Preventing the use of the legitimate financial system to launder the proceeds of crime continues to be a priority area for the UK’s Financial Conduct Authority (FCA).1 As an authorized firm, you’re expected to implement proportionate and effective systems and controls to identify and mitigate the risk of your business being used for illicit purposes. Falling short of the regulator’s expectations could result in your organization facing serious financial penalties.
In this article we’ll review fines issued by the FCA over the last year to help you understand key pitfalls to avoid.
Financial crime obligation breaches cost firms over £20 million in fines
In 2023, almost 40 percent of the total value of fines published by the FCA arose from authorized firms’ breaches of their financial crime obligations, amounting to a total of £20,618,700.2 In 2024, regulatory interest in firms’ efforts to detect and prevent financial crime shows no signs of waning. The FCA has signaled its intention to raise standards in authorized firms, both through more proactive assessments and increased focus on investigating and prosecuting offenders.3 Enforcement decisions thus offer valuable guidance in understanding what firms’ obligations look like in practice and serve as a timely reminder as we approach this next critical juncture in the compliance calendar.
Both the FCA’s rules and the relevant regulations4 require firms to adopt a risk-based approach to the management of financial crime risk. This means you must:
- identify and understand the money laundering, terrorist financing, and proliferation financing risks your business faces;
- design systems to mitigate these risks; and
- prioritize and allocate resources to those areas where the risks are most acute.
Moreover, you must periodically review your systems and controls to account for emerging risks to the business, and to ensure your measures remain appropriate.
Fines in 2023: common challenges
Poor management of financial crime systems and controls can manifest in various ways—and, invariably, expose you to both regulatory and reputational consequences. Financial penalties imposed by the FCA over the last 12 months revealed several issues across the compliance spectrum.
On a sliding scale of one to five—the higher the level, the more serious the breach—each of the four cases reviewed below was assessed as being at level four, evidencing serious or systemic weaknesses that created a significant risk of financial crime. Below are recurrent themes throughout these cases that you should be aware of as you head into 2024.5
1. Inadequacy of business-wide and individual risk assessments
In one case, the lack of a BWRA meant that the firm was unequipped to make informed, risk-based decisions when identifying, assessing, and managing financial crime risk. This was a crucial step in properly addressing the risks associated with individual business relationships and transactions. Though a risk management framework was in place, this could neither substitute nor compensate for the absence of such a critical document. Failure to identify the risks faced by the firm meant that subsequent measures could not be properly aligned, nor could such measures take account of the higher-risk factors that the firm had to mitigate.
Similarly, the FCA found on several occasions that, in the absence of a proper customer risk assessment (RA), firms were unlikely to be apprised of the risks posed by their customers. Criticisms were levelled at:
- ‘Formulaic’ customer RAs that provided inadequate narratives as to how risk ratings had been applied. Lack of analysis regarding the impact that CDD information had on the customer relationship meant that the rationale for both initial and ongoing risk ratings was unclear.
- ‘Rudimentary’ risk matrices that failed to enable an understanding of the ‘full picture’ of financial crime risks associated with a customer.
- Failures to gather essential information, including in relation to the purpose and intended nature of the business that prospective customers were going to undertake; the likely size or frequency of their intended transactions; their source of wealth; and their source of funds.
2. Insufficient know your customer (KYC), customer due diligence (CDD), and enhanced due diligence (EDD)
A thorough customer RA assists firms in determining the correct level of CDD to be applied, including whether EDD is warranted, both at onboarding and throughout the customer relationship. Unsurprisingly, the shortcomings detailed above carried implications for the quality of CDD and EDD measures applied thereafter.
The FCA highlighted instances where:
- Reliance had been placed on due diligence carried out by financial institutions in jurisdictions which did not have UK/EU-equivalent AML requirements; and staff had received no clear guidance on the information required to be obtained as a prerequisite to onboarding.
- CDD was not kept up to date, thereby preventing an assessment as to whether the risks posed by customers had changed—and whether they had increased.
- No EDD had been completed in circumstances where the customers represented a significant departure from the firm’s usual institutional and regulated client base; were not physically present for identification purposes; and where several other risk factors were present.
3. Lack of ongoing monitoring and periodic review
Poor quality client information obtained at onboarding compounded deficiencies in firms’ review processes. Key findings included:
- KYC periodic reviews that were insufficient to adequately reassess the customer relationship for changes in the risk profile. Review forms consisted of a 'cut and paste' of the original information provided by the customer, and were signed off despite lack of adequate EDD, missing documents and discrepancies on file.
- Inadequate periodic CDD and EDD reviews, where the frequency of reviews was determined not by the risk rating of a customer, but rather by trigger events.
- Inadequate resourcing, where staff were pressured to prioritize the opening of new accounts over the periodic review of existing accounts.
- Inadequate monitoring of customer transactions, where transaction monitoring parameters reflected a one-size-fits-all approach and were not specific to the types of customers and sectors serviced by the firm. Information about anticipated account activity was not retained in the firm’s internal systems, thereby inhibiting analysis of a customer’s expected versus actual activity.
4. 'Red flags’ missed
Penalty decisions illustrate not only the regulatory consequences of poor compliance, but also the harms that such failures can produce. The FCA expressed concerns over several ‘red flags’ that were missed or ignored because of the weaknesses identified. Examples included:
- Acceptance of large cash deposits that exceeded anticipated activity on the account, in circumstances where the cash had originated from overseas withdrawals and/or the customer was associated with higher risk jurisdictions. Staff were overreliant on uncorroborated customer explanations regarding source of wealth and source of funds, together with limited documentation from non-EEA financial institutions which provided little information.
- Complex trading executed on behalf of customers whose profiles indicated they were highly unlikely to meet the scale and volume of the purported trading.
- Circular patterns of extremely high value over-the-counter equity trading, back-to-back securities lending arrangements and forward transactions, in circumstances where the trades had no apparent economic purpose except to transfer funds from one entity to associated parties.
Towards effective compliance
The FCA’s recent enforcement actions serve as a potent reminder to firms as to what an effective financial crime program ultimately seeks to achieve. As articulated by the regulator:6
"Money laundering is not a victimless crime. It is used to fund terrorists, drug dealers, and people traffickers as well as numerous other crimes. If firms fail to apply money laundering systems and controls, they risk facilitating these crimes.
As a result, money laundering risk should be taken into account by firms as part of their day-to-day operations, including those in relation to the development of new products, the taking on of new clients and changes in its business profile. In doing so, firms should take account of their customer, product, and activity profiles and the complexity and volume of their transactions. "
The cases highlight the fact that a one-size-fits-all approach to financial crime risk management is not sufficient. Rather, you need a dynamic risk and control framework that’s tailored to your customers, products, and transactions. Anything less could leave your organization exposed to the risk of facilitating financial crime, and costly regulatory and reputational consequences.
2. https://www.fca.org.uk/news/news-stories/2023-fines. The total value of fines published by the FCA in 2023 amounted to £52,802,900.
4. In particular, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (often referred to as the MLR).
5. Enforcement decisions reviewed here are contained in Final Notices dated 10 Jan 2023; 11 Jan 2023; 12 July 2023; and 29 Sept 2023.
6. See Final Notice dated 12 July 2023 at [4.11]-[4.12].