Arab Bank: The tyranny of KYC
The fine handed out to Arab Bank for allegedly financing Hamas poses fundamental questions for the banking industry.
Just what should a bank know about its client, and when should it know it? And who should penalize them when they fail to know what they should?
These are some of the many complex issues that arise from the verdict in the Arab Bank case, in which a New York court found that bank guilty of aiding Hamas by doing business with some of its operatives a decade ago. The plaintiffs argued, and the court agreed, that Arab Bank had helped to finance more than 20 suicide bombings in Tel Aviv and Jerusalem.
There are several points for discussion here. One is that all but one of the 150 Hamas leaders and operatives Arab Bank were accused of doing business with were not on US, UN or European Union lists of terrorists at the time that they were clients of the bank.
So, point one:
Is a bank guilty of terror financing if it acts for an individual who is not on a sanction list but who later is considered a terrorist? Should a bank make that call in the first instance, and how much should it be expected to know? The one who was on the list, Arab Bank says, was Sheikh Ahmed Yassin, Hamas’s leader, who spelled his name differently in bank records to the spelling on the blacklist (a common problem with Arabic names transliterated into the Roman alphabet).
How rigorous should compliance checks be around the spelling of client names? And is it remotely conceivable that Arab Bank could have failed to identify the leader of Hamas on its client list? A common question at moments like this is: “What does this have to do with the US?” But this one’s easily answered: the plaintiffs are victims or family members of victims from the various attacks, and are all Americans, which means they have recourse in federal court under the Antiterrorism Act of 1990. But there is a valid question about what the finding means for non-American victims, and where they might seek redress.
Arab Bank claimed to have documents and account records that would be to its benefit, but that it was unable to provide them to the court as evidence because of Jordanian privacy rules (Arab Bank, though founded in pre-Israel Jerusalem in the 1930s, is now headquartered in Jordan). The Central Bank of Jordan backed this up in a statement, saying it was confident in the strength of Arab Bank’s operations and compliance procedures. But the judge said jurors could be told to infer from the bank’s failure to provide the information that it did business with terrorists. Is this fair? Should foreign countries’ privacy laws be respected when undertaking trial in a different jurisdiction?
These questions are all worth asking because an enormous variety of institutions are now finding themselves under US penalty for questions of terror financing (see also Credit Lyonnais, Bank of China), the Foreign Corrupt Practices Act (Goldman Sachs, SG), money laundering or sanction breaches (HSBC, BNP, Standard Chartered). Notably, just one name on that list of banks is American.
The considerable jurisdiction the US gives itself on these matters is a function partly of its currency being the vehicle of most global trade, and partly because most banks have an office in the US and therefore submit to US regulation.
It makes it more important than ever for banks elsewhere in the world to be clear on just what the US considers to be illegal.