Common Control Failings Briefing
Lesson learnt from regulatory reviews
- In May 2021, the FCA has sent a letter* to the CEOs of retail banks to warn them to take action in response to common control failings identified in anti-money laundering.
- The FCA expressed its disappointment in persistent failings that resulted in regulatory intervention.
- The FCA reiterated the responsibility of all senior management to counter financial risk, and gave a deadline of the 17th September 2021 for retail banks to perform a gap analysis against each common weaknesses.
- Although the letter is address by the FCA to retail banks, the common failings are useful and applicable to all industries and firms subjected to Anti Money Laundering regulation (MLRs).
- Failing to perform the analysis could have serious consequences for non-compliant firms as the regulator provided this warning to firms.
Three lines of defence (3LOD)
The three lines of defence model not appropriately applied as the second line of defence completing check that ought to remain with the client facing first line of defence.
“In our experience, firms where those in business roles fully understand the relevant risks and know that part of their role and responsibilities is to help mitigate those risks, are significantly better at mitigating risks than their peers.”*
Ownership of key controls
UK Regulated branches or subsidiaries of overseas firms where controls are conducted by Head office, outsourced externally or to group function can struggle to demonstrate how the model is fit for the UK entity’s business model and risk exposure.
“[…] any systems or controls which are not bespoke [should be] reviewed and tailored to the financial crime risks within their firm, branch or subsidiary.”*
Senior Management sign-off
Evidence of sign-off of material financial crime related escalations is sometimes lacking and the governance framework not adequate to meet the MLRs requirements.
“We have previously taken enforcement action where firms’ governance arrangements were not adequately designed or effective.”*
Quality of BWRAs
The FCA is critical of BWRA that can either have insufficient detail on the financial crime risks exposure, may not adequately asses the mitigating control, lack the rationale to support the level of residual risk, or lack of UK specific risk assessment
“Where used correctly, the BWRA is a powerful tool to help firms understand their risk exposure, set risk appetite, and inform their mitigating controls including the customer risk assessment and levels and types of customer due diligence.”*
Generic CRAs
Risk exposure must be assess for each different types of relationships, different risk (e.g. differentiating between money laundering and terrorist financing risks) as well as inconsistent methodology applied for risk ratings.
“:[…] while firms tend to focus on the AML and sanctions risks posed by their customers, the assessment of other risks, for example tax evasion or bribery and corruption, is often overlooked..”*
Purpose and intended nature of a customer relationship
The FCA is highlights the importance of seeking and assessing that information. Lack of evidence of the assessment that the activity of the customer is in line with expectations was observed or that appropriate investigation has been made.
Weak enhanced due diligence
Risks posed by certain customer is not always mitigated appropriately. The risk-based approach may sometimes not tailored to the specific customer, and the purpose of obtaining different information not well understood.
“In some instances, […] firms have identified a Politically Exposed Person (PEP) relationship but do not evidence an adequate assessment of source of wealth (SOW) and source of funds (SOF).”*
Differentiating Source of Wealth and Source of Funds information
The regulator sees lack of risk-based measures to establish the customer SOW and SOF, and clarify that SOW and SOF are distinct requirements.
“For example, we identified a case of crystallised money laundering risk where failure to conduct adequate EDD led to the firm being used as a conduit to launder the proceeds of an overseas fraud.”*
Evidence of investigation
The FCA has reiterated that firms must clearly evidence that the work was undertaken when applying EDD measures in all high-risk.
Transaction monitoring systems
Firms must test whether their system is fit for purpose for UK entity and tailor systems or implement additional risk-based monitoring where appropriate. The individuals responsible for the system operation and effectiveness must understand its technical set up.
The FCA prompts firm to assess the calibration of their systems, the adequacy of thresholds, the adequacy of data feeds and its integrity.
Discounting rationale should be strengthened.
“Discounting rationales often fail to demonstrate the level of investigation undertaken or record a sufficient explanation as to why activity is no longer considered unusual when scrutinised against the customer’s expected activity.”*
Escalation path & decision-making process
Firms’ employees must know how to raise internal SARs to the nominated officer – this should be well documented and fully understood by staff.
The investigation and decision making process and rational for either reporting or not to the National Crime Agency must be documented
Next Steps
Meeting Senior Management Function Responsibilities
The FCA letter prompts firms to review their anti-money laundering framework and reinforces the senior management function’s responsibilities.
Mobilising the team around this goal can be a challenge especially in a business transformation context that many firms are currently experiencing.
GDFM can support you and your team addressing this challenge in a pragmatic way.