While doing some other research, Mr. Watchlist found a Statement of Principles document from Bermuda that has a really decent enforcement section in it – maybe not as detailed as OFAC’s, but pretty darn close. The document states that the maximum AML/CTF enforcement penalty is 500,000 Bermuda dollars, and that here (Section 5) is what they consider in deciding whether or not to impose a penalty:
- (1) The nature, seriousness and impact of the suspected breach, including:
(a) whether the breach was deliberate or reckless;
(b) the duration and frequency of the breach;
(c) whether the breach reveals serious or systemic weaknesses of the management systems or internal controls relating to all or part of an institution’s business;
- (d) the nature and extent of any money-laundering or terrorist financing facilitated, occasioned or otherwise attributable to the breach; and
- (e) whether there are a number of smaller issues, which individually may not justify enforcement action, but which do so when taken collectively.
- (2) The conduct of the institution after the breach, including:
(a) the degree of co-operation the institution showed during the investigation of the breach;
(b) any remedial steps the institution has taken in respect of the breach;
(c) the likelihood that the same type of breach (whether on the part of the institution under investigation or others) will recur if no action is taken;
(d) whether the institution concerned has complied with any requirements of the Authority; and
(e) the nature and extent of any false or inaccurate information given by the institution and whether the information appears to have been given in an attempt to knowingly mislead the Authority.
- (3) The compliance history of the institution including:
(a) whether the Authority has taken any previous action resulting in adverse findings against the institution;
(b) whether the Authority has previously requested the institution to take remedial action, and the extent to which such action has been taken; and
(c) whether the institution has previously undertaken not to do a particular act or engage in particular behaviour;
- (4) Conduct consistent with the Authority’s guidance. The Authority will not take action against an institution for conduct that it considers to be consistent with guidance or other materials published by the Authority which was current at the time of the conduct in question.
- (5) Action taken by the Authority in previous similar cases.
- (6) Action taken by other regulatory authorities. Where other regulatory authorities propose to take action in respect of a breach which is under consideration by the Authority, the Authority will consider whether the other authority’s action would be adequate to address the Authority’s concerns, or whether it would be appropriate for the Authority to take its own action.
The next section (section 6) similarly lists out what factors determine the size of the penalty:
- 6.3 The following factors may be relevant to determining the appropriate level of financial penalty to be imposed on institutions. The list of factors outlined is not exhaustive and not all of these factors may be relevant in a particular case, and there may be other factors, not included below that are relevant.
- (1) Deterrence. When determining the appropriate level of penalty, the Authority will have regard to the principal purpose for which it imposes a financial penalty, namely to encourage a high degree of compliance with the Regulations and deterring persons from committing breaches.
(2) The nature, seriousness and impact of the breach in question. The Authority will consider the seriousness of the breach in relation to the nature of the regulation breached. The following considerations are among those that may be relevant:
(a) the duration and frequency of the breach;
(b) whether the breach revealed serious or systemic weaknesses in the institution’s procedures or of the management systems or internal controls relating to all or part of an institution’s business;
(c) the nature and extent of any money-laundering or terrorist financing facilitated, occasioned or otherwise attributable to the breach.
(3) The extent to which the breach was deliberate or reckless. The Authority will regard as more serious a breach which is deliberately or recklessly committed. The matters to which the Authority may have regard in determining whether a breach was deliberate or reckless include the following:
(a) whether the breach was intentional, in that the institution intended or foresaw the potential or actual consequences of its actions;
(b) where the institution has not followed its own internal procedures and/or Authority guidance, the reasons for not doing so; and
(c) whether the institution has given no apparent consideration to the consequences of the behaviour that constitutes the breach.
(4) Whether the person on whom the penalty is to be imposed is an individual. When determining the amount of a financial penalty to be imposed on an individual operating as a sole trader, the Authority will take into account that an individual will not always have the resources of a body corporate; that enforcement action may have a greater impact on an individual; and further, that it may be possible to achieve effective deterrence by imposing a smaller penalty on an individual than on a body corporate. The Authority will also consider whether the status, position and/or responsibilities of the individual are such as to make a breach committed by the individual more serious and whether the penalty should therefore be set at a higher level.
