FCA has finally published the Dear CEO letter it sent to retail banks on 22 May on AML failings.
The letter sets out the common themes FCA has observed and highlights its disappointment that it continues to find certain common weaknesses. FCA has taken action on persistent failings, including requiring skilled person reviews, imposing restrictions on business and taking enforcement action. The letter focuses on:
- governance and oversight: the three lines of defence (3LOD) model does not always work, as first and second line roles are often blurred, such that first line employees often do not own or understand the risks and compliance personnel cannot adequately monitor and test the control framework. Also, many firms, especially those with head offices overseas, are too reliant on ready-made controls, such that local senior management cannot show what they have done to assess the controls’ effectiveness. Similar issues arise when firms outsource their controls. Finally, firms do not always evidence senior management sign-off for high risk situations or good practice around those controls;
- risk assessments: business-wide risk assessments are generally poor, while customer risk assessments are often generic. FCA found instances where the key risks and the methodology for arriving at risk assessments are lacking, or where there are inherent discrepancies. Often, also, they focus on AML risks and do not consider other financial crime risks customers pose;
- due diligence: CDD is often not adequately performed or recorded, and firms’ approach to EDD is sometimes weak and does not mitigate the risks the customer poses. Many failings come in not identifying the source of funds (SOF) and source of wealth (SOW) of PEPs, and in failing to tailor the EDD required on a particular PEP. Firms often don’t understand SOF and SOW and rarely use them unless mandated;
- transaction monitoring: overseas firms will often use group-led monitoring not appropriately calibrated for the UK, and often calibration is set by off-the-shelf products. Firms also often fail to provide good rationales for discounting alerts; and
- suspicion reporting: employees are often not clear on how to raise internal SARs, and FCA found an instance of a customer being potentially alerted to concerns because the investigators lacked training. It also found firms often could not properly explain decisions to report, or not to report, to the NCA.
FCA warns firms that all senior management is responsible for countering the risk that the firm might be used to further financial crime, but especially the SMF17 function holder and the person with Prescribed Responsibility D.
Firms do not need to respond to the letter, but FCA expects them to complete a gap analysis against each of the weaknesses identified in the letter by 17 September and to take prompt and reasonable steps to close any gaps identified. FCA is likely to ask firms to show what they did in future engagement.