During the last two years, the FCA has shown an increased interest in tackling financial crime. A number of thematic reviews have been conducted within the banking, insurance and asset management sectors aimed at assessing firms’ approach and management of financial crime risk, with a particular emphasis on anti-money laundering (“AML”) and anti-bribery and corruption (“ABC”) systems and controls. These thematic reviews were swiftly followed by enforcement actions against a number of financial institutions, the latest being the £7.6 million fine imposed by the FCA on Standard Bank for failings in its AML controls relating to corporate customers connected to politically exposed persons (“PEP”).
Firms, and senior management in particular, would be strongly encouraged to use the first half of 2014 to conduct a review of their AML and ABC policies and procedures, as well as their training programmes to ensure that these adhere to best practice, as expressed by the FCA in their October 2013 Thematic Review into AML and ABC systems and control at asset management firms. We set out a brief reminder of these best practice points below.
The FCA’s decision in Standard Bank plc
On 23 January 2014, the FCA fined Standard Bank plc (the “Bank”) £7.6 million for failures in its AML controls relating to corporate customers connected to PEPs. The FCA found that during the period between 15 December 2007 and 20 July 2011 (the “relevant period”), the Bank failed to take reasonable care to ensure that all aspects of its AML policies were applied appropriately and consistently to its corporate customers linked to PEPs.
The FCA reviewed the Bank’s AML policies and procedures, and found that the Bank had failed to consistently carry out:
- adequate enhanced due diligence (“EDD”) measures before establishing business relationships with corporate customers known to have links to PEPs; and
- an appropriate level of on-going monitoring for existing business relationships by keeping customer due diligence up to date.
The FCA considered these findings to be particularly serious because:
- the Bank provided loans and other services to a significant number of customers who were incorporated or operated in jurisdictions identified as posing a higher risk of money laundering;
- the Bank had identified that it faced issues with its ability to carry out timely on-going monitoring of existing relationships, but failed to take necessary steps to resolve the issues; and
- the FCA had previously taken action against a number of firms for AML failings and had stressed to the industry the importance of compliance with AML requirements.
The FCA added that, in the eyes of the regulator, firms which do not comply with AML and/or ABC regulatory requirements effectively gain a competitive advantage over fully compliant firms.
Why does it matter to asset managers?
Although, this was a case on AML failings focused on commercial banking activity, all regulated firms should take note of the FCA’s statement that failings will be considered particularly serious where firms have not sufficiently heeded guidance published by the FCA on AML and financial crime in general, whether in the form of enforcement actions or in thematic reviews.
Firms should be reminded that in October 2013, the FCA published the findings of its thematic review on “Anti-Money Laundering and Anti-Bribery and Corruption Systems and Controls: Asset Managers and Platform Firms” (TR 13/9), which found a number of common weaknesses across the 22 firms visited by the FCA, in respect of their AML and ABC systems and controls.
The FCA specifically stated that it expects firms to use the findings from that thematic review to assess their policies against the best practice points raised by the FCA. Firms should also take timely action to address any perceived inadequacies in their internal AML and ABC processes to avoid a heavy penalty in any potential enforcement action.
The thematic review: a brief reminder of the main findings
The FCA found that most firms had well-developed AML and ABC procedures, however these did not always reflect the latest regulatory requirements because firms did not always ensure that policies were reviewed and updated on a regular basis, nor did these policies translate into clear procedures to be followed. Particular mention was made of firms’ failure to demonstrate adequate systems and controls to assess ABC risk in relation to dealing with and monitoring third party relationships, such as agents and introducers.
A second area of concern for the FCA centered around senior management oversight and challenge, as well as the perceived lack of proactive management of risk, in particular around EDD and on-going monitoring of high risk customers.
Lastly, the FCA questioned the effectiveness of firms’ training programmes, which were deemed to lack specificity in relation to the particular risks faced by the firm.
The thematic review: detailed findings
The FCA’s findings were divided into five broad categories:
- Governance, culture and management information;
- Risk assessments;
- Specific AML controls;
- Specific ABC controls; and
- Staff remuneration, training and awareness.
Governance, culture and management information
Good Practice points:
- Senior management roles and responsibilities must be clearly defined.
- Firms must have a clear governance structure, with regular committee or board meetings to discuss risks, including AML and ABC risks. These meetings must be supported by good quality MI which contains sufficient granularity to enable senior management to properly discharge their functions.
- Senior management must provide a greater degree of rigour and challenge to the quality of MI, and must ensure that MI is monitored on an on-going basis so that it can be shaped to address new risks faced by the organisation.
- All challenge must be properly documented and meeting minutes must accurately reflect discussions regarding AML and ABC issues.
