Skilled person review: prevention is better than cure (Part 1)

We have been appointed to the FCA skilled person panel (Lot B: Governance, Lot C: Risk, Lot D: Conduct and Lot E: Financial Crime). For more details please see our skilled person services page.

Purpose

Regulators use a variety of tools to monitor specific firms’ compliance with regulatory requirements. We have been involved significantly with financial crime skilled person reviews (FSMA section 166) as well as US Monitors. We wanted to share our experiences to highlight key learning points for firms in all sectors.

This blog series is written from the perspective of an external auditor such as a Regulator, Skilled Person or Monitor but we have focused on areas that we think will actually serve a useful purpose for our clients in the regulated industry.

This two part blog series will cover:

Part 1:

  • What gives us the credentials to discuss this?

  • What are the common underlying issues that led to increased regulatory scrutiny?

Part 2

  • Why had the firms not resolved them on their own?

  • What was the impact on the firm of the regulatory intervention?

  • Are the outcomes worth it?

At the end of each section we have sought to distill the key learning points. The purpose of this is to serve as a checklist to reflect against and to challenge yourself on.

If you are required to appoint a skilled person – get in touch, we aren’t on the panel (yet!) but we can still be your skilled person. Alternatively, if you want the best team on your side, let us partner with you to help you navigate the process. Your skilled person and advisor will be with you for a long time and the relationship is pivotal to your success.

Credentials

Over the last few years, our team have been involved with many firms who are under regulatory scrutiny. Regulators worldwide continue to take robust action against firms perceived to have weak systems and controls for preventing financial crime.

Some of the largest pieces of work we’ve done recently have involved firms under formal regulatory scrutiny:

  • Two foreign banks in London as the skilled person

  • One foreign bank in London and two payments firms where we advised them through their skilled person reviews

  • One global bank under a US Department of Financial Services monitor arrangement

Our extensive experience places us in an excellent position to help you achieve your purpose.


What are the common underlying issues?

The overall theme of the issues we have seen is a failure to maintain effective systems and controls proportionate to the financial crime risks. Whilst there are a broad range of underlying issues they generally fall into two groups:

Overtly material failings:

  • Transaction monitoring not turned on

  • Perpetual transaction monitoring alert backlogs

  • Persistent and ageing KYC refresh backlogs

  • Ineffective monitoring of complex products such as trade finance and correspondent banking

  • Falsely attesting to the regulator that remedial plans have been completed

Persistent minor issues:

  • Late KYC reviews

  • Late, vague or absent MLRO reports

  • Poor and/or incomplete training

  • Data accuracy and completeness inhibiting downstream controls

We have gone into greater detail below on the key themes and underlying issues across all of the institutions we have reviewed and helped.


Previous warnings or commitments unaddressed, or not addressed sustainably:

In our experience, without exception, the most severe regulatory intervention has happened where firms have failed to take sufficient and appropriate action to address previously identified weaknesses. This has included specific recommendations made by Regulators in previous visits or public statements as well as issues identified internally.

This should not be a call for firms who feel they have addressed all previous issues to relax, however. The question inevitably comes down to how effectively matters have been addressed. The recent FCA Dear CEO letter to Retail firms not only highlights the need for controls to be effective, but also the requirement to ensure they are well embedded.

We have observed firms who could demonstrate that historic issues were addressed at a point in time. However, they had failed to recognise that mitigating activities had since drifted, or in some instances been stopped entirely. This suggests a “ticking the box” mentality rather than development of sustainable controls.

Key learning points:

  • Firms are expected to address all identified issues and deliver against recommendations. If things are left to drift or ignored, this will not be viewed favourably

  • Controls need to be sustainable. This means they are well documented, communicated and there is meaningful reporting resulting in conscious understanding of why the control is in operation

  • Firms must know how compliant they are in almost real time. Compliance monitoring and audit functions need an extensive and continuous remit to independently validate compliance levels


Inability to articulate risks and controls clearly:

The way individuals, and collectively firms, talk about their risk and control framework has a significant impact on outcomes. An effective framework is a cohesive one. It means all key personnel have a consistent and accurate understanding of risks and controls in place.

