FCA sends Dear CEO letter to firms in warning over money laundering failings

06/03/2024

The Financial Conduct Authority (“FCA”) has sent a Dear CEO letter (the “Letter”) to Annex 1 Firms warning them about common failings found in their ability to prevent money laundering, terrorist financing and proliferation financing (hereafter “Financial Crime”). This forms part of the FCA’s enhanced monitoring of Annex 1 Firms in relation to their Financial Crime controls and its increasingly proactive approach in enforcing its regulatory expectations.

The FCA is asking Annex 1 Firms to carry out a gap analysis against the failings it has identified in the market, and to take immediate steps to close any identified gaps, with the implication being that the FCA will carry out further reviews to assess how firms have performed in this regard.

Annex 1 Firms are therefore expected to carry out an audit of their Financial Crime controls, to ensure that they are relevant to their business, appropriately correlated to the risks the business faces and suitably comprehensive and embedded – with the likelihood of regulatory consequences if this cannot be evidenced.

Who is this relevant to?

The definition of ‘Annex 1 Firms’ under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the “MLRs”) covers a wide range of business types, including lending, financial leasing and payment services firms, which are not authorised persons for the purposes of the Financial Services and Markets Act 2000 (for example, a lender that does not carry out consumer credit activities would be an Annex 1 Firm).

Whilst not authorised under the UK financial services regime, such firms are registered and supervised by the FCA for compliance with the MLRs – giving the FCA substantive powers to take action if it believes a firm is not complying with the MLRs.

What concerns has the FCA raised?

The FCA has carried out a review of Annex 1 Firms’ Financial Crime policies, controls and procedures, and found a number of common weaknesses in crucial areas:

Business Model

  • Discrepancies between Annex 1 Firms’ registered and actual activities

The FCA found discrepancies between the activities Annex 1 Firms told it they would undertake when they registered and the activities they were found to undertake during the assessment – meaning the FCA was not being given adequate visibility of a firm’s risk profile, hampering its ability to adequately supervise the firm.

  • Lack of Financial Crime controls to keep pace with business growth

The Letter reminds firms that senior managers must consider the size and nature of their firm’s business when assessing and implementing controls, policies and procedures, ensuring that they remain appropriate as the business grows. The FCA raised concerns that some Annex 1 Firms had failed to adequately resource their Financial Crime teams in light of their growth, leading to capacity issues in the practical application of controls.

Risk Assessment

  • Weaknesses in Business Wide Risk Assessments (“BWRA”)

BWRAs were found to be absent or of poor quality, lacking in detail and clarity in their methodology. The FCA expects BWRAs to identify and assess the Financial Crime to which the firm is exposed in light of its customers, the geographical areas it operates in, its products/services, delivery channels and transactions – with a failure to do so meaning Annex 1 Firms are unable to utilise their resources to focus on the areas posing the greatest Financial Crime risk to their business.

  • Weaknesses in Customer Risk Assessments (“CRA”)

CRAs failed to be tailored to customers’ characteristics. In many instances no assessment of the Financial Crime risk that an individual customer posed was carried out and so there was an improper assessment of the level of customer due diligence (“CDD”) required to mitigate that risk. Annex 1 Firms must review their CRAs to ensure compliance with the MLRs, taking a holistic view of the Financial Crime risk associated with individual customers, considering all factors and applying the correct level of CDD.

Due diligence, Ongoing Monitoring and Policies and Procedures

  • Lack of detail and confusion for staff who are required to comply with MLR obligations

The FCA found that policies and procedures lacked detail on: the level of due diligence to be applied; ongoing monitoring of customers; and procedures for investigating and recording suspicious activity reports (“SARs”). Policies were vague, out of date and ran the risk of non-compliance with the MLRs. This resulted in inadequate CDD policies and ambiguity over the level of CDD required, particularly evident at onboarding. Policies and procedures must be reviewed regularly and provide appropriate guidance to staff on complying with the MLRs; this should include information on CDD and when a particular level should be applied.

Governance, Management Information and Training

  • Lack of resource for Financial Crime teams and inadequate Financial Crime training

The FCA found that many Financial Crime teams were not adequately resourced and lacked appropriate oversight from senior management. Training given to staff was not role-specific or given the importance it demands. The FCA expects senior management to take clear responsibility for management of Financial Crime risk, including taking appropriate measures to ensure staff are regularly trained on crucial areas to ensure Financial Crime awareness, such as SAR reporting.

  • No audit trails in respect of Financial Crime decision-making

The FCA found weaknesses in Annex 1 Firms’ governance and management information relating to record keeping for Financial Crime decisions, including a failure to document how they have responded to risks or the rationale for decisions. The FCA expects senior management to be actively involved in their firm’s approach to Financial Crime and Annex 1 Firms would be expected to appoint one member of their Board or senior management to be responsible for compliance with the MLRs.

These represent significant gaps against some of the key requirements under the MLRs which, along with the fact an industry letter has been sent, emphasise the significance the FCA is placing on these issues.

What next?

Annex 1 Firms are expected to undertake assurance work to ensure that their Financial Crime frameworks are commensurate with their risk profiles and meet the requirements imposed by the MLRs. As part of this, the FCA expects Annex 1 Firms to carry out a gap analysis against the common weaknesses outlined above within six (6) months, taking prompt and reasonable steps to address the gaps identified.

The FCA has warned that it is likely to request details of these assurance projects in due course (including methodologies and details of outcomes). If these cannot be provided or do not meet regulatory expectations, the FCA will consider regulatory intervention, such as third party reviews, as well as enforcement action that could result in fines and/or the removal of a firm’s registration.

How can we help?

We are experienced in helping Annex 1 Firms with establishing their Financial Crime frameworks, including carrying out gap analyses of existing practices. If you would like to discuss the expectations around the FCA’s gap analysis request, or would like to explore how to complete the project, please do not hesitate to contact us.

Additionally, CMS can assist with a wider range of remedial actions, including:

  • Drafting or updates to policies and procedures to ensure compliance with the MLRs and other legislation;
  • Delivering training to staff, including at board and senior manager level; and
  • Implementation of systems and controls to mitigate Financial Crime risk.

Please contact us if you would like assistance with your Financial Crime obligations.