FCA webinar: financial crime in the payments and e-money sectors
The FCA hosted a webinar with the NCA focused on financial crime matters in the payments and e-money sectors. There was a clear tone from the FCA in particular that they are generally disappointed with the systems and controls in place across the industry. They stressed how they want to work with the industry to drive up standards, but also reinforced the supervisory tools they have at their disposal and encouraged whistleblowing for those who have concerns but don’t feel able to approach the supervisory teams directly.
We wanted to summarise our key takeaways from the session:
National Crime Agency:
Attendees are likely to have felt a little disappointed by the lack of specific insight here. However, the NCA session gave some important guidance on the suspicious activity reporting (SAR) process. It’s fair to say many of the points were linked to making the NCA’s life as easy as possible (“it’s hard to read reports which are written all in capitals”) but ultimately usability counts when we’re looking at the purpose of the SAR regime.
Much like the hardened drug dealer who gets caught because they were pulled over for not wearing a seat belt - don’t draw the negative attention of the authorities through poor hygiene in your SAR quality.
We noted the following points from the NCA which were worth playing back (sub headings added by us):
Structure
Briefly summarise what the criminal property is
Structure in a logical format
Break large text blocks into manageable, readable paragraphs
Don’t leave gaps - if you don’t have the information explicitly state that you don’t have it
Provide a clear chronology of events
Written style
Include references to previous SARs if appropriate - but don’t use internal references that don’t mean anything to the NCA
Avoid acronyms and jargon
Don’t write in all capitals, and use good punctuation
Specificity around parties and scenarios
If it relates to a vulnerable person fully describe the vulnerability
Don’t name law enforcement officers, use the force and reference numbers
Include accurate and comprehensive details about the subject
Separate bank account and transaction information, use the standard format
Include your direct contact details in case further information is required
Identify third parties associated with criminal property including dates of birth, addresses etc
Financial Conduct Authority:
The FCA outlined the importance of the Payments sector to the UK economy and consumers whilst making clear it is on the lookout for firms posing serious harm through the use of its supervisory tools and data assessment, using data shared with it by firms and partner agencies, including law enforcement.
The FCA identified six key areas where it continues to identify control failings, expanding upon the issues detailed in its Dear CEO letter to the sector in March 2023. The FCA used real-life examples of enforcement action it has taken against Banks – making clear that the FCA’s expectations are uniform for Banks and Payments firms. We recommend using our gap analysis tools to assess whether you’re vulnerable to similar issues.
There were six key themes in the FCA presentation:
Governance:
Where firms have ineffective governance and oversight arrangements in place, the FCA are clear this directly impacts the effectiveness of a firm’s, and its programme managers’ (where applicable), financial crime systems and controls. Firms must question themselves on how they get comfortable that their Governance arrangements are working effectively.
Oversight of third parties – a lack of effective oversight on third parties leads to ineffective systems and controls - remember you can outsource the responsibility, but not the accountability!
MI – an absence of MI, or limited, non-risk-based MI, does not enable senior management to understand the risks the customer book poses or facilitate sufficient oversight
Mind and management – some firms’ senior management have been identified as not being in the UK – this does not meet the conditions set out when firms were authorised / registered
Decision making – firms don’t adequately evidence their decision making / challenge of decisions taken on key components of their frameworks such as risk assessments, risk appetite and policies and procedures
Investment in Compliance – the FCA noted that a fintech’s greatest strength is also its greatest weakness – innovation. Senior management need to be cognisant of this and invest in financial crime compliance as the firm grows, balancing bringing in staff with experience from more traditional banking backgrounds and payments firms who have learnt from the mistakes that newer firms are likely to make
Sonali Bank case study – the FCA drew specific reference to the governance failings identified at Sonali Bank and how this translated into staff not complying with the regulations. We’ve produced self-assessment questions for compliance teams and for CEOs who want to challenge themselves on the actions they take and to ensure they don’t fall foul of the same errors.
Customer risk assessment:
Identification of relevant risks – firms with ineffective CRA models can’t identify the risks posed by their customers. Information analysed as part of the scoring process isn’t sufficiently risk based or accurate, or may be too complex, to enable firms to identify relevant risks and conduct proportionate due diligence at onboarding and on an ongoing basis, commensurate with the risk posed by a customer
Impact on Transaction Monitoring – incorrect risk ratings impact on a firm’s ability to effectively monitor the customer relationship
Manual overrides – where firms use automated risk assessment models they must be able to clearly articulate their rationale for manual overrides
Guaranty Trust Bank case study – the FCA walked through the associated CRA failings at Guaranty Trust Bank. We have condensed the FCA’s 50-page final notice down to just 19 points for you to consider.
