UK Medium-Sized Financial Institutions: AML/CTF and Sanctions Opportunities and Challenges

By Alma Angotti, Alexandra Will

A strong and diverse financial services industry in the UK is key to ensuring continued domestic economic growth and retaining the UK’s global competitiveness in a post-Covid-19 and post-Brexit environment. The medium-sized banking sector is a key pillar of the UK financial services industry in achieving these objectives. Medium-sized financial institutions, due to their historic origins, frequently still have a strong regional presence. Their flexible organisational set-ups and diverse business models allow them to quickly adapt to the financial service needs of the wide array of customers they serve. However, the UK medium-sized financial services sector has faced various challenges over the past years.

The overall UK financial services sector is characterized by a dominance of the six major groups: Lloyds Banking Group, Barclays, NatWest (formerly RBS), HSBC, Nationwide, and Santander. There are only a few mid-tier competitors of scale. UK Finance reported in 2019 that the six major banking groups combined held approximately £1.8 trillion of retail assets. In comparison, the mid-tier banking segment composed of 14 banks and building societies at that time held approximately £360 billion of assets in total.

This dominance of the large UK players, and the associated challenges, were aptly illustrated by the Financial Times in a recent comparison between the UK and the US. Despite a consolidation of the US market in recent years, the four largest US banks hold just 35% of customer deposits. This percentage increases to well over 50% for the four largest UK banks. In addition, the top UK banks have a particularly large share of cash in low-interest current accounts, which regulators consider as providing a “significant funding cost advantage.” At the height of the pandemic in August 2020, more than 80% of government-backed loans as part of Covid-19 support schemes were provided by the four biggest banks in the UK. In comparison, the four largest US banks only provided 12% of lending in government-backed schemes.

Challenges in competing successfully with the major banks on a commercial level can bring with them challenges for Anti-Money Laundering (AML)/Countering of Terrorist Financing (CTF) and sanctions risk management. The cost of compliance bears more heavily on medium-sized financial institutions, especially in the UK’s ever-changing regulatory environment and given the additional compliance requirements arising from Brexit for institutions operating in both the UK and the EU. However, in addition to challenges, there are also opportunities for medium-sized financial institutions from an AML/CTF and sanctions perspective.


Road Map to Better Practices

Managing the AML/CTF and Sanctions Regulatory Landscape

UK financial institutions face ever-changing regulatory expectations, as well as increased regulatory scrutiny, monetary penalties, and enforcement actions. Fines or actions taken by the Financial Conduct Authority (FCA) and other AML supervisory authorities over the past two years in the AML/CTF space often focused on a failure to put adequate fundamental AML systems and controls in place, specifically the lack of policies and procedures, conducting adequate Customer Due Diligence and performing appropriate transaction monitoring.

The application of a risk-based approach is a central principle of UK AML/CTF regulations. The size of a financial institution, however, does not necessarily translate into less stringent AML/CTF and sanctions regulatory expectations. Medium-sized financial institutions need to meet regulatory expectations by implementing a risk-commensurate approach that fits the institution’s scale, product offerings, customer base, and geographic and sanctions exposure. Specifically, financial institutions are expected to align their programmes with guidance from the FCA and Joint Money Laundering Steering Group in addition to relevant international standards and industry practices. AML/CTF and sanctions compliance programmes will vary in magnitude, size of deposits, and sophistication, based on risk exposure. While access to an appropriate budget will be an important practical consideration, lack of necessary budget will not be a sound excuse for a failure to implement risk-commensurate controls. 

Medium-sized financial institutions can face challenges appropriately staffing their teams with qualified compliance professionals due to the highly competitive marketplace for such professionals and the ability of larger financial institutions with deeper pockets to solicit experienced employees. As such, it is imperative that medium-sized financial institutions maintain rigorous governance, including desktop operating procedures, such that higher attrition rates are less likely to adversely affect the continuity of the compliance programme.

Adequate and Specialized Staffing

During an economic downturn, medium-sized financial institutions may find structuring and maintaining compliance staff difficult due to an institution’s budget restrictions. Alternatively, during an economic boom, geographic location and limited access to experienced candidates or technical resources could present challenges.

Due to the scarcity of people with technology backgrounds, including data analytics, and developers who can seamlessly coordinate with compliance personnel, medium-sized institutions should particularly focus on retention of their compliance-related tech talent. Medium-sized financial institutions struggling to retain highly specialized, full-time resources may opt for external advisors as an alternative or interim solution. In addition to filling staffing gaps, bringing in external experts for a short period of time will allow exposure to industry better practices and overall broader expertise. While some US regulators have encouraged small and medium-sized institutions to collaborate and share resources to efficiently manage their BSA/AML obligations, a similar approach does not yet exist in the UK. It might be worthwhile discussing this idea at industry forums for UK medium-sized institutions in the future. 

For medium-sized financial institutions operating with a reduced number of compliance resources, it is important to act as quickly as possible when filling vacancies. In some cases, looking for interim contractors or seconded personnel from external advisors, until the appropriate personnel are hired and onboarded, will help to bridge the gap and maintain day-to-day activities. This is of particular importance as hiring for a new role typically takes three to six months in the UK due to notice periods of at least three months. Medium-sized financial institutions can leverage experienced senior consultants with prior experience as (Deputy) Chief Compliance Officers or (Deputy) Money-Laundering Reporting Officers in a seconded role to uphold responsibilities on behalf of the financial institution. Firms should keep the FCA’s 12-week rule in mind, which allows a temporary replacement of functions falling under the FCA’s senior management regime without FCA approval for up to 12 weeks, making the administrative process less burdensome. Interim cover can help prevent costly remediation that may be required if errors have occurred during a period in which the compliance team was understaffed and thus unable to consistently fulfill its day-to-day obligations.

