Financial Services Compliance Blog - Thistle Initiatives

FCA Highlights Weaknesses in Risk Assessments: Key Takeaways from the Latest Multi-Firm Review

Written by Rohan Chakraborty | Nov 17, 2025 3:45:28 PM

The FCA’s latest multi-firm review highlights significant weaknesses in business-wide and customer risk assessments across financial services, namely building societies, platforms, custody and fund services, payments (e-money), and wealth management firms. Here’s what the FCA identified, and how firms can strengthen their frameworks to meet regulatory expectations.

The FCA recently conducted a multi-firm review focusing on firms' business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes, proposing that firms consider its findings and continue to review their risk-based approach to financial crime.

As firms work on approaching and implementing identification, assessment, mitigation, and overall management of financial crime risk, Thistle explores how these crucial findings can help firms go beyond minimum regulatory requirements and exhibit good practice to align with FCA expectations. 

Key Weaknesses Identified by the FCA 

The FCA noted several areas of concern amongst the firms reviewed, including: 

  • Lack of detail in BWRAs: The FCA observed an oversimplification of risks and failures to explain how specific risks affect the firm. 
  • Lack of quantitative analysis: In some instances, assessments were solely qualitative. 
  • Lack of supporting evidence: There was insufficient evidence to support the conclusions that a business is low risk or that controls are effective. 
  • Controls not keeping pace with growth: Business growth was outpacing the development of CRAs and controls. 
  • Limited senior oversight: There was an evident lack of documented senior management discussion, challenge, and approval of BWRAs.  

Key Learnings from the Multi-Firm Review 

The FCA also noted several examples of good practice, including:

  • Comprehensive risk assessments: These consider a range of internal and external factors, and are tailored to the business. 
  • Formal annual reviews: Formally re-assessing risks and controls, rather than simple refreshes.
  • Tracking next steps: Monitoring actions resulting from heightened residual risk, with assigned ownership to help with this. 
  • Integration of the BWRA and CRA processes: Ensure the risks identified and assessed in your BWRA are appropriately aligned with your CRA. 
  • Senior oversight: Documented challenge and approval from committees or senior management. 

What the Review Really Tells Us 

If you are looking for the multi-firm review to provide detailed insights to design your BWRA methodology around, you are going to be disappointed. As outlined above, there are snippets of 'good practice' and 'poor practice', but these lack the specificity to support firms in creating a BWRA that sufficiently supports its purpose — building a framework that mitigates your risks. It is not a regulatory task that simply needs “ticking off” the list; it is an integral tool to combat financial crime. 

There are a number of ways in which firms can conduct their BWRA, and perhaps the reason why the FCA has not provided significant detail in its feedback is to allow firms to create their own path when developing a methodology that is appropriate to their business. But, as the review and other FCA publications and fines highlight, firms are failing to conduct meaningful risk assessments that inform financial crime compliance frameworks and drive financial crime strategy. 

For many, many years, firms would list possible risk events (for example, “a criminal is onboarded and launders their proceeds of crime through the Firm”) with a likelihood score of this occurring and an impact score based on financial loss. These assessments often lacked detail specific to the firm and lacked evidence to appropriately assess the actual risk of materialisation. 

In more recent years, the rise of data has been prolific in enhancing firms’ fight against financial crime, to better inform their identification and assessment of inherent risks. However, we are also seeing firms gather data against a large number of Key Risk Indicators (KRIs) but then fail to consider how these KRIs reflect on risks materialising. 

In short, data-driven BWRAs are the expectation, but firms must not allow this to distract from assessing the actual risks they seek to mitigate. There is still a place in a BWRA for the more traditional likelihood vs impact methodology, with quantitative data evidencing how risks might occur. 

What Firms Should Do Now 

Prior to conducting their next BWRA, firms should re-evaluate their methodology and ensure it produces purposeful results that drive an assessment of risks specific to their business, and ensure controls are appropriately designed based on their risk profile. 

Firms should ask themselves: 

  1. Have we identified all potential risks that might occur based on our business model? 
  2. Have we appropriately segregated money laundering, terrorist financing, and proliferation financing risks, given the very different activity (i.e. large sums vs small sums) bad actors would use to facilitate each financial crime through a firm?
  3. Do we have sufficiently robust data to help inform the likelihood of risks materialising? 
  4. Are we utilising our financial crime monitoring and testing, and internal audit reviews, to assess the effectiveness of our controls to ensure our residual risk is accurate?
  5. Have the results of our BWRA informed the design of our control framework? 

How Thistle Initiatives Can Help 

At Thistle Initiatives, we help firms stay ahead of regulatory change by strengthening their risk and compliance frameworks, offering tailored support that’s practical, proportionate, and effective. 

If you’d like to discuss how we can support your firm in developing a robust BWRA, get in touch with michael.knight-robson@thistleinitiatives.co.uk or call 020 7436 0630 to speak with our team.

Meet the Experts

Rohan Chakraborty, Senior Consultant 

Leveraging his experience as a risk advisory consultant providing regulatory and legal support for banks, PSPs and EMIs, Rohan joined Thistle Initiatives in 2023 as part of its Payment Services team.

He is excited to work alongside a talented team of payment experts to continue guiding clients in meeting their regulatory obligations.

Michael Knight-Robson, Financial Crime Partner  

Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.