FCA publish REP-CRIM data
The FCA have published their summary of 5,685 REP-CRIM submissions from over 2,300 different firms between 2017-20.
This data alone lacks a lot of important contextual information, so we’re limited on what we can take from it. The FCA use this data in line with a range of other data sources to maximise its value. However, some key messages are highlighted below:
For the year 2019/20, firms which submitted the REP-CRIM collectively employed around 17,403 full-time people. The FCA estimate that this alone costs £1.1bn, and that doesn’t include the role played in financial crime prevention by others such as relationship managers and branch staff, or technological costs and other third-party spending. The need to streamline, automate and operate genuinely risk-based controls has never been starker.
Data is provided on countries considered high risk by number of respondents. The FCA are keen to emphasise that the table does not represent the opinion of the FCA. Other than the high-risk third countries lists (UK and EU), there is little in the way of defined governmental / regulatory rules here. Firms spend a lot of time developing and maintaining their own high-risk lists. There’s no clear regulatory steer on what is right, but there is definitely censure if it’s wrong (see 4.62). Publication of this data is useful, but risks creating a self-reinforcing circle of increased country risk ratings if not kept in check.
Five firms contributed 90% of the total true customer sanctions matches (2,191) and payment matches (5,438).
Three firms are responsible for 60% of the 480,000 SARs submitted to the NCA in the last year.
The number of high-risk customers has reduced by over 25% since 2017 to 735,000. Although in real terms this is a material reduction, no context is provided with regard to total customer populations, so it is difficult to make any meaningful comment on this data point.
760,000 customers were exited for financial crime reasons last year. The big question is where did they go and how many of them were part of the 2.05 million customers refused for the same reasons?
Perhaps the most important message in the whole report is the FCA’s concerns around data quality. When REP-CRIM was introduced it was on a best endeavours basis, but now expectations are that returns are comprehensive, accurate and consistent. The FCA cite missing or unusual responses. Issues and errors can be indicative of cultural or systems and controls deficiencies and will definitely act as a red flag.
What might the future hold?
REP-CRIM has evolved over the last three years, and it is positive that the FCA are enhancing their use of empirical data. The FCA recognise one of their key priorities is to “ensure the firms we regulate are effective in preventing financial crime through sound controls.” In its current format, REP-CRIM does not in itself inform a view on effectiveness.
Context: Increased use of data analytics to spot trends and insights from the data may draw out more interesting conclusions. For instance, is there a correlation between firms with the highest proportion of high-risk customers, the highest number of SARs and the highest number of exits? It would be reasonable to expect a degree of correlation between data points such as these.
Answering the “so what?” Perhaps a process such as REP-CRIM can never really work to assess effectiveness, but there is definitely scope for more contextual or “so what” information requirements. These might relate to monitoring and assurance activity, or specific risks and issues. Ultimately the “so what” would likely require more qualitative assessments such as MLRO reports and business risk assessments to garner real meaning.
Data quality: The FCA need to be wary of data requirements driving the wrong behaviours. For example, if reporting a greater number of PEPs increases regulatory scrutiny, then firms may feel incentivised to change definitions, thresholds or approaches to reduce the apparent exposure. Deeper assessment of data quality, reliability and plausibility may emerge to mitigate any gaming of the process.
Focus: We have been told by the FCA that part of their supervisory strategy is to go deeper and narrower in certain areas, as opposed to scratching the surface across the whole financial crime controls landscape. Perhaps the topics for greater scrutiny will be driven partly by the REP-CRIM data.
Firms need to recognise that the data they provide will be used, both in isolation and in aggregation. Quality and accuracy are key. We advise being cognisant of the data you are providing and how it might be used or interpreted by the FCA. Proactive commentary on the data through regular supervision could allay concerns.