Concerned about financial crime? The FCA continue to be…

By Michelle Bailey

In recent months, the FCA have sent out Dear CEO letters to the wholesale broking and payments sector. In these letters they highlighted (amongst other things) AML deficiencies within both sectors and advise that they will be carrying out more work in this area in the coming months.

Some of the findings raised by the FCA are outlined below:

  • Few firms turn away new or existing clients regardless of the level of money laundering risk they pose.

  • Many fail to carry out and/or to evidence adequate KYC / due diligence.

  • Business-wide risk assessments are not supported by a robust and effective methodology.

  • Enhanced due diligence is not adequately risk based and not commensurate to the risk event and/or the customer.

  • Firms fail to regularly review and refresh risk assessments and control frameworks in an evolving threat landscape.

  • Policies and procedures are insufficiently detailed and tailored to firms' business models.

  • Firms fail to ensure name screening solutions from third party providers are appropriately and adequately calibrated to meet their business requirements.

What are we seeing?

Ongoing reviews of client files are incredibly important. We’ve seen first-hand that due to many reasons (though in my personal experience usually a lack of resources) ongoing client reviews are seen as less important than initial onboarding, because the client is already onboarded and trading. However, ongoing reviews are vital because they allow an assessment of the risk posed by the clients on a periodic basis. Questions should be asked such as, has anything about this client changed that would change our risk rating since they were onboarded. Is their structure and ownership still the same, are they still within our risk appetite so that the business can continue trading. If firms are not completing their periodic reviews of clients, they are susceptible to being unable to say whether their clients still fit into the same risk category and the firm’s own risk appetite.

Client onboarding isn’t just about reviewing new clients, it’s also about offboarding existing clients. Firms need to decide based on their own risk appetite when clients should be reviewed for potential offboarding, but as a minimum this should be done at their periodic review. Many firms do not have adequate offboarding policies and procedures in place. Offboarding should also be considered when there are event triggers and at this time it may also be necessary to raise a SAR. Therefore, firms unable to demonstrate adequate offboarding could fall foul of regulatory requirements. Further to this, if the firm is also not completing their ongoing review obligations, they are further unable to determine whether a client should have or needs to be offboarded.

We’ve observed the FCA comment on the inherent risk of a business model itself. We were left with the impression that the FCA had determined that as cryptoasset business has a higher inherent risk than FIAT business, no cryptoasset client could be classified as low risk and therefore simplified due diligence cannot be applied. All cryptoasset clients previously classified as low risk should then be remediated to the new standard (not necessarily EDD). When firms encounter changes such as these, there is also a possibility that firms fail to review and refresh their risk assessments and control frameworks, or to update internal policies and procedures.

Where firms might have inadequate enhanced due diligence practices in place they should invest in external support or software to improve their process. Insufficient EDD can include not understanding the structure of a client, not knowing where source of funds and wealth are from and/or not verifying the information provided for this purpose. Being unable to show that these clients have been escalated for senior management/MLRO approval and even an inability to demonstrate robust sanctions screening, with some clients missing from the screening solution altogether.

Wait, haven’t I seen this before?

I've talked about it before, the FCA also raise the importance of sanctions screening. Many firms use third party providers for their screening solution, but firms cannot just use an ‘out of the box’ solution. They must be able to demonstrate that testing has been carried out to ensure that the level of risk associated with the business and their clients has been reflected within the screening parameters set. Firms must ensure they can demonstrate rigorous testing of the solution and that any changes are clearly documented and reviewed on an annual basis.

Add to this…

The complexities of crypto currency and cryptoasset firms. The UK and the EU have taken slightly difference stances on their respective regulation of crypto assets as we outline in the following blogs on our website https://www.shapesfirst.com/news-views/it-looks-like-crypto-is-here-to-stay, https://www.shapesfirst.com/news-views/markets-in-crypto-assets-regulation. The UK is taking a phased approach towards regulating the cryptoasset sector, in contrast to EU regime and the Markets in Crypto Assets Regulation (MiCA). Firms that operate in both jurisdictions need to consider how they will comply with both regimes (which do differ).

It all sounds a bit gloomy, but…

It’s not so bad. We’ve worked with firms who are actively seeking to strengthen their AML and overall approach to anti-financial crime. We’ve completed ad-hoc file reviews for clients, determining any areas of weakness and remediation requirements. We’ve seen first-hand the positive steps that some firms have put in place to ensure that their staff are fully trained and that their client files; especially for enhanced due diligence stand up to scrutiny, with one firm going beyond expectations to create a clear picture of their clients. We’ve worked with clients to improve their policies and procedures, ensuring they are robust and reflect an ever-changing threat landscape as well as the firm’s own risk appetite.

So what?

Anti-financial crime controls aren’t just regulatory requirements, having robust controls in place makes a real difference to people’s lives. Criminal gangs are using financial services firms to move their money, money that funds the activities that the gallery below is an illustration of. Crime ruins lives, AML controls save lives. If you would like to hear more about how Shapes First can help you play your part to starve criminals of financial resources get in touch.

Previous
Previous

Operational Resilience: What next?

Next
Next

Consumer Duty: Four months from the implementation deadline. Is your firm ready?