Close supervisory attention to money laundering compliance backed by a steady stream of enforcement cases has resulted in improved standards of compliance. However, according to the FCA, there continue to be significant and widespread weaknesses in AML and sanctions systems and controls. The FCA’s latest report on its Thematic Review of Small Banks (TR 14/16) concludes that in spite of improvements, firms need to take steps to improve their AML procedures.
Thematic reviews and enforcement
There is also increased focus on individual MLROs with action being taken against them personally where the FCA has found that they have failed to take reasonable care to establish and maintain appropriate AML controls. Individuals can face the prospect of both FCA disciplinary action and criminal liability. For example, HMRC secured the conviction of an MSB owner who provided money remittance services without undertaking customer due diligence checks. The business owner was jailed for a period of 12 months in November 2014. The conviction related to compliance failures and not substantive money laundering.
Lessons to be learnt
Firms should therefore focus resources on the areas identified in the Review and assess the adequacy of current processes. In a speech given on 22 July 2014, Tracey McDermott said that the FCA believed that firms had made progress with their compliance standards, but that the FCA continued “…to see disappointing results from our work in many areas – anti-money laundering controls for example”. The FCA’s view, therefore, is that AML standards remain a problem.
The price of non-compliance?
The FCA has the power to enforce against breaches of FCA requirements (such as FCA systems and controls requirements) as well as breaches of the Money Laundering Regulations 2007. In relation to the latter, the FCA has the power to impose civil penalties on firms for breaches of the ML Regulations under Regulation 42. The FCA can also address AML failings through supervisory action. The FCA’s approach is one of early intervention and addressing emerging risks. Firms may be required to provide undertakings or agree variations to permissions to cease certain lines of business and take remedial action. Of course, these measures are likely to be backed up with attestations provided personally by senior management and the appointment of a Skilled Person. In TR 14/16 the FCA reports that it has taken the following action based on findings in the Review:
- four banks agreed to limit their business activities with high risk customers;
- three of these banks appointed a Skilled Person;
- three other banks are conducting remedial action under the supervision of external consultants; and
- enforcement investigations have been commenced into two banks.
Governance, culture and management information
Culture – Defining your risk appetite and deploying proper resources
Culture is a key area of focus for the FCA. Senior management must establish and maintain an ethical and compliant culture within their firms. Embedding the right culture is key, in the FCA’s eyes, to ensuring that firms behave compliantly on a sustained basis. The first step in this process is establishing and communicating the firm’s AML culture and risk appetite. This includes defining the level of risk that the firm is prepared to take on, such as the nature of its customer base and ensuring that appropriate resources are deployed to manage the risks arising from its business.
Governance
Firms should consider the governance arrangements around AML compliance issues. It is important for firms to be able to demonstrate senior management engagement and establish a forum in which AML issues can be raised and considered at the appropriate level. This may be through a committee structure (such as an AML or Financial Crime Committee) or through separate and regular consideration of AML issues at meetings of the Board, to which all relevant stakeholders (the MLRO and other relevant staff) are invited to attend and participate fully. It should be borne in mind that senior management are required to approve the establishment of a business relationship with a PEP (see Regulation 14(4) of the ML Regulations). The governance structure adopted by the firm can be used to approve onboarding of PEPs and other high risk customers and to ensure that relationships with them are monitored on a regular basis. In relation to monitoring, firms need to ensure that periodic reviews are carried out in relation to high risk customers and that transaction monitoring is also performed.
Management Information
The FCA suggest that MI should cover key risks, emerging trends, legal and regulatory developments, information on individual business relationships (e.g., the number of high risk accounts opened or closed) and the effectiveness of the AML control framework.
Foreign Banks
The FCA identify specific issues for foreign owned banks in that such banks may adopt the AML compliance standards of the head office’s jurisdiction. This may not in all cases be correctly aligned with UK standards.
