Lessons to be learnt from the FCA’s recent Financial Crime control review
The FCA’s Financial Crime control review
On 22 April 2022, the FCA published its most recent review of financial crime controls, observed as part of a thematic review of several challenger banks. Following its review, the FCA made eight observations regarding weaknesses in controls and identified three areas of good practice that firms can learn from. The FCA’s review was undertaken with six challenger retail banks serving over eight million customers and offering similar products and services to traditional retail banks, meaning that e-money issuers and payment service providers were excluded from its scope.
Although the thematic review was concerned with challenger banks in particular, the FCA’s findings were consistent with the gaps we often identify when auditing all types of firms, from start-ups in the payments space to large established investment brokers. The various risks that firms can be vulnerable to if the appropriate controls are not implemented can cause detriment to not only the firm, but also to its customer base, and if significant enough, to the industry.
Below is my analysis of the FCA’s observations and what you should be considering as part of your next compliance framework review.
Customer Risk Assessments (CRAs), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD)
Without an effective customer risk assessment in place, a firm cannot understand a potential or current customer’s overall risk, and so cannot apply the relevant due diligence measures (for example, a potential or current customer who is high risk and should be subjected to EDD measures may be incorrectly assigned a low/medium risk, and as such only be required to pass CDD). Additionally, due diligence practices that omit key information, i.e., why the customer wishes to use the firm’s services, or the customer’s income and occupation details to confirm their source of funds, also prevent the firm from building a profile of the customer and understanding that customer’s risk in its entirety.
A firm should have an adequate risk assessment framework in place, whereby the Business Risk Assessment (BRA) informs the Customer Risk Assessment and vice versa. Customer due diligence should be dynamic throughout the business relationship, using the information available to constantly analyse the customer base.
Financial Crime compliance frameworks
Implementing and properly managing a financial crime compliance framework is a key contributing factor to mitigating not only real, but also emerging risks – including any risks presented following a change to business model/growth in activities or customer base. Such frameworks should reflect the firm’s aims, captured in a project plan. The project plan should be continuously reviewed by senior management to ensure that the firm is on target and meeting all deadlines.
The firm’s systems and controls must be proportionate, implemented on a risk-based approach, and dynamic enough to grow and develop as the firm does.
Transaction monitoring
The monitoring of customer transactions remains a vital part of AML/CTF as it allows firms to understand their customers and what ‘typical’ customer activity should look like. This will in turn allow firms to identify and stop suspicious activity. Transaction monitoring should incorporate a risk-based approach and can be either manual or automated. Should an automated approach be taken, firms must ensure that there are parameters and typologies assigned in the system and that techniques are in place to both prevent and detect unusual activity and patterns that may constitute money laundering or terrorist financing. If the system generates alerts, the alerts should be reviewed in their entirety and in a timely manner; firms should have adequate rationales for discounting alerts; and sufficient information should be recorded when investigating transactions.
Documenting these rationales is key and procedures must be detailed and kept up to date.
Suspicious Activity Reports
When submitting SARs, firms must ensure that they have included adequate information in the report, i.e., the reason(s) for determining that the transaction is suspicious and the circumstances that gave rise to a suspicion of money laundering.
Firms must also ensure that, after submitting a DAML SAR to the NCA and while waiting for the NCA’s response, the appropriate time has elapsed before continuing with a transaction.
Principle 11 Notification
In compliance with the FCA’s Principle 11 requirement, firms must ensure that any significant weaknesses in the financial crime prevention framework are reported to the FCA.
What should firms do to meet the FCA’s requirements?
Firms must therefore ensure that they continuously assess their financial crime risks and evaluate the relevant controls in place to mitigate these. Firms must adapt their controls to the growth of their customer base and to the expansion of their business activity.
Anti-money laundering, counter-terrorism financing and sanctions practices continue to be regarded as key priorities in financial crime detection and prevention, and firms must undertake these practices to ensure that their internal processes are effective in preventing financial crime from being executed within their business.
How can we help you?
We can aid with ensuring that your firm has implemented controls that are appropriate, fit for purpose and relevant to the firm’s business activities. This will enable your firm’s internal practices to be reflective of good practice and meet the FCA’s expectations. Whether it be a focused AML audit, financial crime compliance, advice on control implementation, or a review of the firm’s risk management framework – we can help you take comfort that your controls are up to the FCA’s expectations.
If you’d like to know more about how we can help meet your requirements or any other aspect of FCA compliance, our expert team is here to help.
Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.