On 29 June 2021, the FCA published a Dear CEO letter, issued following its recent assessments of retail banks’ financial crime systems and controls, setting out the common themes it had identified.
In the Dear CEO letter the FCA reminds firms that the Senior Managers and Certification Regime (SMCR) places a responsibility on all senior management to counter the risk that their firm might be used to further financial crime. Particular responsibility lies with those SMCR roles with responsibility for financial crime, including Senior Management Function (SMF) 17 (Money Laundering Reporting Officer) and Prescribed Responsibility D (Financial Crime). The FCA adds that in its supervisory work it will continue to consider carefully whether the relevant SMF holders have carried out their responsibilities appropriately.
In the Dear CEO letter the FCA sets out certain areas where it has identified common weaknesses in firms’ financial crime systems and control frameworks. These areas include:
- Governance and oversight. The FCA states that firms often blur responsibilities between first line business roles and second line compliance roles. The FCA has identified circumstances where compliance departments undertake first line activities, for example completing all due diligence checks or all aspects of the customer risk assessment. The implication is that first line employees often do not own or fully understand the financial crime risk faced by the firm, which impairs their ability to identify and tackle potentially suspicious activity. The FCA also states that the key controls of UK regulated branches or subsidiaries of overseas firms are often determined and run by Head Office/Group functions. Whilst this is an acceptable practice when done well, the FCA has found that firms are often reliant on ready-made controls, frameworks and products. In these circumstances, senior management of the UK branch or subsidiary are often unable to demonstrate the assurance work undertaken on the effectiveness of those processes, or to evidence an adequate assessment of whether they fit the UK entity’s business model and risk exposure, or UK laws and regulatory requirements. The FCA has found that similar issues arise where firms outsource their controls to third parties.
- Risk assessments. The FCA states that, generally, the quality of the business-wide risk assessments (BWRAs) it has reviewed has been poor. For UK branches and/or subsidiaries of overseas firms, the FCA has also seen BWRAs completed at group entity level which do not cover risks specific to the UK, so that a separate UK risk assessment is required. In terms of customer risk assessments (CRAs), a common issue the FCA has identified is that CRAs are often too generic to capture the different types of risk exposure relevant to different types of relationship. It has also seen a lack of documentation recording the key risks and the methodology used to assess the aggregate inherent risk profile of individual customers, and has identified instances where customer due diligence measures are not adequately performed or recorded.
- Transaction monitoring. Among other things, for branches and subsidiaries of overseas firms, the FCA has seen group-led transaction monitoring solutions which have not been calibrated appropriately for the business activities and underlying customer base of the UK regulated entity. The FCA has also frequently found that the rationales supporting the discounting of transaction monitoring alerts require strengthening.
- Suspicious activity reporting. The FCA reports that it has found instances where the process by which firms’ employees can raise internal suspicious activity reports (SARs) to the nominated officer is either unclear, not well documented or not fully understood by staff. Also, the FCA has found that firms often are unable to adequately demonstrate to it their investigation, decision-making processes and rationale for either reporting or not reporting SARs to the National Crime Agency.
Whilst firms are not required to respond to the Dear CEO letter, their senior management should take the necessary steps to gain assurance that the firm’s financial crime systems and controls are commensurate with its risk profile and meet the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. Firms are expected to complete a gap analysis against each of the common weaknesses the FCA has outlined by 17 September 2021.