Dear CEO – What the FCA expects you to do
On 5th March 2024, the FCA issued a ‘Dear CEO’ letter to Annex 1 firms (i.e. firms that are supervised by the FCA for AML/CTF purposes only) which reiterated the importance of the ‘…fight against financial crime…’.
It also set out key areas of weakness identified in the FCA's recent assessments of such firms and placed an action on all Annex 1 firms to carry out a gap analysis against these weaknesses.
The timeframe given was six months from the date of the letter, which means the gap analysis is expected to be complete by 4th September 2024.
Key weaknesses identified by the FCA
The weaknesses identified in the letter are highlighted below, with some additional thoughts explaining their significance:
Business models:
Financial crime controls are sometimes not updated to keep pace with changes to a firm’s nature or scope of business. Business growth is of course a good thing, but if financial crime controls do not keep pace with that change there is a real danger that the controls no longer provide adequate mitigation of relevant risks.
Business-wide risk assessments:
Financial crime business-wide risk assessments are a vital foundation to ensure that a firm has comprehensive and appropriate mitigating controls. The letter points out that some firms have failed to create such an assessment, in contravention of the Money Laundering Regulations. In other cases, the assessments lacked sufficient detail, used unclear methodologies, or failed to identify controls to mitigate the identified inherent risks. It is important to avoid a ‘one-size-fits-all’ approach to financial crime risk - we have seen business-wide risk assessments that assess dissimilar risks with the same approach, or which fail to apply a logical and measurable methodology to assessing risks and controls.
Client risk and CDD:
The letter identifies weaknesses relating to assessing client risk: in particular, client risk assessments (CRAs) that were insufficiently tailored and therefore failed to identify relevant risks, which in turn led to a failure to identify appropriate due diligence measures and controls. It is very important that CRAs take a holistic view of client risk, considering all relevant factors and what they mean. In our experience, it is important that staff are trained and encouraged to take an active, intelligent approach when identifying and assessing risks.
Policies and procedures:
The FCA points out that some of the firms assessed demonstrated weaknesses in relevant policies and procedures. These included a lack of detail, and vagueness relating to actions required of staff. In some instances, policies and procedures had not been updated, leading to the risk that these were no longer providing the required mitigation of identified risks. Not surprisingly, inadequate policies and procedures led to ambiguity and inconsistency regarding risk ratings and controls applied. This was most marked at onboarding.
SDD and EDD:
In some instances, there was a lack of clarity about when and how simplified due diligence (SDD) and enhanced due diligence (EDD) should be applied, which ties in with the ambiguity of controls and a lack of clear, documented reasoning. These weaknesses were not just evident at onboarding - they were also apparent in ongoing monitoring.
Governance and training:
Governance weaknesses were identified, for example, a failure to have financial crime as a standing agenda item at Senior Management meetings. Training was also identified in the letter – and in many enforcement actions – as a significant weakness in several firms. Specifically, the weaknesses stemmed from not treating training as an important pillar of an effective financial crime compliance programme. Training is essential to the effective implementation of risk-based due diligence and controls, and it is important for Senior Management to make it clear that this is an important control. Both a lack of knowledge and a lack of understanding can lead to a ‘tick box’ approach, which enables criminals to circumvent a firm’s controls, leaving it exposed to money laundering, terrorist financing and/or proliferation financing.
What should firms be doing in response to this?
There are several areas that Senior Management, including Business Heads, Heads of Compliance and Money Laundering Reporting Officers, should consider addressing. For example (and not exhaustively):
Does the business-wide financial crime risk assessment have:
- At least one senior person in the firm with overall responsibility for the assessment.
- A methodology for the assessment that is created by a person with relevant experience and reviewed by at least one other person. If there is a lack of experience internally consider outsourcing all or part of the risk assessment.
- An agreement at a senior level of the frequency of review of the risk assessment, both on a time basis and triggers.
- A regular slot on the agenda of relevant senior management committees.
Do the customer risk assessments:
- Reflect the inherent and residual risk ratings in the business-wide financial crime risk assessment.
