In October 2013, the Financial Conduct Authority (FCA) published the much-anticipated report of its thematic review into anti-money laundering (AML) and anti-bribery and corruption (ABC) systems and controls at asset management and platform firms. The report follows the FSA/FCA's previous thematic reviews of ABC controls in commercial insurance broking (2010), ABC controls in investment banks (2012), and AML and sanctions controls in trade finance (2013). As with other thematic work, whilst the review is of a particular sector, the FCA expressly expects other regulated firms to consider the findings and examples of good and poor practice.
The FCA found a number of common weaknesses across firms, particularly in relation to ABC controls. "Most firms" failed to demonstrate adequate systems and controls for assessing bribery and corruption risks posed by third parties and for monitoring third party relationships, and had "more work to do" to ensure that bribery and corruption risks were appropriately mitigated. By contrast, whilst there were shortcomings in some firms' AML procedures in relation to (in particular) risk assessment and higher risk customers, most firms had a comprehensive suite of AML policies and procedures.
In this briefing we provide an overview of the FCA's key findings.
- FCA Methodology
The sample of 22 firms covered by the review included wealth and asset management firms, fund administrators and platform firms, with a range of sizes and business models.
In line with the FCA's current supervisory approach, the review was a relatively intrusive one. For example, in assessing whether there was sufficient senior management challenge and oversight of AML/ABC procedures, the FCA looked for documented evidence of senior management challenge during formal management and guidance committee meetings (which, at most firms, it found to be very limited or irregular), for evidence of "rigour" in following up on formal actions and issues raised, and for senior management to be able, at interview, to articulate the firm's key AML and ABC risks and risk management arrangements. It is insufficient for Compliance alone to be able to speak to these issues.
- FCA Findings
The report is not always clear, when describing the procedures that firms have put in place, as to whether (a) the FCA considers those procedures to be "good practice", or (b) whether the FCA is simply providing examples of practice for general information. Reading between the lines, however, the following recommendations can be distilled from the report:
- Governance, culture and management information
- Firms should be able to demonstrate that senior management are actively engaged in risk management, for example through sufficient engagement by board and management committees, effective flows of good quality MI and appropriate challenge and escalation of issues.
- Governance structures should be appropriately documented with clearly defined senior management risk roles and responsibilities – the FCA found this was generally the case.
- As noted above, senior management should be able to clearly articulate the firm's AML and ABC risks and risk management arrangements.
- Regular MI should be produced. The FCA found that MI was typically produced monthly for management meetings, aggregated quarterly for board-level meetings, and used to inform annual MLRO reports. The "more advanced" firms collated ABC MI on gifts and entertainment, ABC training and information on third party relationships. AML MI typically covered suspicious activity reports (SARs), politically exposed persons (PEPs), new account opening activity, AML training and regulatory developments.
- Firms should challenge the quality of MI to ensure it is meaningful, continually developed and utilised to monitor known risk as well as anticipate emerging risks.
- Firms should ensure that relevant committee meetings document the consideration given to AML/ABC issues, challenge (where relevant), and the closure and resolution of issues (see above).
- Internal audit and assurance capabilities should be appropriately developed and adequately resourced to conduct regular assurance work in this area.
- AML and ABC should not be operated in a "siloed" fashion.
- Risk Assessments
- Regular risk assessments should be used to assess AML and ABC risks. The FCA found that most firms had inadequate controls in this area; risk assessments were sometimes not undertaken, not documented, lacked appropriate consideration of relevant risks and/or were limited to one area of risk.
- Risk assessment processes should include collaborative engagement with front line business personnel.
- Risk assessments should include adequate senior management sign-off, review and challenge.
- Risk assessments should be conducted with adequate frequency (and not as a one-off exercise).
- Firms should be able to show how risk assessments were proactively used to inform the implementation of appropriate controls.
- AML Controls
- Firms should ensure their AML policies and procedures are up to date (some firms' policies contained inaccurate references to redundant regulations/rules).
- Firms should ensure that their customer risk classification approaches (e.g. categorisation of customers as high/medium/low risk) are properly implemented and documented – the FCA found multiple examples during file reviews of customer risk classification not being recorded or kept up to date.
- The definition of "high risk" customers should be clear. Some firms' senior management approval processes were compromised by incorrect, unclear or inaccurate definitions.
- Firms should ensure that CDD information such as ultimate beneficial ownership (UBO), source of funds (SOF) and source of wealth (SOW) is documented.
