Royal Bank of Scotland (RBS) has been fined £5.6 million by the Financial Services Authority (FSA) for IT systems failures that could have resulted in terrorist financing.
The FSA says the group did not have adequate systems and controls in place to prevent breaches of UK financial sanctions between 15 December 2007 and 31 December 2008 at its RBS, NatWest, Ulster Bank and Coutts units.
RBS failed to adequately screen both its customers, and the payments they made and received, against the government's Treasury sanctions list, says the watchdog. During the year-long period it did not screen any payments remitted from outside of the UK.
This led to an "unacceptable risk" that the bank could have facilitated transactions involving sanctions targets, including terrorist financing.
According to the FSA, RBS manually entered around 14,000 payment messages worth about £2.5 billion into its gateway application for Swift messages which meant they bypassed the screening software. In addition, the group's automated screening software only covered three out of 47 Swift trade finance message types.
Meanwhile, a failure in the screening software used to check payments against the Treasury list meant it did not block or screen transactions where the beneficiary name was across more than one line in the Swift message. This meant that the technology sometimes failed to pick up exact matches to the Treasury list, a problem not picked up when the software was tested and rolled out in 2006.
Another problem with the software affected its "fuzzy matching" which is supposed to help identify words within payments messages that are mis-spelt or inaccurately translated.
Despite rules designed to ensure firms update their systems' fuzzy matching logic to keep up with changes to the Treasury list, RBS only calibrated theirs once, when it was first installed. When the fuzzy matching logic was finally checked in 2008, several weaknesses were identified that could see payments slip through.
Margaret Cole, director, enforcement and financial crime, FSA, says: "By failing to screen relevant customers and payments against the HM Treasury sanctions list, RBSG left itself open to the risk that it was facilitating terrorist financing."
Nathan Bostock, head, restructuring and risk, RBS says the bank acknowledges the FSA findings adding: "We have taken appropriate action to remedy these issues and continue to enhance our control environment with a view to ensuring a more robust sanctions compliance framework and ultimately that our detection and prevention capabilities are in line with best practice in the market."
The bank received a 30% discount on the fine for settling early.
You can read the full decision notice here.