- Senior management must be able to clearly articulate the firm’s AML and ABC polices and the relevant risks faced by the organisation.
- Firms must have clear policies for the escalation of issues.
- Firms need to build additional capability in their internal audit and assurance functions to enable them to carry out regular reviews and assessments of AML and ABC risk frameworks.
Good practice points:
- Risk assessments should be carried out regularly in order to identify, assess and manage AML and ABC risks. These risk assessments should be properly documented with appropriate consideration being given to all relevant risks.
- The results of the risks assessments should be used to inform the implementation of additional controls, if necessary.
- Senior management should be fully engaged with the risk assessment process.
- The risk assessment process should follow a consistent methodology to categorise and identify risk.
- Firms should adopt a collaborative approach to risk assessment, and must ensure that front-line business personnel as well as compliance personnel are engaged in the process of assessing risks.
- Risk assessments should not be limited in scope to a specific country or to specific products. Instead firms should use these risk assessment as an opportunity to carry out a holistic review of their worldwide operations and/or product offering.
Specific AML controls
Good Practice points:
- Firms need to have clearly drafted and risk-sensitive AML procedures which require staff to pro-actively identify business relationships which pose the greatest AML risk. These policies should contain clear definitions of any potential risks. The FCA found that most definitions in AML policies did not clearly identify the corruption risks associated with PEPs. Similar findings were made in relation to documenting the ultimate beneficial ownership of companies, customers’ source of funds and their source of wealth.
- Senior management should demonstrate a clear support for the AML policies, which must be communicated to all relevant staff.
- Policies must be reviewed regularly to ensure that they do not contain inaccurate or out of date references.
- Firms must ensure that AML policies are effectively implemented through appropriate procedures.
- Customer Due Diligence (“CDD”) information must be kept up to date, with regular refresher cycles for high risk customers, typically requiring an annual review of the relevant documentation. Where reliance is placed on third parties to carry out CDD, firms must ensure that they have appropriate structures in place which allow them to exercise adequate oversight of the effectiveness of such arrangements.
- High risk customers must be subject to appropriate EDD and regular on-going monitoring.
- Transaction monitoring alerts must be reviewed expeditiously and the results of any further investigation must be accurately recorded.
Specific ABC controls
Good Practice points:
- Firms’ should put in place comprehensive ABC policies which encompass all risks relevant to the organisation, e.g. third-party relationships and commission-sharing agreements.
- ABC policies and procedures must contain clear definitions of what constitutes “third parties” with a relevant risk assessment. The firms’ approach to the assessment, identification, selection and monitoring of third parties must also be clearly set out.
- Gifts and hospitality policies should contain clearly defined procedures for the approval of gifts and hospitality requests to enable these policies to be applied consistently. These should include clear escalation procedures as well as definitions and further guidance, as appropriate.
- Firms should consider implementing gifts & hospitality specific MI to enable them to track cumulative expenditure over the years.
- Firms should consider documenting refusals to gifts and entertainment requests in order to be able to demonstrate the effective working of their ABC policies, where appropriate.
- Where firms receive commissions from or pay commissions to third parties, the rationale for such commission payments must be clearly documented. Third-party relationships must also be subject to regular reviews depending on their level of perceived risk.
- Firms should consider whether third party contracts need to contain ABC clauses, including “right to audit” clauses, and ensure that contracts are amended to reflect this where appropriate.
- Firms should put in place robust operational controls to monitor, review and approve third party payments.
Staff remuneration, training and awareness
Good Practice points:
- Staff remuneration must be linked to compliance and not just to financial performance.
- Firms should put in place appropriate staff vetting procedures.
- Firms must have in place appropriate training which is tailored to the individual’s specific roles. Generic training would be acceptable provided that it is supplemented with specific training with a strong practical dimension.
- Existing employees must be subject to periodic refresher trainings, usually annually or every two years depending on their role.
- Firms should also assess whether some third parties or employees working in outsourced functions also need to attend specific ABC and AML training.
Based on the above, we would advise firms to ensure that any review of their AML and/or ABC policies is well-documented, with sufficient attention being given to any potential findings or control enhancements at the appropriate governance committees.
Particular attention should also be paid to any procedures firms have put in place for providing guidance on the application of their AML and/or ABC policies, as well as for the monitoring of compliance with AML/ABC policies and procedures.
During the review process, and subsequently, all challenge or detailed discussions at Board or governance committee level should be accurately reflected in meeting minutes. Such documentary evidence could prove helpful to evidence that a firm operates to the required regulatory standards, if challenged by the FCA. It may also provide a degree of protection for senior management who are increasingly being asked by the FCA to provide personal attestations as to the adequacy of their firms’ systems and controls.