FCA Updates Financial Crime Guide: Key Takeaways
This blog summarises key amendments made to the Financial Crime Guide through additional guidance on sanctions, proliferation financing, transaction monitoring, data security, cryptoassets and Consumer Duty.
On 29 November 2024, the Financial Conduct Authority ("FCA") released Policy Statement PS24/17, detailing changes and updates to the Financial Crime Guide ("FCG") introduced via the Financial Crime Guide (Amendment) Instrument 2024 (FCA 2024/46). Many of the changes made to the FCG were expected, having already been detailed in Consultation Paper CP24/9, bringing the FCG in closer alignment with existing sector guidance and legislation in the areas of sanctions, proliferation financing, transaction monitoring, data security, cryptoassets, and Consumer Duty.
Scope
The amended FCG, effective 29 November 2024, is applicable to all FCA financial crime supervised firms and firms supervised under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the "Money Laundering Regulations"). Whilst the FCG constitutes non-Handbook guidance, as opposed to rules, the FCA expects firms to demonstrate that they have considered the finalised FCG and evaluate their systems and controls accordingly.
Key Changes
Sanctions
The scope of notification requirements as set out in the sanctions chapter has been clarified: under Principle 11 (PRIN 2.1.1R), firms are expected to notify the FCA if they or "their group companies, approved persons, senior management functions, appointed representatives and agents" are targets of UK sanctions or those of another country or jurisdiction. The same expectation arises for electronic money institutions, payment services firms, cryptoasset businesses, 'Annex 1' financial institutions, and their "connected entities".
The FCG now states that firms should "consider" notifying the FCA of suspected sanctions breaches in line with SUP 15.3, for example, where suspected breaches result from significant financial crime systems and controls failures. In our experience this statement is not aligned with the FCA's expectations of some firms, which is that they should report all breaches, not that they should just consider doing so. There is also a clear expectation that firms will perform lessons learned exercises following material sanctions developments to improve their readiness to respond to future events.
Senior managers are now expressly expected to take "clear responsibility for managing sanctions risks" and be "actively engaged in the firm’s approach to addressing the risks of non-compliance with UK financial sanctions" as well as remediate any identified gaps. The FCG requires senior management to be "sufficiently aware" of the firm's sanctions obligations to discharge their functions effectively. This is likely to reflect what many firms have already adopted.
The FCG has also been updated to include more examples of good and poor practice, for example in relation to screening tools (emphasising the importance of understanding their calibration and effectiveness) and Customer Due Diligence/Know Your Customer procedures (citing, for example, a clear expectation that a firm’s CDD processes must include sanctions checks and identify connected parties and corporate structures that may be subject to sanctions).
Proliferation Financing
Proliferation financing ("PF") is now explicitly mentioned throughout the FCG, following a change to the Money Laundering Regulations which requires firms to conduct PF risk assessments and put in place systems and controls to identify PF risks. The FCA decided against a separate PF chapter due to existing sanctions coverage but may add one in the future to enable firms to better identify PF risks. Whilst a separate chapter could make potential PF risks clearer, extensive Financial Action Task Force and HM Government guidance is already referenced in the FCG in any event.
Money Laundering and Terrorist Financing
Additional good practice recommendations have been added to the FCG in relation to transaction monitoring ("TM"). These include piloting new approaches, taking a holistic view of customer behaviour, and recording the reasons for decommissioning automated systems. Poor practices stated include weak control frameworks, poorly calibrated systems, and overreliance on threshold-based TM. Information sharing between firms has also been recognised in the FCG for the first time, bringing the FCG in line with reforms introduced via section 188 of the Economic Crime and Corporate Transparency Act 2023.
The FCG stops short of providing best practice examples in relation to machine learning and AI tools and instead commits to exploring the "safe integration and impact on markets" of these technologies, to be addressed in potential future updates.
Cryptoassets
Cryptoasset businesses registered with the FCA under the Money Laundering Regulations are now required to consult the FCG, and the FCG has been amended throughout to address the particular risks arising from cryptoasset transactions. In this respect the FCG is more detailed. For example, the FCG underscores the limitations of blockchain as a risk assessment tool, and the potential need for Enhanced Due Diligence (EDD) for cryptoasset transactions using privacy-enhancing techniques or products such as mixers, privacy coins, and self-hosted addresses.
Data Security
The FCA has updated the FCG data security chapter, adding self-assessment questions on backing up, updating, and testing critical systems and data, and restoring services after cyber incidents. This chapter now includes examples of good and poor practice relating to basic data security steps including testing, encryption, third-party vetting, training, and system restoration, and includes links to publicly available guidance to assist firms. More guidance on what is meant by post-incident restoration efforts being undertaken in a "timely manner", for example, would assist firms to better understand their obligations following a cyberattack.
Consumer Duty
The FCA has introduced a reminder into the FCG, where relevant, that firms should consider the Consumer Duty alongside their financial crime obligations arising under the FCG. To better synthesise the Consumer Duty, the FCG also now cross-references the rules and the non-Handbook Guidance for Firms on the Consumer Duty (FG22/5), emphasising the need for firms to consider FCA Principle 12, cross-cutting obligations and consumer duty outcome provisions under PRIN 2A.2. Given the infancy of the Consumer Duty regime, the practical impact of these amendments remains to be seen.
Future
The FCA has indicated that future amendments to the FCG are expected, including substantive guidance on Authorised Push Payment and investment fraud, and updated references to anticipated final guidance on a proportionate and risk-based approach to UK Politically Exposed Persons following Guidance Consultation 24/4 (GC24/4). These additions to the FCG, and inclusion of further self-assessment guidance and good and poor practice indicators throughout, would assist firms to better understand their compliance duties and remain ahead of emerging financial crime threats.