The FCA’s Dear CEO letter: Action needed in response to common control failings identified in anti-money laundering frameworks

The Financial Conduct Authority (FCA) has written to CEOs of Annex 1 financial institutions (i.e., firms providing services including some types of lending, payment services and money broking) to set out findings from its recent assessments of firms’ compliance with money laundering regulations. The FCA has requested these firms assess their financial crime controls against four common control weaknesses by September 2024. Below we summarize the FCA’s findings and provide examples of the related gaps we have seen in our work with Annex 1 financial institutions.

Identified control weaknesses

1. Business Model:

The FCA identified the following weaknesses in relation to firms’ business activities and development of financial crime frameworks alongside business growth.

  • Discrepancies between registered and actual activities: Firms are responsible for updating the FCA with any changes to their activities within 30 days of the change. Any discrepancies and/or delays in reporting changes to business activities may indicate a failure to align with regulatory requirements.
  • Failure to develop financial crime frameworks in line with firms’ rapid business growth: The FCA concluded that, for some Annex 1 firms, financial crime policies, procedures and controls have not kept pace with the size and complexity of the business, resulting in an inadequate financial crime framework. This shortfall poses a substantial risk, indicating a potential gap in understanding, preventing, and detecting illicit financial activities linked to money laundering (ML), terrorist financing (TF) and proliferation financing (PF).

Based on Protiviti’s experience, we have noted that some rapidly growing firms have not developed mature governance and control frameworks to manage financial crime risk given competing priorities during times of growth and expansion. In these instances, updates to financial crime policies, controls and procedures and reviews of the adequacy of their financial crime teams and training are often de-prioritised.

2. Risk Assessment:

The FCA noted poor practices in Business-Wide Risk Assessments and Customer Risk Assessments, including:

  • Business-Wide Risk Assessments (BWRA) are sometimes completely absent or insufficiently documented, preventing firms from having a clear and comprehensive view for evaluating the applicable ML, TF and PF risks and being able to develop appropriate mitigating controls. The FCA explained that firms should review and update their risk assessment methodologies and assessments to help ensure the appropriate risks are identified and assessed, and that the results are used to inform risk-based policies, procedures, and controls.

Based on Protiviti’s experience, we have noted the following examples of weaknesses within the BWRA:

- There is a lack of senior management involvement in the BWRA process.

- Firms often view a BWRA as a ‘tick box exercise’ conducted on a standalone basis as opposed to a dynamic risk management tool used to drive and prioritise ongoing updates to the financial crime framework.

- Firms lack a robust approach with appropriate rigour and detailed methodologies underpinned with analytics and qualitative characteristics to assess financial crime risks.

  • Some Customer Risk Assessments (CRA) are not tailored toward individual customer characteristics, such as nature of business relationship or jurisdiction of business operation. The FCA explained that CRAs should help enable firms to take a holistic view of the risk associated with the customer, and enable firms to apply the appropriate level of due diligence to manage the risks identified.

Based on Protiviti’s experience, we note the following examples of weaknesses within the CRA:

- Relevant up-to-date data is often unavailable for firms to risk assess their customers appropriately due to inadequate KYC (refer to section 3 below).

- All relevant geographical risk factors may not be considered in the CRA. For example, some firms only consider country of incorporation, rather than country of operations or connected parties.

3. Due Diligence, Ongoing Monitoring, and Policies and Procedures:

The FCA found that customer due diligence (CDD) policies and procedures often lack sufficient detail and are outdated, resulting in ambiguity regarding the actions staff should undertake to adhere to their obligations under the Money Laundering Regulations (MLRs). The FCA’s letter explains that firms should review their policies and procedures to ensure clear guidance is provided to staff to ensure compliance with the MLRs.

Based on Protiviti’s experience, we have noted the following examples:

- Many firms are doing more DD than what is required by the MLRs, and these deviations above and beyond requirements should be reviewed to help ensure alignment with the risk appetite and staff productivity expectations.

