FCA’s latest Dear CEO letter about doing an AML gap analysis or face regulatory action
On 21 May the FCA published a strongly-worded Dear CEO letter calling on firms to take action in response to common control failings it has identified in retail banking AML frameworks.
The letter directs firms
- To bring their FCC systems and controls into line with the firm’s risk profile and ensure they meet the requirements of the MLRs.
- To undertake gap analysis against each of the common weaknesses referred to in the letter to be completed by mid-September 2021, and
- To take prompt and reasonable steps to close any gaps identified.
The letter highlights future regulatory action
- Inadequate responses to the letter may be met with ‘appropriate regulatory intervention’.
- Future regulatory engagement will include firms being asked to demonstrate the steps taken to close gaps.
The letter is a good prompt to Accountable Executives
- Whilst the circulation of the letter was limited to retail banks only, it’s nonetheless an important insight into the current FCA agenda.
- It’s also a good prompt to Accountable Executives within a much wider range of financial institutions when reviewing the firm’s AML arrangements.
- Whilst there’s little that is fresh or new here, the letter contains a pointed emphasis on SMF responsibility for all senior managers under SMCR, which underscores the feeling that the FCA may be closing in on individual accountability as one of its next initiatives.
The letter’s overarching theme is that firms are still not adhering to the ‘show your workings’ principle.
- Many may have fair or good controls and processes in place, but struggle to evidence compliance with their own internal requirements because of a lack of detail when recording important decisions – for example,
- Firms are failing to document the rationale for deciding whether to file a SAR, or for discounting TM alerts; or
- The firm claims that EDD measures have been applied, but there’s a lack of evidence as to what specific measures have been taken.
The letter reads like an AML-deficiency ‘greatest hits’ of the last ten years.
- Restating key AML complaints made time and again in enforcement notices, speeches, thematic reviews and supervisory letters with which any financial crime compliance veteran will be familiar, the letter covers old favourites such as
- Blurred responsibilities in the 3LoD model,
- Transaction monitoring [TM] calibration, and
- Lack of detail in customer risk rating decisions.
The letter shows common control failings grouped by category.
We pick out some of the key grievances below. Although the letter is reasonably concise, it’s nonetheless packed with issues to address, so firms will want to ensure that every point is covered in the gap analysis – given the tone of the letter, a broad-brush approach is unlikely to serve:
- Governance and control
- Still now, many years after the 3LoD model was established and embedded across the board in UK firms, the FCA complains of blurred responsibilities between first line business and second line compliance roles.
- Compliance staff should not be undertaking first line activities such as CDD or general first line CRA. Where this happens, it prevents the business from taking ownership of the FC risk or tackling suspicious activity.
- The ability of a compliance function to monitor and test the framework is also compromised where separation of the lines is hazy.
- Interestingly, the letter comes at a time when many firms are concentrating resource on the first line in order to address AML risk ownership, freeing up compliance teams to deliver a service which is more quality than quantity.
- There’s a general focus in the letter on issues arising for overseas-headquartered firms, manifesting here as a question of ownership of key controls.
- Ready-made Group functions or controls may not always fit a UK entity’s business model or risk exposure, or comply with UK regulatory requirements. Firms need to avoid a ‘one size fits all’ approach and tailor systems and controls to branch or subsidiary level FC risks.
- Under the MLRs, certain high-risk scenarios require sign-off by senior management. The FCA is concerned that firms don’t always evidence this level of governance, noting that good practice involves firms having a governance committee responsible for key decision-making.
- The gap analysis to be performed will need to confirm that any committee arrangements are in place and working well in practice, and that the senior management sign-off required by the MLRs is actually recorded.
- Business Wide Risk Assessments [BWRA]
- Describing many of the BWRAs it has reviewed as ‘poor’, the FCA is clearly of the view that firms are still not on top of this fundamental process in identifying and managing the business’ ML/TF risk profile.
- Group BWRAs conducted by foreign-headquartered entities are unlikely to be sufficient.
- It’s not a sector-specific criticism, with regulators across the board finding fault with BWRAs, whether in the legal, accountancy, estate agency or banking field.
- Something’s not working here, despite the broad range of guidance available to assist firms in completing the process, from the Wolfsberg FAQs, to JMLSG Part I Chapter 4.
- There’s a sense from the FCA that some firms are going through the motions and carrying out a tick-box exercise to the BWRA.
- The BWRA is supposed to be a ‘powerful tool to understand risk exposure and set risk appetite’, but unless firms genuinely use it as the backbone of their approach to AML compliance (e.g. using it when reviewing customer risk rating methodologies and generating meaningful management information from it), the value of the document will be diminished and it won’t be serving its intended purpose.
- Client Risk Assessments [CRAs]
- CRAs are also subject to a withering reproach as too generic, and suffering from a lack of focus on broader FCC risks such as bribery and tax evasion.
- The FCA wants to see more of a bespoke approach to risk-rating different client types, and better evidence to underpin the final rating once scored.
- CDD and EDD
- The FCA wearily repeats a number of observations around poor quality due diligence including the usual critique of Source of Wealth and Source of Funds (SoW and SoF) confusion, issues with recording the nature and purpose of the relationship, measuring actual against expected activity, failure to deal appropriately with PEPs, and lack of evidence of EDD measures more generally.
- Firms will have heard these complaints many times, and whilst SoW/SoF, for example, continues to pose a challenge, we expect to see the FCA getting tougher where these issues are uncovered.
- Transaction monitoring [TM]
- Again, overseas Group solutions come in for censure.
- A failure properly to tailor group-led TM solutions to UK entity business activities and customer base means that some systems are not fit for purpose.
- Firms are also failing to calibrate automated solutions to their business activities, keeping the vendor’s default settings and maintaining alert thresholds which are difficult to justify in view of a specific customer base or product.
- Individuals with responsibility for the operation and effectiveness of TM systems sometimes have little understanding of the technical set-up of TM systems.
- Given the complexities of some of the algorithms in use, it’s not surprising that some senior managers have a hard time articulating the settings and scope of these systems, or talking authoritatively about data integrity.
- Firms need to be careful that there’s someone of appropriate seniority who can cover this side of the process with confidence.
- The rationale for discounting alerts is still not being properly recorded. Investigation may well be taking place, but it’s not being captured in the system, and firms need to be more robust in the evidence that’s being collected in this regard.
- The FCA notes that the process for internal reporting is often not clear, documented or well understood by staff, leading to tipping-off risk.
- This seems surprising given the focus on this regulatory requirement in most training programmes.
- Firms are apparently often still not able to demonstrate the decision-making process and rationale for externalising SARs (or not).