While the first half of 2024 is still fresh in our minds, FINTRAIL has paused to reflect on our anti-financial crime (AFC) audits from H1 2024 to identify common findings and focus areas for regulated financial firms.
As always, the regulatory backdrop to these audits has continued to evolve. We have seen changes to the UK regulatory landscape with the introduction of new PEP requirements which came into force in January 2024 and the subsequent FCA consultation on its PEP guidance with updates to be released later this year. There has also been the implementation of the FCA’s 2024/2025 business plan including a commitment to reduce and prevent financial crime with a focus on consumer duty, fraud and financial inclusion. In Europe we have seen the introduction of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) which aims to harmonise AML/CFT measures across the EU. The latter half of the year will also see some big changes with the UK Payment Systems Regulator (PSR) mandatory reimbursement requirements for victims of APP scams coming into force on 7 October 2024 and the introduction of the 6th AML Directive (AMLD) in Europe.
Given the latest changes and pending updates, it is important for firms to stay up to date and continue to evolve and enhance their AFC frameworks. An external audit can help firms identify gaps or areas of weakness and ensure they stay on top of their regulatory requirements.
Key stats
The majority of our critical findings related to customer and payment screening controls and anti-financial crime risk assessments.
High-risk findings tended to relate to policies and procedures, and customer due diligence controls.
The largest number of findings related to customer and payment screening controls.
Policies and procedures
The majority of our findings from the year so far relate to firms’ policies and procedures. In particular, we have repeatedly seen the use of generic policies and procedures that do not align to a firm’s specific product and services or its current systems and controls. For example, policies and procedures have not always been updated to reflect changes to third party systems used or new AML regulatory requirements, despite going through an annual review cycle. This mirrors the findings from the latest FCA ‘Dear CEO’ letter from March 2024 which identified a lack of detail in policies creating ambiguity around the actions staff should take to comply with their obligations under the Money Laundering Regulations.
It is important for firms to ensure their policies and procedures are up-to-date and reflective of the controls and processes in place, particularly in instances where the documents are used for training new employees or are informing key control areas like internal SAR reporting.
Common gaps we have seen in firms' AML policies and procedures include:
No reference to proliferation financing
Not reflecting the latest UK regulatory updates relating to the treatment of domestic PEPs
No reference to Transfer of Funds regulations and the controls in place.
Governance
In terms of governance, FINTRAIL has identified the following themes:
Management information - In some instances firms have been unable to easily retrieve management information on their customers and key controls (e.g. number of customers, average number of transaction monitoring alerts, number of SARs, number of open customer screening alerts). It is important for firms to be able to pull this data for the purposes of reporting, tracking against the firm's risk appetite, and understanding key performance indicators (KPIs) and key risk indicators (KRIs) to help drive decisions across the firm.
Resourcing - We have seen many firms operating a lean AFC team structure, which is aligned to their business model, risks and stage of maturity. However, firms should consider or have in place a resource management plan which identifies the trigger points for hiring additional resources or reshuffling existing capacity. This ensures that resourcing is managed effectively as the firm scales and there is no last minute panicked hiring of resources.
Record keeping - FINTRAIL noted in many instances that the storage of KYC information was unorganised and inconsistent. This includes information saved in different folders which means there is no single view of customer information. Likewise, it was difficult to obtain closed screening or transaction monitoring alerts which meant there was no evidence of alert dispositioning. It is important for this information and any associated decision-making to be easily retrievable on the customer’s file in the event of a law enforcement enquiry, or regulator or auditor request.
Risk assessments
Another key focus area for the FCA this year is business-wide risk assessments (BWRA). The FCA review found that in some instances money laundering (ML), terrorist financing (TF) and proliferation financing (PF) risk assessments had not been carried out at all, and in other instances firms had failed to document the steps undertaken to identify and assess the ML/TF/PF risks.
Similarly, at FINTRAIL we have identified these common findings relating to firms’ BWRAs:
Firms are not documenting their risk assessment methodology comprehensively, particularly in relation to how they calculate residual risk. Often this calculation appears very subjective and excludes a quantitative element.
Firms are grouping and amalgamating various financial crime risks into one within their risk assessments, not taking into account the differences between the TF, ML and PF risk exposure to the business.
Firms lack a control library and appear to be amalgamating controls for the purpose of the risk assessment, which is not always reflective of the control effectiveness or how effectively individual controls are mitigating the inherent risk.
