Those on the receiving end of the Dear CEO letter on AML have just a month left to review their financial crime controls. Although the FCA’s letter to retail banks does not require a response, the regulator expects firms to have completed and acted on a gap analysis by 17th September. The supervisory team make it clear that if they think your response is inadequate, they will ‘consider appropriate regulatory intervention’.
The Dear CEO letter was sent to retail banks on 21st May. It details common shortfalls the regulator continues to identify in relation to anti-money laundering frameworks.
The letter also includes a strongly worded reminder of Senior Management accountability for financial crime prevention, saying “In the supervisory work we conduct, we will continue to consider carefully whether the relevant SMF holders have carried out their responsibilities appropriately.”
By the 17th September all relevant firms must have conducted a gap analysis against the ‘common weaknesses’ identified in the letter. The FCA also expects firms to be able to demonstrate that they have taken tangible action in response to the results of the gap analysis.
Even if, in your firm’s view, your financial crime framework is robust, there should be a record of how your organisation has considered the contents of the letter and what decisions you have taken as a result.
Dear CEO letter – a reminder of key weaknesses
Governance and oversight
Responsibilities between the first and second lines of defence are often blurred, for example where the compliance team are undertaking activities which should be carried out by the business.
Ownership of key controls is often determined by Head Office or Group functions, which also run them. Where firms are reliant on ‘ready-made’ controls it’s harder to demonstrate assurance. Similar issues arise when controls are outsourced.
There is insufficient evidence of senior management sign off in high-risk scenarios. The letter suggests good practice includes a governance committee responsible for key decision making.
The FCA views the quality of business-wide risk assessments as generally poor. This can be due to lack of detail on risks themselves, or inadequate evidence of controls which drive the residual risk ratings. UK branches and subsidiaries are also reminded that they need a separate risk assessment to the Group (if applicable).
Customer risk assessments were also highlighted as an issue, with many considered too generic, with insufficient consideration of broader risks and, again, a lack of detail or evidence.
The FCA continues to see problems with both CDD and EDD. These include the purpose and nature of a relationship, reviewing expected versus actual activity, and analysis of source of funds and wealth.
Again, issues were identified around the use of generic group-led transaction monitoring systems which aren’t appropriately calibrated for the specific UK entity, and indeed around ‘off the shelf’ calibration from vendors.
The FCA also flagged a concern that firms don’t in fact understand the technical set-up of their own systems and are failing to assess their data sources.
Suspicious activity reporting
As with processes to review alerts, demonstration of the investigation, decision-making process and rationale for reporting a SAR was inconsistent.
The FCA also noted that the process by which employees can raise internal SARs to the nominated officer was often unclear, not well documented or understood.
Not just retail banks…
While the letter is addressed to retail banks, the themes highlighted are consistent with weaknesses we see across the industry. It’s clear from the FCA’s continued communications that regulatory focus on financial crime is going to remain high.
In the recent Business Plan the regulator pointed to greater use of data, a wider sectoral focus and a commitment to working with partners to increase enforcement when it comes to preventing financial crime. A regular review of financial crime risk controls is a wise precaution for any regulated firm to prevent unwanted attention from the regulator in future.
How we can help
Bovill sits on the FCA’s Skilled Person Panel for Financial Crime and several of our team have previously worked for the FCA.
We are currently undertaking the gap analysis on behalf of a number of our clients to ensure the September deadline is met.
If you need any independent expertise when conducting the gap analysis or addressing any identified weaknesses in your financial crime framework, please get in touch.