This article was originally published by Thomson Reuters, 19 July 2021 and is reproduced with permission from the publisher.
Amidst a flurry of recent activity in the AML space, the FCA published a “Dear CEO” letter regarding failings they continue to identify in retail banks’ (Banks) AML frameworks.
The FCA expects Banks to complete a gap analysis against the common failings identified by 17 September 2021. Thereafter, Banks should work promptly to close any gaps.
Whilst the FCA has explicitly addressed all senior management within Banks, it has suggested that the Money Laundering Reporting Officer (SMF 17) will be under particular scrutiny given their responsibility for financial crime.
The FCA is likely to ask Banks to demonstrate the steps they have taken in response to the letter in any future engagement with the regulator. The FCA warned that persistent AML failings have already resulted in Skilled Persons reviews, business restrictions and/or enforcement action.
In the event of enforcement action for AML failings, a failure to take the prescribed steps set out within the letter could be deemed to be an aggravating factor in any penalty calculation (see Step 3 of the FCA’s Decision Procedures and Penalties Manual). Therefore, the content of the Dear CEO letter should be heeded.
The top five takeaways are:
1. Governance and Oversight
Three Lines of Defence
Banks must have a clear three lines of defence (3LOD) AML model that is broadly structured as follows:
- First line = business function;
- Second line = compliance, legal and risk functions;
- Third line = internal audit function.
The FCA’s concern is that it has encountered firms that blur the first and second lines of defence, often with the compliance function completing both, which can compromise their ability to independently monitor and test the control framework.
Banks should review their 3LOD model to ensure that it reflects the above. Staff training should also explain the 3LOD model so that all employees are aware of their roles and responsibilities, and how this fits into the wider model.
Ownership of Key Controls
UK regulated branches and subsidiaries of overseas firms must ensure that their AML systems and controls are tailored to the financial crime risks of the UK business.
The FCA’s concern is that systems and controls are often governed by an overseas headquarters and may not apply to the UK branch, or may be set up so that oversight of the UK branch is limited.
Banks forming part of an overseas group should review their AML systems and controls, including transaction reporting and sanctions screening, and tailor these as necessary to ensure the UK branch has full oversight and control of those systems.
High and low risk factors call for a different level of internal sign-off within a Bank. Nevertheless, the FCA expects Banks to document the decision process relating to all risks.
For example, high risk decisions must be signed off by senior management and the FCA expects this to be done and documented via a governance committee (or something similar).
For lower risk factors, the FCA expects first line of defence staff to document their assessment for accepting this risk at on-boarding and periodic review.
Therefore, Banks should review their “triage” process which identifies high, medium and low risks and ensure that the appropriate sign-off process is in place and understood by the 3LOD. All decisions taken in respect of such risks must be documented and retained for a minimum of six years in line with the statutory review period.
2. Risk Assessments
Business Wide Risk Assessments
Banks should establish comprehensive business wide risk assessments which include financial crime. Such risk assessments should:
- sufficiently detail the inherent risks faced by the business (particularly risks present in the UK for overseas headquartered Banks);
- document the assessment of the strength of any mitigating controls implemented; and
- document the rationale for conclusions drawn on the level of residual risk faced.
The FCA’s concern is that without a comprehensive risk assessment, a Bank’s oversight of its total risk exposure is likely to be restricted. Similarly, it is unlikely to be able to effectively set its risk appetite or inform its mitigating controls.
Customer Risk Assessment (CRA)
Banks must ensure that their CRAs:
- cover different types of risk exposure which are relevant to different types of relationships (e.g. there should be a distinction between money laundering risks, terrorist financing risks, tax evasion risks and bribery and corruption risks); and
- document the rationale and methodology for applying specific risk ratings.
The FCA’s concern is that without the detail described above, the CRA is too generic and the risk is, therefore, inadequately assessed and documented.
3. Due Diligence
Banks must ensure that adequate due diligence has been carried out on all customers. Employees should also document where they have undertaken appropriate investigations into the customer as part of the due diligence process.
The FCA’s concern is that weak due diligence procedures do not mitigate the risks posed by customers. For example, the FCA has found that a firm was unable to evidence an adequate assessment of the source of wealth and source of funds after it had identified a Politically Exposed Person (PEP).
Good quality due diligence training should be provided to all applicable staff to ensure familiarity with the processes. Similarly, AML policies should provide employees with a clearly articulated definition of a “PEP”, “source of wealth” and “source of funds”, along with other key concepts, to ensure these are understood.
4. Transaction Monitoring
Banks must have effective transaction monitoring procedures in place. Where the Bank is part of a foreign headquartered group, it is imperative that the systems are tailored to the UK business and provide UK senior management with sufficient oversight and control. Off-the-shelf systems should be used with caution.
Employees responsible for the systems and their effectiveness must be in a position to explain the technical set up of the systems, along with how they apply to the Bank’s business activities, products and customers.
The FCA’s concern here is that, without a good understanding of these matters, there is a high risk that the transaction monitoring system will inadequately flag suspicious activity.
Banks must have a clear and well documented Suspicious Activity Report (SAR) process that is communicated and understood by relevant staff, e.g. in staff compliance training and documented in a compliance handbook.
Similarly, when determining whether to submit a SAR, the Bank must document and record the decision-making process for either reporting or not reporting to the National Crime Agency.
The FCA’s concern is that, without a robust SAR process in place, employees are unlikely to know what to do in the event of suspicious activity, and risk tipping off the customer.
To sum up:
The AML failings identified by the FCA are wide-ranging, covering top level governance right down to front line staff. The FCA appears to be taking a hard line, forewarning that MLROs in particular will be scrutinised in the first instance.
Prior to the 17 September 2021 deadline, all Banks should conduct a gap analysis of the areas above and promptly work to amend the AML processes and procedures in place as necessary.
Should any Banks require further information on the Dear CEO letter and/or the next steps to conduct the gap analysis, our team at DLA would be delighted to assist.