Insights from the FCA’s Dear CEO Letter: Addressing Financial Crime Risks in Annex 1 Firms
Annex 1 firms include, but are not limited to firms carrying out the following activities:
- lending including factoring and commercial transactions
- financial leasing
- trading on own account
- safe custody services
- money broking
- portfolio management advice
- safekeeping and administration of securities.
The FCA’s findings are set out across four critical areas:
1. Business model
The FCA identified discrepancies between the activities that firms told the FCA that they undertook at the point of registration and the activities that these firms actually engaged in. Annex 1 firms must notify the FCA of changes to their business activities that may impact the firm’s classification as an Annex 1 firm. Firms must notify the FCA of these changes within 30 days of the date of change. Likewise, where MLR Individuals change, firms must notify the FCA accordingly.
Business growth without evolving financial crime systems and controls was also identified by the FCA as an issue amongst Annex 1 firms. Shortcomings included failure to update policies, procedures and controls, as well as inadequately resourcing financial crime teams alongside business growth.
2. Risk assessment
The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (the “MLRs”) requires all in scope firms to undertake and maintain a business-wide risk assessment (“BRA”) of the money laundering, terrorist financing and proliferation financing risks to which the business is subject. Firms must also undertake risk assessments on their in-scope customer relationships.
The FCA noted that many Annex 1 firms did not have a BRA in place, and in other instances, the quality of the BRA was poor in terms of detail and methodology in place. Absent or ineffective BRAs can lead to a failure to identify and thus control the risk of financial crime.
The FCA’s letter noted that some firms failed to apply customer risk assessments appropriately, meaning that these firms did not effectively assess the subsequent level of customer due diligence required to mitigate those risks.
3. Due diligence, ongoing monitoring and policies and procedures
Customer due diligence (“CDD”) policies and procedures amongst the review population generally lacked quality and sufficient detail, leaving employees of these firms working with vague procedures and therefore delivering inconsistent or inadequate due diligence. CDD procedures were also weak in directing employees to implement simplified or enhanced due diligence.
CDD policies and procedures were also considered to be weak in terms of setting clear standards and requirements for ongoing monitoring.
4. Governance, management information and training
The FCA reported that of the firms reviewed, some did not have adequate resources in place to effectively deliver the systems and controls, and that senior management did not provide adequate oversight of the delivery of financial crime systems and controls.
Employees were often not adequately trained, meaning that they did not have sufficient awareness of financial crime and the risks to their business. Firms were also lacking in delivering timely training and maintaining evidence of training that had been delivered.
Decisions made in relation to financial crime were not supported by evidence or an audit trail of debate and challenge. Many firms did not have financial crime as an agenda item in senior management meetings, and as such, it did not receive the attention that is warranted.
Firms’ systems and controls were often not subject to independent review by an internal audit function or competent third party. This absence of assurance can leave senior management unaware of any absence or weaknesses in the financial crime systems and controls.
What next?
The FCA expects the senior management of Annex 1 firms to consider the contents of the Dear CEO Letter, and carefully think about any steps that should be taken to gain assurance that their systems and controls are operating effectively and as expected. The FCA will ask for evidence of this gap analysis, should they engage with Annex 1 firms.
The letter explicitly states that Annex 1 firms should, within the next six months, complete a gap analysis against the common weaknesses identified in the letter, and should take prompt action to remediate those weaknesses. Firms must record evidence of the gap analysis and the steps taken to close the gaps identified.
How Waystone Compliance Solutions can help
We have a strong track record of supporting Annex 1 firms with developing their systems and controls to manage the risk of financial crime. We can support firms with:
- undertaking the mandatory gap analysis
- remediating or advising on how to close gaps identified during the gap analysis
- supporting the enhancement of business risk assessments, customer risk assessments and their methodologies
- implementing proportionate and adequate policies and procedures
- delivering training to employees of in-scope firms
- carrying out periodic independent assurance of the firms’ financial crime systems and controls advising individual customer onboarding matters.
If you would like to find out more about this topic or how we can help you to manage the risk of financial crime, please reach out to your usual Waystone representative or contact us below.