Risk assessment and management
Identifying and assessing risk
A key part of the governance framework should be the AML risk assessment – identifying and assessing money laundering risk. Regulation 20 of the ML Regulations requires firms to establish and maintain appropriate and risk sensitive AML policies and procedures including in relation to risk assessment and management. This is reinforced by the Principles and also by the systems and controls requirements contained in SYSC 6. In their Thematic Review, the FCA found that over half of the banks visited had not assessed the money laundering risk inherent in their business. The issue identified by the FCA is that firms have tended to look at risks posed by individual customers and do not look at their businesses holistically. Firms need to ensure that they review and take into account a broad range of risk factors. The FCA make the criticism that certain firms only consider country risk and whether the customer is a PEP. Other risk factors to consider include the nature of the products or services sought, the business that the customer is involved in, the source of funds and the customer’s expected business activity. Customer risk assessments should be recorded and where the firm decides to go ahead with a higher risk relationship it should document its reasons for doing so – i.e., why the identified higher risk factors do not prevent the firm from going ahead with the relationship and how the firm proposes to manage the relevant risks.
Resources to manage risks
A key issue is ensuring that appropriate resources are deployed to AML functions. Firms should ask themselves whether the MLRO has the appropriate level of skill and experience, whether any other role that the MLRO performs gives rise to a risk of conflicts and whether any further FTEs are required to resource the AML function.
The FCA emphasises the need for firms to ensure that they perform proper transaction monitoring and customer reviews and adequate resources need to be available for this. A review of resources should also consider how quality assurance and internal audit review of the AML function and processes are carried out.
Customer due diligence
In its Review the FCA noted that CDD standards had improved and that most banks involved in the Review were adequately identifying and verifying their customers as required. An area of failing, however, was in ensuring that firms captured adequate information as to the nature and intended purpose of the relationship. In fact, the FCA state in their Review that the quality of EDD remains the weakest area for most banks visited in the course of the Review. According to the FCA, over three quarters of the banks reviewed failed to conduct adequate EDD on their high risk relationships. Problems identified by the FCA include:
- what and how much EDD they should collect;
- what they should do with EDD information collected;
- ensuring that the EDD collected is commensurate with the higher level of risks posed by the customer;
- failing to ask prominent PEPs for CDD information;
- failing to establish the source of wealth and source of funds;
- ensuring that adverse information is identified through open source searches and, where such information is collected, ensuring that proper use is made of it as part of the AML risk assessment; and
- ensuring that the right quality of EDD is collected on respondent banks.
Regulation 17 of the ML Regulations permits firms to rely on due diligence carried out by, broadly, other firms who are authorised credit or financial institutions. Reliance does not, however, absolve firms from the need to ensure that they comply with their own obligations under the ML Regulations. In this connection, firms need to ensure that the level of CDD or EDD carried out by the other firm on which they are relying is consistent with the risk assessment on the client that they have performed. For example, if a firm categorises a client as higher risk, then the firm must ensure that the firm on which it is relying has performed EDD to the correct standard. This highlights the need for firms to scrutinise the other firm’s policies and procedures for carrying out due diligence.
The FCA found that most banks had an adequate understanding of their obligations under the UK sanctions regime. However, the adequacy and effectiveness of sanctions controls varied significantly. Firms should consider the governance arrangements around the screening process and where responsibility sits for sanctions compliance. In this connection, the FCA state in the Review that where compliance are not responsible for sanctions issues, oversight of these matters tends to be weaker. Firms should, therefore, consider reinforcing compliance’s role where this is relevant. Firms should ensure that they understand their sanctions screening tools. The FCA expect firms to demonstrate an understanding of how their screening systems have been calibrated, including in relation to such matters as fuzzy matching. The FCA also criticised the fact that some banks did not perform sanctions screening in relation to certain transaction types such as direct debits, cheque and debit card payments. Firms should ensure that sanctions screening is performed against all relevant transaction types, as indicated in Chapter 7 of the Financial Crime Guide.
Training and awareness
Firms need to ensure that relevant and appropriately tailored training is provided to staff in key roles. The FCA found that staff in smaller banks tended to have weaker knowledge of AML and sanctions issues, with the exception of staff in private banks. More worryingly, the FCA found that the level of AML and sanctions knowledge among MLROs in a quarter of banks visited was inadequate. The FCA state in their Review that in certain cases firms changed their MLRO due to the FCA’s .
Financial crime guidance
Following the publication of the Thematic Review, the FCA have issued a Consultation on changes to the FCA’s Guidance on Financial Crime Systems and Controls (GC14/7). The proposed changes also take into account issues arising from the FCA’s Review on managing bribery and corruption in commercial insurance broking. The changes proposed by the Consultation in particular emphasise the need for firms to enhance management information systems and to perform better and more effective risk assessments. The closing date for the Consultation is 6 February 2015.