Times they are a-changing – and so should your business risk assessment

Introduction – The Dear CEO Letter

In May 2021, the UK’s Financial Conduct Authority (“FCA”) issued a “Dear CEO” letter to the retail banking sector.  For those not familiar with these, a “Dear CEO” letter (“Letter”) is a tool used by the regulator to convey it expectations in relation to firms’ compliance with certain regulations.  While not enforceable per se, they’re a useful signalling tool which regulators can later refer to and say, “you were put on notice about our concerns” when they do find problems with a firm’s compliance programme. These letters can also be one of the determining factors of both the size and severity of any disciplinary measures the regulator might later impose.

Retail Bank and Financial Crime Prevention Measures

The FCA’s May Letter focuses on how UK retails banks have been operationalising their financial crime prevention programmes (“FC programmes”). The Letter describes the FCA’s findings from its recent assessments of banks’ systems and controls used to mitigate FC risks.  These findings were grouped in five broad categories: Governance and oversight, risk assessments, due diligence, transaction monitoring and suspicious activity reporting.

The Letter includes a call to action. Banks are required to “take the necessary steps to gain assurance that your firm’s financial crime systems and controls are commensurate with the risk profile of your firm and meets the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, as amended (“MLRs”)”. 

This call to action is expected to entail the completion of a gap analysis again each of the findings described by 17 September 2021. It’s expected that this analysis will be completed “promptly”, finding shared internally and acted upon “as appropriate”. Banks are required take prompt and reasonable steps to close those gaps.

Business Risk Assessment Findings

When it comes to the quality of business risk assessments (“BRA”), the FCA found they were not up to the mark. In fact, the FCA describes the quality of the BRAs they reviewed as “poor”.  The Letter identifies several weaknesses:

• Insufficient detail on the FC risks to which the business is exposed,
• Failure to adequately evidence the assessment of the strength of mitigating controls,
• Failure to record the rationale support conclusions drawn on the firm’s residual risk level, and
• Group level BRAs that did not take account of FC risks specific or present in the UK.

Given the ambitious deadline set in the Letter, which required FC compliance teams to scramble and rejig work priorities over the summer, banks might be forgiven for seeing the work required in relation to their BRA as a simple technical refresh of their BRA methodology. In fact, however, this presents a timely opportunity to conduct that all important BRA review.

Reading Between the Lines – BRA Failings

As you read through the detailed findings in the Letter, common failings start to emerge relating to how FC risks were assessed by banks and considered in their BRAs:

1. Inherent FC risks originally assessed had changed over time were not identified and assessed in their BRA.
2. 2^nd line testing results were not being fed into the BRA process, resulting in controls being assessed as more effective than was the case.
3. A confluence of risk had taken place whereby changes to inherent FC risks meant that the overall control framework was no longer mitigating them as intended.
4. The BRA model used was not designed to take account of regional differences in FC inherent risks or was too complicated to adjust to incorporate them.

The resulting risks caused by these failings mean that banks may be exposed to more FC risk than they have the appetite to accept.

The main cause behind these shortcomings may have been that these changes were not captured or considered as part of their BRA review process.

Time They Are a-Changing…

Preparing a good BRA can be a challenge. It’s a bit like mixing cement. It needs the right composition of ingredients to create a sturdy, reliable foundation.  Get the mix wrong and there’s going to be problems. While a BRA will (hopefully) not cause your house to collapse, it does require careful planning, design, calculation, and delivery to be the value-added tool it’s intended to be.

And just like cement, a BRA forms the very foundation upon which an FC compliance programme rests. Relying on simplified due diligence measures for low-risk customers? Your BRA should show that the controls used to mitigate FC risks support the use of this expedited onboarding process. Planning on accepting virtual asset services providers (VASPs) as customers? Your BRA should evidence an assessment of the potential FC risks involved and whether the bank’s existing control framework can effectively mitigate them.

The last 18 months have seen a sea change in the way banks operate and the way their customers access banking services. So too have the tactics used by illicit actors to misuse their services and defraud consumers. Plans afoot to introduce new technology such as eKYC or artificial intelligence-driven monitoring will also bring about change in how banks detect and prevents financial crime. 

