FCA Issues Warning to CEOs to Improve Anti-Money Laundering Controls
The FCA have issued a stark warning to the industry with its latest in a series of publications regarding money laundering control failings. On 5 March 2024, the Financial Conduct Authority (FCA) issued a letter to CEOs of ‘Annex 1’ financial institution firms, highlighting weaknesses in their financial crime reduction policies and procedures. The FCA has also instructed these otherwise unregulated firms to adopt certain standards to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). Firms have 6 months to undertake a gap analysis of their financial crime controls, and firms have been put on notice to expect an increasingly proactive regulator in this space.
KEY TAKEAWAYS
The Dear CEO letter serves as a reminder to firms of the increasing weight and focus the FCA place on financial crime prevention. The FCA will continue to strengthen their supervision and we can expect punishment for non-compliance to become more common and stringent. This should come as no surprise to the industry, given the UK’s recent Economic Crime Plan (2023 – 2026) and clear objectives to tackle money laundering. The FCA’s 2022 – 2025 Strategy follows this national imperative, stating “the importance of financial services in global economic activity” , further underlined by the FCA’s February 2024 publication with four focus areas and the FCA’s 2024/25 Business Plan Commitment 1: reducing and preventing financial crime; all of which point to greater FCA supervisory and enforcement activity in this space.
Firms should prioritise the gap analysis exercise and address any failings identified. They should ensure appropriate individuals, within senior management, complete a comprehensive, targeted analysis of anti-money laundering controls, and document evidence of actions taken to address failings and the implementation of remedial action. Ongoing horizon scanning and continuing to review further FCA publications and guidance is a must, to ensure firms are keeping track of and responding to future FCA money laundering activity, which is undoubtedly to follow throughout 2024 and beyond.
The common failings and necessary improvements steps are discussed in turn below.
Business Model
The FCA noted discrepancies in regards to some firms’ activities, with some firms failing to notify the FCA about a change in the activities they reported to undertake versus the activities actually undertaken.
Firms are responsible for notifying the FCA of any change to business details within 30 days, beginning with the date of the change or the discovery of information inaccuracy. This includes informing the FCA of a change to core business details, such as the registered business address or the substantive Annex 1 specified activities undertaken.
It is the responsibility of senior managers to consider the size and nature of firms’ businesses when assessing and implementing policies and procedures, to ensure that these are appropriate for the business, at all times. The FCA noted that where firms had experienced significant growth, firms had not enhanced their financial crime policies and procedures accordingly. Related failures identified include: a lack of financial crime training for employees, lack of engagement from senior management and lack of senior management involvement in operational activities to oversee compliance.
The result is inadequate financial crime frameworks which fail to mitigate the risk of financial crime.
Risk Assessments
The FCA highlighted certain firms fail to maintain sufficiently detailed Business Wide Risk Assessments (BWRA), and in some cases there was a complete absence of such assessments. This is despite the requirement under the MLRs to identify and assess the money laundering, terrorist financing and proliferation financing risks. Considerations in a BWRA include: the geographic areas in which the business operates, the products/services dealt with by the business and delivery channels with which the business engages.
Detailed BWRA allow firms to have clear oversight of the potential financial crime risks to which they are exposed as well as being able to design, implement and critique controls to mitigate those risks specific to their business.
Additionally, some firms assigned a level of money laundering risk to a group of customers instead of tailoring Customer Risk Assessments (CRA) towards individual customer characteristics. Tailoring CRAs allows firms to identify the specific risk level of the customer, reflecting BWRAs, and to then apply the proportionate level of customer due diligence. Customer risk considerations include the nature of the business relationship and the jurisdiction in which the customer operates in.
Due Diligence, Ongoing Monitoring and Policies and Procedures
The FCA found firms to lack sufficient detail in CDD policies and procedures. Failings in this regard included:
- out of date policies which risks non-compliance with current legal and regulatory standards;
- ambiguity surrounding the actions required by employees to ensure compliance;
- inadequate customer due diligence measures being undertaken. In particular, there was evidence of simplified customer due diligence being undertaken where enhanced due diligence measures are be required by policy; and
- for ongoing monitoring policies and procedures, a lack of clarity resulting in what monitoring was taking place and how it was achieved (also related to the quality of suspicious activity report policies).
Appropriate and effective due diligence measures both at the onboarding stage and on an ongoing basis are crucial as a preventative measure to assist firms avoid engaging in money laundering schemes. This is a key requirement of the MLRs, designed to maintain the integrity and reputation of the UK financial markets.
Governance, Management Responsibility and Training
It is the responsibility of senior management to govern financial crime risks, engage in firms’ responses and audit the adequacy and effectiveness of any such controls and procedures. The FCA’s assessments identified a lack of resources for Financial Crime, inadequate training and an absence of a clear audit trail for Financial Crime related decision-making.
For example, financial crime was being considered on an exceptional basis as opposed to treating the risk of financial crime with the same weight as other risks posed to the business. If appropriate depending on the size and nature of the business, firms should appoint a director or member of senior management to be responsible for MLR compliance.
On demand, firms must be able to present an audit trail of those policies and procedures implemented to address any gaps, in addition toas maintaining a clear audit trail to evidence the decision-making process where financial crime is concerned.