The FCA's recent 'Dear CEO' letter regarding anti-money laundering systems and controls presents clear enforcement and litigation risks for retail banks.
A month to go
When the FCA wrote its 'Dear CEO' letter to portfolio retail banks on 22 May 2021, highlighting concerns about the quality and effectiveness of anti-money laundering controls, it set a deadline of 17 September 2021 for them to:
- conduct a 'gap analysis' against a set of common control failings identified in its letter; and
- take 'prompt and reasonable steps' to close any gaps identified.
We are aware that since then many retail banks have been hard at work reviewing their AML policies and procedures. Banks that have not completed this work by the FCA's deadline (or are not at least ready to show the gap analysis has been done and any reforms are in progress), are likely to be at risk of regulatory action.
Six key areas to consider
The FCA identified in its letter six key areas of retail banks' anti-money laundering systems and controls where it perceives there are common weaknesses:
- governance and oversight;
- business-wide risk assessments;
- customer risk assessments;
- customer due diligence (particularly enhanced due diligence);
- transaction monitoring; and
- suspicious activity reporting.
Within each area, the FCA made specific observations for firms to consider.
- A clear warning shot from the FCA
Taken together with other recent senior-level messaging from the FCA on the subject of AML controls, we believe this letter should be read as a clear warning to retail banks and the senior managers who work for them. In effect, the FCA is allowing a time-limited opportunity for controls to be improved before it takes further action. There are likely to be negative consequences for retail banks that do not get their houses in order (or do not do so in time).
Although the FCA could certainly point to long standing legal and regulatory requirements in support of its work, the time it has allowed firms to carry out their 'gap analysis' - over a summer when much of the UK is emerging from lockdown and many are in the process of identifying 'new normal' working patterns - seems short.
- Challenging changes
Retail banks should not underestimate the challenges of making changes to their systems and controls in some of these areas. In particular, change control procedures typically restrict (for good reason) rapid changes to core IT systems (such as those that may monitor customer transactions or screen customers for sanctions). Further, reforming human-based systems and controls inevitably takes time, as new policies are written, staff are retrained, new procedures are embedded, and post-rollout testing is done.
The FCA has set a particular challenge for the UK branches of retail banks headquartered outside the UK, that rely on centrally-provided or group-wide services for AML controls in their UK business. Among the work that such firms need to do is to consider whether those centrally-provided services are adequate to meet UK legal and regulatory requirements. These may differ from the requirements in other countries.
Although UK and EU AML rules are based on the FATF Recommendations, which many other countries around the world have also adopted as the basis for their laws and regulations, technical implementations vary considerably across the globe. Sanctions regimes also differ markedly, and are often fast-changing (for example, the UK now has its own sanctions regime post-Brexit). This is an area where the detail matters.
Reforms to group-wide systems and controls are likely to require approval from the centre, associated investment, and sometimes the successful bridging of different cultures and AML regimes worldwide. This can be very challenging.
- A platform for future enforcement and litigation
It is important to understand that the areas of weakness the FCA highlights relate to AML policies and procedures that are not 'optional' or 'matters of good practice' alone. In the UK, they are mandated by one or more of:
- UK financial services regulatory rules (such as those in SYSC 6.3 in the FCA's Handbook);
- the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs); and
- the Proceeds of Crime Act 2002 (PoCA).
Although retail banks have some discretion, particularly over how they assess the AML and terrorist financing risks facing their businesses, and exactly what policies, procedures and controls they implement to control the risks identified, it is mandatory to carry out the risk assessment and then to put in place the relevant policies, procedures and controls.
The FCA has already repeatedly taken enforcement action in this area and we expect to see further such action following this 'Dear CEO' letter. Experience suggests that the FCA will in time deploy it, and retail banks' responses to it, as part of its case against non-compliant firms and individuals.
The fact of having been warned by the regulator of the need to focus on particular areas, and given time to make changes, could weaken the counter-arguments of firms and individuals who find themselves in enforcement. Not only could it make it harder for some firms to argue that their controls met legal and regulatory standards, it could also weaken mitigation arguments where controls have fallen short. The FCA's specific prompts about senior manager responsibility, and the need for the gap analysis to be "properly completed and its findings shared internally and acted upon as appropriate", may also make it easier for the FCA to reach a regulatory finding against those senior managers. The end result could be a greater prospect of success for the FCA in the cases it brings, and more severe penalties for individuals.