(5) The size, financial resources and other circumstances of the institution on whom the penalty is to be imposed:
- (a) the Authority may take into account whether there is verifiable evidence of serious financial hardship or financial difficulties if the institution were to pay the level of penalty appropriate for the particular breach. The Authority regards these factors as matters to be taken into account in determining the level of a financial penalty, but not to the extent that there is a direct correlation between those factors and the level of penalty;
- (b) the purpose of a penalty is not to render an institution insolvent or to threaten the institution’s solvency; where this would be a material consideration, the Authority will consider, having regard to all other factors, whether a lower penalty would be appropriate; this is most likely to be relevant to an institution with lower financial resources; but if an institution reduces its solvency with the purpose of reducing its ability to pay a financial penalty, for example by transferring assets to third parties, the Authority will take account of those assets when determining the amount of a penalty;
(c) the degree of seriousness of a breach may be linked to the size of the institution; for example, a systemic failure in a large institution with a high volume of business, over a protracted period may be more serious than breaches over similar periods in an institution with a smaller volume of business;
(d) the size and resources of an institution may also be relevant in relation to mitigation, in particular what steps the institution took after the breach had been identified; the Authority will take into account what it is reasonable to expect from an institution in relation to its size and resources, and factors such as what proportion of an institution’s resources were used to resolve a problem.
(6) Difficulty of detecting the breach. An institution’s incentive to commit a breach may be greater where the breach is, by its nature, harder to detect; the Authority may, therefore, impose a higher penalty where it considers that an institution committed a breach in such a way as to avoid or reduce the risk that the breach would be discovered, or that the difficulty of detection (whether actual or perceived) may have affected the behaviour in question.
(7) Conduct following the breach. The Authority may take the following factors into account:
(a) the degree of co-operation the institution showed during the investigation of the breach by the Authority, or any other regulatory authority; and where an institution has fully co-operated with the Authority’s investigation, this will be a factor tending to reduce the level of financial penalty;
(b) any remedial steps taken since the breach was identified, including whether these were taken on the institution’s own initiative or that of the Authority or another regulatory authority;
(c) whether the institution concerned has complied with any recommendations made by the Authority relating to the breach.
(8) Compliance history of the institution. The Authority may take the previous compliance record and general compliance history of the institution into account. This will include:
(a) whether the Authority has taken any previous enforcement action against the institution;
(b) whether the institution has previously undertaken not to do a particular act or engage in particular behaviour;
(c) whether the Authority has previously requested an institution to take remedial action and the extent to which that action has been taken;
(d) the general compliance history of the institution, including whether the Authority has previously brought to the institution’s attention, issues similar or related to the conduct that constitutes the breach in respect of which the financial penalty is imposed; an institution’s compliance history could lead to the Authority imposing a higher penalty, for example where the institution has committed similar breaches in the past; in assessing the relevance of an institution’s compliance history, the age of a particular matter will be taken into account, although a long-standing matter may still be relevant.
(9) Other action taken by the Authority. Action that the Authority has taken in relation to similar breaches by other institutions may be taken into account; as stated, the Authority does not operate a tariff system; however, the Authority will seek to apply a consistent approach to determining the appropriate level of financial penalty.
(10) Action taken by other regulatory authorities. Considerations could include, for example:
(a) action taken or to be taken against an institution by other regulatory authorities which may be relevant where that action relates to the breach in question;
(b) the degree to which any remedial steps, required by other regulatory authorities, have been taken (and whether taken promptly).
(11) Bermuda Monetary Authority guidance and other published materials:
- (a) an institution does not commit a breach by not following the Authority’s guidance; however, where a breach has otherwise been established, the fact that guidance had raised relevant concerns may inform the seriousness with which the breach is to be regarded by the Authority when determining the level of penalty;
- (b) the Authority will consider the nature of the guidance when deciding whether it is relevant to the level of penalty and, if it is, what weight to give it in relation to other relevant factors.
Before this list, however, is the following statement – as a principle, this often gets overlooked by institutions and leads them to be overly cautious:
- 6.1 Any fine imposed by the Authority must be appropriate. Section 20 of the Act defines this to mean “effective, proportionate and dissuasive”. The Authority will consider all the relevant circumstances of a case when it determines the level of a financial penalty