The Financial Conduct Authority (FCA) has issued a letter (dated 21st May 2021) to CEOs of retail banking firms, which highlights a series of concerns the Supervisory Authority has observed whilst conducting assessments of firms’ financial crime systems and controls. In the letter, the UK’s Supervisory Authority requests that Senior Management of retail banking firms undertake a gap analysis to gain assurance that their financial crime systems and controls are proportionate and adequate to their risk profile and remain compliant with the Money Laundering Regulations (MLRs). The letter reminds firms of the SMF17’s responsibilities under the Senior Managers and Certification Regime, and instructs firms to conduct a risk assessment by the 17th of September 2021, taking prompt and reasonable steps to address any gaps or weaknesses identified.
Whilst the requirement to identify, assess and manage financial crime risk is not new for firms, and is specifically covered under several provisions including SYSC 6.3 and the JMLSG guidance, this is the first time we are aware of an FCA communication asking firms to undertake a gap analysis by a set deadline. Once gaps have been identified, firms have been requested to share the findings within the firm and deploy a plan to address and remediate them. This will be a key area of supervisory focus, and all firms will need to address the FCA’s concerns by evidencing robust assessment, governance, and the ability to implement changes to the control environment as informed by the gap analysis. Furthermore, evidence of these actions will be requested by the Supervisory Authority in future reviews, and where that evidence is considered unsatisfactory, regulatory intervention might be imposed to manage the financial crime risk posed by the bank.
The letter references the following key areas of concern where significant and common deficiencies have been noted. We have included a sample of controls under each theme as a guide; however, this should not be treated as an exhaustive list:
Governance & Oversight
3 Lines of Defence (3LOD)
- Ownership and accountability of money laundering and financial crime risks faced by the first line of defence.
- Documented and unambiguous descriptions of roles and responsibilities, with clear segregation of duties between operational management and compliance functions, in order to prevent the second line of defence from undertaking activities (such as the completion of customer due diligence and customer risk assessments) that should be owned by the first line of defence.
- Dedicated and tailored AML training deployed to raise first line’s awareness of specific money laundering risks and identification of suspicious activities.
- Awareness by Compliance staff of their independence when conducting monitoring and independent testing.
- Clear governance structure with assigned roles and responsibilities, and robust MI for the oversight of risk appetite thresholds.
Ownership of key controls
- Robust controls for the management of the policy framework ensuring traceability from laws, regulations and guidance into policy and standards.
- Systems and controls must be tailored and bespoke to the firm’s business activities and in alignment with the financial crime risk exposure posed by the firm, branches and/or subsidiaries.
Senior Management sign-off
- Formal and documented evidence of the first line of defence’s assessments, with robust rationales for customer approval at on-boarding and at periodic review.
- Formal and documented evidence of Senior Management approval for all high-risk customer applications. Firms should demonstrate that such matters are formally discussed in a governance committee responsible for decision making on customer approvals, or on any matter potentially associated with AML/financial crime escalation issues at onboarding and at periodic review.
Business-wide risk assessment (BWRA)
- Formal evidence of a structured Business-wide Risk Assessment methodology comprising a holistic view of the firm’s key financial crime risk exposure, documented inherent risks, a formal assessment of the mitigating controls, and the resulting residual risk once the effectiveness of internal controls has been evaluated.
- Documented evidence of assessment outcomes and action plans tracked at appropriate governance forums with supporting MI.
- Evidence of robust plans for the performance of an annual assessment with supporting resources to deliver the plan.
Customer Risk Assessment (CRA)
- Documented Customer Risk Assessment methodology that considers different types of risk exposure applicable to different types of business relationships.
- Evident distinction between the different financial crime risks presented e.g. money laundering vs. terrorist financing vs. sanctions.
- Special attention to risks associated with Tax Evasion and Anti-Bribery and Corruption (ABC).
- Strong rationales for each specific risk rating, with supporting documentation recording the key risks and the scoring logic used to assess the aggregate inherent risk profile of individual customers.
- Periodic Review (PR), recalibration and validation of the Customer Risk Assessment methodology to ensure it is meeting regulatory requirements and identifying high risk relationships appropriately.
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
- Clear and established procedures for the performance of Customer Due Diligence (CDD) throughout the customer lifecycle, including the scenarios in which Enhanced Due Diligence (EDD) is required, and the ability to understand and evidence knowledge of the customer and of the intended nature and purpose of the business relationship.
- Customer relationships closely monitored to confirm or amend expected account activity, with evidence of appropriate investigation performed where customer activity is not in line with the recorded expectations.
- Robust approach to EDD measures for Politically Exposed Persons (PEP), with documentary evidence of Source of Wealth (SoW) and Source of Funds (SoF). Firms must ensure that the terminology for SoW and SoF is clear to avoid confusion between these separate requirements. Furthermore, firms must have enhanced controls to assess the level of risk associated with a PEP and tailor the level of due diligence applicable on a Risk Based Approach (RBA).
- Customer Risk Assessment (CRA) methodology applied for consistent assessment of the customer and associated controls required.
- Triggers for Periodic Review (PR) and Event Driven Review (EDR) documented and aligned to procedures.
Transaction Monitoring (TM)
- Documented Transaction Monitoring procedures and scenarios to ensure thresholds and limits allow for the identification of unusual or suspicious transactions, clear escalation channels for UARs, and the ability to trigger additional monitoring or a review of the customer, such as Enhanced Transaction Monitoring or an EDR.
- A library of Transaction Monitoring risk typologies including red flags and threshold calibration that is maintained on an on-going basis.
- Transaction Monitoring Systems appropriately calibrated and tailored to the business activities, products, customers and geographic location of the firm and associated entities.
- Enhanced technical training for control owners or personnel accountable for operating the Transaction Monitoring Systems. Firms must assess the operational effectiveness of these controls and validate the adequacy, accuracy, completeness, and integrity of the data collected for such purposes.
- Documented evidence to support the rationales for discounting alerts generated by Transaction Monitoring systems, with robust and reasonable explanations for disregarding transaction alerts that exceed the customer’s expected transactional activity.
Suspicious Activity Reporting (SARs)
- Documented SAR policy which includes the definition of “grounds for suspicion”, the procedures and controls in place for Unusual Activity Reports (UARs), how these are managed, prioritised and investigated, and clear guidance for the submission of a SAR and/or Sanctions Reporting.
- Procedures which manage the onward instruction to exit a customer relationship, taking into account the risk of tipping off and any permissions required to pay away funds.
- Documented evidence to demonstrate that an investigation has been undertaken for SARs, with supporting rationales to justify the decision to report, or not to report, to the National Crime Agency.
To mitigate supervisory concerns and demonstrate robust systems and controls, the following actions should be undertaken by firms:
- Conduct a comprehensive gap analysis against UK laws, regulations, and regulatory guidance, including an assessment of compliance with policy and risk appetite on the aforementioned key areas.
- Socialise within the firm the findings and/or areas for enhancement in the firm’s financial crime systems and controls identified through the gap analysis review.
- Develop and implement a plan of action with clear ownership, roles and responsibilities, timelines, and robust governance for monitoring the execution of the plan. To demonstrate that those findings have been remediated, agree a method of assessment such as support from Financial Crime Assurance and/or Internal Audit.
- Document clear evidence to demonstrate that the above steps have been undertaken by the firm, which must be available for future reviews.
Our team of highly experienced financial crime specialists has developed a Gap Analysis Template encompassing the above areas of concern, to assist firms in achieving these objectives in an efficient manner and in providing assurance to senior management as to the effectiveness of the firm’s control framework. Our Gap Analysis Template is flexible and can be tailored for each firm in line with its risk appetite and specific policy requirements. We can support firms in the adoption of the template, or indeed provide dedicated experienced support to conduct the assessment on their behalf.
To monitor and ensure compliance with laws, regulations and guidance, we offer Plenitude RegSight, our cloud-based obligations register which catalogues all UK Financial Crime related obligations. This subscription-based service allows firms to easily identify and assess policy compliance within their Policy Framework via the self-assessment tool and keep up to date on new regulations through our monthly horizon scanning service. Plenitude RegSight is the simplest and most effective way to manage Financial Crime Compliance obligations and Policy Framework, providing ongoing assurance in a world of ever-increasing regulation and heightened regulatory scrutiny.
If you would like to discuss how this letter affects your firm, or need help in responding to the request, please reach out to our team at email@example.com.