Authentically Knowing Your Customer Base

Medium-sized financial institutions with personal relationships and regular in-person interaction will be in a better position to know their customers than large financial institutions. Specifically, strong regional ties and relationships might allow a financial institution to gain wider insights into its customer base and understand the common behaviors, customer expectations, and transaction activity for a customer segment compared to larger institutions. This can help to overcome the challenge that medium-sized financial institutions may not always have access to sophisticated technology solutions for monitoring of their customers, which could inhibit their ability to meet compliance requirements.

An essential component of a medium-sized institution’s compliance programme is applying its knowledge of the customer base and aligning it with the sophistication of a meaningful customer risk-rating methodology. Financial institutions should conduct periodic reviews of customer due diligence, leveraging a risk-based approach and trigger events that may cause a change in the customer’s risk profile.

New Products and Services

Medium-sized financial institutions face competition from large financial institutions, evolving consumer behaviors, and digital disruptors, including finance companies, financial technology companies (FinTechs) and online banking companies offering modern-day banking alternatives. When introducing new products and services, UK regulations require that the entity conducts a product risk assessment to uncover potential risk exposure to the institution. Furthermore, financial institutions should vet the new offerings through appropriate governance committees to serve as an open forum for conflicts, risk areas, formal review, and decision-making.

Digital product offerings including mobile-based customer service, online banking, and online loan applications are the new normal. Medium-sized financial institutions may choose to serve their customers by offering digital products and services, while maintaining a sense of personal connection and assurance; however, financial institutions should evaluate risks and controls in tandem. Institutions need to be conscious that new products that offer new non-face-to-face delivery channels both for onboarding of customers and transaction access change the institution’s risk exposure, making it necessary to adapt the relevant AML/CTF and sanctions-specific controls.

Governing Documents and Risk Assessments

Financial institutions should keep policies and procedures current, comprehensive, and consistent. As a financial institution’s regulatory commitments, product offerings, risk appetite, staffing, and processes evolve, its policies and procedures must be aligned appropriately. Policies and procedures should clearly delineate roles and responsibilities and outline both preventive and detective controls. Furthermore, policies and procedures must be subject to rigorous testing to ensure they are being followed as intended. The need for up-to-date and accurate policies and procedures is fully acknowledged by Compliance professionals across the financial services industry. However, due to lack of resources, turnover of staff, and the need to prioritize urgent tasks, such as remediation of identified significant control gaps, regular maintenance of policies and procedures is still frequently de-prioritised. It is therefore not surprising that the FCA and other supervisory authorities mention lack of policies and procedures as one of the key AML control failures.

It is critical that an organisation develop a thorough understanding of its current product offerings, customers, and geographies before it can understand the potential impact of new business. A comprehensive and well-documented risk assessment, which includes both quantitative and qualitative data, is critical to understanding the overall risk of an organisation’s business. Medium-sized financial institutions benefit from leveraging the results of the risk assessment when discussing future compliance spending with senior management and the board of directors. Based on the assessment of existing business, an organisation should make informed decisions when considering future growth and ensure that it aligns with its overall AML/CTF and sanctions risk appetite. An accurate and up-to-date risk assessment will help an institution to define and implement risk-based controls to comply with relevant UK laws and regulations.

Systems Integration and Meaningful Metrics

For institutions that are growing with reduced budgets and fewer resources, systems integration and navigating investments in technology can be a challenge. Medium-sized financial institutions should ensure data is centralized, complete, and consistent. Institutions should be agile, enhance existing technology as much as possible, and leverage systems that are fit-for-purpose to allow the institution to automate manual processes. Medium-sized financial institutions will benefit from having a flexible core banking system that will allow for ease of integration as their business lines and services evolve. Cost pressures are often more severe at medium-sized financial institutions. Chief Compliance Officers at such institutions will often face strong (initial) headwinds from senior management for requests to introduce new technology to improve compliance-related processes. However, having data available in a centralized, complete, and consistent format will allow the Compliance function to operate more efficiently and effectively. This allows firms not only to better manage their AML/CTF and sanctions risk, but often also to recoup the implementation costs through savings in the daily control execution. In addition, “better” data can reduce the (cost-intensive) remediation efforts many firms face due to poor data quality.

Furthermore, it is important that an institution’s systems can be leveraged for meaningful automated reporting and transparency, both internally and externally. This is particularly important for medium-sized financial institutions with limited information technology resources. Internal metrics and reporting provide key information for senior management to assess how the institution is doing in meeting its risk management-related objectives and highlight where it is doing well, where it is falling short, and how it can improve.


How Guidehouse Can Help

Guidehouse has experience working with financial institutions of various sizes, including, but not limited to, banks, broker-dealers, money services businesses, marketplace lenders, insurance companies, cryptocurrency exchanges, and FinTechs. Guidehouse consultants include former compliance officers, bankers, senior regulators and prosecutors, law enforcement officials, accountants, and lawyers, all of whom bring significant experience in risk management and financial crime compliance.

Guidehouse has broad expertise working with domestic and international-based financial institutions managing an ever-changing regulatory landscape and better practices, including:

  • Staffing Assessment
  • Compliance Technology Assessment
  • AML/CTF and Sanctions Risk Assessments
  • Know Your Customer/Customer Due Diligence/Enhanced Due Diligence Customer Reviews and File Remediation
  • Transaction Monitoring and Sanctions Reviews
  • Seconded Compliance Roles and Financial Intelligence Unit Augmentation
  • Risk Management Gap Analysis
  • Lookbacks
  • Investigative Due Diligence
  • Customize and Administer Training
  • Operational Effectiveness and Efficiency
  • System Implementation
  • Independent Assessment

Alma Angotti, Partner

Alexandra Will, Director
