On 21 November 2016 the FCA issued a booklet aimed at consumer credit firms setting out good and bad practice on compliance with obligations under the Money Laundering Regulations 2007 (MLR). While directed at consumer credit firms, the booklet is, of course, relevant to all firms subject to the MLR.
Financial crime is one of seven regulatory priorities for the FCA according to its 2016/17 Business Plan. It also remains an area of enforcement focus with the FCA. Most recently, on 12 October 2016, the FCA fined Sonali Bank £3.25m for a series of money laundering systems and controls failings. The Bank's MLRO was also fined and prohibited from holding the MLRO function and from performing any MLRO or compliance oversight function.
The risks posed to consumer credit firms differ from risks for other financial services firms. According to the JMLSG, in the consumer finance context the main money laundering risk arises from an acceleration in the repayment schedule whereby the borrower may seek to use tainted funds to repay borrowings and launder money in that way. Lenders also have to deal with fraud and identity theft issues which can also feed into money laundering concerns.
We set out below the key messages from the FCA together with recommendations on action that firms should take.
Of all the above issues, there are two in respect of which firms should place special emphasis.
Governance: the accountability of senior managers to guard against financial crime is provided for under high level standards in the FCA Handbook in respect of systems and controls. In this regard, a firm must allocate to a director or senior manager (e.g. the money laundering reporting officer) overall responsibility.
It is vital that proper reporting lines are in place and that information can reach management and relevant committees in a timely fashion for consideration and action, where necessary. With the roll-out of the Senior Managers and Certified Persons Regime to all financial services firms in 2018, the incentive on managers to ensure that reasonable steps have been taken will be further increased.
There is also the threat posed by cyber attacks and the corresponding need to ensure data security. The growing use of technology in delivering services to clients, and the sheer amount and nature of the data involved, make cyber security a key issue. The Data Protection Act 1998 requires that information must be kept securely and protected against criminals who would, for instance, commit identity theft. Good data security policies and appropriate systems and controls are a necessity in ensuring that staff understand their responsibilities and in demonstrating compliance to regulators, including the Information Commissioner's Office with its growing penalty powers.