According to the most recent “Dear CEO” letter released by the FCA, approximately 1,000 firms are registered as Annex I firms. They are not authorized under the FSMA or subject to FCA regulations. However, the FCA is responsible for supervising their adherence to regulations intended to thwart money laundering, terrorist financing and proliferation financing.
The FCA indicates that it has “enhanced the monitoring” of these firms and is increasing its “proactive work in this area” because its recent assessment has revealed common weaknesses it has deemed critical, including:
- discrepancies between what the firms are registered as doing and their actual activities;
- financial crime controls not keeping pace with business growth;
- weaknesses in business and customer risk assessments;
- lack of detail in policies connected with due diligence and ongoing monitoring;
- lack of resources as well as inadequate training connected with financial crime;
- an absence of a clear audit trail for decision-making related to financial crime.
Emad Aladhal, FCA Director managing a team dedicated to reducing and preventing financial crime and fraud, said that although the regulator has generally seen progress in this area, its recent findings highlight “some basic failures amongst Annex 1 firms which are not subject to our full regulatory regime” that “must be addressed”.
Practical advice for firms
Based on the FCA’s more detailed observations, Annex I firms are well advised to review their financial crime systems, policies and procedures and in particular ensure that the following elements are in place.
Business
- The FCA is notified of changes to:
  - services being offered;
  - core details (such as business address);
- Financial crime policies, controls and procedures are appropriate for the size and complexity of the business.
Staff
- Financial crime teams are adequately resourced and can carry out their functions effectively;
- Sufficient training on financial crime is offered to staff including ensuring that employees are:
  - aware of the laws / regulations that apply;
  - provided with regular training.
Risk assessment
- The business-wide risk assessment:
  - is sufficiently detailed;
  - clearly articulates the mitigation measures to counteract the risks identified;
- The customer risk assessment:
  - is tailored to individual customer characteristics;
  - considers all relevant risk factors;
  - is effective in managing the risks identified.
Customer due diligence and monitoring
- Customer due diligence and monitoring policies and procedures:
  - are up to date;
  - are adequately detailed;
  - are appropriately applied to individual customers based on their risk profile;
  - clearly define when simplified or enhanced due diligence is appropriate;
  - outline how and when sources of funds or wealth will be captured;
  - are adequate in connection with the investigation and recording of SARs.
Financial crime decision-making
- A clear audit trail exists for financial crime related decision-making including:
  - financial crime as a standing agenda item in senior management meetings;
  - active engagement by senior management in addressing the firm’s financial crime risk;
  - the appointment of a member of the board of directors (or equivalent management body) as the individual responsible for the firm’s compliance with the relevant regulations;
  - the establishment of an independent audit function to examine and evaluate the effectiveness of the policies, controls and procedures.
Even in instances where the firm size or operations do not warrant putting in place the systems, policies and procedures outlined above, measures that are appropriate to their specific circumstances are vital.
The FCA is warning that firms that do not address these shortcomings may face regulatory action, including enforcement as well as deregistration.
GRIP View
The £264.8 million fine against NatWest in December 2021 demonstrates the seriousness of the issue and the potentially large penalty size when things go wrong.
Although that was a particularly egregious case involving a series of basic flags that should have been investigated fully but were either missed or dismissed, leading to the depositing of an astonishing £264 million in cash by the customer, some of the issues in the case are also highlighted within the letter and notice. For example:
- significant, unexplained and unchallenged changes to the client’s business activities;
- a shift from no cash deposited to large pots of cash deposited (£1.8 million per day!) – highlighting the weakness in internal controls;
- the use of Scottish bank notes – highlighting inadequate and out-of-date customer due diligence (the heightened potential money laundering risk associated with the use of Scottish notes having been noted by various regulators);
- the lack of challenge and action where issues were noted and/or escalated by staff;
- the absence of a client risk assessment, which would have almost certainly highlighted a higher level of risk; and
- other factors too numerous to mention here.
Even if your firm is not likely to face financial crime exposure in the hundreds of millions of pounds, the possibility of a penalty that is equivalent to the amount laundered as a result of inadequate financial controls should not only be a serious deterrent, but also a prompt to immediate action given the explicit warning by the FCA.