Customer due diligence / enhanced due diligence:
Nature and purpose of account - firms do not record adequate nature and purpose of business account information; this can lead to the customer being given an inadequate customer risk rating, which restricts the effectiveness of event driven and periodic reviews and impacts on the effectiveness of ongoing monitoring
Source of funds (SoF) and Source of wealth (SoW) – some firms do not collect SoF and SoW information and some firms do not appropriately challenge the SoF and SoW information provided by their customers
Ongoing monitoring – where firms have insufficient KYC information held on file, this directly impacts the effectiveness of ongoing monitoring to identify unusual or suspicious activity as the firm does not have relevant information to use as means of comparison
Santander Bank case study – the FCA went through the CDD/EDD failings which formed part of Santander’s £107m fine. We have produced a self-assessment gap analysis for you to identify whether your firm’s control framework has any of the same issues.
Transaction monitoring:
Calibration – the FCA noted firms are unable to demonstrate how / why they have calibrated their transaction monitoring systems to deliver appropriate risk sensitive monitoring. The FCA continues to find that some firms’ automated monitoring approaches generate a disproportionate amount of false positives – a direct consequence of ineffective calibration and testing
Third party outsourcing – where monitoring is outsourced to third parties or entities overseas this impacts on firms’ ability to report SARs to the NCA – firms should assess whether their outsourcing model enables them to adequately detect and report in line with their legal obligations
RFI responses – firms do not critically assess responses provided by customers to questions that have arisen during transaction monitoring investigations, taking customer responses at face value
HSBC case study – the FCA touched on the HSBC £63m fine for deficiencies within its transaction monitoring process. We have created a gap analysis tool for you to assess the FCA’s findings against your own firm’s transaction monitoring systems and controls.
Sanctions:
Reactive approach – the FCA noted that firms often take a reactive approach to Sanctions and aren’t on top of impending rule changes / relevant evasion typologies
Reporting issues to the FCA – the FCA explained that firms are often slow to update the FCA on ongoing sanctions systems and control failures
FCA screening solutions testing – the FCA advised that its testing of firms’ name screening solutions against the OFSI list is working well. It plans to shortly roll out its payment screening tool to review firms’ sanctions screening solutions to identify whether they are correctly calibrated and reflect the nuances of the UK regime.
Fraud:
Priority area - the FCA advised that Fraud remains a key priority for the regulator. It will focus on two key areas: 1. Protection of customers and 2. Identifying whether firms have adequate controls to ensure they aren’t enablers of fraud (mule accounts)
Firms must do more – alongside ID verification, the FCA expects firms to independently assess customers’ fraud risk at onboarding through use of fraud registers (CIFAS), device use (e.g. number of users known), number of account holders at the customer’s address and assessment of a customer’s salary and occupation feasibility.
Questions and answers sessions
There was a good series of pre-submitted and live questions which elicited some practical and useful insights. Our key takeaways:
The FCA was asked about firms where senior management takes an aggressive commercial approach to novel business products with higher risks of money laundering and terrorist financing. It said it expects firms to have an inherent understanding of financial crime risks and to assess the risks of new products to understand the safeguards and controls that are required. These must be implemented before any distribution of the product takes place. It stated a firm with a strong compliance culture would provide effective challenge across the three lines of defence and enable risks to be discussed and effectively mitigated. It also emphasised that the firm’s Board is key and it should be used as part of the firm’s oversight. Where staff have material concerns about the firm’s approach, then options are available in the form of the firm’s own whistleblowing process and the FCA’s whistleblowing channel.
In relation to whether there are any details of supervisor engagement that firms should be preparing for, the FCA stated it is constantly engaged with firms and it is currently engaged with quite a few where issues have come to the FCA’s attention. It stressed firms should be prepared to be scrutinised at any time, so at all times they should ensure their financial crime systems and controls are well documented and they can demonstrate the adequacy of them. When the FCA speaks to firms about their systems and controls, it expects them to engage openly and transparently and to respond to requests in a timely manner.
The FCA will be putting a recording of the webinar on their website for those who want the full details.