The ING 775 M€ AML fine

As a set of ING's clients were facing relevant charges regarding suspicions of money laundering and corruption, the Dutch authorities initiated an investigation, under the name "Houston", regarding ING's anti money laundering (AML) systems and procedures. This investigation identified a set of flaws, namely regarding Customer Due Diligence (CDD), risk classification, client classification and transaction monitoring, leading ING to fail to identify a presumably significant number of money laundering and corruption signals between 2010 and 2016. (I used the word 'presumably' because there is no way to estimate the number of clients nor the amounts involved in money laundering through the use of ING bank accounts). This investigation culminated with ING settling with the Dutch authorities to pay 775 M€.

What flaws did the Dutch authorities found in ING's AML systems and procedures?

According to the Netherlands Public Prosecution Service (NPPS), ING showed to have major flaws across all of its CDD framework (to read more about AML and CDD framework, check out our post Detecting Money Laundering), namely at client identification, risk modelling/classification, post-transaction monitoring and post-detection actions.

If you are looking for more detail, find below the 7 types of shortcomings identified in the NPPS's Statement of Facts and Conclusions regarding this investigation:

• The absence or incompleteness of CDD files – Some clients' identifications, UBOs and activities (and possibly PEPs references) were poorly identified or missing. This resulted in part from poor record keeping, but mainly from poor CDD itself (in many cases, there was no onboarding CDD at all, and periodic CDD was not being done frequently enough).

• The assignment of incorrect risk classifications – Clients were being assigned a wrong or no risk rating at all. Often this was a consequence of the lack of a thorough CDD, as without knowing the clients' identification, UBOs and activities is not possible to perform a proper risk-classification.

• Not having the (periodic) CDD review process in order – The periodic CDD (the periodicity depends on risk classification) and the event-driven CDD were being performed insufficiently or not performed at all, meaning that, in many cases, the information about clients were potentially no longer correct. This failure to conduct a CDD regarding some of its clients happened in spite that ING received information requests from investigative authorities and had signals from its own transaction monitoring system regarding such clients. 

• Not terminating business relationships on a timely basis – The exit process (i.e. the process of terminating a client relationship) was not in order, meaning that the termination of commercial relations with clients deemed was taking too long.

• The insufficient functioning of the post-transaction monitoring system – Various shortcomings, some of which deemed serious, were identified at ING's post-transaction monitoring system/procedures, both at the alerts' generation and at the alerts' handling/investigation phases. Indeed: i) the alerts were poorly set (the number of alerts triggered and the number of accounts for which the alerts were being triggered were limited); ii) the alerts were based on percentage deviation in respect to account history and thus not taking into account absolute size of transactions; iii) the monitoring of the alerts was being done at account level and not at client level (and therefore was incapable of detecting even the most basic forms of smurfing); iv) the input data was often incomplete; v) the (qualitative and quantitative) personnel capacity for the handling of the alerts was deemed insufficient; vi) the effectiveness of these system and procedures was not being evaluated nor updated.

• Classifying clients into the wrong segments – The misinformation about clients (that was caused by the failures in the onboarding and periodic CDD) was leading to a poor client segmentation, meaning that high-risk clients could end up being classified as low-risk clients. Besides, ING did not check whether clients had been assigned to the right client segment.

• Insufficient availability of qualitative and quantitative personnel capacity – The Dutch authorities concluded that ING had had insufficient personnel capacity for many years in the compliance teams dedicated to AML, not only in terms of number of employees but also in terms of level of knowledge and experience.

Examples of clients that were using ING bank accounts to launder money 

The NPPS presented some examples of the clients that used ING bank accounts to perform money laundering and/or corruption activities, including:

• VimpelCom, a Russian telecom company, was found to be paying bribes to Gulnara Karimova, the daughter of the President of Uzbekistan, in exchange for the award of business contracts in this country – between 2007 and 2011, 55 M€ were transferred from an ING bank account held by Watertrail, a subsidiary of VimpelCom, to Takilant, a Karimova-affilliated company based in Gilbratar.

• A Curaçao-based company was found to be laundering money for third parties, having used an ING bank account to make illegal transfers in the worth of 150 M€ between 2010 and 2014.

What happened to ING?

In addition to cooperating with the investigation and acknowledging its mistakes, ING: 

• In mid-2018, agreed with Dutch authorities to pay 775 M€ in penalties (675 M€ as a fine, and 100 M€ for unlawfully obtained gains);
• In Sep/2018, dismissed its CFO, Koos Timmermans;
• Announced a remediation plan, to be put in place over several years under the supervision of DNB, focused on restructuring the bank's compliance framework and culture (strengthening the top management compliance culture; improving governance, policies and tools; hire more [hundreds, according to the media] and better compliance/risk employees).

It is also worth mentioning that, following the investigation pursued by the Dutch authorities, the Banca d'Italia (the Italian banking authority) also started its own investigation regarding ING's AML systems and procedures in what concerns this bank's activities in Italy. The Bank of Italy sent its investigatory conclusions to ING in mar-2019, and apparently the findings were not good... as Banca d'Italia asked ING to stop taking on new customers until there was a plan to remedy the shortcomings.