By Gaia Udage, Principal Consultant, and Harry Bailey, Compliance Consultant
The UK’s Financial Conduct Authority (FCA) recently reviewed its portfolio of corporate finance firms (CFFs), surveying 303 firms that aren’t currently required to submit financial crime data regulatory returns. A total of 270 firms responded, 31 of which were principal firms with appointed representatives (ARs), and the findings indicated that approximately two-thirds of the respondents may not be compliant with the Money Laundering Regulations (MLR).
Key areas for improvement:
- Lack of business-wide risk assessment: 11% reported that they have no documented business-wide risk assessment. Without this assessment, firms are more susceptible to money laundering and other forms of financial crime
- Missing CDD evidence: 10% reported that they have not retained documented evidence of customer due diligence (CDD)
- Gaps in risk assessments for ARs: 29% of principal firms reported that they don’t assess the financial crime risks inherent to their ARs, with 6% further reporting that they don’t conduct audits or on-site visits, or otherwise monitor their ARs’ compliance with financial crime regulations.
Areas of good practice:
- Regular reporting to senior management: 97% stated that they regularly report to senior management on financial crime matters
- Using a form to assess customer risk: 72% reported that they use a customer risk assessment form
- Risk register and management information: Some of the interviewed firms indicated that they regularly assess and document the risks to which the firm is exposed, thereby maintaining a live register of risks and mitigating measures. Others also indicated using detailed management information to increase financial crime controls.
The FCA’s observations
Through its survey findings, the FCA has highlighted the following focus areas in line with MLR requirements.
Business-wide risk assessments
FCA-regulated firms must take appropriate steps to identify and assess the risks of money laundering and terrorist financing that they’re exposed to. These firms must have a documented business-wide risk assessment to comply with the MLR.
Customer risk assessments
Most firms reported that they build close and enduring business relationships with their clients, enabling them to develop a good understanding of the nature and requirements of those clients. Under the MLR, firms also need to have documented assessments of the risks posed by their clients; they cannot just rely on close relationships to develop an understanding of client risk.
Customer and enhanced due diligence
Strong and long-standing client relationships are central to many CFFs’ business models. However, these relationships cannot replace up-to-date written records of due diligence, including customer screening. Firms must maintain records of CDD and, where appropriate, enhanced due diligence (EDD).
Ongoing monitoring
Firms must conduct ongoing monitoring of their customers, both in terms of analysing transactions and conducting periodic reviews to keep due diligence records up to date.
Transaction monitoring
Many firms reported that they don’t deal with client funds, so transaction monitoring may be less applicable to them. However, firms should consider the sources of all funds they receive, including engagement fees and other administrative payments.
Appointed representatives
The FCA’s rules require firms to effectively oversee the regulated activities carried out by ARs to prevent harm to consumers and the market. Principal firms are required to set up and implement specific policies and procedures to manage the financial crime risks associated with their ARs, including:
- Financial crime risk assessments
- On-site visits or audits (where appropriate).
Next steps
The survey data is being used by the FCA to supervise its CFF portfolio and intervene where firms are falling short. All firms must consider these findings and address any gaps in their financial crime control frameworks.
The FCA is writing to firms who’ve failed to meet regulatory expectations in order to set out the immediate remedial actions expected. The regulator will also follow up with some of these firms in due course to understand what remedial actions have since been taken.