Major regulatory change initiatives grab the headlines, but there has been a flurry of AML fines in the last six to twelve months, combined with various announcements and guidelines from regulators across Europe regarding investment firms’ anti-money laundering processes and controls.
The FCA brought its first criminal charges for money laundering against a major high street bank, which resulted in a fine of £264.8m, and there have also been other recent large fines for inadequate customer due diligence (CDD), transaction monitoring controls, and suspicious activity identification and reporting.
What do regulators expect of asset managers?
Although it is often a challenge to identify specific requirements and expectations, particularly under principles-based regulation, global regulators have been quite direct and consistent in their messaging regarding AML controls and their expectations over the past few years. The FCA has spoken about ‘purposeful AML controls’ and issued a ‘Dear CEO’ letter to retail banks detailing common failings identified in AML frameworks. The Central Bank of Ireland issued AML Bulletin 7 in November last year, following on from its ‘Dear CEO’ letter in December 2020 highlighting failings from recent review activity.
In each of these communications the regulators have set out where they have identified failings in financial crime systems and controls and where firms should be focusing. The themes outlined cover a broad area, but some key focus areas we have picked out include:
1. Governance & Oversight:
- Three Lines of Defence: Blurring of the lines between the first and second lines – in particular, Compliance teams taking on first-line activities. Lack of testing in the second and third lines of defence.
- Entity-Level Controls: Group frameworks and controls poorly calibrated or applied to the risks of an individual entity and its customer base
- Senior-Management: Insufficient escalation processes and senior management sign-off where higher-risk factors are identified
- Management Information: Inadequate quantitative and qualitative reporting to enable effective decision making and an understanding of whether the AML framework is effective
2. Risk Assessments:
- Business-Wide Risk Assessment: Insufficient detail on inherent risks to which the firm is exposed, and inadequately evidenced assessment of control effectiveness. Firms cannot demonstrate processes and controls in place to mitigate risks
- Customer Risk Assessment: Too generic to cover different types of risk exposure and different risks between client types, products and services
- Policies and Procedures: Lack of policies and procedures that sufficiently document the approach to the completion of risk assessments and the methodology employed
3. Due Diligence:
- Outsourcing: Poor oversight of third parties performing due diligence activities, including a lack of review of the provider's policies, procedures and processes. Insufficient oversight of the provider's technology solutions and management information (MI)
- Customer Due Diligence: Measures not adequately performed, recorded or assessed – such as seeking information on the purpose and intended nature of a customer relationship and assessing whether activity is in line with expectations
4. Transaction Monitoring:
- Monitoring Systems and Solutions: Poorly calibrated for the business activities and underlying customer base. Poor tailoring and testing of systems, including data feeds, and relying on ‘off-the-shelf’ solutions and default settings
- Review of Alerts: Lack of supporting rationale for discounted alerts and lack of evidence of investigation performed
5. Suspicious Activity Reporting:
- Internal SARs: Lack of clarity in process for raising internal SARs to the nominated officer
- Reporting Process: Inadequate evidence of investigation, decision-making processes and rationale for either reporting or not reporting SARs
What should we be doing to ensure we are meeting regulators’ expectations?
In our view, firms should undertake a thorough review of recent communications from regulators and a detailed assessment against their own frameworks to identify any gaps or weaknesses. This should not be limited to direct sector communications; firms should also take the learnings from other sectors, as these often highlight areas where regulators are focusing across all business model types.
In our experience of authorisation and supervisory interactions with regulators, they continually ask whether firms have reviewed their communications, assessed their own processes and controls against the findings, and whether the relevant Boards and Committees have reviewed and discussed the findings of those reviews. Regulators also refer to identified industry good practice and assess a firm against its peers to identify outliers. We recommend taking a similar approach to reviewing internal frameworks.
Although there is always a strong compliance rationale for undertaking proactive reviews, in our experience there are also significant business advantages and efficiencies that have arisen from review activity. In recent years we have undertaken a number of projects with clients that started out as a review of regulatory requirements and expectations but led to the implementation of new technology such as screening and monitoring solutions, workflow integration and digital dashboarding. This has resulted in significant efficiencies and benefits and enabled integration of the AML framework with other frameworks, such as product governance and client onboarding.