If you are an Annex 1 firm, you should be taking action in response to the Dear CEO Letter sent by the Financial Conduct Authority (FCA) on 5 March 2024. This letter is part of the FCA's strategy to reduce and prevent financial crime by addressing anti-money laundering (AML) framework failings. i.e., the failings identified in Annex 1 firms’ financial crime policies, procedures, and controls.
Annex 1 entities include lenders, safe custody providers, money brokers, and financial leasing companies, which are registered for compliance with money laundering regulations but are not otherwise authorised or regulated by the FCA.
If this is you, it is crucial that you take action to address the FCA’s concerns around the failings it identified and ensure compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The FCA expects you to conduct a gap analysis within 6 months of receiving the Dear CEO Letter.
In this edition of Ask the Expert, our financial services experts look at what the FCA says you should address in a gap analysis.
What are the findings from the FCA assessment?
The areas of weakness the FCA identified include:
Business Model
- Discrepancies were identified between firms registered and actual activities.
Expectation: If there is a change to your business details or an inaccuracy you are expected to notify the FCA within 30 days of the change or becoming aware of the inaccuracy. - Lack of financial crime controls to keep pace with business growth.
Expectation: You should have an adequate financial framework of systems, controls and resources which keep pace with the growth of your business. You should also ensure that employees are trained and that there is engagement at senior manager level.
Risk Assessment
- Absent or inadequate business-wide risk assessments (BWRA) were found resulting in firms not being able to identify the risks they are being exposed to and implement appropriate controls to act as a mitigant.
Expectation: You should review and update your BWRAs so that you can design appropriate mitigating policies, procedures, and controls to target areas of greatest risk to ensure compliance with the MLRs. - A failure by some firms to tailor their customer risk assessment (CRA) to individual customer characteristics.
Expectation: You should review your CRAs to ensure compliance with the MLRs. The FCA expects CRAs to reflect the risks identified in your BWRAs and enable you to take a holistic view of the risks associated with the customer relationship.
Due Diligence, Ongoing Monitoring and Policies and Procedures
- A lack of sufficient detail in due diligence, policies and procedures were identified along with policies that were not kept up to date. Similar issues were identified in relation to ongoing monitoring in addition to ambiguity around the measures that should be applied to monitoring.
Expectation: You should ensure that clear guidance is provided to staff in policies and procedures. Due diligence and ongoing monitoring policies should be appropriately applied to individual customers based on the risk that they pose, and customer due diligence policies should state when and how simplified customer due diligence and enhanced customer due diligence should be applied.
Governance, Management Information and Training
- It was found that some firms had inadequately resourced Financial Crime teams and that there was a lack of appropriate senior management oversight.
Expectation: Your senior management should take responsibility for managing financial crime risks and should be actively engaged in this matter rather than just considering it on an exception basis. As appropriate regarding the size and nature of your business, you should appoint a board member or a senior manager to be responsible for your firm’s compliance with the MLRs. - Inadequate training was also identified as a weakness. Role-specific training was not being provided and some training failed to cover crucial topics.
Expectation: You must ensure that your employees are given regular training so that they are aware of the law in this area and recognise how to deal with money laundering or terrorist financing situations. Your firm should also maintain records of any training given. - There was a lack of record keeping of financial crime decisions resulting in the absence of a clear audit trail to support firms’ financial crime decision-making processes.
Expectation: You should establish an independent audit function depending on the size of your firm and the nature of your business. This role should be responsible for assessing the adequacy and effectiveness of and compliance with your firm’s policies, procedures, and controls.
What actions should I take?
To respond to the FCAs call for an AML gap analysis, you should consider the following:
- Perform a gap analysis against each of the weaknesses detailed above to ensure that your firm’s policies, procedures, and controls are appropriate for the risk profile of your firm.
- Detail your findings and the remedial work required to address any gaps that have been identified.
- Ensure that there is sufficient senior management engagement to enable the tasks to be carried out effectively.
- Make sure that all documentation is kept up to date. The FCA is likely to ask you to provide your findings from your gap analysis, evidence of any actions you have taken and the status of any remedial work to be undertaken.
What if my actions are considered inadequate?
If the FCA considers your actions in response to this letter to be inadequate, it has a range of intervention tools that it can use from requiring third-party reviews to enforcement action which can result in fines or removal from the Annex 1 register.
How can we help?
Our Financial Services solicitors at Harper James can help with aspects of your gap analysis to the FCA, including:
- Queries on interpreting the MLRs, the FCA Financial Crime Guide and the Joint Money Laundering Steering Group (JMLSG) Guidance.
- Reviewing the BWRA.
- Enhancing your policies and procedures.