Examples of good and poor practices provide helpful guidance, and a reminder of supervisory expectations.
The FCA has published TR18/3, setting out the findings from its thematic review of the anti-money laundering (AML) and counter-terrorist financing (CTF) systems and controls in 13 Electronic Money Institutions (EMIs). Although the review only focused on EMIs, the findings have wider read-across and therefore are of interest to all firms within scope of the Money Laundering Regulations 2017 (MLRs 2017).
Indeed, given the FCA’s current focus on financial crime as a priority area in its supervisory (and enforcement) activities — and the fact that updating policies and procedures to reflect changes brought about by the MLRs 2017 perhaps may have been overlooked by some — now is a good time for firms to reflect on AML and CTF systems and controls and check that they are up to date and meeting expectations.
The Context of the Review
The MLRs 2017 entered into force on 26 June 2017, and brought about two key changes specific to EMIs:
- First, the monetary thresholds below which EMIs are not required to apply customer due diligence (CDD) measures to transactions (provided their product meets certain conditions) were reduced compared with those in the Money Laundering Regulations 2007.
- Second, where a transaction is above the thresholds but the product still meets the relevant conditions, EMIs may apply simplified due diligence in prescribed circumstances, and where they have assessed the risk to be low.
The purpose of the thematic review was to increase the FCA’s knowledge of EMIs’ compliance with the MLRs 2017 and, in particular, the specific new rules.
The FCA found that there was a positive culture within EMIs around AML and CTF issues, a good awareness and understanding among the EMIs of their financial crime obligations, and that most EMIs demonstrated a low risk appetite. The FCA provided all firms that participated in the review with individual feedback, and did not need to deploy formal supervisory tools to remedy any issues uncovered by the review.
Good and Poor Practices
The FCA has presented its findings, and set out high-level examples of good and poor practices witnessed as part of the review. These findings are not specific to the e-money sector, however, and can be read across to all firms in scope of the MLRs 2017:
- Governance, culture, and management information: firms need to document their AML and financial crime risk appetite and should ensure that senior management is receiving appropriate management information relating to financial crime risks. The production of an annual MLRO report was found to be helpful for communicating issues and outcomes, which the FCA considered as good practice.
- Business-wide risk assessment: the risk assessment needs to be under constant review, be performed for every product, and should be challenged and signed off by senior management. The FCA found that the involvement of senior management in the assessment process results in a higher quality risk assessment and means that the risk assessment holds greater weight within the firm.
- Customer risk assessment: the FCA found that customer risk assessments were not always being performed, and if they were, there were occasions when identifying a client as higher risk did not trigger the appropriate enhanced due diligence (EDD) and enhanced on-going monitoring obligations. The FCA reiterates that risk assessments must cover all customer types and involve a practical method to establish risk ratings to ensure that firms apply the appropriate level of CDD to all customers.
- Policies and procedures: must be risk-based, up to date, commensurate with the size and nature of the business, and signed off by senior management.
- Outsourcing of CDD: when firms outsource the performance of CDD measures to service providers, firms must perform on-going monitoring of the quality of the CDD being performed. Firms retain ultimate responsibility for the CDD performed by the service providers. The FCA commended firms that had robust audit systems in place for outsourced service providers involving regular and planned assessments, including on-site visits, face-to-face visits, and file checks at the outsourced service provider’s premises.
The FCA also commended firms that were using geolocation technology to verify a customer’s location for non-face-to-face relationships. Geolocation technology assists in detecting cases of multiple and potentially fraudulent applications for accounts from the same IP address. In practice an IP match is a risk signal to be investigated rather than proof of a link, since shared corporate or mobile network addresses and VPNs can place unrelated applicants behind one IP address.
- EDD: firms should be running politically exposed person (PEP) and sanctions screens in all cases, and should apply EDD whenever a PEP is identified. The FCA reiterated its guidance that UK PEPs should be treated as lower risk, and can therefore be subject to a lighter form of EDD, unless the UK PEP presents other high-risk factors.
- On-going monitoring: the FCA is not prescriptive as to how on-going monitoring is done, but favours electronic methods so that firms can check a greater volume of transactions and relationships. The FCA found that large firms benefit from a rules-based application that generates alerts for unusual activity in real time.
- Training, communication, and awareness: face-to-face training on AML and CTF risks, including case studies with a final assessment twice a year, was noted as good practice. The FCA considered training focusing only on reporting of suspicious transactions too basic, and this was marked as poor practice.
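As an added illustration of the two techniques the FCA singles out above, rules-based monitoring that raises alerts in real time and a same-IP check over account applications, the following is example code written for this article; it is not the FCA’s or any firm’s system. The window, the velocity and shared-IP limits, the near-threshold "structuring" rule, the customer and applicant identifiers and the event data are all constructed assumptions for the demonstration; a firm would set its own thresholds from its business-wide and customer risk assessments.

```python
"""Rules-based monitoring over a stream of constructed events (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    customer: str
    ts: datetime
    amount: float      # single currency unit; values are constructed for the demo


@dataclass(frozen=True)
class Application:
    applicant: str
    ts: datetime
    ip: str            # source IP at submission; drives the shared-IP rule


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str       # customer id or IP address
    detail: str


class Monitor:
    """Scores each event on arrival against a sliding window per subject.
    Events are assumed to arrive in time order for a given subject."""

    def __init__(self, window=timedelta(hours=24), velocity_limit=5,
                 threshold=1000.0, margin=0.10, shared_ip_limit=3):
        # All limits are illustrative assumptions, not regulatory figures.
        self.window, self.velocity_limit = window, velocity_limit
        self.threshold, self.margin = threshold, margin
        self.shared_ip_limit = shared_ip_limit
        self._txns = defaultdict(deque)   # customer -> recent Txn
        self._apps = defaultdict(deque)   # ip -> recent Application

    def _trim(self, dq, now):
        # Drop events that have aged out of the window.
        while dq and now - dq[0].ts > self.window:
            dq.popleft()

    def on_txn(self, txn):
        alerts = []
        dq = self._txns[txn.customer]
        dq.append(txn)
        self._trim(dq, txn.ts)
        # Rule 1: transaction velocity within the window.
        if len(dq) > self.velocity_limit:
            alerts.append(Alert("velocity", txn.customer,
                                f"{len(dq)} transactions within {self.window}"))
        # Rule 2: structuring - several amounts just under the threshold that
        # together exceed it, the classic pattern for evading a limit.
        low = self.threshold * (1 - self.margin)
        near = [t for t in dq if low <= t.amount < self.threshold]
        if len(near) >= 2 and sum(t.amount for t in near) >= self.threshold:
            alerts.append(Alert("structuring", txn.customer,
                                f"{len(near)} amounts just under {self.threshold:.0f}"))
        return alerts

    def on_application(self, app):
        dq = self._apps[app.ip]
        dq.append(app)
        self._trim(dq, app.ts)
        # Rule 3: distinct applicants sharing one source IP within the window.
        distinct = {a.applicant for a in dq}
        if len(distinct) >= self.shared_ip_limit:
            return [Alert("shared_ip", app.ip, f"{len(distinct)} applicants")]
        return []


def run_demo():
    """Feed constructed events through the monitor and return the alerts."""
    t0 = datetime(2018, 7, 2, 9, 0)
    m = Monitor()
    txns = [
        # C1: three payments just under the 1000 threshold within two hours.
        Txn("C1", t0, 950.0), Txn("C1", t0 + timedelta(hours=1), 980.0),
        Txn("C1", t0 + timedelta(hours=2), 960.0),
        # C2: six small payments in an hour, tripping the velocity limit.
        *[Txn("C2", t0 + timedelta(minutes=10 * i), 20.0) for i in range(6)],
        # C3: two near-threshold payments two days apart; outside the window.
        Txn("C3", t0, 950.0), Txn("C3", t0 + timedelta(hours=48), 970.0),
    ]
    apps = [
        Application("A1", t0, "203.0.113.7"),
        Application("A1", t0 + timedelta(minutes=1), "203.0.113.7"),  # resubmission
        Application("A2", t0 + timedelta(minutes=2), "203.0.113.7"),
        Application("A3", t0 + timedelta(minutes=3), "203.0.113.7"),
        Application("A4", t0 + timedelta(minutes=4), "198.51.100.9"),
    ]
    alerts = []
    for txn in txns:
        alerts.extend(m.on_txn(txn))
    for app in apps:
        alerts.extend(m.on_application(app))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Two design points are worth noting. The sliding window is what makes this "real time": each event is scored as it arrives, and C3’s two payments produce nothing because the first has aged out, whereas a batch job over a month would have paired them. The shared-IP rule counts distinct applicants, so A1’s resubmission does not inflate the count, and the alert it raises is a lead for a reviewer, not a determination of fraud.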
Firms should consider the good and poor practices highlighted by the FCA, and evaluate their own policies and procedures against these. In light of the current regulatory climate, firms should also consider how they have updated policies and procedures to reflect the MLRs 2017, and whether they are confident that policies and procedures are sufficiently robust and effective.