FCA calls on retail banks to address continued weaknesses in AML frameworks

The Financial Conduct Authority (FCA) has recently published a ‘Dear CEO’ letter addressed to all UK retail banks. The letter, originally sent to banks in May 2021, sets out the regulators ‘disappointment’ to continue to identify several common weaknesses in key areas of firm’s financial crime systems and control framework.

Although the FCA saw some effective control frameworks and good practice during its assessments of firms, it expressed concern over the ‘persistent failings’ observed in ‘several cases’ that has resulted in regulatory intervention in recent months.

What were the main issues?

The letter was comprehensive in highlighting weaknesses across the entire AML/CTF control framework, from governance and oversight matters to the quality and completeness of risk assessments, due diligence, transaction monitoring and suspicious activity reporting.   

The issues were very similar to those raised in its 2011 Thematic Review of Banks’ management of high money-laundering risk situations. Does that mean that there has been little to no progress made by firms since 2011?

Firms may say that there has been a lot of change internally and prioritisation of AML risk and compliance since then. This may have included changes such as:

• reorganisation of departments and allocation of more headcount to financial crime and compliance
• more regular discussion and challenge of AML matters at Board and management level
• external, independent reviews carried out regularly by specialist firms
• more investment in training and skills, especially for those with first and second line AML responsibilities
• perhaps, exiting some higher risk relationships

But has all of this change and prioritisation resulted in actual progress, if we assume progress to mean that the bank is better equipped to detect, manage and report suspicious activity and actual breaches? 

Lets look at two particular issues raised by the FCA.

Governance and oversight

The FCA said that ‘firms often blur responsibilities between the first line business roles and second line compliance roles’. The regulator goes on to explain that where compliance departments undertake first line activities, for example, completing due diligence checks or risk assessments, it may result in the first line employees not fully owning or understanding the financial crime risk faced. It also restricts the ability of Compliance to independently monitor and test the control framework. This is an important point because it is the first line that interacts with clients initially and on a day to day basis. They know the client. So, it is essential they really understand the risks and do not rely on the second line to pick up red flags that really only the first line has the opportunity to spot. 

Over the years we have observed that many of our clients have adopted this model of the second line leading on due diligence and risk assessment in a bid to better manage AML risk. This model can and does work but only where the first line is also engaged and working well with Compliance. Often clients tell us about the first and second line ‘divide’ and how difficult it is to adjust this culture. The chances are that your AML/CTF framework is only partly effective if this culture exists. There really is no ‘quick fix’ to this one. But if this is your model (second line leading on AML risk) it is worth reassessing it especially if, after a few years, there is little change in the overall culture. The right leadership, management and training will help, and perhaps refocusing AML/CTF accountability on the first line.

Ownership of Key Controls

The FCA explained that UK branches and subsidiaries are often reliant on ready-made controls, frameworks and products from Group. It gave the example of centralised sanctions screening or transaction monitoring. The issue is that senior management of the UK entity are often unable to assure the effectiveness of the process or whether its fit for purpose in the UK regulatory and legislative landscape. 

This can be a difficult one to manage, and business culture (and of course budgets) is again often at the heart of the issue. UK MLROs sometimes tell us that they don’t feel listened to or supported at a Group level, and even with good intentions and support from the UK CEO, nothing really changes in this respect. We have seen that this can lead to the resignation of a good MLRO.

On a positive note, in recent years we have noticed that in some firms, Head Office want to be more actively engaged with us when we do a financial crime review of the UK firm. They want to understand more about the UK regulatory environment and obligations. This can only be a good thing. Hopefully it will lead to more understanding at Group level of the FCA’s expectations and the challenges that the UK MLRO faces.

Where do you go from here?

The FCA expects firms to complete a gap analysis against each of the common weaknesses it has outlined in the letter by 17 September 2021.

Depending on where you feel your organisation is in terms of maturity, this gap analysis might be a short exercise with relatively few action points. For others however, there may be nervous Board members that could want a more in-depth analysis.

Certainly, a gap analysis is the right place to start, but as we often see, a gap analysis is completed, the gap is plugged with a new control or a remediation exercise, often to reappear again down the line when the intense focus has shifted to another important matter.

Now is a good time to step back and relook at your AML/CTF framework with a different lens, especially if it has been through a lot of change and development in recent years. Are cracks appearing where too many gaps have been plugged without enough foresight or planning? Despite all your efforts, perhaps your team is still spending hours and hours clearing false positives, your business-wide risk assessment is just not hitting the mark, the technology rolled out from group HQ is just not fit for purpose, or maybe your customers are complaining about a lengthy and convoluted onboarding process.

It’s time to modernise your AML framework, make it run smoother and allow you and your team to focus on the truly high risks.

For example, when looking at the wider financial crime risk environment, having better, simpler and clearer documentation that staff can really understand, more accurate and thorough risk assessments based on a smaller, more focused, pool of external resources, having the right MI to allow better decision making. Of course, having the right technologies to enhance these processes is essential.

The challenge

However, this is not necessarily a straightforward exercise. What are some of the challenges that a firm may face?

• Business culture. As the previous examples highlight, the organisational culture is often the first hurdle. It might be a good starting point to examine your culture and identify the key factors that may prohibit your firm from making the progress the FCA is expecting.
• Embeddedness. It’s easy to write a policy, guide or procedure. The hard part is embedding it. Often, staff members are not aware of a policy or procedure (what is expected of them). This then inhibits a consistent approach and is a red flag for the regulator.
• Unsteady MLRO placement. We have noticed that since the introduction of the Senior Managers regime, and steady flow of enforcement actions being discussed or published by the FCA, many firms have seen many MLROs come and go and may have  an ‘interim’ MLRO in place. This may also be the case in the wider financial crime / compliance team. This ‘unsteadiness’ can often delay progress being made.

Final remark

All this being said, it is important to remember why you spend so much time thinking about financial crime risk and compliance. The scale and complexity of the UK’s financial services sector continues to make it attractive for criminals to launder the proceeds of crime among huge volumes of legitimate business. 

The UK’s 2020 National Risk Assessment unsurprisingly reported that the risk score in retail banking remains unchanged since 2017. It is high. Furthermore, the growth and integration of FinTech and the diversification in retail banking presents even more ways to abuse the sector.

Criminals continue to modernise their approach to money laundering, therefore the banking sector must keep up.