- A regulatory and a criminal law issue
The FCA has multiple enforcement powers in this area. In some cases, it could not only take enforcement action against firms and individuals through its usual civil/regulatory enforcement process (based on its own rule book, including the Senior Managers and Certification Regime). It could as an alternative prosecute them before the Crown Court (based on the MLRs and PoCA).
Where a bank's AML controls are perceived as weak, there need not have been actual money laundering before the FCA can take action.
The FCA has made clear in its public messaging over recent months, for example in its 2021-22 business plan, that it is increasingly willing to take a robust position and use litigation to test the extent of its powers.
Being the subject of successful civil/regulatory enforcement action could have severe consequences for a retail bank or member of its staff. However, where the FCA takes action on the basis of the criminal law, the consequences could be even more severe. Apart from reputational damage and the risk of penalties (including fines and, for individuals, the potential for a prison sentence), under English law a criminal conviction could restrict or debar a bank from competing for some types of public contract, affect its ability to obtain or maintain the licences it needs to do business, or end a staff member's career in financial services on the basis that they are no longer fit and proper to carry out a regulated function.
For retail banks operating in the UK and elsewhere, the consequences of a conviction in the UK - under laws outside the UK - could also be severe and unpredictable.
- I don't work for a retail bank… should I care about this?
Although the FCA addressed this 'Dear CEO' letter to certain retail banks, we believe it is likely to reflect the FCA's approach towards some other types of regulated firm as well, particularly payment services firms, electronic money firms, and some building societies. These are also often bound by the same or similar legal and regulatory requirements, and in some cases (seen from a customer's perspective) they provide similar services. They also often use the services of retail banks to carry on their own businesses. These firms would also in our view be well advised to be aware of the FCA's work.
- Some key questions to mitigate risk
As retail banks finalise their work following this 'Dear CEO' letter, we would suggest that in the month they have left before the FCA's 17 September deadline, they take a step back and consider some key questions for each of the six key areas that the FCA identified in its letter.
- What AML and terrorist finance risks are our controls in this area trying to stop? Are we confident we know what those risks are, that we have documented them, and thought about them again recently?
- How do our controls in this area currently work? Are we confident that our staff on the ground know how they work? Does senior management's understanding of what we do align with what we actually do? How good is the MI they are getting about financial crime?
- Are we sure that the policies, procedures and controls we have in this area are tailored to the risks we identified – for each area of our business?
- For firms taking a global or region-wide approach to AML controls: were the controls we use in our UK business designed with UK requirements in mind, or have they been adapted to meet them? Are we sure the AML and terrorist financing risks in the UK are the same as elsewhere? Are there any areas where risks in the UK are seen as higher, and so UK controls need to be tighter? Have we looked at this again since Brexit?
- How good do we think our current controls are at actually stopping the risks we have identified? Focusing on the end results from our system, rather than the system itself, do we think we are managing the risks (particularly customer risks) we have ourselves identified? Can we give strong and frequent examples of where the controls have worked to prevent harm?
- How would we evidence our approach to the FCA or a Court if we had to? Is it set out comprehensively in written policies, procedures and controls? Do we have clear records of any AML incidents, or would we have to resort to unstructured data (such as email) or the knowledge/expertise of a single key individual to prove what we do/did? How can we capture that information in a more structured way?
- If our people were asked by the FCA or in Court about how our controls in this area work, could they articulate them clearly? Would their answers align with our documented policies and procedures, or would they say something different to what is written down? Do they need any more training? Do we need to amend the written policies and procedures so they more accurately reflect what we do?
- Would we have to rely on any external parties (for example third party vendors of IT systems) to explain how our systems work and how they are configured? Who decided what the systems we use for AML controls should do – us, or the vendor? Have we captured all the key information in our internal policies?
- If we are making changes to our systems and controls (particularly changes that can't be completed before 17 September 2021), do we have a clear specification, budget and a timeframe for them? Could we evidence that confidently if required? Are we confident that we could provide FCA with regular updates on our progress?
- Are we sure we have closed off all our past regulatory change projects in this area, particularly any changes we made when the MLRs were amended in 2017 (with the Fourth EU Money Laundering Directive) and in late 2019 / early 2020 (with the Fifth EU Money Laundering Directive)? Have we implemented any changes we agreed with FCA or other authorities in the past?
- When was the last time we did compliance testing in this area?
- When was the last time that internal or external audit looked at this area?
- Have any audit recommendations in these areas all been followed up / closed out?
If you would like to discuss any of these issues further, please contact: