Action required: The FCA highlights common anti-money laundering weaknesses in retail banking

In May, the FCA made it clear that they expected to see a huge improvement in firms’ financial crime systems and controls. David Geale wrote to all CEOs of retail banks carrying on business in the UK. The letter highlighted common control failings identified in anti-money laundering (“AML”) frameworks. Within the letter, the Director of the FCA’s Retail Banking and Payments Supervision expressed the Regulator’s disappointment in continually finding the same weaknesses in key areas of firms’ financial crime systems and controls, including:

This letter was much blunter than others. It reminded Senior Management of their responsibility “to counter the risk that their firm might be used to further financial crime.” Specifically, the FCA calls out the Senior Manager Function (“SMF”) 17 as holding responsibility for financial crime.

Additionally, the FCA required all retail banks to complete a gap analysis against the weaknesses outlined below by 17th September 2021, to ensure they are meeting regulatory expectations. If gaps are identified, the FCA expects firms to act swiftly to remediate any gaps found. Although the FCA states a response to the letter is not required, the Regulator notes it is likely to request evidence of the gap analysis in any future engagement, such as a regulatory visit.

Whilst the FCA’s letter was specifically targeted at retail banks, a number of the weaknesses identified are prevalent in all firms. Therefore, although they are not under the requirement to complete a gap analysis by 17th September, other firms should take note of the FCA’s expectations and use this as an opportunity to mark themselves against these.

Findings

The FCA highlighted a number of areas in which recent regulatory visits and s166 reviews have identified failings across multiple firms. The FCA Financial Crime Guide provides a number of “examples of poor practice” across firms’ AML frameworks, and therefore the majority of the weaknesses are not new. This is likely why the FCA has used the term “disappointing”, indicating their exasperation at the failure to address these issues.

Governance and Oversight

  • Blurring of the three lines of defence, with the second line of defence (Compliance) completing a number of first line activities, such as customer due diligence on-boarding. This consequently leads to front line staff not owning or fully understanding the firm’s money laundering risks, which impacts their ability to identify unusual or suspicious activity. Further, it restricts Compliance’s role in monitoring and providing assurance on the framework.
  • An over-reliance on Head Office/Group controls, leading to a “one size fits all” approach for key controls such as transaction monitoring and sanctions screening. This leads to controls not being fit for purpose or aligned to UK branches’/subsidiaries’ money laundering risk.
  • Insufficient governance structures for certain regulatory required high risk approvals, as well as not meeting “good practice” such as having committees responsible for key financial crime decisions and escalations.

Business-Wide Risk Assessment (“BWRA”)

  • The quality of firms’ BWRAs was found to be “poor”. In particular, a number of firms fail to adequately identify and/or assess all inherent money laundering risks to which they are exposed.
  • Firms also fail to appropriately assess the effectiveness of the controls in place to mitigate the identified risks, which leads to firms being unable to truly understand the residual risk. Notably, both this and the identification of inherent risks are specifically covered in the Wolfsberg Group’s 2015 Risk Assessment FAQs, and therefore are not new expectations.
  • For UK branches and/or subsidiaries of overseas firms, BWRAs had not been adapted to cover the specific risks of the local UK business and instead placed an overreliance on the risk assessment conducted by the Head Office.

Customer Risk Assessment (“CRA”)

  • CRAs were deemed to be too generic to appropriately assess the various risks firms were exposed to, such as not distinguishing between money laundering and terrorist financing, the latter being a significant inherent risk for retail banks.
  • Limited detail and significant discrepancies were identified in the rationale recorded by firms when assessing the risk of a customer. This is compounded by a number of firms not having a documented CRA methodology to illustrate how inherent customer risks are assessed.
  • Interestingly, the FCA also highlighted that the majority of firms overlooked other financial crimes in their CRA, such as tax evasion and bribery and corruption, both predicate offences of money laundering.

