Anti-money laundering compliance - what does the FCA expect in 2023
16 January 2023
16 January 2023
The FCA has kicked off its 2023 focus on anti-money laundering (AML) with fines against two banks for AML compliance failures. This comes on the back of enforcement action against six further regulated firms or individuals in the past 12 months, for failures related to AML systems and controls.
With AML compliance at the top of the FCA's enforcement agenda for the coming year, Ashurst's financial crime specialists take a look at the root causes of AML failings in recent enforcement cases and highlight five key takeaways for firms to consider.
A unifying theme of the FCA's recent decisions is the identification of AML compliance failures in the absence of direct evidence that money laundering has occurred. Principle 3 of the FCA's Principles for Business requires a regulated firm to "take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems". The breadth of Principle 3 permits the FCA to sanction firms for compliance failures in relation to their AML systems and controls, without identifying specific breaches of the UK Money Laundering Regulations.
We see the FCA examining the risk of money laundering, created by inadequate systems and controls, rather than focusing on whether criminal activity has, in fact, occurred.
Here is our analysis of key takeaways from recent enforcement decisions in which we identify the FCA's expectations of regulated firms in relation to AML compliance.
A recurring theme is the FCA's expectation that regulated firms can produce evidence of their assessment of the money laundering risk posed by individual customers. The regulator views the risk assessment as a key tenet of a firm's AML compliance framework.
Failure to maintain records of historical risk assessments and customer risk designations was highlighted by the FCA in a number of Final Notices, in addition to inconsistencies in the approach of regulated firms to risk-rating their customers. The FCA has emphasised that customer risk designations should be based on individual assessments rather than a broad view derived from a customer's geographic location. Similarly, customer risk ratings should be reviewed periodically to ensure the frequency at which each risk level is monitored does not become a limiting factor in the accuracy of a risk assessment.
The FCA has stressed that risk assessments are a component of AML compliance frameworks in their own right, as distinct from the additional measures required where customers pose a higher risk from a PEP or sanctions perspective. The FCA has been critical of firms where it was found that they had no formal risk assessment of customers, except for politically exposed persons and individuals linked to sanctioned countries.
|Area for action: Firms should take a cost-effective but dynamic approach to mitigating risk. Firms should deploy tailored risk assessments that can be calibrated for changes to the shape, size and offerings of the firm. Ultimately the firm should be able to stand behind its risk assessment: Not only should it articulate where the genuine risks are within the organisation, but it should be clear what action is being taken and the rationale for doing so in light of the risks.
A common criticism of regulated firms is their failure to carry out adequate customer due diligence (CDD) and enhanced due diligence (EDD) at the point of onboarding a customer. In a recent Final Notice, the FCA found that a bank relied on due diligence carried out by group entities in other states in the knowledge that the required standards under the UK Money Laundering Regulations would not be met. Similarly, the FCA criticised another bank for failing to adequately establish the source of funds and wealth of higher-risk customers.
|Area for action: Firms should ensure that the AML framework is proportionate. The key controls such as onboarding and screening need to address the actual risks that demand any heightened scrutiny. Enhanced due diligence, for example, doesn’t just mean doing more, rather any additional steps need to be informed by the specific risks that have been identified.
The requirement for regulated firms to have ongoing regard to their regulatory requirements and the expectations of the FCA was reiterated in recent Final Notices.
In particular, the FCA has criticised firms for failing to adequarely follow up on outstanding CDD and EDD document requests, in addition to calling out firms who have prioritised opening accounts with new customers over the periodic review of existing accounts.
The FCA has made clear its expectation that firms should have ongoing regard to guidance and other decisions it publishes in relation to financial crime failures in regulated firms. Recent Final Notices have referred expressly to other Notices or guidance on AML weaknesses, and have criticised firms for failing to have regard to this body of information when addressing their own compliance frameworks.
|Area for action: Firms should ensure that adequate ongoing monitoring procedures are embedded throughout the business. Opening new accounts will generate revenue, but failing to review existing accounts does not help the firm to grow safely. The latter must be prioritised to understand the evolving risk already within the firm, alongside new business.
Adequate training of staff in relation to financial crime risks and regulations was identified as a weakness in recent Final Notices. For example, in relation to one bank, the FCA found that: (i) induction AML training was not specific to its products and customers, and tailored training was not offered based on an individual's role or responsibilities; (ii) the bank did not maintain an AML training log; and (iii) inadequate training formed the background to other failures identified in relation to risk assessments, due diligence and ongoing monitoring.
More generally, the FCA has expressed concern that inadequate training leads to employees charged with due diligence responsibilities having insufficient knowledge of the relevant regulatory requirements to carry out their role.
|Area for action: Firms should make sure that training is effective, robust and commercially relevant. When training is tiresome and unnecessarily onerous, it loses its effect and creates the risk of neglect. The Senior Managers Regime holds named senior staff accountable, but the rest of a firm's employees with insufficient knowledge of the regulatory requirements will be called out by the regulator, as the FCA has done most recently.
Another recurring theme is the failure of regulated firms to effectively implement remedial improvements in response to historical reviews of their AML systems and controls. The background to a number of recent enforcement decisions included internal and external compliance reviews which identified the original compliance failures that formed the basis for the sanction in the Final Notice. The FCA drew attention to the fact that failures which formed the basis of its decisions had been identified and addressed inadequately on previous occasions by a number of firms.
For example, the FCA criticised regulated firms where they failed to take adequate steps to address compliance deficiencies which were identified during historical reviews of AML systems and controls. In particular, the FCA stressed that it expects remedial action plans to be followed through to completion, and it criticised firms for leaving key actions unresolved.
|Area for action: Firms should uplift risk considerations in a targeted manner, which is proportionate to cost, capacity and organisational structure. This targeted uplift will avoid instances of relapse or recidivism when implementing required remedial improvements to AML systems and controls. A fit-for-purpose programme, which is defensible and prepared for audit, will keep key elements such as ongoing monitoring and training at the forefront of the compliance agenda.
Authors: Ruby Hamid (Partner Dispute Resolution) and Anthony Asindi (Associate Dispute Resolution), Matthew Russell (Partner, Risk Advisory), and Tristan Bramble (Executive Risk Advisory)
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.