Following the FCA’s flurry of activity in 2021 and its recently announced 2022/23 Business Plan on 7 April 2022, the FCA has published findings of its multi-firm review into the financial crime controls of challenger banks.

The review highlights concerns about the adequacy of these banks’ checks when taking on new customers and expects challenger banks to evaluate their approaches to identifying and assessing anti-money laundering (AML) risks, particularly as their customer base and business areas grow.

Challenger banks should note the key findings of the FCA’s review, the wider UK National Risk Assessment which partly prompted this review and the FCA’s Dear CEO Letter from May 2021 addressed to retail banks. See our briefing here on the Dear CEO Letter.

Additionally, challenger banks must be prepared to give the FCA an update on their own financial crime framework as part of monitoring compliance with money laundering regulations - including any changes and remedial activity that may be undertaken.

In the event of enforcement action for AML failings, a failure to carry out a gap assessment and consider changes to their financial crime controls could be deemed to be an aggravating factor in any penalty calculation (see Step 3 of the FCA’s Decision Procedures and Penalties Manual).

Scope of the review

Acknowledging there is no universally agreed definition of the term ‘challenger banks’, the FCA cites the UK’s National Risk Assessment description: “a sub-set of retail banks that aim to reduce the market concentration of traditional high street banks using technology and more up-to-date systems” (Challenger Banks). It is also useful to note that the FCA considers there to be a further subset of Challenger Banks, known as ‘digital banks’, which have the following common features:

  • They primarily offer personal accounts.
  • They operate without a branch network.
  • They provide financial services through smartphone apps.

The scope of the FCA’s review, conducted in 2021, included 6 retail Challenger Banks which primarily consisted of digital banks (over 50% of the relevant firms) and covered over 8 million customers (meaning over 10% of the UK population). The review of financial crime controls covered a broad range of topics:

  • governance and management information;
  • policies and procedures;
  • risk assessments;
  • identification of high risk / sanctioned individuals or entities;
  • due diligence and ongoing monitoring; and
  • communication, training and awareness.

Summary Findings

The FCA did observe the following good practices, praising Challenger Bank innovation and the nature of certain controls operated:

  • Effective and innovative uses of data and information Challenger Banks collected to mitigate risks. These included non-traditional approaches to identify, verify and monitor customers – such as video selfies and mobile phone geolocation data.
  • Evidence of stand-alone financial crime policies and procedures being regularly updated and tailored to the financial crime risks of their specific business.
  • Some Challenger Banks mitigating fraud risk through incorporating additional monitoring for known fraud typologies at onboarding and as part of account monitoring. This included Credit Industry Fraud Avoidance System checking, as well as checks on customers using multiple devices to manage their accounts.

However, the FCA identified failings outweighing the positive features identified above, highlighting that the National Risk Assessment states “that many challenger banks depend on rapid customer growth for survival”. The FCA is clear in stating that this must not come to the detriment of, for example, complying with customer due diligence obligations as set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

The top 4 findings are:

1. Customer risk assessment (CRA)

  • Certain Challenger Banks did not have a suitably developed or detailed CRA and some Challenger Banks did not have one at all.
  • All Challenger Banks should have a suitable CRA. Without it, due diligence measures and ongoing monitoring activities cannot be effective or proportionate to a Challenger Bank’s customer base. Such risk assessments form the backbone of the systems in place to identify, assess, monitor and manage AML risk.
  • Once a CRA is established, it should also be regularly updated to reflect changes to business models, products and customers.

2. Customer due diligence (CDD) and enhanced due diligence (EDD)

  • Whilst basic identification and verifications were met, full customer information was not always obtained (including income and occupation details) to determine a customer’s risk profile. This led to an inability to fully assess the purpose and intended nature of a customer’s relationship, did not allow Challenger Banks to fully identify high risk customers and, subsequently, also undermined transaction monitoring.
  • CDD procedures were not always in place at customer on-boarding and the FCA states that transaction monitoring systems alone will not be sufficient, and Challenger Banks must comply with CDD requirements. Inadequate CDD means less effective transaction monitoring.
  • EDD was also not consistently applied, nor documented formally. A clear process for identifying and applying EDD to high risk customers, including other types of high risk customers to politically exposed persons and ineffective transaction monitoring alert management
  • Challenger Banks had inconsistent and inadequate rationales for discounting alerts, lacked basic information in investigation notes and lacked holistic reviews of such alerts.
  • Similarly, transaction monitoring alerts should be reviewed in a timely manner and adequate resources should be in place to enable this. Maintaining adequate resources is, as a reminder, a fundamental FCA threshold requirement (both at authorisation and on an ongoing basis, for regulated firms).
  • The above meant that suspicious activity reports (SARs) were impacted and not necessarily made as soon as practicable, as required under the Proceeds of Crime Act 2002.

3. SAR submissions

  • Noting the substantial increase in the volume of SARs and Defence Against Money Laundering (DAML) reports that Challenger Banks have submitted to the UK Financial Intelligence Unit (UKFIU) at the National Crime Agency (NCA), often these reports were for very low amounts which have a lower likelihood of resulting in law enforcement action.
  • Making reports, particularly DAMLs, when exiting customers which do not fit within your risk appetite should prompt Challenger Banks to consider whether such clients should have been onboarded in the first instance. Additionally, Challenger Banks must apply appropriate blocks where transactions are reported and Challenger Banks await a response from the UKFIU regarding a DAML.
  • Finally, the overall quality of SARs can be improved by:
    • Describing why certain transactional data is suspicious.
    • Detailing the circumstances giving rise to the suspicion.
    • Using SARs to report suspicious activity, rather than to report fraud or send information about predicate offences.
  • UKFIU publications, JMLSG guidance and the FCA’s Financial Crime guide all provide further information to help Challenger Banks with their reporting, whilst also considering other channels such as Action Fraud, to safeguard customers.

4. Financial crime change programmes

  • As Challenger Banks grow, either with new products, developing into new areas or taking on new and different types of customers, management must provide adequate oversight and appropriately implement change programmes to align with the nature, scale and complexity of its business and activities.
  • Clear project plans for control changes with key milestones, accountable executives and delivery dates are essential. Also, senior management should track projects and ensure key deadlines are met.
  • Wider governance, such as Risk Committees, Audit Committees and the CEO, should be involved in overseeing material developments in such programmes, to bolster the governance and provide challenge in financial crime change programmes.

Challenger Banks should also not forget their FCA Principle 11 notification obligations. In the context of this review, the FCA identified instances where there have been significant financial crime control failures and the Challenger Bank failed to notify the FCA. This could be prompted by Internal Audit findings, compliance reviews or whistle-blowers which highlight that financial crime control frameworks may not be fully compliant and remedial steps are required.

Summary

The FCA’s identified AML failings are wide-ranging, covering senior management and governance arrangements down to the quality of SAR submissions and the specificity of CDD and EDD checks, echoing and developing on findings from last year’s Dear CEO Letter.

Challenger Banks should conduct a gap analysis of the areas above and promptly work to amend the AML processes and procedures in place as necessary using appropriate resources and considering the breadth of financial crime guidance available to them.