FCA’s “Dear CEO” letter on AML failings at UK Firms

FCA sets out themes it has identified from recent assessments of retail banks’ financial crime systems and controls 

The FCA has published a “Dear CEO” letter to retail banks on common control failings in AML frameworks (see here). The letter was sent on 22 May 2021 and published recently in anticipation of the FCA’s 2021 Annual Business Plan.  The FCA have confirmed that its Fraud Strategy is a priority area across all markets (see chapter 5). The FCA indicated that they aim to drive down fraud by carrying out proactive surveillance and monitoring and working closely with other anti-fraud partners to maximise its collective fight against fraud; with consumer protection and preventing online harm featuring as particular areas of focus.

Overview 

The letter warns that the FCA believes “action [is] needed” following its review work on AML systems and controls at UK retail banks and sets out the common themes the FCA has identified. The issues summarised in the letter reflect the main areas where, in the FCA’s view, some firms have fallen short of the requirements set out in SYSC 6.3, Money Laundering Regulations (MLRs), and the provisions of the Joint guidance on money laundering and terrorist financing. 

Areas of weakness

The areas in which the FCA considered that weaknesses existed included governance and oversight, risk assessments, due diligence, transaction monitoring and suspicious activity reporting (SARs). For all of these areas, the FCA felt that failure to document processes and decisions was a consistent problem. Further observations the FCA made included:

• Governance: the FCA endorsed the three lines of defence strategy and warned against blurring the lines of business roles and second line compliance roles. It emphasised that sign-off by senior management in certain high-risk scenarios is mandated in the MLRs, however firms failed to show evidence of this level of governance.
• Risk assessment: the letter observed the quality of business risk assessment was inadequate. Customer risk assessments were typically too generic without differentiating between particular risks and adjusting accordingly. Firms tended to focus on the AML and sanctions risks posed by their customers, without adequate assessment of other risks, for example tax evasion or bribery and corruption. Similarly, customer due diligence, and enhanced due diligence where necessary, was inadequately performed and recorded.
• Transaction monitoring: the FCA considered that in some firms monitoring was not calibrated appropriately for the business activities and underlying customer base.
• SARs failings: the FCA was concerned by instances where the procedures for employees to raise internal SARs to the nominated officer were unclear, not well documented or not fully understood by staff. An additional FCA concern was that some firms were unable to demonstrate their investigation, decision-making processes and rationale for reporting or not reporting SARs to the National Crime Agency. SARs are in the spotlight following the FINCEN leak, which has triggered the UK Treasury Select Committee Economic Crime Inquiry into money laundering and consumer protection from economic crime following the pandemic (see here).

Common themes

The letter illustrates several consistent wider regulatory themes. These themes include:

• Focus on operational resilience to ensure adequate systems and controls. The letter reflects an international trend of policy makers and regulators focusing on systems and controls failings in relation to AML compliance. In light of the novel challenges presented by the pandemic, regulators have placed even greater emphasis on assessing whether systems and controls have adequately detected money laundering and fraud. The UK FCA has warned that the pandemic makes it increasingly important to remain vigilant to new types of fraud and to enhance control environments where necessary to respond to new threats. The European Banking Authority (EBA) also recently published guidance that indicates financial institutions need to focus more on assessing their systems and controls to identify, assess and monitor AML risks. The US Federal Reserve, OCC, and other US agencies recently issued joint guidance clarifying the circumstances in which the agencies would take enforcement action for noncompliance with the Bank Secrecy Act (“BSA”) — the joint statement identifies the pillars of BSA/AML compliance programs as a system of internal controls, independent testing, designated individual(s) responsible for BSA/AML compliance, and training. The guidance follows the recent FINCEN enforcement action against Capital One for system and control failings.
• Senior management accountability. Where executives have failed to set a culture of AML compliance from the top, they may face enforcement action for failing to exercise sufficient oversight and/or allocate appropriate resources to evolving threats.
• Increasing regulatory scrutiny and enforcement tools. The letter follows the FCA’s recently launched criminal proceedings against NatWest for alleged breaches of regulations 8(1), 8(3) and 14(1) of the Money Laundering Regulations 2007 (MLR 2007). As we have explored, the sector is  asking whether the FCA may make more extensive use of its criminal powers under the MLR 2007.  The move follows the recent 2 June 2021 Crown Prosecution Service (“CPS”) guidance on prosecuting failure to report cases under s330 Proceeds of Crime Act 2002 (POCA) to indicate that it is possible to charge a person even where there is insufficient evidence to establish that money laundering has actually taken place.  It was also confirmed this month that the EU Commission intends to create a new AML authority that will directly supervise financial institutions with cross-border activities and have powers to impose fines totalling millions of euros for breaches of money-laundering rules.   

Next steps

The firms who received the letter are expected to complete a gap analysis against each of the common weaknesses outlined in the letter by 17 September 2021, taking prompt and reasonable steps to close any gaps identified and demonstrate compliance to the FCA.

The FCA said banks and their senior management should carefully consider the letter and take the necessary steps to gain assurance that their financial crime systems and controls are commensurate with the risk profile of the firm and meet the requirements of the MLRs. Financial institutions need to ensure they do not simply adopt a tick-box exercise in complying with operational requirements and fully understand the processes, even when outsourced to third party vendors.

The emphasis of the letter on the responsibility of senior managers means that those at the top of organisations need to exercise sufficient oversight over and have appropriate understanding of their firm’s AML controls. The FCA warns that the SCMR places a responsibility on “all senior management to counter the risk” and “we will continue to consider carefully whether the relevant SMF holders have carried out their responsibilities appropriately”.

In short, AML will be a focus area for the financial services sector as regulators continue the trend of exercising additional oversight and scrutiny of financial crime controls. The FCA Business Plan confirms preventing fraud by monitoring and surveillance remains of significant importance to the regulator.

A summary version of this blog was published by UK Finance here, and featured in the Members’ News in Brief.