29 October 2021

Are your firm's financial crime trends in line with the rest of the market?

THE FCA HAS PUBLISHED RECENT FINANCIAL CRIME DATA

Earlier this month, the FCA published aggregate data from annual financial crime returns (referred to as REP-CRIM) that it received for the reporting periods 2017-18, 2018-19 and 2019-20. This revealed some interesting trends over that time, for firms currently required to report.

The key trends

The FCA's data identified:

an overall decline in the number of politically exposed persons (PEPs) that firms are reporting as customers;
an overall decline in the number of non-EEA correspondent banking relationships that firms – particularly wholesale firms – are reporting;
an overall decline in the number of customers that firms are categorising as 'high risk' for AML purposes (and therefore subject to enhanced customer due diligence). Declines in the number of 'high risk' customers were particularly clear in the retail lending, retail investments and retail banking sub-sectors. There were, however, increases in the number of 'high risk' customers reported by firms in the pensions and investment management sub-sectors;
a general overall increase in the number of suspicious activity reports (SARs) (relating to money laundering rather than terrorist financing) that firms are submitting. There were increases across all sub-sectors of the financial services industry, not only in the number of internal SARs that firms are handling, but also in the number of SARs that firms are making externally to the National Crime Agency (NCA), and in the number of SARs that contain a request for a defence against money laundering. Retail banking is strongly represented in these numbers. The FCA found that in 2019-20, close to half of the internal suspicious activity reports in issue came from 3 firms, and the same 3 firms also contributed over 60% of the SARs reported to the NCA;
an overall decline in the number of SARs relating to terrorist financing that firms are submitting under Terrorism Act 2000;
a material increase in the number of firms across the financial services sector using automated sanctions screening tools, and an increase in the number of 'confirmed true' sanctions matches measured at payments level (though 'confirmed true' sanctions matches measured at customer level declined over the period);
the number of customers that firms exited / off-boarded more than doubled over the period, and likewise there was an increase in the number of customers refused services for financial crime reasons;
the number of full-time equivalent staff that firms employed in financial crime roles varied over the period, however there was an overall increase (from around 15,700 in 2017-18 to around 17,400 in 2019-20). The FCA estimates that in 2019-20, firms were spending around £1.1bn annually in dedicated staff time to combat financial crime (excluding the costs of IT systems and costs of staff not wholly dedicated to that role);
firms' top fraud concerns remaining similar over the period, with (i) phishing; (ii) identity fraud/identity theft; and (iii) cyber-related fraud, including computer hacking, all featuring significantly; and
there was an increase over the period in both customers and unknown third parties as suspected perpetrators of fraud.

The FCA's paper explains a number of important limitations and other factors influencing the dataset, for example:

the number of firms submitting REP-CRIM reports also increased over this period;
given the way the reporting obligations are structured, the population of firms reporting was not static; and
there were specific reasons for some of the trends, for example changes in 2017 to the FCA's guidance concerning PEPs (see FG17/6) are likely to have contributed to the overall decline in the number of PEPs being reported during the period.

Even taking those into account, however, these statistics overall seem consistent with an increasing focus by firms on mitigating the risk of financial crime. Aspects of them (for example the numbers of customers off-boarded for financial crime reasons) arguably provide evidence of firms 'de-risking' their customer bases. That aside, it seems clear, however, that the FCA's repeated messaging over the last 5 years about the importance of systems and controls against financial crime, has not gone unheeded.

More firms will have to submit data in the future

Currently, the REP-CRIM reporting obligation applies to most FCA-regulated firms that are subject to the Money Laundering Regulations 2017, although there are some exceptions (see SUP 16.23). Importantly, for example, under current rules firms do not have to report if they have lower than £5m total reported revenue and only have certain limited permissions. The existing rules were introduced in 2016 and the FCA's first analysis of this data was published in November 2018 covering the 2016-17 reporting period.

The scope of the REP-CRIM reporting obligation is being widened. In March 2021, the FCA published a policy statement confirming its decision to extend the REP-CRIM obligation to approximately 4,500 additional firms (around 7,000 in total). The aim of this extension is to ensure that a broader subset of firms provide REP-CRIM information, and to broaden the dataset available to the FCA. Firms coming into scope as a result of these changes will have to submit their first REP-CRIM within 60 business days after their first accounting reference date falling after 30 March 2022.

Data of more than academic interest

When REP-CRIM was first introduced in 2016, questions were asked in the market about the purpose for which the FCA would use the data (not least because obligations on firms' MLROs to produce periodic reports were already in existence, and those reports were often shared with the FCA).

Over time, the FCA has given some indication of the types of analysis that it carries out using REP-CRIM data. For example, in a speech in 2018, it indicated that it was using artificial intelligence and machine learning, and combining REP-CRIM data with other information available to it "to paint a detailed picture of what a good and bad firm looks like", so as to "focus [its] attention on those that show up at the bad end of the spectrum". In 2020, the FCA published a data strategy for the organisation, and its 2021-22 Business Plan reaffirmed the organisation's commitment to becoming more data-driven ("We will be more data-driven to find and stop harm quicker, and will respond faster and more assertively to new challenges…", p6).

Alongside the aggregate REP-CRIM data published earlier this month, the FCA made clear that it is "developing new analytical tools to assess the effectiveness of firms’ systems and controls and analyse larger amounts of data". Its stated aim: "to better identify inherent money laundering risks as part of our new proactive data-led AML supervisory approach".

In the circumstances, firms would be well advised to consider the aggregate REP-CRIM data that the FCA published earlier this month, against their own internal financial crime MI (as well as their own previous REP-CRIM returns if they submitted these). The data the FCA has published – albeit in aggregate – is of practical and not just academic interest. Firms experiencing different or contrary trends to those that the FCA is observing in the rest of the market might well want to examine why. Without good reason, they could potentially result in the firm becoming subject to further FCA interest.