Global financial institution ING announced Tuesday that it has reached a €775 million (U.S. $900 million) settlement with Dutch authorities to resolve its money laundering case. A close reading of the enforcement action offers numerous lessons for compliance and risk officers.

Under the settlement agreement with the Dutch Public Prosecution Service, ING will pay a €675 million fine and €100 million in disgorgement concerning serious shortcomings in the execution of policies to prevent financial economic crime at ING Netherlands. According to the Public Prosecution Service, ING Netherlands violated the Money Laundering and Terrorist Financing Act, a law that aims to prevent financial crimes. Under this Act, gatekeepers must, among other things, conduct customer due diligence and report unusual transactions to the Netherlands’ Financial Intelligence Unit (FIU).

Several criminal investigations by Dutch police into corruption and money laundering in recent years revealed that suspicious persons and legal entities held accounts with ING Netherlands. During one investigation in February 2016, authorities discovered that lax customer due diligence controls led ING Netherlands to accept clients without sufficiently investigating the risks. Furthermore, client relationships and bank accounts were insufficiently monitored, and its compliance staff lacking. Such compliance failures allowed ING Netherlands to engage in countless instances of money laundering and corrupt practices between2010 and 2016. 

In responding to the settlement agreement, ING CEO Ralph Hamers said in a statement, “As a bank, we have the obligation to ensure that our operations meet the highest standards, especially where it comes to preventing criminals from misusing the financial system. Not meeting those standards is unacceptable, and ING takes full responsibility.”

Compliance failures

The Public Prosecution Service’s investigation uncovered several compliance risk management shortcomings by ING Netherlands that are described in greater detail below:

ING Netherlands had incomplete or missing customer due diligence (CDD) files. In some instances, the identification and verification details of clients and their ultimate beneficial owners, including Politically Exposed Persons (PEPs), were missing. Thus, ING Netherlands could not have been sufficiently aware of the activities of its clients, the Public Prosecution Service’s fact-finding report states.  

ING Netherlands failed to exit business relationships in a timely manner. On numerous occasions, ING Netherlands carried out a comprehensive CDD study years after the customer acceptance took place. Only then did it decide to exit client relationships that were deemed to pose a high risk to the bank. 

Although it’s impossible to say exactly how many money laundering and corruption red flags ING Netherland missed, Dutch prosecutors said this figure had to have been “significant,” based on the number of ING Netherlands clients and the number of transactions made. Nor is it possible, Dutch prosecutors said, to know with any real certainty exactly how much money clients laundered through ING's bank accounts over the years. 

ING Netherlands incorrectly assigned risk classifications. ING Netherlands did not request underlying documents from some of its bank clients. “If this did happen, no—or insufficient—action was taken if clients did not provide the requested information,” thePublic Prosecution Service’sstated in its fact-finding report.  This is due, in part, to the fact that ING Netherlands carried out insufficient customer due diligence when entering the business relationship, according to the report.  

“If no or inaccurate risk classifications are granted, a CDD review will not take place, for example, or will be overdue,” the fact-finding report states. “Another consequence is that the monitoring of the client and the transactions during the business relationship cannot take place properly, and the risk that money laundering signals are missed is considerable.”

ING Netherlands failed to have the CDD review process in order. ING Netherlands had a CDD review policy in place, stipulating that CDD reviews must take place after a certain period, depending on the risk classification, or following certain risk events. The criminal investigation found, however, that such reviews did not take place. As a result, ING Netherlands in many cases did not check whether information known about a client was correct, or whether a change in ownership structure or in business activities had occurred. The bank further missed internal signals that should have led to a CDD review, such as requests for information about clients from investigative services or signals originating from their own transaction monitoring system.

ING Netherlands’ post-transaction monitoring system was insufficient. The criminal investigation revealed various and serious shortcomings in ING Netherlands’ transaction monitoring processes. This concerned shortcomings that concerned both the generation of alerts, as well as the examination and handling of these red flags. As a result, ING Netherlands has for years not taken sufficient measures to identify unusual transactions and missed potential money laundering signals from 2010 to 2016.

“Only the proverbial tip of the iceberg was investigated. In short, the bank recognized insufficient risks of money laundering,” the fact-finding report states. “If an unusual transaction was nevertheless recognized, these were often not reported to the FIU, or reported too late.”

ING Netherlands classified its clients in the wrong segments. Within ING Netherlands, clients are divided into so-called “customer segments,” under which it adapts its risk management measures to the type of client and products supplied in that customer segment. The investigation revealed, however, that ING Netherlands did not have a sufficient grip on the correct segmentation of its clients, causing “high-risk clients” to be classified into a lower risk customer segment, with less stringent monitoring controls. 

ING Netherlands had insufficient resources. Findings from the criminal investigation further revealed that ING Netherlands for many years made insufficient investments both in its transaction monitoring system and in the personnel responsible for uncovering red flags and carrying out CDD investigations.

“The compliance department was understaffed and insufficiently trained,” the Public Prosecution Service stated. “The system for monitoring transactions was—partly because of the limited personnel capacity—set by the bank in such a way that only a limited number of money laundering signals were generated. 

According to ING, there was no evidence or indication that bank employees actively cooperated with clients who used, or may have used, banking services for potential criminal activities. Nor did the investigations find any evidence or indications that bank employees received personal gains. 

“The identified shortcomings that occurred in the period investigated are not attributable to some individual persons, but rather collective shortcomings at all responsible management levels,” ING stated. This included the business, compliance, and control functions.  

Dutch authorities also highlighted these shortcomings: “The responsibility for compliance with the [Money Laundering and Terrorist Financing Act] was vested in three different parts of the bank. None of these parts overlooked the whole.” 

ING looks to patch the holes

Vincent van den Boogert, CEO of ING in the Netherlands, said that it has since undertaken various initiatives to further strengthen its compliance risk management efforts. This includes implementation of an enhanced know-your-customer (KYC) program and enhanced client-activity monitoring capabilities.

ING Netherlands has also centralized and simplified operational KYC activities into one “KYC Centre” across divisions, introducing standard processes and tooling, allowing ING Netherlands to manage these activities more effectively. Additionally, it has set up client risk committees across business units, deciding on client on-boarding and exit escalations to ensure KYC risk mitigation. 

The bank also now has in place an engagement program “to strengthen the internal compliance culture and awareness by better enabling employees to act in both the letter and the spirit of the law, empowered by their organization and supported (and enforced) by compliance departments,” the bank announced.

ING Netherlands said it further remains actively involved in, and contributes to, the Financial Expertise Centre, a partnership between Dutch authorities that have supervisory, control, prosecution or investigation tasks in the financial sector cooperate with those financial sector actors to strengthen the integrity of the sector. It does this by taking preventive action to identify and combat threats to this integrity. ING said it has also joined forces with DNB (the central bank of the Netherlands) and the Dutch Banking Association (NVB) “to harmonize efforts and knowledge in the fight against financial crime and actively participates in various taskforces and project teams in this field.” 

In March 2017, ING announced that it has also received information requests from the U.S. Securities and Exchange Commission and that it continues to cooperate with these requests. Based on the settlement agreement with Dutch authorities, ING said it expects this matter will be resolved with the SEC “without further payment or the imposition of further conditions.”