The Financial Conduct Authority (FCA) published a Dear CEO letter to retail banks on common control failings in anti-money laundering (AML) frameworks (see here), sent on 22 May 2021 in anticipation of the FCA's 2021 Annual Business Plan. The regulator has indicated that will aim to drive down fraud by carrying out?proactive surveillance and monitoring, and working?closely with other anti-fraud partners to maximise its collective fight against fraud. Consumer protection and preventing online harm will feature as particular areas of focus.

Areas of weakness

The areas in which the FCA considered there were weaknesses included governance and oversight, risk assessments, due diligence, transaction monitoring and suspicious activity reporting (SARs). Further observations included:

• Governance: the FCA endorsed the three lines of defence strategy and warned against blurring lines between business and second line compliance roles. It emphasized that sign-off by senior management in certain high-risk scenarios is required but that some firms did not have evidence of this level of governance.
• Risk assessment: Customer risk assessments were typically too generic, not differentiating between particular risks and adjusting accordingly. Firms tended to focus on the AML and sanctions risks posed by their customers, without adequate assessment of other risks, for example tax evasion or bribery and corruption. Similarly, customer due diligence, and enhanced due diligence where necessary, was sometimes inadequately performed and recorded.
• Transaction monitoring: the FCA considered that in some firms monitoring was not calibrated appropriately for their business activities and underlying customer base.
• SARs failings: the FCA was concerned by instances where the procedures for employees to raise internal SARs to the nominated officer were unclear, not well documented or not fully understood by staff. An additional concern was that some firms were unable to demonstrate their investigation, decision-making processes and rationale for reporting or not reporting SARs to the National Crime Agency.

Key Points

A number of key points arise from this letter:

• First, firms should expect over the next years a more intrusive FCA approach to their AML systems and controls. The regulator's interest will be aroused by systems and controls weaknesses even if it is not apparent that these have resulted in the facilitation of financial crime. The letter follows recent criminal proceedings for alleged breaches of regulations 8(1), 8(3) and 14(1) of the Money Laundering Regulations 2007 (MLR 2007). As we have explored, the sector is asking whether the FCA may make more extensive use of its criminal powers under the MLR 2007, following US regulators in using the criminal law to tackle financial crime. The letter also follows the recent 2 June 2021 Crown Prosecution Service guidance on prosecuting failure to report cases under s330 Proceeds of Crime Act 2002 (POCA) to indicate that it is possible to charge a person even where there is insufficient evidence to establish that money laundering has actually taken place. 
• Second, the FCA expects senior managers to be able to demonstrate appropriate oversight and understanding of the financial crime risks arising from the businesses for which they are responsible, and how those financial crime risks are addressed by the firm's AML systems and controls.
• Third, the FCA is concerned that firm's AML systems and controls to be calibrated to the risks arising from their business and from their customers. This is a complex process for large financial institutions operating across multiple jurisdictions and product types.
• Finally, as in other areas, making reasonable decisions is not sufficient to satisfy the regulator. Firms need, in the AML area, to be able to evidence decisions and governance processes by sensible record keeping.

Next steps

Those firms that received the letter are expected to complete a gap analysis against each of the common weaknesses outlined in the letter by 17 September 2021, taking prompt and reasonable steps to close any gaps identified and demonstrate compliance to the FCA.

The letter follows the trend of regulators focusing on the role of senior managers and governance in the oversight and implementation of financial crime controls. As firms rely on ever more sophisticated technologies for AML purposes, including customer screening and transaction monitoring, the challenges of ensuring proper understanding and oversight of those technologies and tailoring them to the financial crime risks arising from firms? businesses are set to grow.

As financial crime risks and technologies evolve, AML systems and controls will need to be approached not as a static target but as a never-ending cycle of recalibration and enhancement. It is clearly important that the regulator approaches firms? AML systems and controls on this basis.