

The following detailed report on the effectiveness of measures regarding Anti-Money Laundering (AML) and Counter-terrorism Financing (CTF) focuses on areas where we have identified necessities for improvement concerning organizational or procedural matters. These areas of improvement identified mainly result from a benchmark analysis against the AML/CTF standards set in comparable banks within the EU.

Each gap identified is classified in terms of significance on a three-part scale. The classification "high" (red) refers to substantial issues. A very important gap is regarded as "medium" (orange). The classification "low" (yellow) refers to important issues.

2. AML/CTF Risk Analysis

Regulatory Reference:
Art. 8 No 2 of DI 2005/60/EC
Section 61 Para 2 of Law No 188(I)/2007
Provisions 19 to 33 of the CBC AML Directive
Appendix 4 to the CBC Internal Governance and Controls directive on Basic Principles and Internal Control Procedures for the Management of Compliance Risk (paragraphs 15(2) and 28(5))

2.1 Performing a comprehensive AML/CTF risk analysis of the Bank's operations

Finding / Observation: In compliance with Appendix 4 to the CBC Internal Governance and Controls directive, the Bank monitors its main compliance risk indicators to identify potential increases in the Bank's compliance risk profile. The Bank's compliance risk indicators include i. a. the number of account applications rejected, MOKAS reports submitted, high risk accounts under monitoring as per the AML directive, or transactions rejected/declined by HotScan. In addition, the MLCO outlines the risks of the Bank's AML-related processes in the document "Management of Compliance risk" which is to be submitted to the CBC. The Bank's current AML/CTF risk analysis primarily focuses on the ML/TF risk emanating from the Bank's current processes. The MLCO's considerations in relation to the ML/TF risks emanating from the Bank's customers, products/services and geographical areas are not documented.

Possible Risk / Implication: A thorough understanding of the ML/TF risks underlying a bank's operation is key if a bank is to apply proportionate AML/CTF systems and controls. Disregarding this analysis tool, the Bank may risk not identifying, managing and mitigating all the Bank's potential ML/TF risks.

Recommendation: While the Bank addresses quite a number of ML/TF risk-related issues and the corresponding mitigation measures, we recommend rethinking the overall approach to develop a comprehensive AML/CTF risk analysis, in order to create an even stronger instrument for the development of efficient AML/CTF measures. By implementing this requirement as best industry practice in the Bank, it could demonstrate to the CBC its pioneering role in relation to AML/CTF. The AML/CTF risk analysis may consist of the following sections:

• Overview of the Bank's actual set-up in terms of customers, products, transactions and distribution channels
• Determination of risk and sub-risk indicators in relation to the AML/CTF risk analysis as well as the underlying risk scale
• Assessment of the Bank's ML/TF risks from customers, products and transactions
• Description of the Bank's current AML/CTF mitigation measures
• Assessment of the Bank's remaining AML/CTF risk profile and determination of further mitigating actions (gap analysis)

3. AML Function

Regulatory Reference:
Provisions 11 and 13 of the CBC AML Directive

3.1 Formally appointing an Assistant MLCO

Finding / Observation: The CBC AML directive states that where it is deemed necessary, banks may appoint an Assistant MLCO for the purpose of assisting the MLCO. The MLCO has internally appointed a deputy who, however, has not been formally appointed as Assistant MLCO and therefore has not been communicated to the CBC.

Possible Risk / Implication: The CBC may not have any point of contact for urgent matters in case the MLCO is absent.

Recommendation: While the AML/CTF organization is run by an experienced MLCO, we recommend installing an Assistant MLCO who would formally be in a position to take over the responsibilities in case of absence of the MLCO (e.g. illness, vacation).
The appointment of the Assistant MLCO is to be communicated to the CBC. It should be ensured that either the MLCO or her Assistant is available at any time during regular business hours. We understand that the Bank is aware of this issue and is in the process of recruiting an adequate Assistant MLCO. The Assistant MLCO should be granted the same rights to act on the MLCO's behalf and should report directly to the CEO as far as AML/CTF matters are concerned.

4. Internal Policies and Procedures

Regulatory Reference:
Art. 34 No 1, 20, 35 No 1 of DI 2005/60/EC
Section 58 of Law No 188(I)/2007
Provisions 1 to 9 of the CBC AML Directive

4.1 Developing a process document in relation to the AML investigation process (medium)

Finding / Observation: According to the Third EU AML directive, institutions should be required to establish adequate and appropriate policies and procedures of e.g. internal control, risk assessment, risk management and compliance management. We understand that there is no process document with regard to the AML investigation process in addition to the general description of the Mantas and HotScan framework as set out in the MoPP.

Possible Risk / Implication: There may be a regulatory risk in case of potential ML/TF cases not being duly investigated.

Recommendation: We recommend developing a more granular process document in relation to the AML investigation process, providing instructions for investigating HotScan / Mantas alerts and outlining the requirements with regard to the documentation of the outcome of the investigation and the underlying escalation process.

4.2 Amending the Bank's MoPP

Finding / Observation: According to the Third EU AML directive, institutions should be required to establish adequate and appropriate policies and procedures of e.g. reporting and communication. Section 0 "Compliance" of the Bank's current Manual of Policies and Procedures (MoPP) outlines the Bank's compliance framework as well as the standards for the prevention of ML and TF activities. The MoPP, however, does not explicitly define the:

• Bank's overall approach to AML/CTF training of staff;
• Process for internal reporting of ML/TF suspicions and reporting to MOKAS;
• Process for updating policies and procedures outlining the responsibilities of the various parties involved.

Possible Risk / Implication: There may be a regulatory risk in view of these processes not being clearly defined.

Recommendation: The Bank's MoPP should be amended or further granularized in respect of the subjects currently not being explicitly defined as required.

9. Know Your Counterparty

Regulatory Reference:
Art. 14ff of DI 2005/60/EC
Common Understanding between Member States on third country equivalence under the Anti-Money Laundering Directive (Directive 2005/60/EC), June 2012
Section 67 of Law No 188(I)/2007
Provisions 70 to 78 of the CBC AML directive

The Bank approaches potential customers through so-called "approved third parties" (ATPs) with whom the Bank maintains an ongoing close business relationship. The Bank relies on the ATPs' assessment of the certification of documents as well as the reference letter in relation to an introduced customer. Hence, ATPs are to be classified as reliable third parties as per the Third EU AML directive as well as Provisions 70 to 78 of the CBC AML Directive.
9.1 Applying a risk-based approach with respect to ATPs

Finding / Observation: The Transparency International Corruption Perceptions Index 2012 demonstrates that there are different levels of corruption risk perceived in relation to the countries where ATPs may be lawfully situated. E.g. Greece, Bulgaria, Italy, South Africa, Romania, Slovakia, Latvia and the Czech Republic have a Corruption Perceptions Index score below 50, indicating a serious corruption problem. The Bank's list of ATPs per country of registration exhibits that all ATPs are situated in EU/EEA countries or countries regarded as equivalent as per the "Common Understanding between Member States on third country equivalence" of June 2012. We noted, however, that the Bank does not differentiate between the various jurisdictions according to the ML risk perceived.

Possible Risk / Implication: By risk-rating its ATPs, the Bank can manage regulatory and reputational risk more efficiently in that enhanced due diligence and more regular monitoring are conducted in relation to ATPs categorized as high risk.

Recommendation: We recommend the Bank as best practice to introduce a more differentiated process with regard to ATPs, in order to mitigate potential risks (e.g. ML, corruption, drug dealing, etc.) from an ATP's country of residence or nationality.

9.2 Assessing the adequacy of an ATP's AML organization

Finding / Observation: The Bank relies upon third parties who are subject to mandatory professional registration and to AML/CTF supervision by the appropriate competent authority of their country of incorporation or of operation, as required by the CBC AML directive. Only since 2011 has the Bank requested evidence in the form of a written confirmation of the competent authority that proper (AML/CTF) supervision is being conducted prior to onboarding the ATP. Furthermore, the Bank has analyzed the relevant country's AML law and requested the ATP to complete a questionnaire enquiring on the AML/CTF framework being implemented. The Bank, however, has never taken its own controls to ensure the adequacy of the ATP's AML/CTF measures. In various FATF country reports on the observance of AML/CTF-related standards and codes, the FATF criticized the low standard of self-regulated bodies (e.g. bar associations) for supervising AML/CTF measures of registered parties.

Possible Risk / Implication: According to Section 67 para 1 of Law No 188(I)/2007 it is the banks that bear the ultimate responsibility for meeting the CDD requirements even though due diligence is conducted by a third party. Therefore, the Bank should gain assurance of the ATP's proper AML/CTF organization applying a risk-based approach. There is a regulatory and reputational risk.

Recommendation: We recommend the Bank to introduce a standardized process requiring the MLCO to perform a more comprehensive review of the AML/CTF organization of major ATPs and ATPs classified as "high-risk". Banks should not fully entrust the self-regulated bodies but perform separate reviews as to the standard of AML/CTF measures implemented by the ATP and the AML/CTF training provided to staff that is responsible for the identification and due diligence of potential customers. For other cases, the Bank should require the Business Development officers not only to manage the business relationship with the ATP but also to assure themselves of the ATP's implemented AML/CTF measures on site (in particular CDD, AML training) prior to entering into a business relationship with the ATP. For this purpose, Business Development officers should undergo tailor-made AML training. Furthermore, full comfort should be gained in relation to the ATP's company structure and the UBO behind it. In all cases, Compliance should request by default the ATP's AML/CTF policies and procedures so as to evaluate the adequacy of the AML/CTF standards in place. We suggest the Bank conduct a clean-up exercise on old ATPs to ensure that proper AML/CTF measures are in place.

9.3 Conducting periodic sanctions screening on ATPs

Finding / Observation: The Bank's Business Development team maintains a close relationship with each ATP and meets at the ATP's premises at least annually. During the ongoing business relationship Compliance closely monitors the ATPs on the basis of the quality of customers introduced and the occurrence of account closures, ISRs or SARs submitted to MOKAS. Furthermore, Compliance regularly reviews all ATP files so as to establish whether the third party's licence or certificate of registration is still valid. Yet only at onboarding has the Bank so far screened all related parties of an ATP against the World-Check database.

Possible Risk / Implication: The Bank may violate sanctions rules, resulting in a substantial regulatory and reputational risk.

Recommendation: We recommend introducing a standardized process to also screen ATPs quarterly against World-Check and in case there is a change to the OFAC / EU sanctions lists, as is required in relation to customers. This process should be proceduralized and the outcome of any investigation documented in the ATP file.

9.4 Ensuring periodic review of ATPs

Finding / Observation: Throughout the year the Business Development team maintains a close relationship with each ATP including at least annual meetings at the ATP's premises. During the ongoing business relationship Compliance closely monitors the ATP on the basis of the quality of customers introduced and the occurrence of account closures, ISRs or SARs submitted to MOKAS. Furthermore, a regular review is conducted by Compliance in conjunction with Business Development to identify whether an ATP still maintains a valid licence / certificate of registration as laid down in Section 67 of Law No 188(I)/2007. This review, however, is not documented.

Possible Risk / Implication: According to Section 67 para 1 of Law No 188(I)/2007 it is the banks that bear the ultimate responsibility for meeting the CDD requirements even though due diligence is conducted by a third party. Due to the potential regulatory and reputational risk with regard to ATPs, the Bank should conduct comprehensively documented periodic reviews of them.

Recommendation: We recommend the Bank as best practice to introduce a standardized process to regularly review the ATP files. During this review the Bank should ensure the:

• Validity of the licence / certificate of registration;
• Actuality of the ATP information;
• Completeness of documentation in the ATP file (e.g. contact report).

This review should be documented and the outcome filed. It should be noted that the Bank has taken immediate action to check the validity of the ATP's certificate / licence in those cases where it has not yet been evidenced. Our sampling inspection on 15 ATP files also revealed that:

• 3 ATP files require to be updated due to the "KBI profile" not capturing complete or consistent information on the ATP;
• for 9 ATPs it was not evidenced in the file that a meeting had taken place face-to-face at the ATP's premises prior to onboarding the ATP (contact report);
• in 4 cases it has not yet been evidenced whether the certificate of registration or practising licence respectively is up-to-date.

9.5 Ensuring enhanced due diligence in cases of non-face-to-face onboarding

Finding / Observation: Our sampling inspection on 15 ATP files revealed that in 2 cases the ATP indicated that he would accept third party certification of ID documents from EU-based banks, certain non-EU-based banks, regulated persons and/or additional non-certified ID documents (e.g. driver's licence) in relation to his customers. Such a case would require the Bank to conduct enhanced due diligence on the customer as per section 64 para 1 lit a of the Cypriot Law No 188(I)/2007 as well as provisions 114 to 117 of the CBC AML directive.

Possible Risk / Implication: There may be the risk of non-compliance with section 64 para 1 lit a of Law No 188(I)/2007 in case a customer has not been onboarded face-to-face.

Recommendation: We recommend adapting the (service level) agreement with the ATP so as to set out the obligation to meet any customer face-to-face.
Al right. rww.sd Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 104 of 134 KPMG AG WPG Frankfurt April2013 9.6 Assessing the ATP's AML policies and procedures Finding / Observation The Bank's MoPP requires the MLCO to evaluate the ATP's systems and procedures in relation to AMIJCTF. During our sampling inspection on 15 ATP files it came to our attention that 5 ATP's had no documented KYC policies and procedures. In 3 cases the ATP's maintained AML policies and procedures which yet have not been provided to the Bank. low Possible Risk / Implication Recommendation The inspection of the KYC policies and procedures should assist the MLCO in validating the ATP's statements in the Professional Intermediary Evaluation form so as to gain assurance of ATP's compliance with the Third EU AML directive. The absence of such documentation may lead to wrong or incorrect activities by the ATPs. We recommend the Bank to request the ATP's AML policies and procedures in place where they are available and to document the cases where these have not been provided due to confidentiality reasons. 36 64013 KPMG AG WPG F .nkh,rt. All dais. m—d. Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 105 of 134 KPMG AG WPG Frankfurt April 20) 3 10. Sanctions Screening of Relationships Regulatory References UN Resolution 1373 as 01 28 September 2001 EU regulations 258012001 and 881/2002 10.1 Clarifying non - exposure to North Korea Finding / Observation Our review of the customers country of operation revealed that as of 16 April 2013 the Bank has supposedly maintained a relationship with two customers (CIFs) with exposure 1 residence in the Democratic People's Republic of Korea (i.e. North Korea). The Bank proved that this was due to a coding mistake in FlexCube and that indeed South Korea was laid down as the customers' correspondence address. This issue indicates that the core banking system does not have the ability to screen the related field for sanctions. 
4Wdhto Possible Risk / Implication Recommendation The fact that an account marked as North Korean has not been closed or frozen indicates a gap in the account surveillance set-up. The Bank has taken immediate action to correct the country code accordingly. 37 02013KPMG AS WPI Frankfrt. M iaha raw Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 106 of 134 1(PMr KPMG AG WPG Frankfurt April 2013 10.2 Considering Guinea -Bissau as EU-sanctioned country Finding I Observation The comparison of the Bank's High Risk Approach Policy with the EU and OFAC sanctions lists showed that no adequate measure has been taken against the EU-sanctioned country Guinea-Bissau. MWINN Possible Risk/ Implication Recommendation The Bank may maintain business relationships to customers from Guinea-Bissau without being classified as high-risk due to its predominant sanction risk. We recommend the Bank to take immediate action by adding Guinea-Bissau to the list of countries under geography risk in the MoPP Compliance. It should be noted that the Bank has not maintained any relationships with customers from Guinea-Bissau (EU) as yet. Sanctioned individuals or organizations from Guinea-Bissau would have still been identified during screening against the World-Check database. Furthermore, this predominant sanction risk could be controlled by having the latest EU, BoE and OFAC SDN lists imported into the transaction filtering system HotScan as soon as they have been issued. 02013 KPMO As WPG Fna,t Aa Iphn$ rnW nA. Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 107 of 134 LC.PM(a KPMG AG WPG Frankfurt April 2013 10.3 Integrating UBO information into the core banking system (reference to seaxlon 7.1) Finding /Observation We teamed that due diligence information on UBOs has so far not been electronically stored in FlexCube to protect against loss of highly confidential data. 
Instead, the UBO's full name and CIF code was captured in a separate highly confidential Excel file which only authorized middle and senior management staff could access. In light of the new monthly reporting requirement of the CBC on the geographical location of customers' beneficial owners, the Bank has now included the information on the country of residence in FlexCube. sodium Possible Risk/ Implication Recommendation The use of an Excel-based tool for screening is prone to error, We recommend the Bank to further enhance the compliance with the KYC requirements by integrating UBO information into the core banking system. Compliance conducts Excel-based sanctions screening on the UBO name against the OFAC, HMT and EU sanctions lists as and when a change in the sanctions lists occur. 39 02013 MG AG WPG rrantlurt. AN 0gM...m Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 108 of 134 I,C,P.(ul.G KPMG AG WPG Frankfurt April2013 10.4 Acknowledging MI./IF rinks in relation to Tanzania being treated as regular risk country Finding/ Observation The comparison of the Bank's High Risk Approach Policy with the most current FATF list on high-risk countries (as of February 2013) showed that all countries are treated as highrisk according to the FATF's public statement except for Tanzania. This is due to the Bank's head office being located in the country of Tanzania. Putting Tanzania on the list of high•risk countries would require the Bank itself being assessed as high risk, low Possible Risk / Implication Recommendation Potential MLITF risks emanating from Tanzania may remain unnoticed leading to a regulatory and reputationai risk for the Bank. We recommend the Bank to consider potential MUFF risks posed by Tanzania and to introduce mitigating measures so as to manage these risks without classifying the country itself as high risk. Such measures may include e.g. a statement in the local MoPP not to onboard Tanzanian customers at the Bank (in Cyprus). 
It is noted that the Bank (in Cyprus) does not maintain relationships with Tanzanian customers. 40 02013 KPMG AG WPG Fankf 0 All dphu * nvnd. Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 109 of 134 KPMG AG WPG Frankfwr April2013 11. PEP Screening Regulatory Reference: Art 8 No Id of DI 2005l60IEC Section 64 pars l lit c (iv) of Law No I88(I)12007 Provisions 126 (iv) of the CBC AML directive 11.1 low Evaluating the functionality of World-Check Finding / Observation We learned that the Bank did not regularly validate the functionality of the World-Check database, e.g. by testing on an annual basis whether a known sanctioned name would generate an alarm in World-Check, Possible Risk! Implication Recommendation Deficiencies in the PEP screening functionality of World-Check may lead to PEP risk being undetected in relation to customer accounts, We recommend the Bank as a best industry validate the standard to regularly functionality of World-Check (e.g. search algorithm used). e 2413 KPMG AG MPG Frantlud. All righm —ved. Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 110 of 134 ~{p KPMG AG WPG Frankfurt April 2013 11.2 Considering a more frequent automated review for PEPS Finding / Observation We learned that due diligence information on UBOs has so far not been electronically stored in FlexCube to protect against loss of highly confidential data. Instead, the UBO's full name and CIF code was captured in a separate highly confidential Excel file which only authorized middle and senior management staff could access. In light of the new monthly reporting requirement of the CBC on the geographical location of customers beneficial owners, the Bank has now included the information on the country of residence in low Possible Risk I Implication Recommendation The AML risk with standalone databases is that new/emerging PEPs may not be detected in time. PEP screening on a quarterly basis is in principle in compliance with the regulatory requirement. 
However, we recommend the Bank as best practice to consider a more frequent automated review. FlexCube. For PEP screening purposes the UBO name in this highly confidential Excel list is screened against the World-Check database by IT every quarter. 42 G 3013 KPMG AG WPG FnnSun, As Saha nmrved. Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 111 of 134 KPMG AG WPG Frankfort April2013 12.Transaction Monitoring Regulatory Reference; Art 8 No id of DI 2005/60/EC Section 61 pars I lit d of Law No 188(1)/2007 Provisions 143 to 149 of the CBC AML directive 12.1 Regularly reviewing scenarios and typologies of MANTAS transaction monitoring Finding I Observation The provisions 145 and 149 of the CBC AML directive require banks to introduce automated systems for the monitoring of transactions, whose effective operation will be based on the creation of statistical models of customers' transactions and will be managed by setting certain threshold limits and further indicators, ■adios Possible Risk / Implication Recommendation A full review of scenarios and the underlying parameters should ensure that they fit to the Bank's current MLrfF risk profile. There is a regulatory and reputational risk, We recommend deriving the scenarios and typologies of the MANTAS transaction monitoring system from the AMUCTF risk analysis and reviewing them on an annual basis in order to ensure an updated and bank-specific system. Once a year the MLCO takes a closer look at the set of rules (threshold limits) underlying the MANTAS transaction monitoring (TM) solution. This review, however, does not include a critical evaluation of the scenarios themselves. The change history is tracked by MANTAS. m 2013 KPMG AG wvG Fnnrlurt. All rirhlr reeelved. 
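The set-up that finding 12.1 describes, scenarios driven by threshold limits that an annual review can inspect and compare, looks in code roughly like the following. This is an added example written for this edit, not MANTAS code or the Bank's configuration: the three scenario functions (named after entries in the Bank's scenario list in 12.2, with simplified meanings), their parameter values and the sample transactions are constructed assumptions. Alerts are grouped per customer, the investigation approach acknowledged in 12.3.

```python
"""Rule-based transaction monitoring with scenarios held as reviewable data.

Added example, not MANTAS code or the Bank's configuration: the scenario
logic, the parameter values and the sample transactions are all constructed
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: float              # > 0: credit to the account, < 0: debit
    counterparty_country: str  # ISO 3166 alpha-2 code of the other side


@dataclass(frozen=True)
class Alert:
    scenario: str
    customer: str
    detail: str


# Threshold limits and other indicators live in one dict so that an annual
# review can diff the parameter set against the previous version.
PARAMS = {
    "large_reportable_transaction": {"threshold": 10_000.0},
    "rapid_movement_of_funds": {"window_days": 3, "min_in": 20_000.0,
                                "out_ratio": 0.8},
    "high_risk_counterparty": {"countries": {"KP", "IR"}},
}


def large_reportable_transaction(txns, p):
    """Any single credit or debit at or above the reporting threshold."""
    return [Alert("large_reportable_transaction", t.customer,
                  f"{t.day} amount {t.amount:.2f}")
            for t in txns if abs(t.amount) >= p["threshold"]]


def rapid_movement_of_funds(txns, p):
    """A large credit followed by debits of most of that amount within a
    short window (a simplified reading of the scenario name)."""
    alerts = []
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer].append(t)
    for customer, ts in by_customer.items():
        ts.sort(key=lambda t: t.day)
        for i, t in enumerate(ts):
            if t.amount < p["min_in"]:
                continue
            end = t.day + timedelta(days=p["window_days"])
            out = -sum(u.amount for u in ts[i + 1:]
                       if u.amount < 0 and u.day <= end)
            if out >= p["out_ratio"] * t.amount:
                alerts.append(Alert("rapid_movement_of_funds", customer,
                                    f"in {t.amount:.2f} on {t.day}, "
                                    f"out {out:.2f} by {end}"))
    return alerts


def high_risk_counterparty(txns, p):
    """Transactions with a counterparty in a listed high-risk jurisdiction."""
    return [Alert("high_risk_counterparty", t.customer,
                  f"{t.day} counterparty in {t.counterparty_country}")
            for t in txns if t.counterparty_country in p["countries"]]


SCENARIOS = {
    "large_reportable_transaction": large_reportable_transaction,
    "rapid_movement_of_funds": rapid_movement_of_funds,
    "high_risk_counterparty": high_risk_counterparty,
}


def run_scenarios(txns, params=PARAMS):
    """Run every scenario and group the alerts per customer, so an analyst
    sees the customer's full activity rather than one isolated hit."""
    grouped = defaultdict(list)
    for name, scenario in SCENARIOS.items():
        for a in scenario(txns, params[name]):
            grouped[a.customer].append(a)
    return dict(grouped)


def alert_counts(txns, params=PARAMS):
    """Alerts per scenario: the figure to watch when tuning a threshold."""
    return {name: len(scenario(txns, params[name]))
            for name, scenario in SCENARIOS.items()}


# Constructed sample activity (fictitious customers, March 2013).
SAMPLE_TXNS = [
    Txn("C1", date(2013, 3, 1), 25_000.0, "DE"),
    Txn("C1", date(2013, 3, 2), -12_000.0, "GB"),
    Txn("C1", date(2013, 3, 3), -9_000.0, "GB"),
    Txn("C2", date(2013, 3, 5), 3_000.0, "KP"),
    Txn("C2", date(2013, 3, 6), -500.0, "CY"),
    Txn("C3", date(2013, 3, 1), 50_000.0, "CY"),
    Txn("C3", date(2013, 3, 20), -45_000.0, "CY"),
]

if __name__ == "__main__":
    for customer, alerts in run_scenarios(SAMPLE_TXNS).items():
        print(customer, [(a.scenario, a.detail) for a in alerts])
    print(alert_counts(SAMPLE_TXNS))
```

Keeping the parameters separate from the scenario code is what makes the annual review the finding asks for concrete: re-running alert_counts with a candidate parameter set (for example a higher reporting threshold) shows directly how many alerts each change adds or removes, and the diff of PARAMS is the change history to file.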
12.2 Reviewing the number of scenarios for MANTAS transaction monitoring

Finding / Observation: Provision 149 of the CBC AML directive requires banks to introduce automated monitoring systems that detect unusual or suspicious activities or types of transactions by setting limits for a particular type or category of accounts (e.g. high-risk accounts) or transactions (e.g. deposits and withdrawals in cash, incoming/outgoing transfers made over a prescribed limit), taking into account the customer's business profile, the country of his origin, the source of funds, the type of transaction or other risk factors. At present MANTAS transaction monitoring is based on six different scenarios: funds transfers between customers and external entities, focal high risk entity, high risk counterparty, rapid movement of funds, large depreciation of account value and large reportable transaction. Banks of a comparable size have introduced an additional set of scenarios to cover potential ML/TF risks emanating from all the Bank's activities as determined in the AML/CTF risk analysis.

Possible Risk / Implication: Focusing on a small set of scenarios may limit the effectiveness of the monitoring of transactions.

Recommendation: We recommend the Bank as a best practice to review the number of scenarios for MANTAS transaction monitoring. Further scenarios may be added and linked to the potential ML/TF risks identified in the AML/CTF risk analysis.

12.3 Intensifying the investigation of MANTAS transaction monitoring alerts
Rating: medium

Finding / Observation: MANTAS has produced a significant number of false alerts from June 2012 through March 2013 leading to an unmanageable number of weekly duplicate alerts (in total ca. 3000 alerts/week). This substantial number of false alerts was reportedly caused by technical problems. The Compliance department mitigated this gap by using certain functions of HotScan and investigated alerts of MANTAS not being classified as duplicates. This issue could only be completely fixed during the first quarter of 2013. Since then 28 alerts have been investigated in relation to 11 different customers. We acknowledge the approach that currently MANTAS transaction monitoring alerts are being investigated not only per single transaction but per customer (including the full set of transactions being executed, business profile and source of funds).

Possible Risk / Implication: Due to the technical problems the Bank faced in 2012, there may be transactions which fell outside the regular pattern of an account's activity, complex or unusual transactions or transactions without obvious economic purpose or clear legitimate reason that were not investigated by Compliance and not reported to MOKAS.

Recommendation: Whilst we understand that the Compliance department has mitigated this gap by using certain functions of HotScan and investigated alerts of MANTAS not being classified as duplicates, we recommend intensifying the investigation of MANTAS transaction monitoring alerts, in order to mitigate any legacy risk resulting from the non-utilization of MANTAS for such an extensive time period. Furthermore, a back-up solution in view of system failures should be considered.

13. Payment Screening according to EU regulation 1781/2006 (FATF SR VII)

Regulatory Reference: EU regulation 1781/2006

13.1 Implementing an automated transaction processing system
Rating: medium

Finding / Observation: On average the Bank manually processes 400-500 inward SWIFT payments each day. Within the period January 2012 to March 2013, 35 payments have been received with missing remittance information, of which 11 payments have been returned due to the information not having been provided as requested.

Possible Risk / Implication: Manual input may inevitably give rise to the possibility of error.

Recommendation: Although the missing remittance information reportedly has always been identified, manual input of transactions may lead to errors with regard to EU regulation 1781/2006 and therefore automatization should be considered. We understand that the Straight-Through-Processing planned to be introduced in June 2013 will include an automatic filter. The alternative rules and requirements should be specified in a more detailed manner (e.g. frequency of insufficient remitting information until the sending bank will be placed on the blacklist).

14. Payment Filtering for Sanctions

Regulatory Reference: UN Resolution 1373 as of 28 September 2001; EU regulations 2580/2001 and 881/2002

14.1 Regularly screening "Good guys list" for sanctions

Finding / Observation: Partial matches in relation to customers and their counterparties can be added to the so-called "Good guys list". In this case, the match will not pop up again as an alert provided that there has not been any change in the sanctions lists referring to this exact name. We learned that this "Good guys list" is not screened against sanctions by default. The Bank assumes that the transaction filtering application HotScan would give priority to the newer sanctions list in case the good guy's name is added to a sanctions list and would overrule the exemption.

Possible Risk / Implication: The Bank may violate sanctions rules resulting in a substantial regulatory and reputational risk.

Recommendation: We recommend the Bank to screen the "Good guys list" for sanctions on a regular basis.

14.2 A large number of HotScan alerts being generated due to the percentage applied for fuzzy logic
Rating: low

Finding / Observation: On average the Bank daily processes 500-600 outward SWIFT payments and 400-500 inward SWIFT payments. Transactions are manually processed by Operations. Furthermore, transactions are filtered against several sanctions lists and internal lists via HotScan. In January 2013 the percentage of alerts in HotScan to be reviewed by Compliance amounted to 99% of the total number of transactions executed each day; in February 2013 the percentage of alerts in HotScan amounted to 92%. This high percentage of alerts may on the one hand be the result of inadequate parameters used for screening via HotScan (e.g. fuzzy logic of less than 80 %). On the other hand, this could be explained by the integration of a number of additional internal lists (e.g. high-risk accounts list, high-risk jurisdiction list, no debit / no credit accounts list).

Possible Risk / Implication: The high percentage of alerts in HotScan may lead to a backlog in the investigation and faulty evaluations. In addition, it may have an impact on MANTAS generated hits as the filtering is given priority compared to the investigation of alerts from transaction monitoring.

Recommendation: The percentage applied for fuzzy logic (approximately SO %) is well below industry standard and may generate a large number of alerts. This number of alerts, however, can be handled due to the substantial staffing of the Compliance department.
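Findings 11.1, 14.1 and 14.2 describe three properties of a name-screening set-up: a name known to be listed must raise an alert (the control test in 11.1), the fuzzy-match threshold drives the alert rate (14.2), and a "Good guys list" exemption must not outlive a change to the sanctions list (14.1). The following is an added example written for this edit, not HotScan, World-Check or the Bank's own code; the similarity measure (a normalised edit-distance ratio), the two thresholds, the idea of tying an exemption to a content hash of the sanctions list, and every name in it are constructed assumptions.

```python
"""Sanctions name screening: fuzzy threshold, whitelist re-screening, self-test.

Added example; not HotScan or World-Check code. The similarity measure
(normalised Levenshtein ratio), the thresholds, the version-hash exemption
scheme and all sample names are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
import hashlib


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Fuzzy score in 0..1; 1.0 is an exact match after case/space folding."""
    a, b = " ".join(a.upper().split()), " ".join(b.upper().split())
    longest = max(len(a), len(b)) or 1
    return 1.0 - levenshtein(a, b) / longest


@dataclass
class SanctionsList:
    names: list

    def version(self) -> str:
        """Content hash: any addition or removal changes the version."""
        joined = "\n".join(sorted(self.names)).encode()
        return hashlib.sha256(joined).hexdigest()[:16]


@dataclass
class Screener:
    sanctions: SanctionsList
    threshold: float                 # fuzzy cut-off applied to similarity()
    # "Good guys list": party name -> version of the list it was cleared against
    good_guys: dict = field(default_factory=dict)

    def matches(self, party: str) -> list:
        """All listed names scoring at or above the threshold."""
        scored = [(n, similarity(party, n)) for n in self.sanctions.names]
        return [(n, s) for n, s in scored if s >= self.threshold]

    def exempt(self, party: str) -> None:
        """Analyst cleared a partial match; the exemption is bound to the
        version of the sanctions list that was in force at the time."""
        self.good_guys[party] = self.sanctions.version()

    def screen(self, party: str) -> list:
        """Alerting matches; an exemption suppresses them only while the
        sanctions list is unchanged since the exemption was granted."""
        if self.good_guys.get(party) == self.sanctions.version():
            return []
        return self.matches(party)

    def rescreen_good_guys(self) -> dict:
        """Periodic re-screen of the whitelist: drop every exemption granted
        against an older list version and return those that now match."""
        current = self.sanctions.version()
        stale = [p for p, v in self.good_guys.items() if v != current]
        hits = {}
        for p in stale:
            del self.good_guys[p]
            m = self.matches(p)
            if m:
                hits[p] = m
        return hits

    def alert_rate(self, parties: list) -> float:
        """Share of parties that raise at least one alert at this threshold."""
        return sum(1 for p in parties if self.screen(p)) / len(parties)

    def self_test(self, known_listed_name: str) -> bool:
        """Control test: a name known to be on the list must produce a hit."""
        return bool(self.matches(known_listed_name))


# Constructed sample data (fictitious names, not from any real list).
LISTED = SanctionsList(["IVAN PETROV", "ACME TRADING LLC", "JOHN SMITH"])
PAYMENT_PARTIES = ["Ivan Petrov", "Ivan Petrova", "Acme Trading Ltd",
                   "Jane Doe", "Global Widgets SA", "Johan Smit"]

if __name__ == "__main__":
    for cutoff in (0.70, 0.90):
        print(cutoff, Screener(LISTED, cutoff).alert_rate(PAYMENT_PARTIES))
    s = Screener(SanctionsList(list(LISTED.names)), 0.70)
    s.exempt("Acme Trading Ltd")              # partial match cleared
    print("while list unchanged:", s.screen("Acme Trading Ltd"))
    s.sanctions.names.append("GLOBAL WIDGETS SA")   # list update arrives
    print("after list change:", s.rescreen_good_guys())
    print("self-test:", s.self_test("IVAN PETROV"))
```

Binding an exemption to the list version, rather than relying on the filter to give the newer list priority, means that any list change forces a re-screen of every cleared name, which is the regular "Good guys list" screening that 14.1 recommends; alert_rate at the two cut-offs shows why the fuzzy percentage in 14.2 matters, and self_test is the kind of known-name check 11.1 asks for.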
15. Employee Training and Internal Information Sharing

Regulatory Reference: Art 35 No 1 of DI 2005/60/EC; Section 58 (f) and (g) of Law No 188(I)/2007; Provisions 13 (xx) and 18 (xi) as well as 194ff of the CBC AML Directive

15.1 Documenting informal information sharing measures
Rating: low

Finding / Observation: According to Provision 13 (xx) of the CBC AML Directive the MLCO has to prepare and apply an annual staff training program on which the MLCO has to report as part of the MLCO's Annual Report. Nevertheless, Provision 196 of the same Directive stipulates that the frequency of training can vary depending on the amendments of legal and/or regulatory requirements and staff duties. The last AML staff training was conducted as a web-based training in January 2012 with respect to the financial year 2011. The recurrent AML/Compliance training 2012 has so far not been scheduled. It is planned to conduct a tailor-made AML/CTF training for the Bank's various departments. According to the MLCO, AML training is usually conducted every two years provided there have not been any changes to the AML framework during the year. Furthermore, joiners are

Possible Risk / Implication: Possible non-compliance with Provision 13 (xx) of the CBC AML Directive regarding the annual reporting requirement.

Recommendation: In view of the fact that formal annual AML training was replaced in 2012 to a certain degree by informal ways of information sharing, we recommend documenting those information sharing measures.

FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD FBME00000664

16. Internal Supervision

Regulatory Reference: Appendix 4 to the CBC Internal Governance and Controls directive on Basic Principles and Internal Control Procedures for the Management of Compliance Risk (paragraphs 15(2) and 28(5))

16.1 Developing an AML Control Plan
Rating: medium

Finding / Observation: According to App. 4 to the CBC Internal Governance and Controls directive the head of the Compliance Unit (CU) is responsible for the preparation of an annual Compliance Programme outlining the CU's planned activities. The current Compliance Programme provides a generic overview of the AML/CTF-related control activities as well as one specific AML Compliance review (i.e. quarterly review of a representative sample of new accounts). The Compliance Programme, however, does not outline all reviews currently performed within the Compliance department, e.g. the quarterly review on account turnover for a sample among all customer accounts.

Possible Risk / Implication: An annual AML Control Plan may support the MLCO with planning the major supervisory measures to be conducted by Compliance (in accordance with the AML/CTF risk analysis) and with ensuring adequate resourcing. There is a regulatory and reputational risk.

Recommendation: We recommend the Bank as a European benchmark practice to amend the overview of "Compliance Department's planned activities" with more detailed information (e.g. resource planning, time schedules). This AML Control Plan should list all reviews as conducted by the Compliance department.

16.2 Backlog in respect to New Account Compliance review finally been cleared
Rating: low

Finding / Observation: During the year 2012, there has been a great backlog in relation to the 10% sample review of new accounts for inadequate documentation or incomplete records due to shortage of staff. This issue has been reported in the quarterly self-audit by the Compliance Unit on KYC procedure adherence as well as in the Management Review of Compliance Risks. Appropriate corrective measures have been set in liaison with the Audit Unit. The review for 2012 has finally been completed in March 2013. In April 2013 the Compliance Unit has already started with the Quarter 1 review of new accounts.

Possible Risk / Implication: This backlog may result in regulatory risk due to potentially incorrect assessment of New Account documentation and information not being uncovered in time.

Recommendation: We recommend the Bank to ensure additional resourcing facilitating the Compliance department to perform adequate supervisory measures.

17. Internal Audit

Regulatory Reference: Internal Audit Report on Compliance / AML effectiveness review as of 21/2/2013 and 24/2/2012.

No findings / observations made.

18. Sampling Inspection on Customer Files

Scope: For a sample of 70 customer files, we have reviewed the implementation of the procedures established by the bank with respect to the requirements of the AML/CTF Directive for customer due diligence. Our findings are based on the information provided by the bank in relation to the customers within our sample. Our conclusions do not take into account any additional information that may be held by the bank which has not been made available to us during our review. As per our agreed scope, our review did not include any extensive testing of the transactions of the customers in the sample and, hence, our findings do not extend to this area. We note, however, that in a few instances our work included some isolated review of customer transactions in order to better understand the customer's profile.

Sample composition: Our sample was selected at random out of the customer lists provided by the bank for "High Risk" customers and for "New Customers". As we did not have access to the full list of the bank's customers, our sample is not representative of the entire customer base of the bank. Moreover there might exist categories and types of clients that have not been captured within our sample. Overall we reviewed 70 files, 68 of which were customer files and 2 were bank files. Appendix 1 contains comments for each file that has been reviewed. The composition of our sample is depicted graphically in the charts below:

[Charts: "Sample breakdown by risk category" (High risk / Medium risk / New, in percent); "Sample breakdown by ageing profile" (New / Old, in percent); "Sample breakdown by risk category and counterparty type" (Individual / Companies, for High risk / Normal risk / New accounts); "Sample breakdown by ageing profile and counterparty type" (Individual / Companies, for New accounts / Old accounts). Values not recoverable from the filing.]

Findings and Recommendations

Regulatory Reference: Provisions 1 to 9, 24, 48 to 52, 70 to 78, 126 (iv), 131, 105 (ii), 143 to 149 of the CBC AML Directive

Review of Customer Files: The key findings from our review of the customer files are summarized below, by order of significance.

18.1 Complex or unclear group structure (reference to section 7.5)
Provisions 67, 68, 101 of the CBC AML Directive

Finding / Observation: During the file inspection we observed that 9 out of 68 files have group structures of increased complexity like trust or foundation structures (5 out of 68 files), bearer shares (2 out of 68 files), and nominee structures (2 out of 68 files). These customers are correctly assessed as high risk. We observed 2 out of 68 specific cases in our inspection, which belong to the same group, and were part of a franchisee system, in which a number of different franchisees lie under a franchisor, that lies in turn under another legal entity. We understand that this is the only group case of a franchisee system. In those cases we observed that due diligence procedures were carried out up to the level of the principal franchisor, i.e. the entity that the bank considers to be the controlling entity, based on the information available to it. However, it is not directly evident from the file why the due diligence procedures did not cover the ultimate legal entity.

Possible Risk / Implication: Complex group structures may lead to lower levels of comfort and reliance compared to more transparent company structures, as they may be used to conceal information about the UBO's activities or origin of wealth. Especially in the case of the franchisees, the structure creates difficulty in identifying the UBO.

Recommendation: We recommend that enhanced due diligence procedures are performed with respect to complex group structures in order to make sure that proper comfort and understanding is gained with respect to their structure and beneficial ownership, the business profile and purpose of their activities, as well as the source of their income. Especially with complex company structures, all necessary measures should be taken to ensure that the identity, activities and source of income of the UBO are properly reviewed and documented.

18.2 Establishing the business/economic profile of customer and UBO (reference to section 7.3)
Provisions 1 to 9, 105 (ii) of the CBC AML Directive

Finding / Observation: In 21 out of 68 cases within our inspection sample it was perceived that the investigation of the business profile and operations of the customer was not adequate to gain a complete understanding of the customer's activities and business rationale. This became more apparent for customers whose activities come under a generic description, i.e. consultancy services (4 files out of 68), or use multiple addresses (registration vs. business vs. correspondence address) in different countries (3 files out of 68), or have nominee shareholders based in multiple countries, making it difficult to establish the exact nature of their business activities. It was noted that the bank investigates and files more information regarding the business profile and operations of the customer in respect of new accounts.

Possible Risk / Implication: Customers with these characteristics are often associated with lower levels of transparency with respect to the source of their income, due to the fact that it is more difficult to obtain satisfactory evidence to verify the exact nature of the services they provide.

Recommendation: To mitigate this risk, we advise the Bank to apply thorough investigations consistently for all customers, in order to gain a solid understanding of the business of the customer and clarify the services it offers and the source of its income. This is required more for the old customer files, as it was identified that new account files include a more thorough investigation in respect of the customer's business profile. Such understanding could be obtained through the financial statements of the customer, the business plan in cases where the customer is a newly started business, or any other evidence confirming the source and size of wealth of the customer. In addition, all checks performed should be properly documented in the customer's file.

18.3 Monitoring of accounts with PEPs
Rating: medium
Provisions 24, 126 (iv), 131 of the CBC AML Directive

Finding / Observation: For one specific case of a PEP within our sample we noted a transaction and/or affiliations with other parties which were not perceived to be very transparent and as a result raised suspicions. The suspicions related to questions with respect to the actual purpose of the transaction and the existence of conflicts of interest in certain business relationships. Nevertheless, no evidence of a more enhanced due diligence review was observed to exist in the file, addressing the specific issues that caused our suspicions. The bank has proceeded to collect information on the customer and his relationships as part of the enhanced due diligence; however, further investigation might have been warranted in this case.

Possible Risk / Implication: In relation to PEPs there is an increased risk of failing to detect an illegal activity due to the fact that relationships or transactions may be presented under an apparently legitimate spectrum, making it difficult to check their validity or even suspect the existence of unlawful practices.

Recommendation: In performing the enhanced due diligence reviews applicable to PEPs, the Bank is advised to place great emphasis on the parties with which PEPs have business relationships and the transactions they perform, placing extra care on understanding the purpose of the transaction and the role of the two parties in it. The review of the PEP's relationships should take into account the possibility of the relationship creating incentives for unlawful behavior (e.g. bribes) and should provide for escalation if the information gathered is not satisfactory.

18.4 Proof of income for individuals (reference to section 7.3)
Rating: medium
Provisions 1 to 9 of the CBC AML Directive

Finding / Observation: During the course of our review we identified 18 out of 68 files where the source of funds in the customer's account was declared to be salary income (for individuals); the Bank relied on the gross annual salary amount stated on the customer's application form and did not obtain supporting evidence to verify the accuracy of this amount, or its consistency with the annual account turnover declared by the customer.

Possible Risk / Implication: In the absence of evidence verifying the customer's salary, there is a risk of the Bank failing to detect cases where the incoming or outgoing funds exceed the salary by a significant amount, in which case a further investigation would need to be carried out to clarify the source of the funds and whether such transactions are in line with the business profile of the customer. This risk is increased in the case of high risk customers.

Recommendation: The Bank should consider incorporating a procedure to obtain supporting evidence for the salary being stated in the account application form and to ensure that this is in line with the anticipated annual account turnover, at the account opening stage.

18.5 Verification of expected turnover for new customers
Rating: medium
Provisions 1 to 9 of the CBC AML Directive

Finding / Observation: It was noted that for 8 files out of 68 no specific tests were documented to evidence the verification of the anticipated account turnover stated in application forms. In addition, there were 6 files out of 68 with a significant discrepancy between the anticipated and the actual account turnover (annual), which is reviewed quarterly.
We investigated the review process for 2 situations where we identified that the evidence and reasoning on the documentation does not sufficiently explain the rationale for the change in turnover, Possible Risk/Implication There is a risk of failing to capture a potential inconsistency between the source of funds and the nature of the customer's activities on the one hand, and the anticipated account turnover on the other. Such inconsistency would require further investigation for the Bank to get the comfort that no suspicions exist with regards to the specific customer. We noted that the bank's standard of documentation kept in file is higher for new files compare to old ones (from 2 years ago). Recommendation We advise the Bank to document or reference in customer files the due diligence tests carried out with the purpose of verifying the consistency of the anticipated annual account turnover and the source of funds and purpose of opening the account. Satisfactory documentation could be, in the case of legal entities, the financial statements or management accounts of the customer if they are available, projected cash flows and a detailed description of the entity's activities and operations or business plan in the cases of newly start up legal entities. We acknowledge that gathering additional information may not be appropriate for all customer and we urge the bank to consider balanced and implementing a proportionate approach under which additional information is obtained on a risk basis. 60 02013 KPMG AG WPC Frankhrl. All A9SU -ea Case 1:15-cv-01270-CRC Document 34-1 Filed 09/01/15 Page 129 of 134 !CP KPMG AG WPG Frankfurt April2013 18.6 Customer due diligence documentation (reference to section 16.2) low Provisions 48 to 52 ofthe CBCAML Directive Finding ! 
Observation Follow-up of outdated due diligence documentation During our inspection of a sample of customer files we observed that in 6 files out of 68 there was insufficient follow up for receiving expired customer due diligence documentation (such as passports of beneficial owners). In 2 of the 6 cases, although the updated documents were received, they were not placed in the customer file. Possible Risk 1 Implication Outdated documentation may provide misleading information on the current status of customers if it changes. The bank may fail to capture a material change in the customer's status Recommendation The Bank could incorporate stringent controls so as to make sure that important documents that are outdated are obtained timely and that immediate action is taken to document updated versions. To facilitate this process, a function may be added in the Bank's system to alert responsible officers whenever one such document has expired and its collection is pending The above recommendation is in line with common industry practice. 18.7 low Filing documentation Finding / Observation Through the inspection of customer files we observed that 28 files out of68 which concerns customer accounts opened before 2011 the risk categorization was not documented within the file. Possible Risk I Implication Customer status may be overlooked and enhanced due diligence procedure may not apply in High Risk cases that were not clearly signposted. 22013 KPMG AG WPG Fnnkfi,n. All ngh%,a avud. Recommendation Similar to the practice followed for all new customers, we recommend that the Bank updates older files to include the customer risk within the file. This can be done at customer review. 
Review of Bank Files
The findings from our review of the bank files are summarized below:

18.8 Credit due diligence for other banks (low)

Finding / Observation
In both the bank files we inspected we observed that corporate certificates were not translated into the Bank's business language (English).

Possible Risk / Implication
Documentation held in a language not widely understood by bank employees bears the risk of inability to verify the authenticity or completeness of the information presented in the documents, or of false interpretation, with a potential impact on the risk categorization and due diligence of the customer.

Recommendation
Although we recognize that the Bank has Russian-speaking personnel who can read the documentation, in the interest of full disclosure and consistency with other information in the file, we recommend that key documentation is translated by an official source.

D. Final Assessment

1. Based on our audit work, we came to the overall conclusion that FBME basically fulfills the requirements as set out by the Cyprus regulator and is in principle in compliance with EU standards.

2. The Bank established an AML organization including written policies and procedures, which in principle is suitable to prevent ML/TF.

3. The existing older customer base, however, should be subject to a risk-based review, in order to ensure full AML compliance (e.g. KYC, source of funds/wealth, reliability checks of ATPs involved) in accordance with the present regulatory requirements.

4. Our key recommendations regarding points of high or medium significance per field of review are as follows:

a. Risk Management
• AML/CTF risk analysis: While the Bank addresses quite a number of ML/TF risk-related issues and the corresponding mitigation measures, we recommend rethinking the overall approach to develop a comprehensive AML/CTF risk analysis, in order to create an even stronger instrument for the development of efficient AML/CTF measures.

b. AML/CTF Organisation
• AML Function: While the AML/CTF organization is run by an experienced MLCO, we recommend installing an Assistant MLCO who would formally be in a position to take over the responsibilities in case of absence of the MLCO.
• Internal Policies and Procedures: Although the Bank's internal policies and procedures can be regarded as comprehensive, they should be amended or further granularized in respect of a couple of subjects.
• Suspicious Activity Reporting Process: In view of the number of ISRs and SARs (approx. 40 cases), the Bank is capable of managing the reporting process without an IT-based case management system for the time being.

c. Risk Mitigating Measures in relation to Customers & Transactions
• Know your Customer (KYC): Compliance with the KYC requirements could be further enhanced by integrating UBO information into the core banking system. While the business address is captured, the use of hold-mail accounts and ATP-managed PO boxes should be reconsidered in order to avoid potential anonymisation. It should be ensured that, where possible, the source of funds is substantiated by proper documentation (e.g. F/S, business plan).
FOIA CONFIDENTIAL TREATMENT REQUESTED BY FBME BANK LTD FBME00000677
• Know your Counterparty: We recommend ensuring that the assurance of the ATPs' reliability in their function as "reliable third party" is risk-based and further intensified.
• Transaction Monitoring: The scenarios and typologies of the MANTAS transaction monitoring system should be derived from the AML/CTF risk analysis and reviewed on an annual basis in order to ensure an up-to-date and bank-specific system. A back-up solution in view of system failures should be considered.
• Payment Screening according to 1781/2006: Although the missing remittance information reportedly has always been identified, manual input of transactions may lead to errors with regard to EU Regulation 1781/2006, and therefore automation should be considered. We understand that the Straight-Through Processing planned to be introduced in June 2013 will include an automatic filter. The alternative rules and requirements should be specified in a more detailed manner.
• Payment Filtering for Sanctions: The "Good guys list" should be subject to sanctions screening on a regular basis. The use of numerous Excel-based lists (e.g. for UBOs) may complicate the controlling and may lead to errors. The percentage applied for fuzzy logic (approximately 50 %) is well below industry standard and may generate a large number of alerts. This number of alerts, however, can be handled due to the substantial staffing of the Compliance department.

d. Quality Assurance
• Internal Supervision: The overview of the Compliance Department's planned activities lists proper controls and reviews. Based on European benchmark practice, we recommend amending it with information regarding resource planning, time schedules, etc.

5. As part of our audit work, we reviewed a sample of the Bank's customer files, comprising 68 customer files (33 individuals and 35 companies) and 2 bank files. Our key findings are that in general the Bank adheres to the requirements for:
• Maintaining a KYC file for each customer
• Using standardized account opening forms, requesting key information from the customer including source of wealth, expected turnover, etc.
• Identifying the customer and UBO and receiving relevant supporting documentation
• Assigning a risk rating to each customer and identifying cases for which simplified or enhanced due diligence is applied
• Performing database searches on all customers
• Using third parties for onboarding that are approved by the Bank and maintaining a file for each of the ATPs used

6. During our review we also observed certain areas in which the Bank's implementation of the Directive can be further enhanced or adopted in a more conservative manner. Such areas include:
• The presentation of group information or ownership structure with regard to older customer files, to ensure that the link between group entities is clear, in particular when group entities include a number of the Bank's customers; however, we understand that within the last two years the Bank has introduced a group structure form to cover these for new customers; furthermore, we note that the customer structures are grouped in the core banking system
• The extent of investigation and documentation of the business profile of a) the customer and b) the UBO
• Evidence and justification of expected turnover and due diligence on the customer's source of funds (e.g. F/S for corporate customers and salary slips for individual customers)
• Timing of customer updates and reviews, in particular for cases where the update of documentation has been pending for a long time
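As an added illustration of the "Payment Filtering for Sanctions" point above (this is example code written for this section, not the Bank's screening configuration, the MANTAS system or any vendor product), the following Python screens a constructed customer list against a constructed sanctions list at a fuzzy-match threshold of 0.5 and again at 0.85, and then re-screens a constructed "good guys" (whitelist) list against the same entries. The similarity measure (normalized Levenshtein distance over accent-stripped, punctuation-free, token-sorted names), all names and both thresholds are assumptions made for the example; none of them come from the report.

```python
"""Fuzzy sanctions name screening: effect of the match threshold, and
periodic re-screening of a "good guys" (whitelist) list.

Added example for this section. Not the Bank's system or any vendor product.
All list entries, customer names and thresholds are constructed.
"""
import re
import unicodedata


def normalize(name: str) -> str:
    """Canonical comparison form: strip accents, drop punctuation, uppercase,
    and sort tokens so that "ZAROSKIN, Dmitri" equals "Dmitri Zaroskin"."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^A-Za-z0-9]+", " ", ascii_only).upper().split()
    return " ".join(sorted(tokens))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca by cb
        prev = cur
    return prev[-1]


def similarity(name: str, entry: str) -> float:
    """1.0 for identical normalized names, 0.0 for completely different ones."""
    a, b = normalize(name), normalize(entry)
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def screen(names, sanctions, threshold):
    """Return (name, entry, score) for every pair scoring at or above threshold."""
    hits = []
    for name in names:
        for entry in sanctions:
            score = similarity(name, entry)
            if score >= threshold:
                hits.append((name, entry, score))
    return hits


def rescreen_good_guys(good_guys, sanctions, threshold):
    """A whitelist suppresses alerts, so it must itself be screened against the
    current sanctions list; any entry that still matches needs a fresh review."""
    return screen(good_guys, sanctions, threshold)


# Constructed sample data: fictional list entries and customers, not real persons.
SANCTIONS = ["Dmitri Zaroskin", "Fatima Al-Qarnaz", "Wen Luoqi"]
CUSTOMERS = [
    "ZAROSKIN, Dmitri",   # same person, surname-first form
    "Dimitri Zaroskyn",   # transliteration variant of a listed name
    "Fatima Al-Qarnas",   # one-character difference from a listed name
    "Dmitri Ivanov",      # shares only a given name with a listed person
    "John Smith",         # unrelated
]
GOOD_GUYS = ["Dmitri Ivanov"]  # previously cleared as a false positive


def alert_counts(thresholds=(0.5, 0.85)):
    """Number of alerts the sample generates at each threshold."""
    return {t: len(screen(CUSTOMERS, SANCTIONS, t)) for t in thresholds}


if __name__ == "__main__":
    for t in (0.5, 0.85):
        print(f"threshold {t:.2f}:")
        for name, entry, score in screen(CUSTOMERS, SANCTIONS, t):
            print(f"  {name!r} ~ {entry!r} ({score:.2f})")
    print("good-guys entries still matching a list entry at 0.50:",
          rescreen_good_guys(GOOD_GUYS, SANCTIONS, 0.5))
```

At 0.85 only the three close variants of listed names alert; at 0.5 a customer who merely shares a given name with a listed person also alerts (score about 0.53), which is the alert-volume effect of a low fuzzy percentage. The whitelist re-screen shows why a "good guys" entry needs periodic review rather than permanent suppression: the name still matches a current list entry at the operational threshold, so what has to be re-confirmed each time is the decision that it is a false positive.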
Overview of the Assessment of the Effectiveness of Measures regarding Anti-Money Laundering and Counter-terrorism Financing

[Chart: one row of rating dots per field of review; the dot pattern is not recoverable from this copy. Fields of review shown: AML/CTF Risk Analysis; AML Function (Section 2); Periodic Review of Customer Relationships; Responding to Risks: deriving appropriate mitigating measures; Internal Policies and Procedures (Section 4); Risk Controlling: monitoring risks and mitigating measures; Risk Reporting, e.g. MLCO report to CEO / BoD; Suspicious Activity Reporting Process (Section 5); Know your Counterparty (Section 9); Sanctions Screening of Relationships (Section 10); Employee Training and Internal Information Sharing (Section 15); Internal Supervision (Section 16); PEP Screening (Section 11); Internal Audit (Section 17); Transaction Monitoring (Section 12); Record Keeping; Know your Customer (KYC) (Section 7); Payment Screening according to 1781/2006 (Section 13); Third-Party Review (Section 18); Payment Filtering for Sanctions (Section 14).]

The dots reflect the result of the evaluation of the individual tests addressed in each field of review. The classification "high" (red) refers to substantial issues. A very important gap is regarded as "medium" (orange). The classification "low" (yellow) refers to important issues.