When reliance isn’t compliance: A classic AML pitfall

18/02/2025

This article was originally published by Compliance Monitor and i-law.

The Arian Financial case underscores that third-party customer due diligence is not a shortcut. Firms must take active steps to ensure that outsourced checks meet regulatory standards and align with their risk-based frameworks, as well as get to the bottom of any concerns.

In November 2024, the Upper Tribunal issued its judgment in Arian Financial LLP v the Financial Conduct Authority [1]. The judgment addressed a decision notice issued by the Financial Conduct Authority in August 2022, which found that Arian Financial LLP (Arian) had breached Principles 2 and 3 of the FCA’s Principles for Businesses (PRIN).

Arian’s role in the Solo Group scandal

The FCA’s action against Arian centred on the interdealer broker services it provided the Solo Group, a network of authorised firms that has been the subject of criminal and civil proceedings in multiple jurisdictions relating to highly controversial cum-ex trading strategies. Its founder Sanjay Shah has recently been sentenced to 12 years in prison in Denmark for tax fraud.

Between January and September 2015, Arian facilitated trades for 166 clients introduced by the Solo Group. These trades involved approximately £37 billion in Danish equities and £15bn in Belgian equities, purportedly to enable withholding tax reclaims totalling £900 million from the Danish and Belgian tax authorities. However, the FCA found no evidence of ownership or custody of the shares in question or of settlement of the relevant trades. Coupled with the enormous trading volumes, these activities were described as indicative of “sophisticated financial crime on an enormous scale”. Arian’s role was deemed pivotal in facilitating these trades, yet the firm’s compliance framework failed to detect or mitigate the associated risks.

FCA allegations: breaches of PRIN 2 and 3

The regulator identified specific deficiencies in Arian’s operations:

  • Failure to exercise due skill, care and diligence (PRIN 2): Arian’s AML (anti-money laundering) policies and procedures were not effectively applied, resulting in inadequate risk assessments, monitoring and mitigation of financial crime risks.
  • Failure to implement effective systems and controls (PRIN 3): Arian’s internal controls did not detect or prevent the facilitation of fraudulent trading and money laundering.

Although Arian did not dispute the breaches, it challenged the decision notice before the Upper Tribunal, arguing that the proposed financial penalty of £744,745 was excessive. The tribunal agreed and substantially reduced the penalty to £288,962.53. Nonetheless, the findings in the decision notice (published on 10 January 2025 [2]) remain valid and offer valuable insights into a key aspect of the AML/KYC (know your customer) regulatory framework: reliance.

AML/KYC reliance: a compliance banana skin

The FCA acknowledged that Arian maintained a Compliance Manual that contained a customer due diligence (CDD) policy requiring identification and verification of customers as well as beneficial owners. Where the client was an unregulated fund, the firm’s AML Policy also entailed confirmation of checks undertaken on investors to understand source of funds.

The FCA found that when onboarding the clients, Arian received packs of KYC documents from the Solo Group. These included basic corporate and identification documents along with, in some cases, beneficial owner resumés. Arian reviewed the KYC documents to ensure the company name matched all the details provided and the right identification documents in addition to proof of address were included in its KYC packs. However, despite having written procedures for conducting due diligence on clients, Arian decided to rely upon the CDD conducted by the Solo Group in verifying the clients’ source of funds. Arian did not pursue any further information on source of funds prior to commencing trading.

Regulation 39 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR2017) provides that a business subject to the MLR2017 (a ‘relevant person’) may rely on another relevant person to apply the AML/KYC measures required under the MLR2017. However, the relying party remains liable for any failure to apply such measures.

The same principles applied under regulation 17 of the predecessor Money Laundering Regulations 2007 (MLR2007) and, as the relevant period of Arian’s misconduct was 29 January 2015 to 29 September 2015, the FCA was bound to apply the earlier regulations.

