Financial crime risk in the E-Money and Payments sector - time to take action
“Without tougher supervision, EMIs will become a route of choice for those seeking to funnel the proceeds of crime and corruption through Britain—if they are not already,”
Transparency International, December 2021.
With rapidly increasing numbers of customers and funds flowing through accounts, e-money and payments firms’ financial crime controls have attracted growing levels of scrutiny from the Regulator over the past few years. In practical terms, this has meant firms have spent a lot of time dealing with their supervisors at the FCA and facilitating audits at the request of banking partners. For several firms, the increased supervision has led to costly Skilled Person reviews and the potential for enforcement activity and fines, which can deal a hammer blow to firms’ funding and growth aspirations.
The future inclusion of SMCR in the sector signals the FCA’s intent to increase its supervision and drive standards (more from us on this very soon!). For now, let’s look at the reasons why firms might be struggling to get their financial crime framework up to standard.
How and why are firms tripping up?
Having spent a lot of my time over the past 4-5 years working as part of Skilled Person teams and providing advisory work to firms in the sector, I’ve noted several common issues which firms struggle to get to grips with.
Culture
This is one of the most important things for a firm, yet one of the hardest things to get right. For many firms, making the shift from viewing themselves as a tech company which provides financial services to a regulated financial services firm which uses tech to innovate, grow and provide a great product is an important moment.
Until firms make that shift in thinking, effecting cultural change for the long-term benefit of the company will be difficult. If Compliance is not a real voice around the table and not part of a firm’s DNA, then poor behaviours will emerge, and corners will be cut no matter how robust the controls are in theory.
Senior management need to ask themselves whether their culture really values financial crime compliance – i.e., do the documented commercial decisions a firm makes reflect the commitments it has made in its risk appetite statement?
A poor culture will prevent middle management from raising issues for fear of looking bad – actively encourage and reward openness and transparency
Incentivise the right behaviours – Compliance is a vital part of a firm’s long-term success, so make sure you incorporate strong Compliance behaviours into performance management metrics right across the business and aren’t simply wedded to productivity-related KPIs
Governance
The traditional approach to good governance is anathema to some firms in the sector. It is perceived as time-consuming and mired in red tape: a business blocker. This can lead to poor oversight of risk and poor management of a firm’s control framework, with decisions being made by the business which aren’t challenged or documented and do not stand up to regulatory scrutiny. Typically, this manifests itself in two ways:
An inability to articulate how or why decisions have been made on key strategic changes to systems and controls.
Failing to document why senior management are comfortable with the content of core documents such as the BWRA and MLRO report.
Whilst it’s true some more traditional governance practices can be overcomplicated, a balance does need to be struck so that a proportionate governance framework is in place and is fully adopted by the firm. Ultimately, a sound governance framework will enable a firm to operate effectively and efficiently whilst ensuring it remains compliant with its regulatory obligations.
Make sure committees are working by sticking to a terms of reference and ensuring members are held to account. Write comprehensive minutes demonstrating the discussions held and actions agreed
For small firms, conflicts of interest can easily emerge as a barrier – consider how involved C-level staff need to be in the day-to-day management of the framework
Be smart with management information (“MI”) – MI must help senior management monitor the risks identified in the risk assessment and enable them to have proper oversight
Disjointed frameworks
Where the component parts of a firm’s financial crime framework aren’t well aligned, making sense of something as fundamental as risk appetite can prove challenging and will likely lead to inconsistent outcomes and unmitigated risks being taken.
For some firms their frameworks haven’t kept pace with growth and don’t fit their business model or reflect their international operations, and a well thought out redesign is needed. However, for a lot of firms, Compliance staff turnover creates a cycle where frameworks are inherited and quickly rearranged without time being taken to ensure the framework is coherent and effective. To counter this framework flux, senior management need to see their financial crime framework as a core component of a successful business – and this requires investment.
Write the framework down and keep it simple. Try to reduce duplication, which over time results in fragmentation because only one source gets updated and another is left out of date
Articulate the framework alongside roles and responsibilities – think about the governance, data / technology, people and process aspects of how you operate
Senior management need to get hiring and retention decisions right, particularly in more senior roles, and invest in enabling Compliance to build a fully functional and scalable framework
Use automation and AI wisely
At e-money and payments firms, technology is great for operational efficiency and building a business – saving resource, time, and money. The way in which firms have developed their platforms has been copied by the big banks, disrupting the way in which financial institutions and their customers interact. Much of this is down to systems automation. Firms’ use of automation and AI in financial crime processes can, however, be problematic if unchecked.
For example, where firms use technology to onboard customers, some are unable to evidence how they have gained assurance that the tool they are using to identify and verify their customers works: for example, that a packaged sandwich isn’t able to pass as a selfie (true story)! Firms need to ensure AI and automation tools are in scope of second- and third-line reviews. And, on an ongoing basis, firms need to ensure they are on top of system updates and that ongoing issues are understood and mitigated where necessary.
Define expected outcomes and encourage professional scepticism. Consider whether systems achieve what you want them to but also that they don’t achieve what you don’t want them to
Ensure AI and automation tools are in scope of second- and third-line reviews
Stay on top of system updates and ensure ongoing issues are understood and mitigated
Transaction monitoring
If a firm hasn’t documented how its off-the-shelf or proprietary transaction monitoring system has been calibrated to capture the inherent financial crime risks identified in its BWRA, it is going to have a hard time proving system effectiveness. Firms should take heed of the issues identified in the recent HSBC Transaction Monitoring fine.
It’s therefore crucial that firms carry out coverage analysis of their transaction monitoring system’s rules, scenarios, and thresholds to assess whether relevant typologies are captured.
Use “real” risks in the risk assessment (not just regulatory risks) to help inform monitoring
Document the rationale for the rules, what they apply to and any thresholds set – any rationale is better than no rationale (as long as it makes sense!)
Where changes are made to the rules, document when and why you made the changes and don’t forget to update accompanying policies and procedures
Customer risk and due diligence
The sector is perceived to be something of a softer touch when it comes to getting an account. This naturally attracts would-be bad actors. Firms make their processes as user-friendly and as swift as possible in a rush to (understandably) get as many customers through the door as possible – this may lead to firms paying little attention to their onboarding controls, which can lead to some unwanted entries in the customer list.
Question whether customer risk assessment and due diligence processes work in tandem – does the intelligence you gain from due diligence feed into the customer risk assessment and vice versa?
Staff can only identify and investigate customer risk if they are equipped to do so – staff training and guidance documentation needs to be specific to the business
Use QA on a targeted basis to identify where the process needs refinement. This will help senior management make and record decisions where necessary to enhance the controls
Please get in touch if you’d like to get an external point of view on the strength of your financial crime framework and where you should be focussing your attention.
Greg