Dear CEO letter demands action on financial crime

The FCA’s Dear CEO letter asks retail firms to conduct a gap analysis on their AML controls by 17th September and outlines its expectations when it comes to preventing money laundering.

The Dear CEO letter, which has not yet been published on the FCA website, was sent to retail firms on 21st May. It details common shortfalls the regulator continues to identify in relation to anti-money laundering frameworks. The messages from the FCA are consistent with what it has said for the last decade and yet the same problems continue to emerge – a clear sign that for many firms a complete change of approach is needed. 

The letter also includes a strongly worded reminder of Senior Management accountability for financial crime prevention, saying “In the supervisory work we conduct, we will continue to consider carefully whether the relevant SMF holders have carried out their responsibilities appropriately.” 

Dear CEO letter – key weaknesses identified 

The FCA outlines several common weaknesses that it continues to see in key areas of firms’ financial crime systems and control frameworks and, in a detailed annexe, lists its observations with some examples of its findings.

Governance and oversight 

The distinction between the first and second lines of defence is often blurred, for example where Compliance are undertaking activities which should be carried out by the business.

Key controls are often determined, owned and run by Head Office or Group functions. Where firms are reliant on ‘ready-made’ controls it’s harder to demonstrate assurance. Similar issues arise when controls are outsourced.

There is insufficient evidence of senior management sign off in high-risk scenarios. The letter suggests good practice includes a governance committee responsible for key decision making. 

Risk assessments 

The FCA views the quality of business-wide risk assessments as generally poor. This can be due to lack of detail on risks themselves, or inadequate evidence of controls which drive the residual risk ratings. UK branches and subsidiaries are also reminded that they need a separate risk assessment to the Group (if applicable). 

Customer risk assessments were also highlighted as an issue, with many considered too generic with insufficient consideration of broader risks and, again, a lack of detail or evidence. 

Due diligence 

The FCA continues to see problems with both CDD and EDD. These include the purpose and nature of a relationship, reviewing expected versus actual activity, and analysis of source of funds and wealth. 

Transaction monitoring 

Again, issues were identified around use of generic group-led transaction monitoring systems which aren’t appropriately calibrated for the specific UK entity and indeed ‘off the shelf’ calibration from vendors.  

The FCA also flagged a concern that firms don’t in fact understand the technical set up of their own systems and are failing to assess their data sources. 

Suspicious activity reporting 

As with processes to review alerts, demonstration of the investigation, decision-making process and rationale for reporting a SAR was inconsistent.

The FCA also noted that the process by which employees can raise internal SARs to the nominated officer was often unclear, and not well documented or understood.

All regulated firms should take heed 

While the letter should undoubtedly be a catalyst for action for retail firms, the themes highlighted in the letter are consistent with weaknesses we see across the industry. And it’s clear from the FCA’s continued communications that regulatory focus on financial crime systems and controls across all sectors is going to remain high – the following are a few indicators:

Persistent failings have often resulted in more serious regulatory intervention, such as skilled person reviews, business restrictions and enforcement action. Since April 2020, 17 of the 68 skilled person reviews commissioned were financial crime focused (25%) – a significant proportion.  

Retail firms – responding to the Dear CEO letter 

By 17th September 2021 all relevant firms must have conducted a gap analysis against the content of the Dear CEO letter. The FCA also expects firms to be able to demonstrate that they have taken tangible action in response to the results of the gap analysis. Even if a firm feels its financial crime framework is adequate, there should be a record of the contents of the letter and the firm’s reaction at the appropriate fora within the organisation. The FCA will expect to see the output of the gap analysis in its upcoming round of regulatory visits.

Regulatory intervention can be costly from both an economic and reputational perspective. If you are a regulated firm, it’s a timely reminder to look again at the themes outlined in the letter and consider whether you need to make improvements in your systems and controls.  

How we can help 

Bovill sits on the FCA’s Skilled Person Panel for Financial Crime and several of our team have previously worked for the FCA.

We are currently undertaking the gap analysis on behalf of a number of our clients to ensure the September deadline is met.

If you need any independent expertise when conducting the gap analysis or addressing any identified weaknesses in your financial crime framework, please get in touch. 
