FCA: future financial crime focus
Holly takes a look at the direction of travel of FCA supervision for financial crime
In my last couple of blogs (“FCA visits” and “common mistakes”) I’ve covered some current topics and challenges firms are facing, and now I’m turning my attention to look forward. You might expect me to talk about AI and machine learning here, and whilst the focus on new technologies by firms and the FCA is inevitable, I think it would be a mistake to jump straight to that. Much like my one-year-old, “run before you can walk” comes to mind. Let’s be realistic. Until firms consistently get the basics right in terms of data, risk assessments, processes etc., it will be rubbish in, rubbish out. So here are my thoughts on three areas the FCA are really directing their steely gaze towards in the financial crime space and some things you can do to get ahead of these.
The focus on a data-led approach
For the FCA to use data in a smarter way they need a good amount of it to start with. But what helps feed a data-led approach? In practice, we have seen the number of firms that are required to submit an annual financial crime data return (REP-CRIM) jump up, and this now includes the likes of cryptoasset businesses. The FCA has also been vocal about actively using information from multiple sources, including transaction reporting data, whistleblowing intel, their wider “intelligence” capabilities, sanctions-related synthetic data testing and relationships with overseas regulators and bodies, to name a few.
The FCA aspires to use this data to identify outliers, trends and drive a risk-sensitive and targeted supervisory approach. In June 2023 an FCA speech on culture talked about the conscious effort the regulator is putting into improving their data expertise and they’ve even opened an office in Leeds to focus on this exact thing. Their ambition is only going to increase, along with the amount of data received and analysed.
But of course, the challenge for the FCA is how to analyse this. If we take REP-CRIM as an example, one of the questions is how many of your customers are high risk. What’s ‘riskier’, a firm saying they have 30% of their total customer base as high-risk or a firm who says they have 0%? You could argue both ways.
An increasingly data-led regulator is an inevitability, but what does this mean for you?
Data can tell lots of different stories and the way(s) in which the FCA decide to read it can have material impacts for firms. This is why firms need to be on top of their own data and understand what the statistics mean below the shiny KRIs / KPIs surface.
Having automated systems which can generate statistics accurately and quickly is going to become increasingly important, as data requests will likely become more in-depth and the FCA’s expectations of firms in this area rise on par with their own. We see firms who do not have the IT capabilities to easily answer the simplest of data requests (“how many customers do you have?” is a genuine example). Firms come unstuck when data returns are completed inaccurately because internal systems can’t pull the data, don’t speak to each other well or the process is overly manual. Firms can be viewed as outliers when the reality is much more complex than this. When the regulator asks questions, firms need to be able to give consistent, comprehensive and compelling responses quickly. As a minimum, test yourselves on how easily you can report on some of the most basic data points such as:
How many customers do you have across each line of business?
What is the breakdown by risk rating, country, product, channel and customer type?
How many PEPs do you have – including breakdown by risk rating?
How many TM rules do you have by product type?
How many alerts are generated on a monthly basis against each product type, how long does it take to close alerts and how many are outside of SLA?
What are your volumes of exits by client type, risk rating and reason?
What level of FTE are focused on financial crime prevention - either directly, or indirectly? How have you determined that this provides sufficient capacity?
By being able to answer these questions firms will be able to (a) respond to regulators quickly and confidently and (b) direct their fin crime resources to the areas representing the greatest risk.
As a side note, I would expect the FCA to keep reviewing the data points within REP-CRIM, and it’s been a few years since we’ve received an analysis of the REP-CRIM returns by the FCA, so these are some things to keep an eye out for.
The impact of cryptoassets registration
A few years ago the FCA described the cryptoasset activity in the UK as ‘small, complex and evolving’. I would argue the word ‘small’ perhaps needs re-thinking now. Before crypto firms had to be registered with the FCA, many established firms would take a risk-averse approach when it came to crypto exposure. However, times have changed and, as cryptoasset activity now falls under registration of the MLRs, this is an area which firms are going to have to deal with more and more. Here are some questions firms are asking themselves:
To what extent do you have crypto exposure? This doesn’t have to be something as clear as offering the exchange of crypto assets directly, but it could be that one of your existing customers decides to engage in crypto asset activity and pays funds generated from this into your account. This is something which many firms will have to tackle and whilst no one can seem to agree on exactly how many people in the UK have invested in crypto, what they can agree on is it’s in the millions.
Have you included this area within your risk appetite framework and risk appetite statement clearly enough, so staff are aware of your firm’s position?
Is crypto exposure clearly recorded in the business-wide risk assessment to cover the inherent risks this exposes you to, what systems and controls do you have to mitigate these, and what residual risk remains?
How would you identify crypto exposure through your customer risk assessment, transaction monitoring and / or periodic review process?
Are any bespoke controls required in order to manage your exposure?
Are staff adequately trained and have sufficient awareness of financial crime red flags in this space?
An evolving approach to supervising payments firms
Payments firms are receiving more and more supervisory attention. I’m certainly not saying the likes of foreign banks (which used to take up much of the spotlight) have been forgotten about, but there does seem to be an increasing regulatory focus on payments firms. Supervision teams are also starting to lean into the non-financial crime elements of payments compliance during reviews, and so the scope of assessment is getting more challenging. Also, the tolerance for firms not taking action and not uplifting systems and controls is getting slimmer and slimmer. We’re seeing a trend towards earlier enforcement referrals and, in short, more serious action happening quicker than it used to. In July the FCA said “a fin-tech’s greatest strength is also its greatest weakness”, a nod to the fact that controls need to be better aligned to more traditional firms. The “we’re not a bank though” argument will not cut it with the regulator.
A recent Dear CEO letter back in March 2023 made clear the FCA remained concerned that many payments firms do not have sufficiently robust controls and set out what good looks like in terms of outcomes they would hope to see. I’m not going to reel the letter off word for word, but this is just one example of the regulator putting information out there on what they expect to see. We know there are lots of other regulatory publications to keep on top of too, including s166 Requirement Notices, speeches, blogs etc. and we’ve tried to make your lives as easy as possible by distilling key messages into free gap analysis templates – go on, have a gander.
Payments firms need to get on the front foot:
Consider the data-related points raised above
Self-assess the effectiveness of your internal governance arrangements - are they talking shops or do they drive meaningful actions?
Outline how compliance capacity and capability has scaled (or will scale in the future) in line with the growth of the business - is this a good story?
Commission an independent review – done by a competent firm this could be the key to staving off a skilled person review, and will no doubt help gain comfort from your banking providers.
Contacting us
Financial crime compliance remains at the forefront of the regulatory agenda. By being aware of the FCA priorities you will give yourself and your firm the best possible chance to meet and exceed their expectations. What’s not to love? If you’d like to chat this through more, please get in touch.
Holly