Anti-Money Laundering Procedures - A UK Regulatory Focus
The UK Financial Conduct Authority (FCA) recently warned Annex 1 firms about common financial crime control failings in its Dear CEO letter of 5 March 2024.
While the businesses this letter focuses on are registered but unauthorised firms, it is a good reminder to the broader financial sector of the wider implications and tone of the FCA's three-year strategy and goals for fighting financial crime. This article looks at the common failings pointed out in the letter, which in our view are valuable for all compliance officers reviewing their internal Anti-Money Laundering (AML) programs, and at the lessons authorised buy-side investment managers can learn from them.
Financial crime controls should keep up with business growth
Although this may be an obvious observation, we have noticed a common theme of gaps in overall compliance risk management, and in particular with regard to AML procedures. If we apply this learning to investment managers, actionable wins are:
- Reassessing the contracts a firm has agreed with any third parties (fund administrators included) for AML and client onboarding checks. Does that agreement still make sense for your business, and will it still be robust in 2-3 years? Is the third party prepared to scale up, provide more dedicated resources or relationship management in order to service your business properly? Investors expect the costs around their fund management to be allocated appropriately – which does not mean as cheaply as possible. The AML outsourcing or procedures that worked for a start-up will not work for an established business.
- Senior management are accountable for the effective control of their business. If we focus on the Money Laundering Reporting Officer (MLRO) and Compliance Officer, who are often the same person, there ought to be senior management challenge over whether they have implemented timely and appropriate controls or testing as the business has grown or changed. Have they taken reasonable steps to be well informed of key strategic or commercial changes in their firm, such that compliance resource or implementation has been both enabling and risk-weighted?
This segues into risk assessments – the absolute bedrock of any internal implementation program. Firms highlighted in the FCA’s letter failed to conduct appropriate risk assessments, or failed to understand the impact of the risk and what realistic mitigating actions would look like. Risk can never be zero; however, residual risk is still something to be sensibly managed, not just stated as such. The FCA sets out AML risks as Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF). Firms are expected to have included these within their risk assessments, in suitable detail, and to have developed methods to counter these risks. Appropriate insight should be included on sanctions lists, on the markets where the firm is exposed (where there are multiple offices), and on whether investor relations and sales teams are properly trained to raise suspicions to the MLRO and aware of their obligations to do so. Key questions investment firms should be asking themselves are: Is the operations team able to spot erroneous transactions? Is the feedback process between the fund administrator and the UK investment firm fine-tuned to alert the business to suspicious transactions?
Due diligence, ongoing monitoring and policies and procedures
A title so clear it was taken directly from the letter itself - and clarity is where the FCA found firms lacking in their Customer Due Diligence. Vague language on what to do if risks were identified, a lack of detail on when simplified versus enhanced due diligence should be applied, and out-of-date policies and procedures to go with it were just some of the issues in the cases highlighted.
We see some of these processes fall apart when key staff leave, or where senior managers place insufficient importance on updating these policies and procedures (or on having them in the first place). On occasion, we casually hear that all AML risk is handled “elsewhere,” meaning the fund administrator (it isn’t). The firm (particularly a UK AIFM) is still responsible for that oversight, and assuming “all is well” without a thorough update of its annual due diligence questionnaire (DDQ) is not acceptable. Internal risks should still be part of the equation and, circling back to the first point, a business’s AML procedures from a year ago may not be as fit for purpose a year later.
Not all firms have the resources to dedicate hours to policy updates, nor are they always aware of deficiencies when staff are hard pressed by the constant change in regulatory requirements and scrutiny. The FCA has shown in this letter that there is no tolerance for such weaknesses - preventing financial crime and ultimately preventing investor, or customer, losses are paramount.
A quick checklist to recap:
- Are the policies in place actually relevant to the business, and will they last 12 months if there is about to be strategic or rapid growth?
- Are the key persons responsible for those policies competent, experienced, and knowledgeable enough to hold teams or staff to account if actions deviate from written policy?
- Are AML and its oversight integrated into the compliance monitoring programme?
- Are AML failings, findings or updates relayed back to senior management (i.e. governance) so that the business is aware of its own risks and mitigating actions?
Governance, training and senior management
Compliance training is usually carried out in regulated investment firms at least annually to keep staff knowledge up to date – with specific higher-risk areas or teams given extra training as needed. This was another deficiency seen by the FCA in Annex 1 firms. Training is an easy win for mitigating financial crime risks, and ensuring staff have access to the most relevant materials should reduce instances of human error around onboarding, know your customer (KYC), or even reporting suspicious behaviour.
How we help
ACA’s AML and Financial Crimes practice offers advisory services and solutions to assist financial services firms in addressing threats and regulatory obligations associated with financial crime. We work with investment advisers and broker-dealers, among others, to assess risk, develop policies and procedures, and perform independent tests and gap analyses. Our support can incorporate our ComplianceAlpha® regulatory technology and managed services to help your firm meet its data screening, ongoing monitoring, remediation and reporting needs.
Reach out to your ACA consultant, or contact us to find out how ACA can help you meet your AML requirements.