If messages provided are inconsistent, it creates doubt around the cohesion of the framework in place. A skilled auditor will explore these inconsistencies with a view to determining the “actual” answer, and in turn, the delta in understanding.

Not only must messaging be cohesive, it also needs to be plausible. That is, the articulation of risks must be objective (for example, the firm isn’t trying to suggest it is low risk when peers all deem themselves high risk) and the explanation of controls must be proportionate to those risks.

Key learning points:

  • A consistent and objective understanding of inherent and residual risk needs to be demonstrated both through documentation and discussion

  • All senior managers need to be able to articulate the risks and controls in a consistent manner, although it is reasonable that their level of insight is proportionate to their role


Missing the “low hanging fruit”

We have observed a number of firms failing to get some of the basics right. These types of failings can suggest to an auditor that the firm is not taking the process seriously, that there are resource issues, or that compliance is just “lip service” with key processes in place which are unsupported by a strong control environment.

Examples of what we have seen include failing to produce MLRO reports or producing very poor ones; producing management information but not identifying the messages contained within it; or providing untailored “out of the box” training. Many firms are able to explain how things work, but struggle to demonstrate this in practice because decisions or processes are not documented.

Whilst some of this “low hanging fruit” might not be the big ticket controls which directly mitigate risks, we have seen that they sometimes receive disproportionate levels of focus from Regulators.

Many firms fail to maintain an overarching view of the controls they have in place. This reduces their ability to both articulate the controls, but also to critically assess the purpose of the controls. By focusing on control purpose, we find that firms can ensure all controls add value.

Key learning points:

  • Have a control inventory and challenge yourself on how well controls work as a self-complementing ecosystem

  • Don’t use the MLRO report to theoretically detail what the control environment is; use it to inform management on risks, issues and future threats

  • Write it down. If it isn’t written down you can’t demonstrate to Regulators that you actually did it


Three lines of defence

Most firms will describe themselves as utilising a three lines of defence model. However, we find many firms failing to really embed the model that they describe.

Although it is frequently cited that the first line owns the risk, a firm’s ability to demonstrate how this is achieved is often limited. Lack of decision making in the first line leads to too many decisions and sign-offs occurring in the second line. This inherently undermines the second line’s ability to operate independently.

Additionally, the business-critical nature of onboarding decisions or alert adjudication going into the second line always takes precedence over “less important” tasks like oversight.

Key learning points:

  • Ensure everyone understands what three, distinct, lines of defence means

  • Ensure your three lines of defence model actually operates as described – both in principle and in practice

  • The first line needs to be equipped to make their own decisions unless there are truly exceptional circumstances

  • Maintain the independence of your second line function. If they are executing controls themselves or making risk decisions, they will have to mark their own homework

  • Business pressures can easily distract second line functions from performing their stated purpose – challenge yourself on whether this might be a risk


Systemic failings in key controls

Perhaps unsurprisingly, systemic failings in key controls have a high likelihood of inviting regulatory scrutiny. Yet, it is common to see firms with known material deficiencies in KYC or transaction monitoring processes.

Such failings are often well known within firms, even if they are not well understood. For instance, large backlogs of cases might be impacting business as usual activities. Sometimes the firm may be treating the symptoms, but not looking further into the root cause.

We have increasingly seen firms that do not know when transaction monitoring systems have been turned off or are not working as intended. This is often due to a lack of technical expertise in the system’s operation, and also to shared ownership of data capture and monitoring systems across lines of defence and bank locations (such as head office or offshore processing centres).

Key learning points:

  • Senior management and assurance functions need to be asking questions which drive towards understanding of root cause

  • Consider the cost implications of only reacting to the issue rather than improving the process

  • Key processes and controls need to be identified as such and have their critical nature appreciated


Coming up in Part 2

In next week’s blog, we’ll look more at:

  • Why had the firms not resolved them on their own?

  • What was the impact on the firm of the regulatory intervention?

  • Are s166 / monitor reviews effective?
