On 20 December 2021, the UK Joint Money Laundering Steering Group (JMLSG) published amendments to its existing guidance concerning the monitoring of customer activity, which are currently pending with the HM Treasury for ministerial approval. Although the obligation for firms to monitor customer activity existed prior to the updates, JMLSG have made the guidance more prescriptive regarding expected elements and obligations. Money Laundering Officers (MLROs) of regulated entities should take the pending amendments as an opportunity to review whether their current approach to ongoing monitoring of customer activity is in line with expectations and would pass a regulatory inspection.
The recent NatWest fine, issued in the same month, is a stark reminder of the possible consequences of a failure to meet ongoing customer monitoring obligations: The UK’s Financial Conduct Authority (FCA) announced on 13 December 2021 a fine of £264.8 million for National Westminster Bank Plc (NatWest), a subsidiary of NatWest Group plc for failings under the Money Laundering Regulations 2007 (MLRs 2007). The case had gained substantial public attention as it was the first time the FCA initiated criminal proceedings against a financial institution for alleged AML failures. NatWest, which pleaded guilty in October 2021, had failed to adequately monitor a customer’s activity between 2012 and 2016. Shortcomings included its automated transaction monitoring system incorrectly recognizing some cash deposits as cheque deposits and a failure to review and update the customer’s risk profile despite substantial deviation from expected customer behaviour.
In its amendment to Section 5.7, Monitoring Customer Activity JMLSG highlights that a firm’s “monitoring arrangements should be risk based, driven by the nature, size and complexity of the firm’s business and form part of its financial crime control framework”. This stresses the importance of the incorporation of a risk-based approach. As one of the core principles of UK money laundering regulations, risk-appropriateness applies to every element of a firm’s financial crime control framework, including ongoing customer monitoring. This is reiterated several times throughout the updated Section 5.7, which refers to risks relevant to the firm, firm’s specific risk exposure in addition to the explicit mentioning of a risk-based approach.
The JMLSG update also bears good news for UK MLROs – MLROs were in the past often hesitant to switch off existing transaction monitoring rules, even if a rule was identified as not being effective to detect financial crime. They feared risk exposure and potential fines if there could be a possibility of a monitoring gap because of decommissioning an ineffective rule. The JMLSG guidance now explicitly highlights that - as part of the dynamic process of regularly reviewing the effectiveness of transaction monitoring arrangements – MLROs may decide to "reallocat[e] resources from less productive or less efficient monitoring arrangements (i.e. activity that never or seldom contributes to the management of financial crime risk) to higher priority risks to ensure that monitoring provides more effective outcomes.” Where MLROs make use of this option, they need to appropriately document their rationale that justifies this decision.
Finally, the updated guidance recommends that firms should establish an appropriate level of governance within their framework for the oversight, review and approval of monitoring processes and parameters, including the due documentation of the monitoring arrangements and rationale. Examples provided include the definition of roles and responsibilities, measuring of effectiveness and relevance of monitoring arrangements, change management and approach and governance for resource reallocation. The requirement of duly documenting appropriate governance is tightly linked to the application of a risk-based approach. During supervisory visits, he FCA frequently identifies weaknesses in an institution’s documentation of its risk-based approach.
The pending JMLSG update should serve as a trigger for MLROs to review their transaction monitoring rules and the documentation of the governance of those systems. Monitoring should follow a risk-based approach driven by a firm’s risk assessment. Although monitoring processes can be outsourced, firms remain responsible for their regulatory obligations. There is an expectation that firms should be identifying both known and evolving financial crime risks and typologies and incorporating these into existing monitoring rules, whilst also regularly reviewing current rules and thresholds to ensure they remain effective and applicable to their business and customer activities.
For identified gaps or weaknesses, firm’s need to establish an action plan for the timely remediation of relevant issues and monitor its execution.
Guidehouse can rapidly review and assess all elements of your firm’s financial crime framework to determine whether it is operationally effective and meets the expected regulatory developments in the UK, EU and globally. Guidehouse can also support you in the development and execution of action plans to remediate any identified gaps. Guidehouse’s relevant expertise includes:
Financial Crime Solutions