Due Diligence

  • The purpose and intended nature of a business relationship continues to be often overlooked by firms when on-boarding a new customer, as does updating this information when conducting a KYC periodic review. Further, when firms have recorded expected account activity, they are failing to adequately document their assessment of whether actual account activity is in line with expectations.
  • Enhanced due diligence (“EDD”) was also found to be inadequate across some firms, with a particular focus on insufficient due diligence conducted on politically exposed persons (“PEPs”). This included:
    • No risk-based approach to the due diligence in line with the Regulations and FCA Guidance;
    • Limited assessment of the PEP’s source of wealth (“SOW”) and source of funds (“SOF”); and
    • A misunderstanding of the differences between SOW and SOF.
  • Lastly, many firms failed to understand and assess higher risk customers’ SOW and SOF, which, although not a regulatory requirement, has been a regulatory expectation for some time.

Transaction Monitoring

  • Firms are still using “off-the-shelf” solutions, utilising scenarios, rules and thresholds which are not proportionate to the Firm’s size, business model, products and customers.
  • For UK branches and/or subsidiaries of overseas firms, there is an overreliance on Group-led systems, which have not been sufficiently calibrated to the transaction profile of the UK entity.
  • Some firms lack the necessary understanding of the technical set up of their transaction monitoring systems, and fail to conduct a regular assessment as to whether the system is working effectively, and whether data feeds and data integrity are appropriate.
  • When discounting transaction monitoring alerts, firms struggle to demonstrate sufficient investigation of the transaction and provide only limited rationale explaining why the transaction is not unusual or suspicious.

Suspicious Activity Reports (“SARs”)

  • Insufficient and ineffective SAR guidance was identified by the FCA in a large number of firms, meaning internal SARs raised by staff members were unclear and lacked detail. Further, firms generally did not adequately document the reason and rationale for reporting or not reporting a SAR to the National Crime Agency.

Reoccurrence of failings

The failings identified through FCA visits and Skilled Person reviews are not new. So, why do firms continually struggle to meet the expectations of the Regulator? With the FCA, the Joint Money Laundering Steering Group (“JMLSG”), the Wolfsberg Group and others, all providing various guidance, it should be straightforward. But in reality, it is far from it.

During the last 18 months of uncertainty, firms could be forgiven for prioritising other matters over AML controls, and with an economic downturn, criminals find new ways to attempt to damage the UK’s financial services integrity, leading to risks continually evolving. Add in the requirement that firms are not permitted to take a ‘one size fits all’ approach to their AML frameworks despite industry guidance being created for the masses, and keeping up with regulatory expectations is challenging. Therefore, this latest communication from the Regulator should be used by firms’ senior management as an opportunity to understand further what the FCA expects from their AML framework, and conduct a thorough and honest self-evaluation, before further action is taken by the Regulator, which would only lead to the ever-increasing cost of Compliance.

How can we help?

BDO has long been a trusted partner of the FCA, having conducted circa a third of financial crime Skilled Person reports in recent years; allowing us to understand in detail the challenges firms face when trying to meet the FCA’s expectations. BDO has supported a number of firms in uplifting and remediating AML frameworks through:

  • Conducting a detailed gap analysis of a design framework against regulatory requirements, industry guidance and good practice.
  • Developing quantitative and qualitative business-wide risk assessments which identify and assess money laundering risks to help inform a firm’s AML framework.
  • Enhancing policies and procedures, to not only meet the standards outlined above, but also which are proportionate to the firm’s size, business model and risk profile.
  • Re-engineering a target operating model, which meets the FCA’s expectations in the first line owning and understanding the money laundering risk and allowing Compliance to conduct ongoing monitoring and quality assurance, as well as enhance efficiency and effectiveness.
  • Creating a robust governance structure which gives senior management the appropriate oversight of the firm’s financial crime risks and issues.
  • Remediating customer KYC populations to the standards necessary to combat money laundering.
  • Supporting firms in implementing and fine-tuning transaction monitoring and screening systems which are in line with the firm’s business activities, products and customers.
  • Delivering training to first line, second line and third line of defence to effectively manage their AML responsibilities.

If you have any queries relating to the information above or would like to have an initial conversation with us, please get in touch with our team, or speak to Fiona Raistrick or Michael Knight-Robson.
