On 3 October 2018, the FCA published a thematic review on money laundering and terrorist financing in the e-money sector (Thematic Review). This review was conducted to better understand how Electronic Money Institutions (EMIs) assess and mitigate money laundering-related risks.
The findings of the Thematic Review were, in general, positive:
- According to the FCA, most EMIs have effective systems and controls in place, demonstrate a positive culture, have good awareness of their financial crime obligations and service only a few high-risk customers.
- EMIs, in general, have revised and updated their policies and procedures in compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). In particular, e-money issuers must comply with the lower transaction thresholds for the application of Customer Due Diligence (CDD) measures under the MLRs.
- The majority of EMIs monitor transactions effectively, often using automated technological solutions.
- When functions are outsourced to Programme Managers (PMs), adequate governance and audit measures are put in place to manage the risks.
Good practice and recommendations
The Thematic Review provides useful guidance, setting out examples of good and poor practice with regard to Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) controls. More specifically, the FCA notes the following:
- To ensure adequate information management, money laundering risks should be communicated to the senior management of the firm through clear and effective channels, in order to be assessed and managed accordingly. Documenting key financial crime-related decisions and follow-up actions is an example of good practice in this regard.
- Firms must identify and assess financial crime risk on the basis of a proportionate risk assessment. The business-wide risk assessment should be reviewed regularly to include all relevant factors and should be tailored to the nature of the business. It is important to ensure that not only are money laundering risks identified, but also that the appropriate control measures are implemented. Firms should also perform a business-wide risk assessment for each product and programme. The customer risk assessment should facilitate the establishment of an appropriate risk rating for each customer. Having an effective risk scoring method that uses several factors, including geographical location, expected turnover on account and types of products customers will be using, constitutes good practice. By contrast, limiting the customer risk assessment only to corporate customers and excluding retail ones is an example of bad practice.
- EMIs should put in place risk-based policies and procedures that are approved by senior management and reviewed to adequately reflect risks. Policies and procedures should also be documented and communicated to staff.
- During onboarding, the CDD process should be used to identify and verify shareholders and beneficial owners of corporate customers and screen them against Politically Exposed Persons (PEPs) and sanctions databases. When the CDD process is outsourced to PMs, EMIs should have a good understanding of the PM’s systems and controls either through spot-checking or periodic audits. In cases where e-money products have prescribed or restricted use, EMIs should understand the intended purpose of the customer relationship. In higher risk situations, EMIs should undertake Enhanced Due Diligence (EDD). For instance, this would be the case when retail customers exceed their spending limits or the product is deemed as higher risk.
- Ongoing monitoring allows firms to identify unusual activity that may give rise to suspicions of money laundering and/or may require filing of a Suspicious Activity Report (SAR) to the National Crime Agency (NCA). Although not required by law, automated systems may add value to transaction monitoring by dealing effectively with larger volumes of transactions. EMIs should follow a risk-based approach. Producing transaction monitoring reports that are reviewed by the Compliance Team, and conducting spot-checks on accounts where potentially suspicious activity has been identified, are cited as examples of good practice in this regard.
- Importantly, when CDD functions are outsourced to PMs, the legal responsibility always remains with the EMI. In this case, robust governance and oversight are advisable and the EMI must perform effective audits of the PMs, including dip-sampling files, on-site visits and audits.
- EMIs must ensure that their employees are given appropriate training so that they understand the relevant financial crime risks.