FCA warns many payments firms risk harm to their customers and the financial system
On 16 March 2023, the UK’s Financial Conduct Authority (FCA) sent out its latest “Dear CEO” letter. While the conduct regulator softened up its audience first by complimenting it on the competition and innovation it had observed in the payments sector, it quickly followed up with some harsh criticism.
The FCA said it remained concerned that many payments firms don’t have sufficiently robust controls and that some firms present an ‘unacceptable risk of harm to their customers and to financial system integrity’. It followed up by saying that the risks of customer harm are heightened by the tightening economic conditions and the cost-of-living crisis.
While its missive was mainly directed at e-money, money remittance, and payment processors, the reach and implications of the FCA letter clearly extend far wider than firms in just these sectors, specifically to firms authorised or registered under the Payment Services Regulations 2017 (“PSRs”) and the Electronic Money Regulations 2011 (“EMRs”), such as Payment Institutions (“PIs”), Electronic Money Institutions (“EMIs”) and Registered Account Information Service Providers (“RAISPs”).
What the FCA expects of financial services firms
The regulatory body told payment firm CEOs they should take action to deliver three key outcomes:
- Ensure customer money remains safe
- Ensure their firm doesn’t compromise financial system integrity
- Meet customer needs, including offering high-quality products and services, competition and innovation, and implement the FCA Consumer Duty.
The FCA letter highlights that, while most financial institutions have focused hard on risk and compliance over the past few years, there are still some gaps that need addressing. Compliance is now more important than ever to prevent criminals from exploiting loopholes and to protect vulnerable members of our society.
This is proving very challenging in the face of rapidly changing technology, the adoption of digital currencies, new laws, and constant evolution in the financial market. These changes make it difficult for payment companies to safeguard their customers’ funds and manage AML compliance adequately. These challenges are even putting these firms at risk of failure.
Outcome 2 – Firms do not compromise financial system integrity
We will focus on outcome 2, “Firms do not compromise financial system integrity”, which aligns with the FCA’s 2022-2025 strategy and its strong focus on reducing and preventing financial crime.
The FCA made its expectations clear concerning money laundering and sanctions. All firms subject to the UK’s Money Laundering Regulations must have adequate systems and controls to identify, assess, monitor and manage these risks. They must also ensure they operate effective systems and controls to identify and manage sanctions exposure and risk.
The FCA highlighted that it has seen increasing evidence of financial crime in the payments portfolio as these firms provide bank-like services, are willing to service higher-risk customers and may be a target for bad actors exploiting weaker systems and controls.
The FCA’s approach is designed to ensure that firms do not compromise financial system integrity and is focussed on two priorities:
- Money Laundering & Sanctions
- Fraud
Priority 1 – Money laundering & sanctions
On the first priority, money laundering, the FCA has made it very clear that any firms that are subject to the UK’s Money Laundering Regulations must have in place systems and controls to identify, assess, monitor and manage money laundering risk. These must be comprehensive and proportionate to the nature, scale and complexity of a firm’s activities.
With regard to economic and financial sanctions, the FCA also set the expectation that regulated firms must ensure that they operate effective systems and controls in order to identify and manage any sanctions exposure and risk associated with their customers and business activities.
Material issues identified with financial crime systems and controls
The FCA has emphasised that over the past two years they have identified material issues with financial crime systems and controls including (but not limited to):
- failure to carry out and/or to evidence adequate KYC/due diligence
- business-wide risk assessments not supported by a robust and effective methodology
- enhanced due diligence not adequately risk based and not commensurate to the risk event and/or the customer
- failure to regularly review and refresh risk assessments and control frameworks in an evolving threat landscape
- policies and procedures which are insufficiently detailed and tailored to firms’ business models
- failure to maintain and evolve the control framework, in line with business growth
- failure to ensure name screening solutions from third party providers are appropriately and adequately calibrated to meet their business requirements
- firms unable to reasonably justify and/or verify why their sanction screening solution does not generate alerts against certain names on the UK’s Office of Financial Sanctions Implementation list.
Actions the FCA expects payment and electronic money institutions to take
The FCA expects payment and electronic money institutions to ensure their anti-money laundering systems and controls are effective and commensurate with the risks in the business, including as it grows over time.
This includes the expectation that your firm will conduct regular reviews to assess its compliance with anti-money laundering obligations and sanctions requirements, and to work swiftly to remediate weaknesses identified.
Further, the FCA has established a minimum expectation that your firm will comply with its responsibilities under the Proceeds of Crime Act 2002 and Terrorism Act 2000 through accurate and timely submission of Suspicious Activity Reports (SARs), and that it will regularly review themes from its SARs and act efficiently to rectify any issues identified.
Priority 2 – Fraud
The second priority the FCA highlighted was fraud, and in particular evidence that fraud incidents at payment and electronic money institutions are increasing, particularly in relation to the cost-of-living crisis. The FCA expects firms to take immediate action to address any weaknesses in their systems and controls to prevent fraud.
Common weaknesses identified at payment and electronic money institutions
The FCA has emphasised that over the past two years they have identified common weaknesses including (but not limited to):
- insufficient emphasis on mitigating the risk of fraud against customers and insufficient customer education relating to fraud prevention
- a lack of engagement with industry information sharing bodies
- weaknesses in firms’ anti-fraud systems and controls
- backlogs that have led to fraud reports from consumers not being actioned within a reasonable timeframe by relevant staff
- a high proportion of customer accounts being used to receive proceeds of fraud.
Actions the FCA expects payment and electronic money institutions to take
The FCA expects payment and electronic money institutions to take immediate action to protect your firm’s customers against the risk of fraud and to ensure that your firm is not being used to receive the proceeds of fraud.
In particular, the FCA requested that regulated firms should ensure that they:
- review their internal risk appetite statements and policies and procedures to ensure that these adequately address the risk of fraud to their customers
- regularly review fraud prevention systems and controls to ensure effectiveness; and
- maintain appropriate customer due diligence controls (at onboarding and ongoing) to identify and prevent accounts being used to receive proceeds of fraud or financial crime.
Furthermore, the FCA emphasised that firms should take immediate action to protect their customers against the risk of fraud and to ensure that the firm is not being used to receive the proceeds of fraud. This includes reviewing internal risk appetite statements and policies and procedures to ensure they adequately address the risk of fraud, regularly reviewing fraud prevention systems and controls, and maintaining appropriate customer due diligence controls at the onboarding stage and on an ongoing basis.
What could happen if businesses don’t act?
Failure to implement robust compliance could allow financial crime to grow and fraud could become more common, which could put the financial system at risk. The FCA said that if it identifies issues, it will take ‘swift and assertive action’ to protect customers and maintain market integrity.
How Arctic Intelligence can help
Arctic Intelligence is dedicated to supporting hundreds of FCA regulated businesses like yours, including e-money, money remittance, and payments processors.
Our multi-award-winning platforms help our clients identify and assess their business-wide money laundering and terrorism financing risks and build appropriate and proportionate controls to help them mitigate and manage them.
The Arctic Intelligence business-wide risk assessment solutions for Money Laundering, Terrorism Financing, Sanctions, Bribery & Corruption and Fraud help payment and electronic money institutions to meet the FCA’s obligations and reduce the risks of their firm being exploited by organised criminal networks.