- Comply with all the requirements of the Money Laundering Regulations.
- Take a holistic approach that considers substance over form and avoids the risk of ‘box ticking’.
- Include specific categories of risk, such as risks relating to products and services, customers and markets, jurisdictions, transactions and distribution channels.
- Incorporate an understanding of the risk continuum.
Are the relevant policies and procedures for onboarding and ongoing monitoring:
- Sufficient in detail to avoid any ambiguity.
- Kept up to date. Does each contain a revision date and are those revision dates met?
- Clear on the different controls required for the different levels of risk, and do these controls address areas such as dealing with customers in high-risk jurisdictions?
- Clear in the requirement to fully document the steps taken to ensure high-risk customers are appropriately controlled. Is there a clear audit trail?
Does the firm’s financial crime compliance training programme:
- Have visible and positive support from Senior Management.
- Form a part of the information provided to Senior Management and governance committees.
- Provide a role and risk-specific programme.
- Cover all crucial topics relating to AML, CTF and CPF, including legal and regulatory responsibilities, penalties for non-compliance, identifying and applying risk assessments and due diligence, relevant typologies and red flags, and reporting of suspicions.
Are senior management:
- Fully aware of their responsibilities and potential liabilities related to financial crime compliance, and taking an active and visible approach to those responsibilities.
- Ensuring that sufficient resources are available to Compliance staff.
- Able to articulate the firm’s financial crime compliance programme, including key risks, controls and residual risks.
- Reviewing appropriate management information provided and challenging that information as appropriate.
Why effective financial crime compliance is so important
According to a 2024 Nasdaq Verafin Global Crime Report, in 2023 more than $3tn in illicit funds flowed through the global financial system. These illicit flows represent the proceeds of heinous and increasingly sophisticated illegal activities. Such crimes cause significant damage to national economies, to industries, firms, and to individuals such as our family and friends.
The perpetrators of such crimes are typically globally organised crime groups, state actors and other looser collectives. Growth in technologies such as artificial intelligence (along with by-products such as deep fakes), advanced push payment frauds, misuse of crypto assets and much more all contribute to the proliferation of crime.
These illicit financial flows are aimed at financial services firms, for laundering, or for financing terrorism or proliferation. Other criminal activities such as cyber-enabled and cyber-dependent frauds pose a direct threat to firms, their staff and their customers.
It should therefore be no surprise that, for example, the UK government’s Economic Crime Plan has a strong focus on fighting financial crime, nor that the Financial Conduct Authority lists ‘fighting and preventing financial crime’ as its first commitment in its 2024/25 business plan.
Most countries, including the UK, have a clear legal and regulatory framework, requiring firms to take a risk-based approach to managing financial crime risk. These frameworks have been in place for some time and the requirements are usually clearly stated.
However, a review of enforcement actions over the last few years shows repeated failures relating to assessing and mitigating risks, both at a business and at a customer level; inadequate due diligence policies and procedures and their application; record keeping that lacks detail; and inadequate and insufficient risk-based training.
These tie in almost exactly with the FCA findings explained in the ‘Dear CEO’ letter of 5th March 2024.
About the Author
Bruce has been working in financial services for nearly 40 years, 25 of these as a learning professional focusing on compliance for a wide range of financial services companies, mainly through the analysis, design, creation and implementation of global training programmes for Tier 1 Banks and FTSE 100 companies. He has been Global Head of Compliance Learning for such firms three times and has provided compliance learning consultancy to similar companies many times.
Bruce has also provided compliance training and consultancy in other fields such as real estate, industrial supply chains, charities, payment services providers, gambling and casinos and many others.
A former Director of Training for CISI, Bruce has extensive experience of compliance and financial services-related qualifications and qualified as a Chartered Accountant with Price Waterhouse (as it was then known).
Bruce provides excellent training events on compliance, with a specific focus on financial crime, including all aspects of anti-money laundering, anti-bribery and corruption, fraud and sanctions.