The Dear CEO Letter for Retail Banks

The Financial Conduct Authority (FCA) on the 22nd May sent a letter to unnamed members of the Retail Banking community in the UK regarding common anti-money laundering control failures. The letter is the most transparent and unequivocal warning that the FCA has issued and is a departure from the normal manner in which they communicate with the financial sector. The FCA usually identify areas of concern in their final warning notices and expect financial institutions to analyse the notice and apply the lessons learned within their organisations. In this letter they are clearly specifying the areas of concern and what actions are expected to be undertaken. Furthermore, there is a clear indication as to the consequences of not adhering to this letter, in the form of a skilled persons review or enforcement action being implemented. Whilst this letter is addressed to the retail banking community, other sectors such as investment or private banking should also take heed. The inclusion of the specific law, regulation and guidance removes any ambiguity as to what the FCA will be assessing.

The letter identifies those that have responsibility for financial crime within an institution. The key point is the emboldened use of “all” management. There are specific responsibilities for the SMF 17 MLRO and the “Senior Manager” who can be one and the same but not in every firm. Quite often in smaller firms the ‘Senior Manager’ who has the prescribed responsibility ‘D’ (overall allocation for the maintenance of effective AML systems and controls) will be a Board Member and the MLRO will report to them. The FCA are warning all 1st line of defence business leaders that they need to be engaged in this activity, which many, up to now, have considered the responsibility of the MLRO. The FCA will be measuring the Senior Manager against the FCA handbooks on Systems and Controls, Principles for Business and Code of Conduct.

In relation to the specific areas, firms should consider the following:

Guidance and Oversight – The FCA are clearly articulating that 1st line of defence has the responsibility for their client and the actions of their client. Historically, firms have dealt with AML or Fraud risk only but it is apparent that the FCA expect firms to be able to articulate the specific criminal risk that they may be exposed to. Firms will need to understand how their products may be used to facilitate different crimes e.g. human trafficking, illegal drug trafficking or organised property crime and how their control framework needs to be adjusted to counter the threat.

Large global firms will need to ensure that centralised controls may be applied in a systematic approach across the institution and will need to be calibrated, taking the UK requirements into consideration. The Senior Manager and MLRO will need to understand the design, implementation and operating effectiveness of Name Screening and Transaction monitoring systems. They must also be able to demonstrate that they have reviewed the inputs to the system, especially the completeness, accuracy and lineage of the data that is provided. It is also quite apparent that the FCA expect there to be local management sign off to confirm that UK regulations are being complied with.

Risk Assessment – this is the fundamental building block for an effective financial crime framework. Whilst most firms conduct an annual enterprise-wide risk assessment, the lack of detailed specificity in those areas that represent a higher residual risk will require additional deeper reviews to be undertaken.

Customer Risk Assessment – The methodology of how a customer risk assessment is constructed is fundamental. Firms must be able to demonstrate a clear rationale as to which components they have considered and how they have determined the risk weighting of each component. In 2022, firms will need to further factor the risk of proliferation financing into their models.

Customer Due Diligence – the main requirement is for firms to determine whether the client is acting in line with expectations. This is more than just applying transaction monitoring to the solution, but will apply to all aspects of client engagement. This will be quite challenging and will require firms to clearly understand their clients, rather than just verifying their identity periodically.

Transaction Monitoring – this is a particular concern of the FCA and UK-based MLROs will need to ensure that they understand and have approved the calibration of the transaction monitoring system. Data is also an important consideration; it will be essential to understand where it has originated and how it has been distorted within the firm.

SARs – detailed procedures and key operation documents will be required to demonstrate that appropriate investigation and decision making is recorded.

The FCA have specified what action they consider is required and a deadline of a complete gap analysis by 17th September 2021. The implication is that following a review, if any gaps are identified, firms should have high level plans in place and begin immediate remediation. There is also a clear expectation that some form of attestation will need to be made to the senior governing committee responsible for financial crime as to whether the bank's controls are meeting the appropriate legal and regulatory requirements. This is a very short timeframe for such an exercise to be completed. The FCA meet with firms on a risk-based basis, but many of the larger and more systemically important banks often engage on a monthly basis. Post September this will be on their agenda and there is a threat of regulatory action if the FCA consider that a firm has not responded appropriately.

If you wish to discuss any of the implications of this “Dear CEO letter” and what actions can be taken to meet the UK requirements, please contact a member of the Gracechurch Financial Crime Prevention team.

John Flynn
18 August 2021