Dear CEO letter on AML control failures

What has happened?

In June 2021, the FCA issued a Dear CEO letter to the CEOs of retail banks concerning the common themes noted in the FCA’s recent assessments of retail banks’ financial crime systems and controls.

What do you need to do?

The FCA continued to identify several common weaknesses in key areas of banks’ financial crime systems and control frameworks. These areas included:

  • Governance and Oversight,
  • Risk Assessments,
  • Due Diligence,
  • Transaction Monitoring, and
  • Suspicious Activity Reporting.

In several cases, these are persistent failings that have resulted in regulatory intervention such as:

  • requiring firms to appoint a skilled person to carry out a detailed review,
  • business restrictions, and
  • enforcement action.

The Senior Managers and Certification Regime (SM&CR) places a responsibility on all senior management to counter the risk that their firm might be used to further financial crime. Particular responsibility lies with those SM&CR roles holding responsibility for financial crime, including SMF 17 (Money Laundering Reporting Officer) and Prescribed Responsibility D (Financial Crime). In its supervisory work, the FCA will continue to consider whether the relevant SMF holders have carried out their responsibilities appropriately.

Set out below are some weaknesses commonly identified during firm-specific assessments.

Governance and Oversight

Three lines of defence

Firms often blur responsibilities between first-line business roles and second-line compliance roles. The FCA identified circumstances where compliance departments undertake first-line activities, for example completing all due diligence checks or all aspects of customer risk assessment. The implications of this are that first-line employees often do not own or fully understand the financial crime risk faced by the firm, impacting their ability to identify and tackle potentially suspicious activity. It also restricts the ability of compliance personnel to independently monitor and test the control framework.

Ownership of key controls

The key controls of UK regulated branches or subsidiaries of overseas firms are often determined and run by the Head Office/Group functions. The FCA found that these firms are often reliant on ready-made controls, frameworks, and products. In these circumstances, senior management of the UK branch or subsidiary is often unable to demonstrate the assurance work undertaken regarding the effectiveness of those processes or to evidence an adequate assessment of whether they fit with the UK entity’s business model and risk exposure or UK laws and regulatory requirements.

Senior Management sign-off

Sign-off by senior management in certain high-risk scenarios is mandated in the MLRs. However, firms did not always evidence this level of governance.

Business-wide risk assessment

Generally, the quality of the business-wide risk assessments (BWRAs) reviewed is poor.

Customer risk assessment (CRA)

A common issue identified through supervisory work is that CRAs are often too generic to cover the different types of risk exposure relevant to different types of relationship. For example, the FCA does not always see firms differentiate between money laundering and terrorist financing risks, or between the differing risks presented by a correspondent banking relationship as compared to a customer undertaking trade finance activity.

While firms tend to focus on the AML and sanctions risks posed by their customers, the assessment of other risks, for example, tax evasion or bribery and corruption, is often overlooked.

Customer due diligence (CDD) and Enhanced due diligence (EDD)

Frequently, CDD measures are not adequately performed or recorded. Where an expected activity has been recorded, firms do not always demonstrate that they have assessed whether actual account activity is in line with expectations or that they have undertaken appropriate investigations with the customer when it is not in line with expectations.

Some firms’ approach to EDD is weak and does not always mitigate the risks posed by the customer.

Transaction monitoring

For branches and subsidiaries of overseas firms, the FCA often sees group-led transaction monitoring solutions which have not been calibrated appropriately for the business activities and customer base of the UK regulated entity. In these circumstances, firms must test whether the system is fit for purpose for the UK entity and where it is not, either tailor the system appropriately or implement additional risk-based transaction monitoring measures.

Some firms’ transaction monitoring systems are based on arbitrary thresholds, often using ‘off-the-shelf’ calibration provided by the vendor without consideration of its applicability to the business activities, products or customers of the firm.

Suspicious Activity Reports

The FCA has noted instances where the process by which firms’ employees can raise internal SARs to the nominated officer is either unclear, not well documented or not fully understood by staff. An additional concern is that often firms are unable to adequately demonstrate their investigation, decision-making processes and rationale for either reporting or not reporting SARs to the National Crime Agency.

Firms are required to carefully consider the Dear CEO letter and take the necessary steps to gain assurance that their financial crime systems and controls match the risk profile of the firm and meet the requirements of the MLRs.

The FCA expects firms to complete a gap analysis against each of the common weaknesses outlined in its letter by 17th September 2021 and to take prompt and reasonable steps to close any gaps identified. In future engagement with firms, the FCA is likely to ask them to demonstrate the steps taken. Where it assesses firms’ actions in response to the letter to be inadequate, it will consider regulatory intervention.

How can we help you?

If you’d like to know more about how we can help you with your AML or SM&CR arrangements, or any other regulatory compliance issues, our expert team is here to help.

Contact us today on 0207 436 0630 or email info@thistleinitiatives.co.uk.