Dear CEO… FCA address repeat compliance failings
The FCA recently sent a strongly worded Dear CEO letter in relation to Financial Crime.
The letter covers several areas where the FCA are continuing to see firms failing to comply with ML regulations for a number of reasons.
There is a common theme throughout, naming a failure to identify risks across differing business units and jurisdictions, and a lack of documentation to support the methodology and rationale across risk assessments throughout the AML programme, including Customer Risk Assessment and Enhanced Due Diligence.
This letter quite clearly and rightly states that the Business-Wide Risk Assessment (BWRA) should be used as a “powerful tool to help firms understand their risk exposure, set risk appetite, and inform their mitigating controls”. So, it makes sense that when reading this letter, Financial Crime teams should be clear where they need to start any review.
It is not effective to make an assessment at the group level alone, which this letter reveals is often the case. Each entity in each jurisdiction within an organisation will likely operate differently, meaning the policies and procedures used will be nuanced. However, as we saw in our recent AML Benchmark Report, designing the framework and rolling the assessment out were named as 2 of the top 3 challenges when preparing for a BWRA. Both exercises are far from easy to do given the tools typically used, which brings us on to the lack of documentation. The weapon of choice when trying to tackle your organisation's BWRA tends to be a spreadsheet, or many spreadsheets. Firms need to be consistent in their assessments across their business units whilst also identifying and acknowledging the different risks similar businesses might be exposed to. A one-size-fits-all spreadsheet will not accurately reflect this, and if designing regionally specific assessments it is then extremely difficult to collate the results and reflect them in a group level report.
It is unsurprising that the assessment of the controls to mitigate these inherent risks is lacking in evidence and rationale, as again, they are being generalised and documented at the highest level, meaning either the controls are not fit for purpose for some areas of the business, or they are being inaccurately reflected in the report. Either way, it's not what the FCA want to see.
This letter does not push for new or additional measures or point the finger at one particular group (though it is still unclear to whom this letter has been sent). It seems to simply ask for more time and care to be taken when understanding an organisation's exposure to both ML and TF risks, for this understanding to be explained, and for the measures put in place to mitigate these risks to be evidenced and rationalised.
At Arctic, we deliver technology to empower compliance teams to easily design or configure risk models for AML and a wider range of risk domains, enabling them to provide consistent, data-driven risk assessment reports for both individual entities and an aggregated enterprise level report.
Our frameworks for Financial Crime Risk Assessments (including ML/TF, Sanctions, ABC, Fraud, Modern Slavery) provide a significant level of detail across the 4 key components of the assessment:
- Methodology – provide a standard and documented methodology and taxonomy across the organisation.
- Inherent Risk Assessment – use data points to drive consistency and mitigate subjectivity.
- Control Assessment – an extensive control library with the ability to record testing and evidence.
- Residual Risk – Assessment structure enabling each branch to be assessed separately but with reporting at the group level.
A thorough, defendable BWRA should give businesses the knowledge of where they need to focus their efforts, and when to revise their risk-based approach and the controls that protect their business from ML/TF risks.