Firms are not referencing the sources they use to conduct their risk assessment, taking into account internal data and external factors such as the UK National Risk Assessment.
In relation to customer risk assessments, FINTRAIL has identified the following common themes:
It is not always clear what specific risk factor is being considered in the risk assessment. For example, we tend to see many firms capturing ‘geography’ as a risk factor but it is unclear what specifically this relates to, i.e. residency of UBO, country of incorporation, or transactional activity. The lack of granularity could influence the overall risk rating of the customer, meaning it is not reflective of the actual risk posed.
Firms tend to rate each risk factor equally, which does not always best reflect the customer's actual risk. This could lead to a skewered book of customer risk or an ineffective use of the manual override function.
Additionally, we have seen multiple occasions where a firm's country risk rating list is not up to date (i.e. not updated with the latest high-risk third countries) and therefore feeds into other control areas incorrectly, such as customer risk assessments or transaction monitoring. This means country risk is not being monitored effectively, potentially exposing firms to countries with high financial crime risk exposure.
Customer due diligence
FINTRAIL observed that most firms are implementing effective customer due diligence controls at onboarding. Across most audits, there has been clear documentation for the customer due diligence process and clear instructions for the onboarding team to implement.
One area where we see firms struggle is the KYC refresh process where there are often backlogs due to both poor customer response time and operationally cumbersome processes which divert resources away from other priority areas. There are often no clearly defined timelines built into the KYC refresh process, or clearly defined outcomes and actions taken in the event of no response from the customer. These areas are critical to build out to ensure the customer is notified with ample time to respond, there are clear ‘request for information’ protocols and schedules of correspondence, and clear timelines and actions in the event of no response from the customer. This is to ensure firms are collecting KYC information in a timely manner and that customer information is up to date.
Another area of focus relates to firms offering downstream services to other financial institutions or payment service providers. In particular we have seen that these firms have not clearly documented their reliance, oversight or outsourcing framework to ensure the effective oversight of these inherently higher risk relationships. Additionally, for these types of relationships we have seen that firms are not factoring in their clients’ AML/CTF control frameworks in the customer risk assessment.
Suspicious activity reporting
Mainly identified through file review sessions, FINTRAIL has noted that internal SARs and investigationsdo not always clearly reference reasons for suspicions. In many instances the team could verbally articulate the reasons for suspicion, but there was little documented evidence of this within the internal SAR and investigation notes. This could affect the quality of the external SARs submitted to authorities. The quality of external reporting has been a focus area for many firms in line with Principle 3 on ‘Providing highly useful information’ of the Wolfberg Group’s Principles of Effectiveness.
Screening
The majority of our critical findings in H1 related to firms’ screening controls, particularly ongoing customer screening. In some instances we have seen firms not conducting ongoing customer screening or being unable to demonstrate this. This is often a result of firms not understanding their third party tooling settings or being unaware that their tools have this functionality.
Fraud
In light of the PSR’s policy changes coming into play later this year, we have seen many firms make an effort to get their APP fraud controls into shape ahead of the October enforcement date. With that said, while firms have made appropriate updates to their fraud frameworks, there is often little evidence of documentation of these controls. Additionally, fraud risks and anti-fraud controls do not appear to be documented within firms’ risk assessments. Given the FCA’s focus on consumer duty and fraud this year, this should be a focus area for many firms.
Compliance monitoring
We have seen from our audits this year that compliance monitoring is last on many firms’ to-do lists. While some companies have a documented compliance monitoring plan, it is rarely implemented due to resourcing, time or priority constraints. This is particularly the case for smaller firms which lack dedicated assurance resources.
How can FINTRAIL help?
At FINTRAIL we are passionate about combating financial crime. Our unique team of experts is drawn from the industries we support and has deep hands-on experience in developing and deploying risk management controls from leadership roles with leading banks, FinTechs, and other financial institutions.
We have extensive experience assisting financial services businesses with audits and assurance processes. We have a proven track record of identifying areas where clients can enhance their compliance and make their programmes more effective. Our approach is tailored to the unique circumstances of each client, is regulatory and technology driven, and is focused on providing excellent customer outcomes. We offer our clients pragmatic solutions to the most complex challenges and our goal is to ensure our clients can thrive, free from the negative impacts of financial crime.
If you wish to speak to our team about your requirements for an upcoming audit, please get in touch.