Deadline approaches for retail firms to perform gap analysis of weaknesses identified in May 'Dear CEO' letter

Viewpoints
September 1, 2021

Firms regulated by the FCA are required to implement systems and controls to mitigate financial crime risks. In May 2021, the FCA issued a ‘Dear CEO’ letter directed at the retail banking sector, highlighting a number of shortcomings identified in relevant firms’ anti-money laundering frameworks. Relevant firms are expected to conduct a gap analysis by 17 September 2021 to determine whether their systems and controls present any of the weaknesses identified by the FCA.

The FCA concluded that while it saw some examples of good practice, overall it was “disappointed to continue to identify, across some firms, several common weaknesses in key areas of firms’ financial crime systems and control frameworks” across certain areas (summarised below).

Governance and oversight

Under FCA systems and controls requirements, firms should implement a ‘three lines of defence’ model, namely ensuring that business roles (first line), compliance roles (second line) and internal audit roles (third line) are distinct and have separate, defined responsibilities. Senior management should appropriately oversee risks and controls, and controls should be tailored to mitigate individual risks.

The FCA highlighted that firms often did not follow the three lines of defence model correctly. It found that there was a blurring of responsibilities between first line and second line roles, with circumstances being identified where compliance departments were undertaking first line activities such as completing due diligence checks or aspects of customer risk assessment. This heightens risk, as it makes it difficult for compliance to independently monitor these controls.

Attention was also given to firms operating UK-based subsidiaries where key controls remained the responsibility of the Head Office. Although ownership at the head office level can be acceptable when done well, the FCA found that firms were unable to demonstrate how centralised policies and processes at head office were adequate for the firm’s UK business model and risk exposure or UK laws and regulatory requirements.

Finally, in some instances, firms did not have governance processes for senior management to review and sign off on higher risk scenarios.

Business-wide risk assessment (BWRA)

A critical step to mitigate financial crime risks is a comprehensive BWRA to help firms understand their risk exposure, set risk appetite, and inform the design of mitigating controls.

According to the FCA, the quality of BWRAs was generally poor, and in some instances there was insufficient detail on the financial crime risks to which the business was exposed.

Customer risk assessment (CRA)

Firms should ensure that the assessment of compliance risks such as tax evasion or bribery and corruption is not overlooked by focusing only on the AML and sanctions risk posed by customers. All customers should be appropriately assessed on a risk basis, with a holistic approach adopted to ensure that compliance risk is fully understood and appropriately mitigated.

The FCA identified that CRAs are often too generic. Examples included firms that did not differentiate between money laundering and terrorist financing risks, or between the different risks presented by a correspondent banking relationship compared with a customer undertaking trade finance activity.

Due Diligence

Firms should ensure that appropriate procedures are in place to collect and accurately record customer due diligence (CDD). Further, the use of CDD information should not stop at the onboarding stage; procedures should be in place to enable ongoing monitoring, to ensure that customer activity aligns with the CDD information collected.

Failure to accurately record and act on CDD information was a key shortcoming identified in the FCA report. The FCA noted that often, once CDD information is recorded, firms do not always demonstrate that the customer activity is in line with the activity expected, or that appropriate investigations have been undertaken with the customer when it is not in line with expectations.

In relation to Enhanced Due Diligence (EDD) the FCA found that some firms’ approaches are weak and insufficient to mitigate the risks posed, for example, where a politically exposed person (PEP) has been identified but there is no adequate assessment of the source of wealth (SOW) and source of funds (SOF). The FCA’s recommended approach to mitigate PEP risk can be found here.

Transaction Monitoring and Suspicious Activity Reports (SARs)

Firms operating in multiple jurisdictions should ensure that their transaction monitoring processes are sufficiently tailored to meet UK regulatory obligations. Firms should also take steps to ensure, including by way of procedures and training, that the process and obligation to submit SARs are communicated to staff.

A common failure in transaction monitoring for branches and subsidiaries was ‘group-led’ transaction monitoring that had not been calibrated appropriately to reflect the firm’s UK activities and customer base. The FCA noted that the transaction monitoring systems of some firms were based on an arbitrary ‘off-the-shelf’ calibration. Firms need to be able to demonstrate how the thresholds relate to the levels of expected activity of specific customers.

It also identified instances where firms failed to assess alerted transactional activity against the established customer profile to validate the source of funds for high-value transactions.

In order for transaction monitoring to be effective, firms need to demonstrate that the systems are adequate to identify risk for the activities of their customers and understand how to appropriately investigate any risks that are identified.

With respect to SARs, although most firms had a SAR reporting process in place, it appeared that this was sometimes not fully understood by staff. Additionally, firms were unable to adequately demonstrate their investigation and decision-making processes and rationale for either reporting or not reporting SARs to the National Crime Agency (NCA). To mitigate this risk, firms should ensure that employees understand their obligations in relation to SARs and that there is a clear line of reporting.
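As an added illustration of the calibration and evidencing points above (not code from the FCA letter or the original article), the snippet below contrasts a flat group-wide threshold with a rule that checks each transaction against the customer’s own CDD profile, and records the alert review so the report or no-report rationale is evidenced. All customers, thresholds and field names are constructed assumptions.

```python
from dataclasses import dataclass, asdict

@dataclass
class CustomerProfile:
    """Expected activity recorded at CDD/onboarding (constructed sample values)."""
    customer_id: str
    expected_max_single: float     # largest single payment the customer said to expect
    declared_countries: frozenset  # jurisdictions declared at onboarding
    risk_rating: str               # outcome of the customer risk assessment

@dataclass
class Txn:
    customer_id: str
    amount: float
    counterparty_country: str

GROUP_FLAT_THRESHOLD = 10_000.0  # constructed 'off-the-shelf' setting applied to everyone

def alert_flat(txn: Txn) -> bool:
    """Group-led rule: one fixed threshold, no reference to the customer's profile."""
    return txn.amount >= GROUP_FLAT_THRESHOLD

def alert_profile(txn: Txn, profile: CustomerProfile) -> list:
    """Profile-calibrated rule: compare the transaction with what CDD said to expect.
    Returns the reasons for alerting; an empty list means no alert."""
    reasons = []
    if txn.amount > profile.expected_max_single:
        reasons.append(f"amount {txn.amount:.0f} exceeds expected max single payment "
                       f"of {profile.expected_max_single:.0f}")
    if txn.counterparty_country not in profile.declared_countries:
        reasons.append(f"counterparty country {txn.counterparty_country} "
                       f"is not among the countries declared at onboarding")
    return reasons

def review_alert(txn: Txn, profile: CustomerProfile, reasons: list,
                 sof_evidence: str, decision: str, reviewer: str) -> dict:
    """Record the investigation so the report / no-report decision is evidenced.
    sof_evidence states what validated the source of funds, or that it could not be."""
    if decision not in ("report_sar", "no_report"):
        raise ValueError("decision must be 'report_sar' or 'no_report'")
    return {"customer_id": txn.customer_id, "risk_rating": profile.risk_rating,
            "transaction": asdict(txn), "alert_reasons": reasons,
            "sof_evidence": sof_evidence, "decision": decision, "reviewer": reviewer}

# Constructed customers: a small UK retailer and a trade-finance importer.
RETAILER = CustomerProfile("C1", 2_000.0, frozenset({"GB"}), "low")
IMPORTER = CustomerProfile("C2", 50_000.0, frozenset({"GB", "DE", "CN"}), "medium")
```

With these constructed profiles an 8,000 payment for the retailer passes the flat threshold silently but alerts against the profile, while a 12,000 payment from Germany for the importer alerts only under the flat rule, which is the noise-versus-miss trade-off the FCA’s calibration point describes.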

Remediation Steps

Relevant retail firms have until 17 September 2021 to undertake a gap analysis and promptly close any gaps identified. The FCA indicated that, in future engagement with firms, it will ask for evidence of the steps that have been taken in response to the issues identified in the letter. Although not specifically targeted at firms outside retail banking, the FCA letter provides helpful insights into the regulator's expectations for systems and controls to mitigate financial crime risks.