By Nicky Green - Advisory Director | 03/11/2025

Financial crime oversight – why all firms should pay attention to the FCA’s latest survey results


Last month, the FCA published a press release highlighting gaps in financial crime oversight arrangements. Whilst the press release pointed to work the FCA has done surveying corporate finance firms, the messages resonated with us in the context of the work we do with other types of firms. The survey results have some key messages that all firms should reflect on, particularly given the FCA’s focus on Financial Crime.

 

Business Wide Risk Assessments

The FCA found that 11% of the firms surveyed had no documented business wide risk assessment (BWRA) in place. Having a BWRA in place is a requirement of the Money Laundering Regulations and a good BWRA is essential in enabling a firm to understand the financial crime risks it faces. It’s important to remember that a BWRA isn’t a one-time event – it needs to be maintained and updated regularly to take account of changing internal and external risks. The FCA note this in their survey results, highlighting the maintenance of a ‘live’ BWRA as an example of good practice they observed during their work with corporate finance firms.

Beyond regulatory requirements and FCA expectations, it also makes operational and commercial sense to have a good understanding of the financial crime risks you face. Without that understanding, how can you be sure that you’re directing resources in an efficient and effective way to manage your financial crime risk?

Even though the need for a good BWRA is generally understood across all sectors, we still work with a large number of firms where there either is no BWRA in place or where it’s inadequate or not properly maintained. All firms should take the opportunity to consider whether their own BWRA would stand up to regulatory scrutiny.

 

Customer Risk Assessment

All firms subject to the Money Laundering Regulations are required to assess the risks posed by customers with the assessment informing the financial crime controls needed to manage those risks. The FCA notes in their survey findings that the nature of corporate finance business means that there is often a close and enduring working relationship between the firm and the client, so the firm will often know the client very well. However, it also notes that 27% of the firms surveyed reported that they don’t use a customer risk assessment form.

Whilst the use of a form for assessing customer risk is not a specific requirement, doing so can add structure and consistency to the process. Without a structured approach to assessing customer risk that takes account of the underlying risk factors, it’s very difficult to demonstrate that the firm applies the same risk assessment standards to all customers. It’s also difficult to demonstrate that the risk controls applied to each customer are appropriate to the risk that the customer poses.

As with the BWRA, we still find firms that don’t use a structured approach to assessing customer risk, with some firms thinking that close client relationships mean that there is no need for it. We also find some firms that use structured customer risk assessments, but with a process that skims the surface of risk, not taking proper account of things like occupation or jurisdiction risk. All firms should take the opportunity to review their customer risk assessment process and consider whether it underpins effective financial crime risk management arrangements.

 

Evidence of control operation

The FCA survey results reported that 10% of respondents indicated that evidence of customer due diligence is not routinely retained. The FCA points again to the “strong and long-standing client relationships” that many corporate finance firms have, but highlights that this doesn’t mean that up-to-date written records of customer due diligence aren’t needed.

This is something we often see with wealth management and financial planning firms, where the adviser may have a very long-standing relationship with the client, knowing their background well enough to have confidence in their identity and source of funds. Indeed, this type of close relationship can make it more difficult to re-verify customer identity, because the adviser may be reluctant to request up-to-date due diligence documentation for fear of offending the client. However, this always brings us back to an old adage that’s a favourite amongst the regulatory community – “if it’s not written down, it didn’t happen”.

Every firm should make sure that it has controls in place to record evidence of customer due diligence to enable it to demonstrate that it has managed the financial crime risk posed by the customer. Knowing a customer really well just doesn’t meet the brief; you need to have hard evidence of checks being carried out that align with the firm’s processes and controls.

 

Third party risk

The survey results also touch on the risk that Appointed Representative (AR) relationships bring, highlighting failures among the principal firms in the surveyed population to carry out a financial crime risk assessment on their ARs. The survey also highlighted failures in the oversight of the AR arrangements – something that has been a general regulatory focus for several years now. Whilst this feedback directly impacts those firms with ARs, it also has read-across to firms that rely on third parties to operate financial crime controls. A platform firm won’t necessarily be responsible for the regulated activities of an IFA user in the same way that a principal firm will be for an AR. However, if it relies on customer due diligence carried out by the IFA, the platform is effectively relying on a third party to help it meet its own regulatory obligations.

We often see cases of principal-AR relationships or more general third-party reliance where the firm acting as principal or relying on the other firm does so without real oversight or challenge of the AR or third party. In any of these circumstances, the firm must understand the risk that the AR or third party brings to it and satisfy itself that robust controls are in operation to manage that risk. In the case of an AR arrangement, we would generally expect the principal to specify the standards that the AR must adhere to and to monitor that it is doing so. In the case of third-party reliance, the firm won’t necessarily have the ability to set standards for the other firm to work to, but it should at least assess the processes and controls that the third party operates to ensure that they align with the firm’s expectations. The firm should also oversee the operation of those controls with respect to the shared clients, to ensure that the controls are working as intended.

All firms should take the opportunity to ensure appropriate consideration of third-party arrangements as part of BWRA and control frameworks, including ensuring appropriate oversight of associated financial crime risk management.

 

How Square 4 can support

We can help you with reviewing the appropriateness and effectiveness of your current financial crime control framework or we can help you to build new controls. We have expertise in supporting firms with all aspects of financial crime, including BWRA, building controls, testing effectiveness of existing controls, calibration, testing of ongoing monitoring arrangements and general financial crime health checks. Reach out if there’s any aspect of your financial crime framework that you’d like to discuss.

Nicky Green – Author & Advisory Director 

Chloe Curtis – Principal Consultant 
