The FCA recently published its Dear CEO letter (dated 21 May 2021) issued to retail banks requesting for the firms to identify and address common control failings in their anti-money laundering (AML) frameworks by 17 September 2021. In the letter, the FCA detail the common weaknesses identified in its recent assessments of retail banks’ financial crime systems and controls and its expectations for preventing money laundering.
By 17 September, all relevant firms must have conducted a gap analysis against each of the common weaknesses and be able to demonstrate that they have taken tangible steps in response. The senior manager holding the financial crime function is expected to have sufficient seniority to carry out the role effectively and ensure that the gap analysis is completed promptly and its findings shared internally and acted on, as appropriate. The FCA will expect to see the output of the gap analysis in its upcoming round of regulatory visits.
In this month’s insight, we summarise the key themes mentioned in the letter to assist you in your preparation for your gap analysis.
Governance and Oversight
- The FCA highlight that the first and second lines of defence are often blurred, for example, where compliance departments undertake activities that the business should carry out. Resulting in a reduction in first-line financial crime risk ownership.
- Oversight and ownership of key controls, particularly where they are “ready-made” by Head Office or Group functions, are still limiting the effectiveness of controls in the UK branches and subsidiaries. Similar issues arise when controls are outsourced.
- There is insufficient evidence of senior management sign off in high-risk scenarios. The letter suggests good practice includes a governance committee responsible for key decision making and sign-offs.
- The FCA views the quality of business-wide risk assessments as generally poor. Their observations note that there is insufficient detail on risks or inadequate evidence of control strength. This can be due to a lack of detail on risks themselves or inadequate evidence of controls that drive the residual risk ratings. The FCA also observed a failure to assess the UK business individually, with firms often wrapping it into a group assessment.
- Customer risk assessments were also highlighted as too generic with insufficient consideration of broader risks and, again, a lack of detail or evidence. For example, the FCA emphasize firms failing to recognise differences between AML and terrorist financing risks or between correspondent banking and trade finance products.
The FCA continues to see problems with both CDD and EDD. These include the purpose and nature of a relationship, reviewing expected versus actual activity, and analysing the source of funds and wealth.
- Issues were also identified around using generic group-led transaction monitoring systems that are not appropriately calibrated for the specific UK entity and indeed ‘off the shelf’ calibration from vendors.
- The FCA also flagged a concern that firms do not understand the technical setup of their own systems and are failing to assess the integrity of the data sources.
Suspicious activity reporting
- As with processes to review alerts, demonstration of the investigation, decisionmaking process and rationale for reporting a SAR were inconsistent.
- The FCA also observed that the process by which employees can raise internal SARs to the nominated officer was often unclear, not well documented or understood.
In addition, in some cases, persistent failings resulted in regulatory intervention, such as skilled person reviews, business restrictions and enforcement action.