PLENITUDE INSIGHTS: Opinion on FCA's Dear CEO Letter to Retail Banks

In the letter, UK’s Supervisory Authority request Senior Management of retail banking firms to undertake a gap analysis to gain assurance that their financial crime systems and controls are proportionate and adequate with their risk profile and remain compliant with the Money Laundering Regulations (MLRs).  The letter reminds firms of the SMF17’s responsibilities under Senior Managers and Certification Regime, and instructs firms to conduct a risk assessment by the 17th of September 2021, taking prompt and reasonable steps to address gaps or weaknesses identified.

Whilst the requirement to identify, assess and manage financial crime risk is not new for firms and specifically covered under several provisions including SYSC 6.3 and JMLSG, this is the first time we are aware of an FCA communication asking firms to undertake a gap analysis activity by a certain deadline.  Once gaps have been identified, the firms have been requested to share the findings within their firm and deploy a plan to address and remediate such gaps. This will be a key area of supervisory focus and all firms will need to address the FCA’s concerns, evidencing robust assessment, governance, and the ability to implement changes to the control environment as informed by the gap analysis.  Furthermore, evidence of these actions shall be requested by the Supervisory Authority in future reviews, and in cases where evidence is considered unsatisfactory, a regulatory intervention might be imposed to manage the financial crime risk posed by the bank.

The letter references the following key areas of concern where significant and common deficiencies are noted.  We have included a sample of controls in each theme as a guide, however this should not be treated as an exhaustive list:

Governance & Oversight

3 Lines of Defence (3LOD)

• Ownership and accountability of money laundering and financial crime risks faced by the first line of defence.
• Documented and unambiguous descriptions for roles and responsibilities with clear segregation of duties between operational management and compliance functions in order to prevent second line of defence undertaking activities (such as the completion of customer due diligence and customer risk assessments) that should be owned by first line of defence.
• Dedicated and tailored AML training deployed to raise first line’s awareness of specific money laundering risks and identification of suspicious activities.
• Awareness by Compliance staff of their independency when conducting monitoring and independent testing.
• Clear governance structure with assigned roles and responsibilities, robust MI for the oversight of risk appetite thresholds.

Ownership of key controls

• Robust controls for the management of the policy framework ensuring traceability from laws, regulations and guidance into policy and standards.
• Systems and controls must be tailored and bespoke to the firm’s business activities and in alignment with the financial crime risk exposure posed by the firm, branches and/or subsidiaries.

Senior Management sign-off

• Formal and documented evidence of the first line of defence’s assessments and robust rationales for customers’ approval at on-boarding and at periodic review.
• Formal and documented evidence of Senior Management approvals for all high-risk customers applications. Firms should demonstrate that such matters are formally discussed in a governance committee responsible for decision making for customer approvals or in any matters potentially associated with AML/financial crime escalation issues at onboarding and at periodic reviews.

Risk Assessment

Business-wide risk assessment (BWRA)

• Formal evidence of a structured Business-wide Risk Assessment methodology comprising a holistic view of their financial crime key risk exposure, documented inherent risks, formal assessment of their mitigating controls and the deriving residual risk once the effectiveness of internal controls have been evaluated.
• Documented evidence of assessment outcomes and action plans tracked at appropriate governance forums with supporting MI.
• Evidence of robust plans for the performance of an annual assessment with supporting resources to deliver the plan.

Customer Risk Assessment (CRA)

• Documented Customer Risk Assessment methodology that considers different types of risk exposure applicable to different types of business relationships.
• Evident distinction between the different financial crime risks presented e.g. money laundering vs. terrorist financing vs. sanctions.
• Special attention to risks associated to Tax Evasion and Anti Bribery and Corruption (ABC).
• Strong rationales for specific risk rating with supporting documentation recording the key risks and the scoring logic results to assess the aggregate inherent risk profile of individual customers.
• Periodic Review (PR), recalibration and validation of the Customer Risk Assessment methodology to ensure it is meeting regulatory requirements and identifying high risk relationships appropriately.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

• Clear and established procedures for the performance of Customer Due Diligence (CDD) throughout the customer lifecycle including scenarios when Enhanced Due Diligence (EDD) is required, ability to understand and evidence knowledge of the customer and of the intended nature and purpose of the business relationship.
• Customer relationship closely monitored to confirm or amend expected account activity. Evidence of appropriate investigation performed in cases where customer activity is not in line with the recorded expectations.
• Robust approach to EDD measures for Politically Exposed Persons (PEP), with documentary evidence of Source of Wealth (SoW) and Source of Funds (SoF). Firms must ensure that the terminology for SoW and SoF is clear to avoid confusion between these separate requirements. Furthermore, firms must have enhanced controls to assess the level of risk associated with a PEP and tailor the level of due diligence applicable on a Risk Based Approach (RBA).
• Customer Risk Assessment (CRA) methodology applied for consistent assessment of the customer and associated controls required.
• Triggers for Periodic Review (PR) and Event Driven Review (EDR) documented and aligned to procedures.

Transaction Monitoring

• Documented Transaction Monitoring procedures and scenarios to ensure thresholds and limits allow for identification of unusual or suspicious transactions, clear escalation channels for UAR and the ability to trigger additional monitoring or a review of the customer such as Enhanced Transaction Monitoring or an EDR.
• A library of Transaction Monitoring risk typologies including red flags and threshold calibration that is maintained on an on-going basis.
• Transaction Monitoring Systems appropriately calibrated and tailored to the business activities, products, customers and geographic location of the firm and associated entities.
• Enhanced technical training for control owners or personnel accountable for operating the Transaction Monitoring Systems. Firms must assess the operational effectiveness of these controls and validate the adequacy, accuracy, completeness, and integrity of the data collected for such purposes.
• Documented evidence to support the rationales for discounting alerts generated by  Transaction Monitoring systems.  Evidence of robust and reasonable explanations to disregard transactions alerts that surpasses the customer’s expected transactional activity.

Suspicious Activity Reporting (SARs)

• Documented SAR’s policy which includes definition of “grounds for suspicion”, procedures and controls in place for Unusual Activity Reports (UARs), how these are managed, prioritised and investigated and clear guidance for the submission of a SAR and/or Sanctions Reporting.
• Procedures which manage onward instruction to exit a customer relationship, taking account the risk of tipping off and consideration for any permissions required to pay away funds.
• Documented evidence to demonstrate that an investigation has been undertaken for SARs with supporting rationales to justify the reasons for reporting or not to the National Crime Agency.

To mitigate supervisory concerns and demonstrate robust systems and controls, the following actions should be undertaken by firms:

• Conduct a comprehensive gap analysis against UK laws, regulations, and regulatory guidance, including an assessment of compliance with policy and risk appetite on the aforementioned key areas.
• Socialise within the firm, findings and/or areas of enhancement within the firm’s financial crime systems and controls identified via the gap analysis review.
• Develop and implement a plan of action with clear ownership, roles and responsibilities, timelines, and robust governance for monitoring the execution of the plan.  To demonstrate that those findings have been remediated, agree a method of assessment such as support from Financial Crime Assurance and/or Internal Audit.
• Document clear evidence to demonstrate that the above steps have been undertaken by the firm, which must be available for future reviews.