'Dear CEO': The FCA's warning to retail banking about the poor standard of financial crime controls
The Financial Conduct Authority (FCA) recently issued a 'Dear CEO' letter to retail banks to call for action to be taken in response to common control failings identified in anti-money laundering frameworks. The letter was published by the FCA on 21 May 2021.
The FCA expressed that it is "disappointed to continue to identify, across some [retail banking] firms, several common weaknesses in key areas of firms’ financial crime systems and control frameworks" and warned of the significant consequences of poor financial crime controls, both in the form of money laundering and other criminal activity as well as the damage to the integrity of the UK financial market.
As a pointed warning to all CEOs for the future, the FCA stated that persistent failings have resulted in regulatory intervention in the form of the appointment of a skilled person review, business restrictions and enforcement action, and this will continue. To avoid such interventions, now is the time for the retail banking sector to heed the FCA's warning and act on it.
While the contents of the letter will already be familiar to those in the retail sector, the messages and warnings contained within are likely to be equally relevant to other parts of the financial services industry.
Common areas of weakness
As a result of its experience and findings from recent assessments of retail banks’ financial crime systems and controls, the FCA set out six non-exhaustive thematic areas of weakness commonly identified across the sector:
- Governance and Oversight – The FCA found that the responsibilities between the first and second lines of defence within firms are often blurred. This has resulted in a lack of ownership and understanding in some firms of the financial crime risk within business functions as well as a restriction in the ability of the compliance function to independently monitor and test the control framework. The FCA also found that key controls of UK branches and subsidiaries of overseas firms are often determined and run by Group functions, which may not always be appropriate for the local firm's business model, risk exposure and regulatory requirements. Finally, the FCA found that some firms are not evidencing the requisite governance sign-off by senior management of certain high-risk scenarios in accordance with the money laundering regulations.
- Business-wide risk assessment – The FCA described the quality of business-wide risk assessments reviewed as generally poor. Instances of insufficient detail on the financial crime risks to which businesses are exposed were identified. Even when firms have considered and documented their inherent risks, the FCA said that in some cases they have not adequately evidenced their assessment as to the strength of mitigating controls or recorded the rationale for their conclusions as to the level of residual risk to which they are exposed. Issues were also identified in relation to branches and subsidiaries of overseas firms whereby the business-wide risk assessments conducted at Group level are not always appropriate for the specific risks present in the UK.
- Customer risk assessment – The FCA has determined that customer risk assessments are often too generic to consider different types of risk exposure which are relevant to customer relationships. The FCA also cited instances where significant discrepancies exist in how the rationale for specific customer risk ratings is determined and recorded by firms, including a lack of documentation and explanation of assessment methodology. Finally, the FCA found that firms tend to primarily focus on the risks of money laundering and sanctions, which has resulted in other risks – such as tax evasion or bribery and corruption – being overlooked.
- Customer due diligence (CDD) and enhanced due diligence (EDD) – The FCA found that CDD measures are often not adequately performed or recorded. This includes obtaining information as to the purpose and intended nature of a customer relationship, and the assessment as to whether the customer account activity corresponds with what was expected. EDD has been found to be weak in certain instances and does not always mitigate the risks posed by higher-risk customers. The FCA found that firms but do not evidence an adequate assessment of source of wealth (SOW) and source of funds (SOF), which the FCA has stressed are two distinct requirements not to be confused.
- Transaction monitoring – For UK branches and subsidiaries of overseas firms, the FCA said it often sees Group-led transaction monitoring solutions which are inappropriate to the business activities and underlying customer base of the local regulated entity. The FCA also found that firms often use "off-the-shelf" transaction monitoring systems that are not properly calibrated to their business activities, products or customers. More technically, the FCA has identified failures to undertake regular appropriate assessments of the data feeds and data integrity of transaction monitoring systems. Finally, the FCA expressed its concerns about transaction monitoring alerts and the discounting of the same, which has resulted in a failure to adequately scrutinise and investigate qualifying transactions.
- Suspicious Activity Reports (SARs) – The FCA has found that the process for raising SARs within firms to nominated officers is often unclear, not well documented or not fully understood. It was also evident that firms are often unable to adequately demonstrate to the FCA their investigation, decision-making processes and rationale with respect to reporting, or not, SARs to the National Crime Agency.
The FCA Senior Management Arrangements require firms to have in place systems and controls to identify, assess, monitor and manage money laundering risk.
The FCA letter was used to remind all senior managers of their responsibility "to counter the risk that their firm might be used to further financial crime" and gave explicit warning that the FCA "will continue to consider carefully whether the relevant SMF holders have carried out their responsibilities appropriately".
Gap analysis: Time is of the essence
The FCA said it expected CEOs, boards of directors, and senior management teams within the retail banking sector to act promptly in performing a gap analysis against each of the common weaknesses that have been identified in respect of anti-money laundering. Although the findings of the gap analysis do not need to be reported to the FCA at this time, they do need to be communicated internally and reasonable steps need to be taken to plug any identified gaps in the control framework. In the future, the FCA may ask firms to demonstrate the action that they took in response to their letter and, where action is regarded as inadequate, the FCA reserves its power to intervene as the regulator to manage financial crime risk.
The Regulatory, Investigations & Financial Crime team at Clifford Chance regularly advises and assists banks and other financial institutions with the performance of gap analyses across a broad spectrum of risks, including anti-money laundering frameworks.