Contis has been fined €840,000 for several compliance failures, including anti-money laundering and counter-terrorist financing (AML/CTF), information security and business continuity risk.
The Bank of Lithuania has that electronic money institution Contis Financial Services failed to comply with AML/CTF requirements, as well as information security and business continuity risk management.
For this, it has had a monetary penalty imposed and it is obliged to eliminate violations and operational deficiencies.
It has until March 31, 2024, to do this and by June 30, 2024 to provide the audit firm's conclusion confirming this.
The institution, which retired the Contis brand in 2022 and is now part of Solaris Group, is also unable to establish business relations with new distributors and intermediaries, until it is given a separate green light from the central bank
"Solaris always strives to meet the highest standards of compliance,” a spokesperson for Solaris told žž.
“The Bank of Lithuania’s review covered a past period from 2021 to 2022. A core priority for Solaris this year has been undertaking work to successfully deliver remediation actions that were highlighted by this report.”
The spokesperson continued that the company is working closely with the regulator and has proactively implemented the majority of the measures to reflect recommendations given by the Bank of Lithuania.
What went wrong?
Contis failed to effectively monitor its e-money distributors' compliance with AML/CTF rules and, according to the central bank, the distributors' performance verification, risk assessment and audit procedures had significant weaknesses.
These were insufficient to adequately manage the risks of money laundering and terrorist financing. Contis did not ensure effective risk assessment processes for distributors, and did not adequately explain the riskiness of customer portfolios nor the overall risk of the distributors' activity model.
Further, with sources of funds, the company failed to identify risks, including those related to crypto-assets.
The institution's risk assessment procedures for client money laundering and terrorist financing also had shortcomings, according to the central bank. “They did not ensure that the risks posed by customers were properly identified, assessed and that customers were properly divided into risk groups, as well as that measures were taken to manage said risks.”
Contis, whose partnership with Solaris Group began in early 2022, did not ensure that the purpose and nature of business relations with clients were properly determined.
Instead, it delegated this function to the e-money distributors. Here, the Bank of Lithuania found that during auditing for the majority of customers, the distributors either did not fill out the customer familiarisation questionnaires at all, or did not ask the customers questions about the purpose and nature of the business relationship.
“Even after identifying the deficiencies, the institution did not take timely measures to ensure that the distributor properly eliminated them,” the Bank of Lithuania said.
During the audited period, the institution also did not properly regulate the process of monitoring customer business relations, and the implemented scenarios were not sufficient to detect suspicious customer activity in a timely manner, and sufficient human resources were not allocated for monitoring.
In addition, the institution did not ensure proper compliance with information and communication technology (ICT) and security risk management requirements as it failed to apply the second (control) and did not ensure the third (internal audit) lines of defence.
The company also failed to take measures to establish information security-related objectives, measures and specifications of security processes in the agreements with group companies for the provision of services, and the institution did not perform an annual ICT and security risk assessment, and did not submit an operational and security risk assessment report, which needs to be updated annually.
The Bank of Lithuania confirmed that the institution has now taken steps to eliminate the violations in question, and has submitted a plan for eliminating identified deficiencies, indicating what actions it has already taken and plans to take in the future.
This is not the first compliance headache for Solaris this year.
In January, BaFin, Germany’s financial regulator, a ban on Solaris entering into any other new partnerships without first obtaining regulatory approval.
The regulator also ordered the lender to make AML-related upgrades and begin observing “transfer and cash payment limits for certain accounts”.