A recent publication by the Financial Conduct Authority (TR18/3) makes clear that identifying and addressing financial crime risks must remain a key priority for those at senior management and board level. The paper sets out the FCA’s findings following its review of anti-money laundering and counter-terrorist financing controls and policies across the e-money sector, which includes pre-paid cards and digital wallets.
While the paper was focused primarily on Electronic Money Institutions and was a timely assessment of specific new rules introduced in June 2017 which impacted upon such institutions, the wider application of the paper’s findings are evident and will likely be of interest to all firms falling within the scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“2017 Regulations”).
The relevant focus areas and corresponding findings can be summarised as follows:
- Governance & Management Information
The importance of record keeping was restated as the paper called for key decisions on financial crime issues and follow-up actions to be documented, warning that failure to do so constitutes poor practice. Regular dialogue between senior management and relevant employees within compliance departments, including ensuring effective channels for sharing Management Information, was identified as a useful way to ensure risks are adequately communicated and managed.
- Money Laundering Risk Assessments
Business-wide risk assessments should be comprehensive, up-to-date and commensurate with the nature, scale and complexity of the firm’s business activities. The paper commends engagement from the board during the preparation of risk assessments, with the evidence suggesting this usually yields a better outcome. This seems an essential requirement bearing in mind the financial and reputational risks that mistakes in this area can produce. It was also clear that the FCA expects bespoke risk assessments to be put in place, which have regard to the firm’s specific business model and offerings.
Having an effective scoring method to identify individual client risk across all client bases, using a variety of factors such as geographical location and the expected products a client will use, was also regarded as essential. However, there has to be follow through and effective use of the data collected. One may have appropriate systems but you need to use these effectively.
- Policies and Procedures
Closely connected to the concept of adequate risk assessments is the recommendation to ensure sufficiently robust policies and procedures are in place in order to mitigate and manage effectively any risks identified. Such policies and procedures must be updated regularly to ensure emerging risks and legal/regulatory changes are considered and encapsulated, with updates being communicated to employees at appropriate intervals. It is important that staff are familiar with policies and have training on how to implement these. Again one can have on paper effective and well- designed policies but if your staff are poorly trained on implementation, these will not serve their purpose.
- Enhanced Due Diligence & Ongoing Monitoring
Certain circumstances, including where firms have identified an increased risk of money laundering or terrorist financing within their client base (or a particular subset within it), will require enhanced due diligence. Those with higher risk clients (such as politically exposed persons) should be taking a risk-based approach here and carrying out enhanced ongoing monitoring where appropriate, ensuring clear processes are in place and sufficiently detailed guidance outlining the firm’s approach to enhanced due diligence is made available to staff.
Firms who outsource the performance of client due diligence retain ultimate responsibility for the service providers’ checks and should take adequate steps to ensure these are being carried out properly. The paper confirms that the FCA expect to see a robust approach to governance and the oversight of service providers where outsourcing arrangements are in place, and suggests a number of mechanisms by which this can be achieved and evidenced. These include auditing at appropriate intervals, carrying out on-site visits and random file checks to ensure that client due diligence policies are being properly adhered to.
- Staff Training, Communication and Awareness
Staff must be equipped with the appropriate skills, knowledge and expertise required to carry out their role. The paper was critical of those firms who base their training materials solely on reporting suspicious activities, and noted that a narrow approach when designing training content may ultimately result in staff failing to apply properly the firm’s anti-money laundering policies and procedures.
In many ways there is nothing particularly new in the FCA Review. As always the burden of compliance and at the same running an effective business, throws up a number of challenges. As many recent cases of cyber- crime have shown, those engaged in money laundering and cyber -crime are skilled at what they do and seem adept at probing into any systemic weaknesses. The rewards appear to justify the effort. Businesses must be equally adept at responding to the challenges and as the paper shows, this requires a good deal of commitment and vigilance within a business.