Measuring the Maturity of Your FinCrime Compliance Programme

Through their recent communications, the Financial Conduct Authority (FCA) and Central Bank of Ireland (CBI) map out clear supervisory expectations of how financial services firms should manage their growth alongside their risk management framework and governance arrangements. Often the framework does not keep pace with the growth in business activities, with strategic ambitions outpacing both the control framework and the capacity to operate it.

Considering the rapidly changing environment and emerging risks that the industry faces, firms need to proactively manage the alignment of growth and compliance. To ensure the safety and soundness of firms and to protect their consumers, it is incumbent on firms to assess that their controls and governance model are fit for purpose and support the level of maturity of their operations.

FINTRAIL Maturity Model

FINTRAIL uses a bespoke Maturity Model to assess maturity levels across different aspects of a firm’s anti-financial crime (AFC) programme. This enables firms to review their operational effectiveness and identify potential capabilities they need to develop or acquire. Firms can also use the model to systematically analyse and assess their progress over time.

Key areas for a financial institution to consider when conducting a maturity assessment of its AFC programme:

  1. Control framework

  2. Documentation and record retention

  3. Governance framework

  4. Staff expertise

  5. Group-wide fincrime awareness

  6. Second and Third Lines of Defence structure

Additional areas where a maturity assessment can be conducted:

  1. Roles and responsibilities

  2. Regulatory, AML and sanctions policy awareness

  3. Audit and conformance structure

  4. Whistleblowing

  5. Learning and development

  6. Systems and controls assessment

  • Due diligence

  • Screening

  • List reviews

  • Transaction monitoring

Below are the definitions that can be applied to measure the maturity levels of areas within the scope of the assessment:

  1. Intelligent - The firm has adopted measures which are capable of meeting both interim and strategic requirements and are tailored to meet all kinds of scenarios. The firm has invested in good governance and has knowledgeable subject matter experts at the forefront of decision making. The firm conducts regular reviews of its policies and procedures, and its three lines of defence structure is well defined and fully functional.

  2. Integrated - The firm has adequate levels of controls to meet regulatory expectations and has robust validation through second and third lines controls. It has an adequately resourced team of anti-financial crime experts supporting all its business teams, with a good understanding of commercial aspects of the business. It conducts regular validation of its three lines of defence structure.

  3. Defined - The firm has sufficient controls to meet the minimum regulatory requirements with a scope for review on a periodic basis. The firm has a formal approach to decision making and has a good awareness of the requirements for its anti-financial crime framework. It has a relatively small team of financial crime experts who are not necessarily at the senior management or decision making level.

  4. Fragmented - The firm has some of the required financial crime controls in place but needs to develop consistency around governance and decision making, and to expand and develop its processes to work beyond crisis management. It also still needs to introduce assurance and quality validation by the second and third lines of defence. The firm requires more expert resources to support all the relevant operational disciplines.

  5. Ad-hoc - The firm has basic levels of controls to combat financial crime. It has poor documentation and governance controls which require immediate review. The firm also lacks the required internal expertise and does not have a defined three lines of defence model.

Why use a maturity model

  1. Current state assessment - A maturity assessment can help a firm to assess the current state of its framework, or a particular aspect of its products and services. It enables the firm to check whether it is doing well enough to meet minimum regulatory requirements for fighting financial crime. It gives the firm an overview of how well its framework holds up under stress and can help it prepare for adverse situations such as disaster recovery.

  2. Effectiveness - Senior management can identify redundant or ineffective controls, enabling them to redeploy resources to achieve efficiency gains and make the anti-financial crime programme more effective.

  3. Overview of controls - The maturity model gives a bird’s-eye view of the firm’s controls and reveals if the framework is complete or if there are gaps.

  4. Area for enhancements - The model identifies any areas that require attention and lets firms prioritise development areas and remediation exercises accordingly, in order to achieve higher maturity levels.

  5. Better project management - The output from the maturity model can allow firms to apply ‘lessons learned’ and plan future projects in an effective and efficient manner.

  6. Assessing progress - The assessment provides an objective view of a firm’s process and framework, which enables it to measure its future progress according to objective, consistent evaluation factors.

Difference between a maturity model and a risk assessment

As part of AML regulations, firms are required to complete periodic risk assessments to identify their risks and review their control frameworks. Per the Financial Conduct Authority (FCA) Handbook (SYSC 4.1.1), all entities are required to conduct a risk assessment which will help them to identify the financial crime risks to which they are exposed and to assess their controls.

A maturity model assessment is advised as part of the FCA IT Maturity Assessment under MiFID II general guidance. The output from a maturity assessment is designed to feed an enterprise-wide risk assessment by identifying areas of risk in advance. It helps firms prioritise the areas of immediate concern, and integrates closely with other operational risk frameworks so that the issues identified can be remediated.

Examples of a good and bad maturity model


FINTRAIL’s maturity assessment process

For our assessment process, FINTRAIL reviews the areas within the scope of the maturity model against the benchmark established by industry peers and the minimum standards of operational effectiveness outlined in the relevant regulations. The steps taken are as follows:

  • Identification of scope and the areas for review

  • Agreement of the factors to be used to rate maturity levels

  • Project initiation meeting

  • Production of a draft Maturity Assessment report

  • Review of the draft report and incorporation of feedback

  • Submission of final Maturity Assessment report with red-amber-green (RAG) status for individual programme areas

Snapshot of Maturity Model


At FINTRAIL we are passionate about combating financial crime. Our unique and diverse team has extensive hands-on experience developing and deploying risk management controls and using real-life examples to bring best practices to life. We provide deep-dive, qualitative assessments of the maturity of financial crime programmes for FinTechs, banks, and other financial institutions.

If you are interested in conducting a maturity assessment or would like to get a better understanding of the services provided by FINTRAIL, please get in touch.