The Financial Conduct Authority (“FCA”) recently published a “Dear CEO” letter that it has issued to firms in its retail banking portfolio.1 The letter shares common themes arising out of the FCA’s recent assessments of retail banks’ financial crime systems and controls.
The letter states that the FCA continues to identify common weaknesses in key areas across some firms’ financial crime systems and control frameworks, including in the areas of Governance and Oversight, Risk Assessments, Due Diligence, Transaction Monitoring and Suspicious Activity Reporting. We have set out details of the identified weaknesses at the end of this article.
The letter also reminds firms that the Senior Managers and Certification Regime (“SMCR”) places a responsibility on all senior management to counter the risk that their firm might be used to further financial crime, and notes that particular responsibility lies with those SMCR roles holding responsibility for financial crime.2 The letter emphasises that as part of its supervisory work the FCA will continue to consider carefully whether the relevant Senior Manager Function holders have carried out their responsibilities appropriately.
Firms are not required to respond to the letter, but are expected to complete a gap analysis against each of the common weaknesses outlined by 17 September 2021. As part of future engagement, the FCA is likely to ask firms to demonstrate the actions taken in response to the letter and, where such action is deemed inadequate, the FCA will consider the appropriate regulatory intervention.
The letter should be read against the environment in which retail banks operate in the UK. In December 2020, HM Treasury and the Home Office assessed retail banking services in the UK as continuing to be at high risk of being abused for money laundering.3 As a result, financial institutions providing personal and business accounts, products and services to retail customers require a high level of vigilance. Notable risks in the UK come from cash-based money laundering (including from illicit drugs trafficking and serious and organised crime), use of the UK’s large financial and professional services sectors and UK-registered corporate structures, fraud, tax evasion, cyber-crime, terrorist financing activity, and the growing number of vulnerable customers who may be drawn in as victims or accomplices. The speed and volume of transactions means that retail banks’ anti-money laundering frameworks require an increasing level of sophistication to manage and mitigate money laundering risks.
The FCA, using its supervision and enforcement powers, will endeavour to ensure that firms meet the requisite standard. As part of its supervision powers, the FCA can appoint a third party “Skilled Person” to produce a detailed report on specified matters. Such appointment can lead to significant costs and operational disruption to allow for the matters to be forensically reviewed and reported to the FCA. Further, the FCA can take enforcement action which can carry graver consequences, including fines and the suspension or prohibition of firms and/or individuals from carrying on regulated activities.
A Dear CEO letter is becoming a common tool used by the FCA to focus firms’ – and more specifically the CEO’s and senior management’s – attention on issues that need to be addressed. In this instance, the letter gives retail banks an insight as to where they and their peers may be falling short of the requisite standard, and lets them know what areas the FCA are likely to be scrutinising in the near future when assessing firms’ compliance with the FCA handbook and relevant legislation.
While this letter was sent to CEOs in the FCA’s retail banking portfolio, the letter should also be a reminder to financial institutions engaged in all lines of business (including wholesale banking) of the FCA’s expectations in the anti-money laundering arena. Anti-money laundering frameworks require a significant investment of time and resources - commensurate with the scale and complexity of the business - in order to effectively identify, assess, monitor and manage money laundering risks.
Annex - Common Control Failings
The weaknesses commonly identified by the FCA in its firm-specific assessments of retail banks are set out in the Annex to the FCA’s letter. Those weaknesses are said to not be exhaustive, but provide a basis for firms to review key controls and assess whether they meet the FCA’s expectations. Below is a short summary of the commonly identified weaknesses:
- Governance and Oversight:
- firms blurring responsibilities between first line business roles and second line compliance roles, such that first line employees often do not own or fully understand the financial crime risk faced by the firm and restricting the ability of compliance personnel to independently monitor and test the control framework;
- UK-regulated branches and subsidiaries of overseas firms being overly reliant on head office/group ready-made controls, frameworks, and products, such that senior management of the UK branch or subsidiary are often unable to demonstrate the assurance work undertaken regarding the effectiveness of those processes; and
- firms not evidencing sign-off by senior management in certain high-risk scenarios, as mandated by the Money Laundering Regulations.
- Business-wide risk assessments (BWRAs):
- poor quality BWRAs - in some instances, insufficient detail on the financial crime risks to which the business is exposed. In other instances, failure to evidence the assessment of the strength of mitigating controls or record the rationale to support conclusions on the level of residual risk; and
- BWRAs completed at the group level which do not cover specific risks present in the UK.
- Customer Risk Assessments:
- too generic to cover different types of risk exposure which are relevant to different types of relationships;
- discrepancies in how the rationale for specific risk ratings are arrived at and recorded; and
- while firms focus on the AML and sanctions risks posed by their customers, the assessment of other risks, for example tax evasion or bribery and corruption, is often overlooked.
- Customer due diligence (CDD) and Enhanced due diligence (EDD):
- CDD measures not being adequately performed or recorded, including in seeking information on the purpose and intended nature of a customer relationship and assessments of that information; and
- some firms’ approach to EDD being weak and not mitigating the risks posed by particular high risk customers. Some firms not evidencing an adequate assessment of source of wealth (SOW) and source of funds (SOF) and an insufficient understanding of the purpose of these distinct requirements.
- Transaction Monitoring:
- group-led transaction monitoring solutions which have not been calibrated appropriately for the business activities and underlying customer base of the UK regulated entity;
- use of ‘off-the-shelf’ calibration provided by the vendor without due consideration of its applicability to the business activities, products or customers of the firm;
- lack of understanding of the technical set up of the transaction monitoring systems from those individuals that have responsibility for its operation and effectiveness; and
- rationales supporting the discounting of transaction monitoring alerts require strengthening.
- Suspicious Activity Reporting:
- the process by which firms’ employees can raise internal SARs to the nominated officer is either unclear, not well documented or not fully understood by staff; and
- some firms unable to demonstrate their investigation and decision-making processes and rationale for either reporting or not reporting SARs to the National Crime Agency.
1 Dear CEO Letter: (Retail Banks portfolio only) common control failings identified in anti-money laundering frameworks in retail banks (2021) (fca.org.uk). The letter was published by the FCA on 29 June 2021. The letter is dated 21 May 2021. The letter was foreshadowed in section 4 (pages 8-9) of the FCA’s Dear CEO letter dated 5 February 2021 titled “Supervision Strategy for the Retail Banking Portfolio”.