The FCA recently published a speech by Sarah Pritchard, the Executive Director of Markets and International, from the Future of Non-Financial Risk and Control across the 3 Lines of Defence (XLOD Global, New York). In this speech, Ms. Pritchard alluded to the need for regulators to act promptly when they are alerted to new threats on the horizon.
Regulators do not operate on the front line in the same way as law enforcement or financial institutions do. Financial services firms aim to ensure positive relationships with the regulator by demonstrating effectiveness in their financial crime control frameworks in order to build trust. Law enforcement and financial services businesses therefore have the greatest opportunity, supported by technology partners, to make the greatest difference in helping to prevent financial crime or, at a minimum, to detect and report it, to bring those responsible to account and create a “brighter world”.
Ms. Pritchard acknowledges this point when suggesting financial crime controls are most effective if they are calibrated to the current threats and risks, and places focus on the first line of defence, asking them to self-diagnose through exploratory questions:
❗How often do you review the threats and risks and controls in place to mitigate these?
❗How does your company identify potential threats?
❗Are there feedback arrangements between departments on the front line who may experience financial crime first hand and other financial crime functions?
❗Are you updating and revisiting your controls in line with changes in threat? Are these agile?
❗Are you raising customer awareness of risks?
❗Are you thinking about how financial crime risks can be reduced when new products or services are designed?
❗Have you considered Consumer Duty requirements when considering the design, implementation and operation of Financial Crime controls from the outset?
The focus is important for two reasons. Firstly, financial institutions have faced an unprecedented period of regulatory change, whether that be the Money Laundering Regulations or the evolution of sanctions in response to the Russian invasion of Ukraine, which has led to controls being assessed primarily with a compliance focus. This is often seen as a compliance remit. Feedback received in respect of the recent review of the ML/TF regulatory regime suggests that a literal translation approach may have led to a tick-box implementation, and experience shows us that organisations have implemented expensive off-the-shelf solutions that may help them to demonstrate compliance, but this does not mean these controls are truly effective.
Secondly, there has been a shift in approach by the government, as highlighted by the latest Economic Crime Plan (2023-2026), which indicates a move to an outcomes-focused approach aiming to drive resource towards agreed priorities (which may translate to ‘threats’). This is refreshing and a positive step. In order to achieve this, we need to look at both first and second lines of defence to support the outcomes that will result in a reduction in financial crime. How can we best achieve this?
At the heart of a threat will be a typology (a classification or categorisation based on its characteristics or features) and associated modus operandi (the method or patterns of operation, techniques, tactics or behaviours). These cannot be identified or understood without relevant intelligence or through deeper analysis or investigation.
Whilst intelligence is provided by regulators and law enforcement bodies, a vast quantity of high-quality intelligence is published by wider public and private bodies. What if they miss something they ‘ought to have known’? Resource is not infinite, so how do organisations prioritise their focus? How do they translate the unstructured intelligence?
Even where organisations are able to dedicate sufficient resource to horizon scanning or threat intelligence activities, we frequently identify problems linked to the difficulties associated with translating the intelligence into risk indicators. This in turn may lead to risks being unmitigated, pressure on poorly designed controls and, at worst, gaps leading to threats crystallising, which can be catastrophic. Whilst it is great to see the government plans, which include greater attention and intent to agree common standards on risk indicators, organisations may not be able to ‘wait-and-see’ before taking action. How can organisations avoid failures?
The cause of high blood pressure may differ from patient to patient and therefore requires the doctor to tailor the medication or treatment individually. Similarly, not all threats will apply to each organisation in the same way, due to differences in organisations’ relative size, where they operate, the products and services they offer and the types of customers they serve. So too, organisations will need to tailor the controls they implement according to the unique threats, risks and their associated risk level. Implementing downstream controls in a ‘plug and play’, ‘out-of-the-box’ manner, without adequate understanding of the inherent threat and risk landscape and of how this is impacted by the system or control you seek to implement, can lead to failures and, in turn, to poor customer outcomes and, at worst, harm, which the UK's Consumer Duty aims to prevent.
The Business-Wide Risk Assessment is the primary opportunity for firms to identify the relevant threats they face, drawing upon available intelligence and assessing the probability and impact of threats. By structuring this into relevant risk indicators, organisations can start to identify their priorities for control design, control operation and control oversight (which the author also alludes to as a weakness when discussing the FCA’s sanctions oversight workstream), whilst also using this capability to understand cross-framework control effectiveness and so establish better outcomes.
Acuminor is a financial crime intelligence business. By gathering, analysing and translating this complex intelligence landscape into threats and risks, our solutions enable an intelligence-led Business Risk Assessment, allowing you to work in partnership across both first and second line, considering compliance requirements while also helping you diagnose your specific threats and risks fast. In turn, the platform, Risk Assessment Professional, enables your organisation to assess the effectiveness of your existing control framework and, where required, identify how this can be augmented through its design or operation, underpinned by a high-quality evidence base.
If you’d like to speak to the Acuminor team about how we might be able to support you or your organisation please contact sales@acuminor.com and check out acuminor.com