- Where a firm conducts periodic PEP screening (which most do), the firm should be able to evidence that the screening process has been consistently implemented.
- Policy documents and PEP definitions should reflect the corruption risk that is potentially posed by PEPs.
- Where 'reliance' is placed on other regulated firms (pursuant to regulation 17 of the Money Laundering Regulations (MLR)), firms should ensure that their reliance arrangements are adequately monitored and controlled; for example, by ensuring that the underlying CDD records are readily accessible and consent from the third party to be relied upon can be demonstrated.
- When undertaking transaction monitoring (a requirement of regulation 8 of the MLR), firms should ensure that monitoring alerts are reviewed in a timely fashion and the results of investigations are recorded.
- Transaction monitoring arrangements should be documented. This was a particular issue at some firms where transaction monitoring was outsourced to intra-group functions.
- The MLR require CDD information to be kept up to date. The "refresh cycle" for high risk customers was typically one year.
- ABC Controls
- Firms should ensure that their ABC systems and controls cover all ABC risk areas, including in particular third party relationships and payments, and are not limited to gifts and entertainment (G&E).
- G&E procedures should be clear so as to enable them to be applied consistently – some firms' procedures were "vaguely defined and open to interpretation".
- Firms should consider how they can use MI to monitor G&E, including cumulative expenditure.
- Firms should consider whether it would be helpful to record/to be able to provide evidence of G&E requests being declined in light of ABC risks. The FCA did not go so far as to say this is required, but noted that some firms were able to provide this information.
- Firms must have policies and procedures that clearly define the "third parties" that present a corruption risk, and which set out the firm's approach to the assessment, identification, selection and monitoring of third parties. Given the heavy emphasis on this area in previous FSA/FCA publications, and the fact that third party due diligence and controls are a key element of "adequate procedures" under the Bribery Act, it is perhaps surprising that firms' procedures in this area were not more developed. Whilst there is always scope for debate on the proper extent of due diligence, it is difficult to justify having procedures which are "not clearly defined" and which feature "weak due diligence and oversight arrangements" with respect to agents and introducers used to develop new business opportunities.
- The rationale for commission payments should be documented.
- Commission payments should be regularly monitored and reported on to senior management.
- Relevant contracts should include appropriate ABC provisions. Interestingly, the FCA observed that some third party arrangements "did not always include appropriate clauses in relation to bribery and corruption or the 'right to audit'" – but failed to clarify its expectations in relation to the use of audit clauses or exercise of audit rights. Firms will clearly need to have considered the use of such clauses and, depending on their risk profile, implemented these with respect to some (higher risk) third party relationship types.
- Risk assessments of third party relationships should be kept up to date on a risk-based review cycle.
- Firms should have third party payment controls in place. The report provides some examples of such controls but relatively little clarification as to what the FCA considers is or is not appropriate.
- Staff remuneration should incentivise staff to adhere to compliance-related objectives, which should form part of performance management metrics.
- Risk-based staff vetting controls should be in place. Most firms had implemented such controls, including enhanced vetting for approved persons. Some firms periodically repeated vetting for existing staff "but this is generally an area for further development".
- Firms must, of course, have appropriate training programmes. Consistent with previous publications, the FCA regards as "good practice" periodic basic training (typically repeated every 1-2 years) coupled with tailored training for relevant functions/roles. The FCA observed that most firms needed to do more to ensure that training was relevant to the firm's risks, was tailored, and had a strong practical dimension.
- Training should include "relevant third parties such as agents, introducers, or staff operating in outsourced functions". It is of course likely to be impracticable to train all the third parties that pose some corruption risk, so the key will be to assess which third parties, on a risk-based approach, should receive some form of training, and what form that training should take. The first step, therefore, remains the identification and risk categorisation of the types of third parties used by the firm, as highlighted above.
- Appropriate arrangements to govern training may include monitoring staff completion activity and incentivising staff to adhere to training requirements through performance management protocols.
This much-anticipated report provides relatively little new insight into the FCA's expectations of firms in respect of ABC compliance. What is striking is that "many firms" had failed to implement adequate third party ABC systems and controls despite the FCA's previous publications and enforcement actions in this area. Whilst the report reflects some element of 'regulatory expectation creep', the FCA's key criticisms are of firms' failure to follow the existing good practice points in the FC Guide.