FCA warns firms over AML failings

What does this mean?

As part of its supervision work, the FCA has undertaken assessments of Annex 1 firms’ financial crime policies, controls and procedures. The letter outlines the key common weaknesses the FCA’s assessment identified and further requirements.

Business models

The FCA notes discrepancies between firms’ registered and actual activities, and the lack of financial crime controls to keep pace with business growth. Firms are required to notify the FCA of any changes within 30 days. Senior managers must consider the size and nature of firms’ businesses when assessing and implementing policies, controls and procedures to ensure they remain appropriate for the size of their business at all times.

Risk assessment

According to the FCA’s assessment, certain firms did not have a business-wide risk assessment (BWRA) in place or it was lacking sufficient detail. Some firms failed to tailor customer risk assessments (CRA) towards individual customer characteristics, and instead assigned a level of risk to a group of customers. Firms should review and update their BWRA and CRAs to identify, mitigate and control risks, as well as ensure regulatory compliance against MLRs.

Due diligence, ongoing monitoring, and policies and procedures

Based on the FCA’s assessment, some firms lacked sufficient detail in policies and procedures, creating ambiguity around actions staff should take to comply with their obligations. The FCA expects firms to ensure they have clear and up to date policies and procedures in place at all times.

Governance, management information and training 

The FCA noted a lack of resources for financial crime, inadequate financial crime training for staff, and the absence of a clear audit trail for financial crime-related decision making. In some cases, financial crime was considered on an exceptional basis in senior management meetings, rather than a standing agenda item.

The FCA expects senior management to take clear responsibility for managing financial crime risks, actively engage in firms’ responses and record those appropriately. Firms should also ensure that staff are aware of the related legislative and regulatory obligations. Depending on the size and nature of the business, firms must also establish an independent audit function with the responsibility to examine and evaluate the adequacy and effectiveness of financial crime policies, controls and procedures.

The FCA is likely to request firms to provide findings from their gap analysis, evidence of the actions taken to address the gaps identified. Firms must demonstrate progress with any remedial work and testing, to show that the policies, controls and procedures are effective and working as intended.

What do firms need to do?

The latest Dear CEO letter is yet another reminder from the FCA of its increasing focus on financial crime prevention. Annex 1 firms should expect the FCA’s enhanced monitoring to continue, but the themes and messages are relevant to all authorised firms.

The regulator expects firms to complete a gap analysis against each of the common weaknesses outlined, within six months. Firms should prioritise the work on gap analysis and ensure that it is completed in a comprehensive and robust manner. The senior managers responsible should have the adequate seniority and experience to effectively carry out the analysis. 

Firms should ensure that all activities, findings and remedy actions are clearly documented, shared internally and acted upon as soon as reasonably possible.

Next steps

The FCA expects all Annex 1 firms to assess their financial crime controls within the next six months, and will continue to monitor firms.