Preventing the use of the legitimate financial system to launder the proceeds of crime continues to be a priority area for the UK’s Financial Conduct Authority (FCA).[1] As an authorized firm, you’re expected to implement proportionate and effective systems and controls to identify and mitigate the risk of your business being used for illicit purposes. Falling short of the regulator’s expectations could result in your organization facing serious financial penalties.
In this article we’ll review fines issued by the FCA over the last year to help you understand key pitfalls to avoid.
In 2023, almost 40 percent of the total value of fines published by the FCA arose from authorized firms’ breaches of their financial crime obligations, amounting to a total of £20,618,700.[2] In 2024, regulatory interest in firms’ efforts to detect and prevent financial crime shows no signs of waning. The FCA has signaled its intention to raise standards in authorized firms, both through more proactive assessments and increased focus on investigating and prosecuting offenders.[3] Enforcement decisions thus offer valuable guidance in understanding what firms’ obligations look like in practice and serve as a timely reminder as we approach this next critical juncture in the compliance calendar.
Both the FCA’s rules and the relevant regulations[4] require firms to adopt a risk-based approach to the management of financial crime risk. This means you must:
Moreover, you must periodically review your systems and controls to account for emerging risks to the business, and to ensure your measures remain appropriate.
Poor management of financial crime systems and controls can manifest in various ways—and, invariably, expose you to both regulatory and reputational consequences. Financial penalties imposed by the FCA over the last 12 months revealed several issues across the compliance spectrum.
On a sliding scale of one to five (the higher the level, the more serious the breach), each of the four cases reviewed below was assessed as being at level four, evidencing serious or systemic weaknesses that created a significant risk of financial crime. Below are recurrent themes throughout these cases that you should be aware of as you head into 2024.[5]
In one case, the lack of a business-wide risk assessment (BWRA) meant that the firm was unequipped to make informed, risk-based decisions when identifying, assessing, and managing financial crime risk. This was a crucial step in properly addressing the risks associated with individual business relationships and transactions. Though a risk management framework was in place, this could neither substitute for nor compensate for the absence of such a critical document. Failure to identify the risks faced by the firm meant that subsequent measures could not be properly aligned, nor could such measures take account of the higher-risk factors that the firm had to mitigate.
Similarly, the FCA found on several occasions that, in the absence of a proper customer risk assessment (RA), firms were unlikely to be apprised of the risks posed by their customers. Criticisms were levelled at:
A thorough customer RA assists firms in determining the correct level of customer due diligence (CDD) to be applied, including whether enhanced due diligence (EDD) is warranted, both at onboarding and throughout the customer relationship. Unsurprisingly, the shortcomings detailed above carried implications for the quality of CDD and EDD measures applied thereafter.
The FCA highlighted instances where:
Poor quality client information obtained at onboarding compounded deficiencies in firms’ review processes. Key findings included:
Penalty decisions illustrate not only the regulatory consequences of poor compliance, but also the harms that such failures can produce. The FCA expressed concerns over several ‘red flags’ that were missed or ignored because of the weaknesses identified. Examples included:
The FCA’s recent enforcement actions serve as a potent reminder to firms as to what an effective financial crime program ultimately seeks to achieve. As articulated by the regulator:[6]
"Money laundering is not a victimless crime. It is used to fund terrorists, drug dealers, and people traffickers as well as numerous other crimes. If firms fail to apply money laundering systems and controls, they risk facilitating these crimes.
As a result, money laundering risk should be taken into account by firms as part of their day-to-day operations, including those in relation to the development of new products, the taking on of new clients and changes in its business profile. In doing so, firms should take account of their customer, product, and activity profiles and the complexity and volume of their transactions."
The cases highlight the fact that a one-size-fits-all approach to financial crime risk management is not sufficient. Rather, you need a dynamic risk and control framework that’s tailored to your customers, products, and transactions. Anything less could leave your organization exposed to the risk of facilitating financial crime, and costly regulatory and reputational consequences.
Sources:
1. https://www.fca.org.uk/publications/business-plans/2023-24
2. https://www.fca.org.uk/news/news-stories/2023-fines. The total value of fines published by the FCA in 2023 amounted to £52,802,900.
3. https://www.fca.org.uk/publications/business-plans/2023-24
4. In particular, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (often referred to as the MLR).
5. Enforcement decisions reviewed here are contained in Final Notices dated 10 Jan 2023; 11 Jan 2023; 12 July 2023; and 29 Sept 2023.
6. See Final Notice dated 12 July 2023 at [4.11]-[4.12].