The gap analysis required by the Letter may also result in significant change needing to be made to banks’ compliance programmes. Whether it’s a remediation exercise to resolve a backlog of transaction monitoring alerts or updating procedures to ensure source of wealth and funds are established and recorded for PEPs, these can all have an impact on a bank’s BRA results.

Mind the Gap Between Your Analysis and your BRA

The Letter’s call to action is, in effect, the same exercise banks would otherwise need to perform when reviewing their BRA. It would therefore make sense for banks and other regulated firms to leverage gap analysis work to review their existing BRA results.  

The call to action requires that banks undertake measures to address any gaps – i.e., control framework improvements. Now this may sound counter-intuitive – why would a bank want to write into its BRA the work it needed to fix gaps in its FC compliance programme? Isn’t this the same as waving a red flag in the direction of the FCA and saying, “Look, we have problems!”.  Ironically, this has the total opposite effect. Incorporating this information as part of your BRA review demonstrates to the regulator that your bank:

• Undertook the analysis required by the Letter and recognises the link between work needed and the FC control framework used to mitigate its inherent FC risks,
• Understands how the analysis may influence the overall results of its BRA, and taken steps to update it, and
• Took account of whether the outcome of the analysis changed the bank’s overall FC risk appetite and if so, what that will mean in practice.

Even if your scheduled BRA review is not due until 2022, finding gaps in your FC compliance programme might well justify completing that review earlier.

Updating Your BRA Should Not Be the Same as Completing Your Income Tax Return

The MLRs require that BRAs be documented and kept up to date. Guidance provided by the Joint Money Laundering Steering Group suggests that BRAs be reviewed at least annually, recognising that a BRA is not a one-time exercise. However, where changes occur that might impact a BRA’s results, and, in turn, the bank’s understanding of its FC risk exposure, a mor frequent review may be warranted.

The problem? Most firms found the initial preparation of their BRA to be a painful exercise. Arctic’s 2021 Benchmark Report noted that almost 70% of respondents said the BRA process tool them up to 6 months to complete. This was usually because it was manually prepared, often with eye-wateringly complex spreadsheets. Very few compliance team members could explain to senior management how the scoring and weighting worked, what the final residual risk rating meant or what inherent FC risk factors were the drivers of risk for different business lines.

Worse, if staff who designed the BRA resigned, or if it was prepared by an outside advisory firm, those staff left trying to wrap their heads around the methodology used found it as daunting as trying to complete their personal income tax return!

Inevitably, the idea of needing to revisit the BRA and review its results, is one that some FC compliance staff are keen to avoid any more frequently than once a year.  Over 50% of the respondents to Artic Benchmark Report review their BRA once a year while 13% do so every two years. The problem with this is that it can leave a bank with an unmitigated FC risk exposure that accumulates over months before it is detected and assessed.

Using this opportunity to review your BRA also allows you to determine if some of work needed on controls the last time the BRA was undertaken, needs follow through or is has also been detected by the Letter’s required gap analysis. It can be easy for needed control improvements to drift of the agenda, especially given the event of the last 18 months.  Arctic’s Benchmark Report notes that many controls identified by regulated firms in their BRAs had been assessed as not yet tested or requirement some form of improvement.

Managing these types of risks can be made a great deal easier by converting the BRA process into a programmatic one. It allows the bank to focus on analysis and not spend most of the time on spreadsheet management and manual data entry. Automating the BRA process also allows for variations to be incorporated around inherent FC risks that are regionally different across a bank’s group, without requiring complex mathematic gymnastics. It can also provide a means to track planned control changes and their resolution in one single tool. Finally, employing the use of a programmatic BRA tool also facilitates a data-driven outcome that can be readily explained and generated at any time to the FCA, if requested and for the bank’s senior management.

Concluding Thoughts

While the FCA’s Letter may have come as a surprise project for most banks this summer, it opens the opportunity for banks and other regulated firms to consider if there might be a way to work “smarter not harder” with it comes to setting up and reviewing their BRA. The Letter’s call to action will inevitably require that banks review of existing BRA results. Leveraging this exercise to review your BRA is not only smart but just makes good common sense. And now might be the perfect time to explore whether it’s time to say good-bye to those painful spreadsheets.

Follow us on LinkedIn and Twitter for a daily dose of financial crime news across the globe.