Navigating the disconnect: latest FCA Dear CEO letter shows fundamental AML issues remain


The FCA have issued another Dear CEO letter in relation to financial crime. We’re seeing the same points, the same messages, the same persistent failings. So let’s take a look not only at what the FCA are saying, but why they are still having to reiterate the same points they’ve been making for years.

The letter, dated 21 May 2021 but not yet published on their website, recognises that “action [is] needed in response to common control failings in AML frameworks”. The letter talks about recent reviews of Retail banks. We’re not clear who exactly it was sent to, but we do know the findings are applicable to all sectors and firms should take action.

The language used is strong for the FCA and there is a particular focus on SMF holders (not just the SMF17) and how the FCA’s supervisory work will focus on whether “SMF holders have carried out their responsibilities appropriately”.

The letter should be a (further) wake up call to SMF holders to ensure effective systems and controls are in place to manage financial crime risk. And although recipients don’t have to respond to the letter, they have been instructed to complete a gap analysis by September this year.

SMCR places a responsibility on all senior management to counter the risk [of] financial crime. Particular responsibility lies with those roles holding responsibility for financial crime, including SMF17 / MLRO and Prescribed Responsibility D. In the supervisory work we conduct, we will continue to consider carefully whether the relevant SMF holders have carried out their responsibilities appropriately.
— David Geale, Director, Retail Banking and Payments Supervision, FCA

Summary of the letter:

The findings in the main are not new; however, there are some notable points of emphasis.

Governance and Oversight:

  • Still the FCA observe blurred lines between the first and second lines of defence, noting in particular where second line are undertaking what may be deemed a first line activity – and the resultant reduction in first line financial crime risk ownership.

  • Additionally, oversight and ownership of key controls – particularly where they are “ready made” by Head Office or Group functions - is still limiting the effectiveness of controls in the UK branches and subsidiaries.

  • Finally, escalated sign-off of higher risk situations is noted as being a regulatory requirement. Interestingly, the FCA cite good practice as sign-off through a committee, which may not be consistent with the emphasis on SMF responsibilities.

Risk Assessments: 

  • Business risk assessments: The FCA pull no punches in describing the quality of business risk assessments as being generally “poor”. Their observations are fundamental and broad, whether it be insufficient detail on risks or inadequate evidence of control strength. They also note a failure to individually risk assess the UK business, with firms often wrapping it into a group assessment.

  • Customer risk assessments: As with the business risk assessment, the FCA comments are broad and scathing. They note CRAs being too generic, failing to recognise differences between AML and terrorist financing risks or between correspondent banking and trade finance products. There are also issues with how the risk rating rationales are being recorded or the robustness of the methodology in place. Finally, the focus tends to be on AML / sanctions but overlooks bribery or tax evasion risks. 

Due Diligence:

  • All the observations around poor quality due diligence which we have seen in numerous papers, speeches and enforcement notices from the FCA are repeated, such as: purpose and nature of relationship; linking expected and actual activity; and effective differentiation and analysis of source of funds and wealth.

Transaction Monitoring:

  • Issues around Group / Head Office led systems which are not appropriately calibrated for the specific business activities and customer base / activity of the UK entity were noted.

  • Additionally, arbitrary thresholds or out of the box settings are still being used without due consideration of relevance or applicability to the business. Firms struggled to demonstrate how the thresholds in place relate to the levels of expected activity of their customers.

  • Furthermore, an overall lack of understanding of the technical set up of systems was evidenced by those with responsibility for their effective operation. This included a failure to perform regular assessments of data feeds / integrity.

  • Poor quality discounting rationale for TM alerts failed to demonstrate that appropriate investigation had taken place or why the transaction was not deemed to be suspicious. They also noted a failure to use due diligence already undertaken to validate transactional information as part of an alert review.

Suspicious Activity Reporting:

  • Rather surprisingly, the FCA observed that the process by which employees can raise internal SARs to the nominated officer was often unclear, not well documented or understood. If there’s one thing we would think mandatory AML training would achieve it would be this core purpose of the AML regime.

  • Similarly to the alert adjudication process, demonstration of the investigation, decision making process and rationale for reporting (or not) a SAR was weak and inconsistent.

 

Why the disconnect:

None of the points above are new. In fact, many of the points raised can be traced back to the FSA’s June 2011 paper “Banks’ management of high money-laundering risk situations” and numerous other publications since then.

I don’t think any of the firms, or SMF17s, going into these reviews will have felt their systems and controls were perfect, but also I’m sure they weren’t expecting things to be as bad as the FCA have stated. And although the regulations and regulatory expectations continually evolve, these seismic gaps suggest a fundamental disconnect between what firms think good looks like and what the FCA expects to see. This must be frustrating to the senior management of these firms who have continued to invest heavily in financial crime controls.

There’s no end of guidance and source material for firms to use, but much of it lacks specificity or practical application. But that in itself doesn’t explain the disconnect.

For me, there are a range of complex issues, many of which sit outside the pure financial crime framework, and are wider organisational challenges:

  • Complexity: whether you look externally at the range of regulation or internally at structures, procedures and expectations, firms are inherently complex. Whilst any individual process might be “straight forward”, it sits in a complex web

  • Cost pressure: as a commercial organisation there is a continual cost pressure. This means there is always downward pressure on time and capacity – this means quality suffers

  • Competing priorities: the breadth and depth of obligations on individuals is extensive and much wider than just financial crime prevention. It’s not easy to objectively prioritise these obligations, other than in retrospect because something has gone wrong

  • Culture: naturally, the prevailing culture in a firm or department will influence people’s propensity to document and follow procedures

  • Capability: firms are so large and have so much to deliver against that it simply isn’t possible to have sufficient highly capable individuals in the right roles

  • Control: finally, the way the firm’s governance operates plays a huge role. Senior management’s ability to be well informed and ask meaningful and challenging questions will influence compliance effectiveness. Insight will come from MI, monitoring / assurance but also from clear risk ownership in middle management.

 

Ensuring systems and controls are effective:

  • Firstly, it’s important to recognise that this isn’t just about easy wins. Procedures, guides, expectations can very easily be written and implemented. The challenge is how they are embedded and this plays to the six Cs outlined above.

  • Of course, there are easy wins to take. Is there really any excuse for any member of staff not knowing how to report a suspicion?

  • A focus on purpose may help prioritise the processes and procedures you want to focus on. Once you can prioritise what you need to have working, you can look at it in the context of all the other obligations your firm and individual employees are under.

  • An external perspective can be incredibly valuable. Seasoned consultants who have spent a lot of time with other firms can help shape your perspectives. An MLRO role can be a lonely place. Having a trusted advisor you can discuss matters with informally can pay huge dividends. You should seek insight from your immediate peers, but also across the regulated sector. Don’t think too narrowly about the input and perspectives you’re receiving.

We can help you embed purposeful AML controls, bring you constructive challenge and industry insights. Get in touch to discuss how.

Richard

contact@avyse.co.uk