- Some firms do not have clear desktop operating procedures that address policy requirements, nor do they enable team members to understand why they are doing what they are doing, leading to inconsistent and incomplete handling of end-to-end processes.

4. Governance, Management Information, and Training:

The FCA identified weaknesses across financial crime team resourcing, training, and governance:

  • Inadequately resourced financial crime teams, including a lack of appropriate senior management oversight, were identified, indicating a potential lack of commitment and priority in combating financial crime within the firm.

Based on Protiviti’s experience, we have noted the following examples of weaknesses within resourcing:

- Financial crime teams are sometimes staffed with inexperienced resources, often due to rapid growth and lack of operational capacity.

- The distribution of resources within financial crime teams is sometimes not aligned to the prioritisation of tasks, indicating a potential mismatch between the allocated resources and the critical risk areas requiring attention.

- Firms sometimes lack appropriate senior management oversight of the financial crime framework, resulting in a potential lack of strategic guidance and coordination in combating financial crime.

  • Lack of emphasis on financial crime training was noted, with crucial topics not being covered and minimal role-specific training provided, raising concerns about the competence of staff in recognizing and addressing potential financial crime risks. The FCA requires firms to provide employees with regular appropriate training in how to recognise and deal with ML/TF related situations and maintain a record of this.

Based on Protiviti’s experience, we have noted the following examples of training related weaknesses:

- Firms sometimes fail to invest sufficient time and/or resources into providing adequate targeted training on identification of ML/TF/PF red flags.

- Role-based training is often not detailed enough and sometimes not performed at all.

  • Weaknesses in firms’ governance and management information (MI) were found, particularly in relation to record keeping of financial crime decision-making, indicating potential gaps in accountability and oversight. Clear documentation of decisions made by senior management with a suitable rationale must be retained to demonstrate compliance and respond effectively to regulatory inquiries. In addition, financial crime compliance should be given sufficient importance and discussed as a standing agenda item during senior management meetings.

Based on Protiviti’s experience, we have noted the following examples of weaknesses with governance and MI reporting:

- Challenges with obtaining accurate and relevant data are prevalent in many firms, especially due to varying formats of data collection across business units. Some firms do not have appropriate data validation or reconciliation controls to support MI reporting development.

- For the reasons noted above, some firms struggle to provide consistent and credible reporting to senior management. This can lead to insufficient understanding of financial crime risks by senior management and potentially misinformed decision-making.

What do firms need to do?

Firms’ senior management should review the Dear CEO letter alongside the UK 2017 Money Laundering Regulations, JMLSG guidance and the FCA handbook.

A comprehensive gap assessment of firms’ financial crime frameworks (including policies, processes and procedures) must be performed against the four areas highlighted above by September 2024. Senior management should be actively involved in overseeing and owning the gap assessment, which should be clearly documented and readily available for the FCA upon request.

Following the gap analysis, actions to remediate identified gaps should be promptly reviewed and agreed with buy-in from the 1st and 2nd lines of defence. A remediation plan should be developed, with actions reasonably prioritised using a risk-based approach and adequate resources allocated. Progress against the remediation plan should be closely monitored by senior management and regularly reported to stakeholders including the Board and Internal Audit. Closure of gaps should be clearly documented and evidenced, and available to share with external reviewers including regulators if requested.

How can Protiviti help?

Protiviti’s Financial Crime Compliance team has a proven methodology to conduct risk-based reviews and gap assessments to FCA regulatory requirements. Our specialised services are designed to identify both areas for uplift and opportunities where efficiencies could be gained, subject to internal approvals. We also provide robust project management capabilities coupled with financial crime expertise to comprehensively support and manage every aspect of the gap assessment and subsequent remediation actions.


Connect with Our Expert Specialists

This blog has been contributed to by Stephanie Yuen, Maya Vithlani (née Parmar), Melissa Ferri, and Ken Irving.

If you would like to discuss your approach to financial crime compliance, please contact Melissa Ferri ([email protected]), Christine Reisman ([email protected]) or Bernadine Reese ([email protected]).
