Legal development

AML Framework Controls: common failures observed by the FCA, SEC and FINRA


    What you need to know

    • The FCA noted common gaps in key areas of financial crime systems and control frameworks, namely: governance and oversight, risk assessments, due diligence, transaction monitoring, suspicious activity reporting.
    • The FCA expects firms to conduct a gap analysis by 17 September 2021, taking into account the firm's risk profile and its requirements under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (the MLRs) and the Senior Managers and Certification Regime (SMCR).
    • The U.S. regulators are focused on due diligence for transactions trading through omnibus, nominee or nesting accounts, especially if such trading involves high risk securities or occurs in restricted markets.

    What you need to do

    • Review the gaps highlighted by the FCA and U.S. regulators and ensure that all necessary steps are taken to gain assurance that any such gaps have been addressed.
    • Review and ensure that appropriate risk systems and controls have been implemented to ensure compliance with the relevant and applicable AML/CTF obligations.

    On May 21, 2021, the Financial Conduct Authority (FCA) published an open letter advising firms of certain expectations, particularly where it observed common weaknesses in firms' anti-money laundering (AML) systems and control frameworks. Although the letter is addressed to retail banks, the FCA will expect all firms to take note of its findings and recommendations, which relate to the following areas:

    • Governance and Oversight 
    • Risk Assessments 
    • Due Diligence 
    • Transaction Monitoring 
    • Suspicious Activity Reporting 

    While the findings are not novel, the FCA's approach is clear. Firms are required to complete a gap analysis against each of the common weaknesses by 17 September 2021, and in future engagements the FCA will ask firms to demonstrate the steps they have taken to address any gaps and to ensure that their financial crime systems and controls are commensurate with the firm's risk profile and the relevant legal requirements.

    While the FCA's approach is aligned with the regulatory focus in other jurisdictions, this article will also highlight several emerging issues from the United States. The common failures noted by global regulators are relevant to financial institutions worldwide and serve as a timely reminder of the areas firms should be addressing to ensure their systems and controls remain adequate and robust.

    Common Control Failings

    1. Governance and Oversight 

    Three lines of defence (3LOD) 

    Firms often blur the responsibilities between first line business roles and second line compliance roles. The first line of defence, day-to-day management and controls, should be the responsibility of front office business teams. The second line of defence refers to the functions that oversee risk, such as Compliance. The third line of defence is independent assurance. The FCA noted that activities such as due diligence checks and all aspects of customer risk assessment are first line business roles and should not be conducted by Compliance alone. First line activities should be undertaken by personnel who own and understand the financial crime risk faced by the firm, in order to effectively identify and tackle potentially suspicious activity. The Compliance function's remit is to monitor and independently test the control framework to ensure that it is in line with the firm's risk appetite; that remit is in direct conflict with Compliance's involvement in first line activities.

    The FCA further asserted that the key controls of overseas firms' branches or subsidiaries must be customised to local requirements, and that firms should not rely on 'off-the-shelf' controls, frameworks and products.

    Finally, the FCA noted that although sign-off by senior management in certain high-risk scenarios is mandated in the MLRs, firms are often unable to evidence that level of governance. The FCA asserted that it is good practice to have a governance committee responsible for key decisions relating to matters such as material financial crime escalations and high-risk customer sign-off. The FCA cautioned that enforcement action may be taken, and has previously been taken, where a firm's governance structure is not adequately designed or effective. Specifically, the FCA highlighted that branches of overseas banks and their senior management must have sufficient understanding of their local regulatory responsibilities and ensure that the three lines of defence model has been effectively implemented and appropriately resourced.

    2. Business-wide risk assessment (BWRA)

    The FCA unequivocally noted that "the quality of the BWRAs we have reviewed is poor". Financial crime risks, the assessment of mitigating controls and the consideration of local risk factors need to be sufficiently detailed and documented. In addition, BWRAs need to be customised to help firms understand their risk exposure and appetite, and to determine the appropriate controls.

    3. Customer risk assessment (CRA)

    The FCA noted that CRAs are often generic, primarily focused on AML and sanctions, and often fail to appropriately document the key risks and methodology (including the risks of other types of predicate conduct such as bribery and corruption and tax evasion). As such, the FCA recommended that risk assessments differentiate between money laundering and terrorist financing risks, consider all the risks posed, and record the rationale for specific risk ratings and the methodology used.

    4. Customer due diligence (CDD) and Enhanced due diligence (EDD)

    CDD and EDD continue to be among the most common challenges and are somewhat of a "low hanging fruit" for regulators. As under other regulatory regimes, the FCA has found numerous instances where CDD measures were not adequately performed or recorded.

    For example, it is recommended that firms record the purpose and intended nature of a customer relationship, including the source of wealth (SOW) and source of funds (SOF), together with an assessment of that specific risk and whether it is within the firm's risk appetite. The FCA asserted that firms often confuse the purpose of obtaining SOW and SOF information and use the same documents to satisfy these two distinct requirements. Where this information is not required, firms often did not outline the process for establishing the customer's SOW and SOF.

    In light of these findings, firms must ensure that they apply CDD across the board and perform EDD measures in all high-risk situations, and must evidence the work undertaken in accordance with the firm's risk-based procedures.

    5. Transaction monitoring

    The FCA noted extensive findings for transaction monitoring. In particular, the FCA cautioned that overseas firms should not rely on group-led transaction monitoring solutions which do not appropriately cater for the risks posed by the business activities and underlying customer base of the regulated entity. 

    In addition, transaction monitoring systems need to address the relevant red flags and typologies and ensure proper calibration. To this end, firms need to customise the relevant thresholds and parameters and cannot simply use ‘off-the-shelf’ calibration. Firms also need to demonstrate how the thresholds would relate to the levels of expected activity of specific customers.

    Understanding the technical set-up of the transaction monitoring system is also essential to ensuring that the system is operationalised to support any changes in the business, such that all transactional activity is captured. Effective monitoring requires regular assessment of the data feeds and the data integrity of the system. In addition, where transaction monitoring triggers an alert, firms should ensure that appropriately trained staff investigate the alert, consider it against the established customer profile and sufficiently document any decisions made during that investigation.

    The FCA demonstrated its willingness to enforce these AML/CTF principles in the recent fine for Commerzbank AG. The fine, for failing to put adequate anti-money laundering systems and controls in place, totalled £37,805,400 after a 30% discount for cooperation. By its own account, Commerzbank determined that its transaction monitoring tool was not fit for purpose and did not have access to key information from certain of Commerzbank's transaction systems, creating the risk that potentially suspicious transactions were not identified. For example, in 2015 Commerzbank London identified that 40 high-risk countries were missing from, and 1,110 high-risk clients had not been added to, the transaction monitoring tool. The FCA concluded that, along with Commerzbank's failures in its CDD and EDD processes, it had also failed to address long-standing weaknesses in its automated tool for monitoring money laundering risks.
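    The two monitoring failings described above, an 'off-the-shelf' threshold that is not tied to each customer's expected activity and high-risk clients or countries never loaded into the tool, can both be caught with simple controls. The following is an added illustration written for this article, not code from the FCA, Commerzbank or any vendor; the client identifiers, country codes and turnover figures are constructed placeholders.

```python
"""Constructed illustration: a monitoring-tool coverage check plus a
per-customer calibrated threshold, contrasted with a fixed one."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    customer_id: str
    amount: float  # constructed sample values in GBP


# Constructed KYC profiles: expected monthly turnover captured at onboarding.
EXPECTED_TURNOVER = {"C001": 2_000.0, "C002": 250_000.0, "C003": 15_000.0}

# Constructed firm-level registers versus what the tool actually has loaded.
HIGH_RISK_CLIENTS = {"C002", "C003", "C004"}
HIGH_RISK_COUNTRIES = {"XA", "XB", "XC"}  # placeholder codes, not real jurisdictions
TOOL_CLIENTS = {"C001", "C002"}
TOOL_COUNTRIES = {"XA"}


def coverage_gaps(register, loaded):
    """Items the firm classed as high risk that the monitoring tool never received.
    A non-empty result is a data-feed integrity finding, not an alert."""
    return set(register) - set(loaded)


def flag_fixed(txns, threshold=10_000.0):
    """'Off-the-shelf' rule: one static threshold applied to every customer."""
    return [t for t in txns if t.amount > threshold]


def flag_calibrated(txns, expected=EXPECTED_TURNOVER, multiple=3.0):
    """Threshold tied to each customer's expected activity. A customer with no
    profile is escalated rather than silently passed through."""
    out = []
    for t in txns:
        base = expected.get(t.customer_id)
        if base is None or t.amount > multiple * base:
            out.append(t)
    return out


SAMPLE = [  # constructed transactions
    Txn("C001", 8_000.0),   # 4x a small customer's profile: fixed rule misses it
    Txn("C002", 12_000.0),  # routine for a large customer: fixed rule over-alerts
    Txn("C003", 60_000.0),  # well above profile: both rules fire
    Txn("C009", 500.0),     # no KYC profile at all: calibrated rule escalates
]
```

The point of the calibrated rule is not the multiple itself but that each alert can be explained against a documented customer profile, which is what the FCA asks firms to demonstrate.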

    Similarly, in 2018 AUSTRAC fined Commonwealth Bank of Australia (CBA) $700 million for its AML/CTF compliance and risk management practices in relation to its Intelligent Deposit Machines (IDMs). AUSTRAC noted, inter alia, that CBA did not comply with the requirement relating to monitoring of transactions, as monitoring did not work as intended with respect to a number of accounts during a certain period. As a result, CBA made a number of changes, including upgrading its technology platforms and enhancing its controls.

    In order to better tackle transaction monitoring issues, an innovative program has recently been established by five major banks in the Netherlands (ABN AMRO, ING, Rabobank, Triodos Bank and de Volksbank) which allows them to collectively fight money laundering and terrorist financing via joint monitoring of transactions. The banks encrypt their transaction data and send it to a central function, which then undertakes the monitoring and reports back to each bank or, if necessary, to the Dutch financial intelligence unit. This progressive approach serves as better practice for identifying suspicious patterns and trends in transaction activity that form part of a wider criminal scheme and would otherwise be difficult for an individual bank with limited visibility to identify.

    6. Suspicious Activity Reports (SARs)

    The FCA noted that better policies and procedures are required around escalations, documentation and staff training in relation to SARs. Firms are expected to demonstrate their investigation, decision-making processes and rationale for either reporting or not reporting SARs. Ashurst recently published an article outlining AUSTRAC's guidance on submitting more effective suspicious matter reports (SMR). Specifically, the following should be considered when creating an SMR:

    • full visibility of suspicious activity;
    • effective description of red flags;
    • documenting an appropriate crime type keyword;
    • documenting ECDD actions performed and findings;
    • including all relevant know your customer (KYC) information;
    • clear and structured reporting; and
    • timely SMR submissions.

    Further details on each requirement are outlined in the article. 

    Emerging Findings from the United States Regulators

    The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) are the FCA's counterparts in the United States. FINRA's annual findings report on the Examination and Risk Monitoring program and the SEC's bulletin note several control failings in the AML frameworks. Some of the emerging issues are highlighted below. 

    Low priced securities and other fraud with Omnibus Accounts

    The SEC has cautioned firms about the risks arising from illicit activities associated with transactions in low-priced securities through omnibus (nominee or nested) accounts, where the identity of a foreign financial institution's underlying customer or the ultimate beneficial owner of the funds and securities is unknown to the firm because of the omnibus account structure. Even though the ultimate beneficial owner in this case may not be the firm's "customer" for the purposes of the CDD and EDD rules, there are circumstances where this information needs to be considered as part of the firm's AML control framework. The red flags below may denote high-risk situations that require further due diligence.

    • An account is opened in the name of a foreign financial institution that sells shares of stock on an unregistered basis on behalf of customers.
    • The account uses a master/sub structure, which enables trading anonymity with respect to the sub-accounts' activity, and engages in trading activity that raises red flags.
    • There is a sudden spike in demand and price in a thinly traded or high-risk security.
    • The customer's activity represents a significant proportion of the daily trading volume in a thinly traded or high-risk security.
    • The customer is domiciled in, or is doing business in, a jurisdiction that is known as a bank secrecy haven, tax shelter or high-risk geographic location.
    • The customer, for no apparent reason, engages in transactions involving riskier types of securities, such as low-priced securities or bearer bonds, which although legitimate have been used in connection with fraudulent schemes and money laundering activity.
    • A customer buys and sells securities with no discernible purpose or in circumstances that appear unusual.
    • Two or more unrelated customer accounts at the firm trade illiquid or higher-risk securities suddenly and simultaneously.
    • The customer appears to buy or sell securities based on advance knowledge of pending customer orders.

    Therefore, firms need to undertake further due diligence where trading occurs through omnibus, nominee or nesting accounts, especially where red flags are present.

    Due Diligence in Restricted Markets

    In addition to transacting in high-risk securities through omnibus accounts, firms should also conduct reviews of foreign nominee accounts that appear to have been opened to invest in initial public offerings, and in subsequent aftermarket trading, in products or markets that are restricted. FINRA specifically outlined the due diligence required where accounts are opened at the discretion of others, where multiple accounts are opened using the same foreign bank, or where multiple accounts are opened with the same employer and email domain. More broadly, FINRA's findings suggest that firms should be more diligent in designing controls that monitor trading in restricted or emerging markets.

    Ashurst regularly advises and assists financial institutions with the performance of gap analysis across a broad range of risks, including anti-money laundering frameworks.

    Authors: Tanya Raitsina, Director; Tim Brookes, Director; Ruby Hamid, Partner; Neil Donovan, Senior Associate; Samantha Carroll, Counsel; and Kim Yen Nguyen, Associate.


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, all part of the Ashurst Group. 
