Warning to financial services firms on anti-money laundering failures

FCA warns firms to do better on risk assessments and training

The Financial Conduct Authority (FCA) has warned over 1,000 Annex 1 firms (lenders, money brokers and financial leasing companies) about serious anti-money laundering failings at the most basic level.

The FCA has written to these firms, making it clear that they should “complete a gap analysis against each of the common weaknesses we have outlined within six months.” The letter also says that in future engagements the FCA expects to be provided with the findings of the gap analysis, the gaps identified and the progress made towards effective policies, controls and procedures. Failing to do so could result in regulatory action.

The FCA’s review of financial crime controls revealed widespread weaknesses across various areas. Firms were found to be inconsistent in reporting their activities to the FCA, failing to adapt their controls to accommodate business growth, and lacking proper risk assessments. Additionally, the FCA identified shortcomings in due diligence procedures, ongoing monitoring, and the documentation of financial crime-related decisions. The review also highlighted a lack of resources and inadequate training provided to staff, alongside insufficient oversight from senior management. 

Discrepancies between firms’ registered and actual activities

The FCA found a gap between the business activities firms said they would undertake when they registered with the FCA and the activities they were actually carrying out when asked during the assessment. Registered firms are required to notify the FCA of any change to, or inaccuracy in, their business details within 30 days of the change, including where they offer different or additional services. Firms should check what activities and details they have told the FCA about and ensure these remain accurate.

Lack of Financial Crime controls to keep pace with business growth 

The FCA has made clear that business growth should not come at the cost of financial crime controls. It highlighted firms that had grown rapidly in a short period but whose policies, controls and procedures had not kept pace with the size and complexity of the business.

This includes adequately resourcing financial crime teams as the business grows, including by providing frequent and relevant training. The FCA noted a distinct lack of training, as well as poor senior management engagement. In some firms the money laundering compliance officer was not even involved in reviewing high-risk accounts, given the pace of growth.

Business-Wide Risk Assessments (BWRA)

The Money Laundering Regulations require firms to assess the risks of money laundering, terrorist financing and proliferation financing they face, and to document that assessment in writing, but in many cases this had not been done. Even where a written assessment was in place, the FCA found its quality to be poor: it lacked detail and the methodology used was often unclear.

Some firms, while able to articulate risks such as fraud, were unable to describe the mitigation measures they had put in place, and there was little review of whether those measures were effective. The FCA expects firms to identify and assess the ML, TF and PF risks to which they are exposed, including through their customers, countries, products, services, transactions and delivery channels.

Customer Risk Assessments (CRA) 

The FCA expects firms to have customer risk assessments in place so that customers can be categorised by risk level and the appropriate level of due diligence applied. The FCA found that some firms were assigning a single risk level to a whole group of customers without considering individual customer characteristics such as the nature of the business relationship and the customer’s jurisdiction.

Due Diligence, Ongoing Monitoring, and Policies and Procedures 

The FCA found that many of the customer due diligence (CDD) policies it assessed lacked detail. Policies were often vague on the actions firms should take in response to ML, TF and PF risks, and were often out of date, leaving staff unsure what level of CDD should be applied to each risk rating. This was particularly apparent at customer onboarding. Firms’ CDD procedures also lacked detail about when simplified and enhanced due diligence should be applied, and did not set out the risk issues to be considered when parties are operating in high-risk third countries.

The FCA also found that similar issues were present in ongoing monitoring policies, with a lack of clarity and detail and a lack of policies explaining procedures for reporting potential suspicious activity. 

Absence of a clear audit trail for Financial Crime related decision-making

Overall, there was a lack of record keeping for financial crime decisions, and firms failed to document their responses to risks or the rationale for the decisions they had taken. The FCA also found that boards not having financial crime as a standing agenda item was a serious weakness.

The FCA expects firms to establish an independent audit function to subject financial crime controls to adequate challenge. This function should also be able to make recommendations to improve policies, controls and procedures, and to monitor effectiveness and compliance. 

Lack of resources and lack of adequate training

Poor oversight from senior management and a lack of funding and resourcing for financial crime functions were found in a number of cases. Training on financial crime had also not been given the importance the FCA expects: in many cases employees were not provided with role-specific training, or the training did not cover important aspects such as reporting suspicious activity.

The lack of effective training was very evident in the FCA’s interviews with employees, who demonstrated a very low level of financial crime awareness.

From the FCA’s perspective, financial services firms must train employees to understand the law and the risk of ML, TF and PF. Training must be regular and include how to deal with transactions and recognise suspicious transactions. Training must also be recorded in writing.

How VinciWorks can help

Get workers up to speed with the regulations and practices that keep the financial markets running effectively.

The Financial Conduct Authority (FCA) requires the UK’s 1.1 million financial services workers to maintain high standards by following highly regimented protocols and procedures for countless regulated tasks and roles. Failure by employees to comply with any of the various laws and standards relating to the industry can result in fines or worse.

VinciWorks’ FCA training courses are designed to give financial firms all the resources they need to ensure that staff are trained and prepared with everything they need to comply with the FCA’s demands.
