Fri, Jul 2, 2021

FCA Dear CEO Letter: Action Needed by Banks in Response to Identified AML Control Failings

Following its recent assessment of retail banks’ financial crime systems and controls, on 29 June the FCA published the Dear CEO letter it sent to banks on 21 May, expressing disappointment that it continues to observe poor practices in key areas of financial crime systems and control frameworks. We summarise the key findings below.

Governance and Oversight

The FCA found that firms continue to blur responsibilities between the first line of defence (1LOD) and the second line of defence (2LOD). For example, in some firms all due diligence checks and all aspects of the customer risk assessment are completed by compliance, which restricts the ability of the 2LOD to independently monitor and test the control framework and can lead to gaps in the understanding of risk exposure.

Another area that received the FCA’s attention is an overreliance by UK-regulated branches or subsidiaries of overseas firms on head office and group functions. Senior management and compliance personnel could not demonstrate to the FCA that any assurance work had been undertaken on the effectiveness of the group processes.

Sign-off by senior management in certain high-risk scenarios is mandated in the Money Laundering Regulations (MLRs). However, firms did not always evidence this level of governance. Where higher risk factors are identified, or where approval of senior management is mandated, the FCA expects firms to have a governance committee responsible for key decision making on matters such as material financial crime-related escalations and customer sign-off at onboarding and periodic review.

Risk Assessments

The general quality of the business risk assessments was poor and, in some instances, there was no detail of the financial crime risks to which the business is exposed, which somewhat defeats the purpose of the risk assessment. In some cases, the FCA noted that the business risk assessment was completed at group level and did not cover the specific risks present in the UK.

Customer risk assessments were found to be too generic to cover different types of risk exposure relevant to different types of relationships. Some firms demonstrated instances where the rationale for specific risk ratings was not clear.

Due Diligence

The most common issue with due diligence measures is the lack of proper due diligence, or of any record that it has been undertaken. In many instances, the FCA found that the purpose and intended nature of a customer relationship had not been established and that the information gathered had not been assessed.

In higher-risk cases, the most common weakness continued to be the identification and verification of source of funds and source of wealth. Performing the right level of due diligence depends directly on a robust customer risk assessment, so failures in the two areas are linked.

Transaction Monitoring and Suspicious Activity Reports (SARs)

The FCA continued to see that group-led transaction monitoring solutions had not been calibrated for the business activities and underlying customer base in the UK. Some monitoring systems were based on arbitrary thresholds, often using the “off-the-shelf” calibration provided by the vendor without adequate tailoring or understanding of how the system worked. Furthermore, the rationales supporting the discounting of transaction monitoring alerts were often poor and failed to demonstrate the level of investigation undertaken.

Lastly, many firms were not able to demonstrate that the SAR reporting process was clearly documented and fully understood by staff. The FCA found that some firms could not demonstrate their investigation and decision-making processes and rationale for either reporting or not reporting SARs to the NCA.

The FCA expects firms to complete a gap analysis against each of the common weaknesses it identified by 17 September 2021 and warned retail banks that it is likely to ask for evidence of the steps taken in the future.

How we can help

Kroll assists a wide range of financial services firms to identify, remediate and manage regulatory risk in their business, including developing risk assessments and sound due diligence and monitoring practices that are tailored to individual firms. We operate globally, meeting our clients’ diverse needs and gaining exposure to risks associated with countries around the world. We often undertake review-and-recommend style assessments that identify hidden gaps in firms’ financial crime systems and control frameworks and provide tailored, practical recommendations on how to address them.
