On 21 May 2021, the Financial Conduct Authority (FCA) published a Dear CEO letter to UK retail banks to highlight recent common control failings that the regulator had identified in the anti-money laundering (AML) frameworks of these entities. The FCA identified the following common weaknesses and themes:
Governance and Oversight
The FCA noted that it is seeing material governance deficiencies. Firms often do not adhere to a three-lines-of-defence model and often confuse the expected responsibilities of the first-line business roles and the second-line compliance roles. First-line employees often do not own, or do not fully own and understand, the financial crime risks faced by firms, which inhibits the ability to identify and mitigate potential suspicious activity. This also limits the ability of compliance personnel to independently monitor and test financial crime systems and controls.
The FCA observed that firms frequently place too much reliance on ready-made controls, frameworks, and products. The FCA expects UK-regulated firms using centralised systems for controls such as sanctions screening or transaction monitoring to ensure that UK-specific requirements are taken into consideration to effectively mitigate the risk exposure of the UK firm. Furthermore, firms must be able to document the effectiveness of those processes and be able to evidence that an adequate assessment has been performed specific to the UK business model.
Additionally, the FCA found that firms often lacked governance over senior management approval of high-risk scenarios as mandated by the UK Money Laundering Regulations. Firms are required to evidence decisions on financial crime-related escalations, customer approvals at onboarding, and periodic reviews. In addition, firms must evidence the first line of defence’s assessment and rationale for acceptance, both at onboarding and at periodic review, of low-risk customer relationships.
The FCA observed that the quality of business-wide risk assessments (BWRA) has been poor. The FCA expects firms to document in detail their financial crime risk exposure and inherent risks, and to evidence the mitigating controls and the remaining residual financial crime risks. The BWRA must take into consideration the specific risk exposure of the UK entity, identified through a separate risk assessment.
Additionally, the FCA found that the Customer Risk Assessments are often generic and fail to cover the various types of risks posed by different types of customer relationships. The FCA found discrepancies in how the rationale for specific risk ratings is derived and recorded by firms. In addition, there is a lack of documentation recording the key risks and the methodology in place to aggregate the inherent risk profile of individual customers.
The FCA observed that Customer Due Diligence (CDD) is often inadequate. It noted that firms should implement controls to identify discrepancies between expected and actual account activity, and should ensure that appropriate investigations are performed where such a disparity is found. Firms must establish clear policies and procedures to fulfil CDD and Enhanced Due Diligence (EDD) requirements.
Further, the FCA identified deficiencies within the approach taken by firms in relation to EDD. For example, firms must be able to document the Source of Wealth and Source of Funds for Politically Exposed Persons (PEP) relationships. The FCA observed that the same documents are frequently used to satisfy the two requirements. Additionally, firms must undertake a risk-based approach when considering the level of due diligence required for PEP relationships. Firms are required to implement EDD measures for all high-risk situations and be able to clearly evidence what actions have been undertaken.
The FCA identified instances where group-led centralised transaction-monitoring solutions were implemented without adequate calibration to incorporate UK-specific requirements. The FCA expects firms to document the rationale for the rules and thresholds used by transaction-monitoring systems to take into consideration the specific business activities, products, and customers of the firm.
The FCA observed a lack of understanding of the technical setup of transaction-monitoring systems, with firms failing to undertake regular and appropriate assessments of the systems’ data feeds and data integrity. Firms must also be able to document the investigative steps taken and the rationale for discounting alerts generated by the transaction-monitoring systems, and provide evidence and reasonable explanations for the disposition of each alert.
Suspicious Activity Reporting
The FCA found that the process by which employees raise internal Suspicious Activity Reports (SARs)/Unusual Activity Reports to the nominated officer is often unclear, poorly documented, or not fully understood by employees, which can lead to tipping off during the course of an investigation. Additionally, the FCA found a lack of documentation with which firms could adequately demonstrate the rationale for reporting, or not reporting, SARs to the National Crime Agency.
What Does This Mean for Financial Institutions?
The FCA stipulates that firms must undertake a gap analysis against each of the common weaknesses identified by the FCA by 17 September 2021. The gap analysis will provide assurance that the firm’s financial crime systems and controls are commensurate with their risk profile and adherence to regulatory requirements. Furthermore, the FCA expects senior management holding the financial crime function to have sufficient seniority to perform the gap analysis effectively and promptly and for senior leadership to push forward any remediation plans. The FCA also expects firms to demonstrate the steps that were undertaken and provide evidence for future FCA engagements.
How Guidehouse Can Help
Guidehouse can rapidly review and assess your financial crime framework to determine whether it is operationally effective and meets the new regulatory expectations. Guidehouse can identify financial crime framework gaps, advise on optimal solutions to weaknesses identified, and identify areas (e.g., products, services, clients, and relationships) that pose a higher degree of risk. Guidehouse has in-depth knowledge of the regulatory environment, both in the UK and globally, and financial institution processes. Guidehouse’s relevant expertise includes the following:
Guidehouse’s financial crime consultants work with financial institutions of all sizes to build effective and efficient risk management and compliance frameworks to help clients protect against legal, fiduciary, shareholder, and reputational risk. Guidehouse experts include distinguished former prosecutors, regulators, compliance officers, and consultants, who leverage their combined experience to help clients conquer their compliance challenges.
Special thanks to Sanjeev Kanagarajah for contributing to this article.