The FCA found that while it was in principle open for Arian to rely on the Solo Group’s CDD, for that reliance to satisfy regulation 17 MLR2007 it needed to comply with the prevailing Joint Money Laundering Steering Group (JMLSG) Guidance. This provided pro forma AML certificates that third parties could provide firms as part of the reliance mechanism. The Guidance also stated that the decision to rely on a third party’s CDD had to be part of a risk-based compliance framework with the circumstances in which reliance may be justified clearly set out in the firm’s AML policy.

However, the FCA deemed that although Arian did receive AML certificates from the Solo Group (albeit in some cases it commenced trading before receiving any certificates in breach of JMLSG Guidance and its own AML policy), Arian had no procedures governing reliance on third parties. Staff were not required to justify waiving the firm’s standard due diligence measures by reference to relevant customer risk assessments. As the decision notice stated, “Even if Arian did consider that it might be able to rely upon due diligence conducted by the Solo Group, it ought to have carried out a risk-based assessment regarding whether it was appropriate to do so, taking into consideration factors such as the nature of the customers and products and sums involved.”

The FCA therefore found that in relying on the limited documentation it received from the Solo Group, Arian failed to gain a sufficient understanding of the source of funds and wealth of the Solo Group clients.

Key lessons for firms

Exercise rigorous oversight

The FCA’s action against Arian underscores that reliance on third party CDD is not a shortcut to compliance. It is not simply a question of obtaining assurances from the third party as to the checks it has conducted. Firms must take active steps to ensure that third party checks meet regulatory standards and align with their own risk-based frameworks, ensuring the business knows who it is dealing with and the purpose of the relationship.

Conduct thorough risk assessments

Risk assessments are the foundation of AML compliance, enabling firms to:

  • Identify high-risk clients: shell companies and other entities without transparent structures, particularly in cases where transactional activity is not commensurate with such corporate profiles and the purpose of the business relationship is unclear, should trigger enhanced due diligence. It is important to note that reliance under regulation 39 MLR2017 is not available where enhanced due diligence is required.
  • Adapt compliance procedures: the FCA found that Arian’s Compliance Manual and AML Policy did not provide for reliance on third parties. In implementing risk-based financial crime policies and procedures, it is vital that measures are tailored to address specific risks posed by clients or business activities.

In Arian’s case, the lack of documented risk assessments weakened its ability to demonstrate the reasonableness of its procedures to the FCA when the worst came to the worst.

Be bold and ask the question

Arian retained an external compliance consultancy during the relevant period of the FCA’s investigation. Although the consultancy did not escape criticism, the FCA did find that it had advised the firm on multiple occasions that the Solo Group clients were shell companies and did not appear to have any funds. The decision notice indicated that Arian was reluctant to question the Solo Group on the nature of the clients’ activities, stating that it was “none of their business”.

In fact, it was very much Arian’s business to establish this. The fact that it delegated follow-up with Solo Group (such as it was) to the consultants was, in the FCA’s view, simply to “allay any fears” and although the consultants eventually became more comfortable with the clients’ trading strategy following a call with Arian, there was “no evidence that Arian gained an actual understanding of the nature and purpose of the Solo Clients’ trading beyond simply ‘investing’ and engaging in Dividend Arbitrage with large dividend yielding stocks…” The evidence only suggested that the consultants stopped raising it as a compliance issue.

The lesson? If you have reasonable grounds to doubt the veracity of what you are being told, you need to get to the bottom of it and ask the question.

Keep records

The maxim ‘if it isn’t written down, it didn’t happen’ remains as relevant as ever. Proper documentation enables firms to:

  • Demonstrate compliance: provide evidence of due diligence and decision-making processes.
  • Respond to regulatory inquiries: address concerns with clear, factual records.

Arian was unable to demonstrate the reasonableness of its approach to the Solo Group clients because it failed to make and retain contemporaneous records justifying its decision-making. Clear audit trails are vital, as the FCA tends to treat after-the-event assurances with short shrift.

Notes 

[1] [2024] UKUT 00352 (TCC).
[2] www.fca.org.uk/news/press-releases/fca-fines-arian-financial-llp-failings-relating-cum-ex-trading 
