The UK financial regulator has reviewed asset management and platform firms to look at their crime controls, as a prelude to possible disciplinary action. This article considers the details.

(To register for Compliance Matters, a newly launched publication run by the publisher of this site, click here.)

The UK's Financial Conduct Authority has published a “thematic review” of asset management and platform firms and the efficacy of their financial crime controls, presumably as a prelude to some disciplinary action later in the year. It and its predecessor organisation, the Financial Services Authority, visited 22 firms of all types – wealth/asset management firms, fund firms and platform firms – in 2012-13 and this is the result.

In the review the FCA made it plain that it was interested only in money-laundering and bribery and corruption. It explicitly said that it had no interest in terrorist finance in this instance and did not even mention other financial crimes such as fraud, insider-dealing and market manipulation.

The review started with an observation that the “risk” of money-laundering and corruption may increase wherever there is a big-ticket or "unexpected" transaction. This cuts to the heart of the nature of “suspicion” – the stage of alertness that every firm should reach before sending off a “suspicious transaction report” to the National Crime Agency – as it applies to high-net-worth individuals. It is an old trope that the spotting of “unusual” transactions is not the same thing as the spotting of suspicious transactions because almost all HNW transactions are unusual. The FCA does not tackle this problem with any advice – a position its predecessor the Financial Services Authority always took, no matter how closely it was questioned.

Throughout the report the FCA dwelt on the common problem of bad record-keeping in this area. It thought that clear reporting lines and lines of responsibility for controls against these financial crimes were quite good on the whole. It did not, however, think that the effectiveness of these structures was documented for all to see. At one point it berated firms for not having “customer due diligence” (a stilted phrase from the Basle Group that the EU picked up and started using instead of “know your customer” in 2001) records ready for its people to look at. This, too, was a reference to bad record-keeping. At one firm, the FCA complained, a customer had withdrawn £25 million and this triggered off a transaction monitoring alert, but no evidence was available in the records of who reviewed it or why it was eventually waved through. Not only might compliance officers draw the lesson from this story that good record-keeping is essential; they might also be inclined to think that it is always wise to spend the most effort (record-keeping and otherwise) on customer-files that the FCA is likely to find high-profile.

Hidden in among the detail of the review paper was a compliment for firms: “The type and level of sophistication of transaction monitoring systems and controls implemented by firms is typically dependent on the nature, scale and complexity of a firm's business activities.” This was another way of saying that the firms the FCA surveyed were actually successful in observing the doctrine of “proportionality”.

The FCA looked briefly at the way firms paid and vetted their staff. It was most pleased with those firms that used long-term incentive plans to pay staff extra for their performance as this diffused such rewards over a wider period and was likely to induce a measure of stability. The idea was that one-off bonuses for “performance” were only too easy to use as excuses for corrupt payments for cutting corners or worse. The regulators also approved of the fact that firms typically vetted staff by checking their credit ratings; verifying their names and addresses; looking at their previous employment; searching for County Court judgments; and going to the education authorities for records of that. They also liked the idea of practical training that was aimed squarely at the risks that every firm faced.

Vague

In 2006-7 the old FSA developed a disconcerting habit of stating that this-or-that activity was “good” or “bad” practice with no reference to actual rules or even guidance. The FCA has continued this tradition here, with a battery of assertions – none of which could count in the eyes of the Upper Tribunal that hears firms' appeals against the FCA. For what it is worth, this list of assertions stresses the FCA's desire to see firms spending large amounts of money on the problems of money-laundering and bribery control.

As for the subject of firms using “management information” (an ill-defined term that refers to all the information about operations that staff can gather together for certain purposes) to combat crime, the FCA stresses its preference for a clear definition of “senior management roles”. This phrase is always left vague but the report contains a rare moment of specificity in the context of sign-off for business relationships with “politically exposed persons” and other highly risky customers, where the FCA reveals that it thinks of the money-laundering reporting officer as “senior management”. It does, however, imply that additional involvement from the head of risk, the chief operating officer and the CEO would be preferable.

The FCA also likes the idea of committees composed of senior people meeting regularly to pinpoint risks and – an increasing FCA favourite – the inclusion of staff compliance with money-laundering and bribery controls in remuneration and staff incentive structures. It dislikes the absence of “senior management challenge”, but leaves the reader to guess what this means.

Risk-assessments also find favour with the FCA, especially when undertaken regularly. It also, rather daringly, mentions board-level involvement in sign-off processes as part of senior management's role. Examples of poor practice include ad hoc risk assessments, lack of “dynamism” and the carrying-out of anti-bribery assessments as one-off exercises.

On the subject of money-laundering controls the FCA thinks that it is “good practice” for firms to come up with 'a clearly articulated definition of a PEP' (something that the Financial Action Task Force, the world's AML standard-setter, has continually failed to do for the whole of its history and the FCA along with it). It is also keen to see identification and verification information for customers reviewed periodically and 'refreshed', with a special eye on risks. It does not like out-of-date policies and procedures or failure to conduct 'enhanced due diligence' for PEPs, which admittedly is a legal requirement.

Bribery control

On the subject of bribery control, the regulator is keen to see the rationale for each firm's use of agents and collaborators being documented because these people are thought to be the source of much corruption in financial services. It wants gifts and entertainment policies to be clear and available for all staff, but stops maddeningly short of giving the regulated community something it has long been crying out for: solid guidelines with concrete cash amounts being mentioned for every generic case. It could have done this in April at its inception; the fact that it is not doing so here is a sign that it never will.

The regulator's dislikes, the “bad practices” of anti-bribery control, seem rather irrelevant in an environment where its guidance is so vague. Once again, the emphasis is on tying up large amounts of senior management time. It thinks it is bad practice, for example, for gifts and entertainment activity not to be monitored consistently by senior managers. More realistically, it is concerned that firms are not doing enough to monitor the anti-bribery efforts of their associates and counterparties. The FCA notes in the body of the report that contracts with these people ought to contain a 'right to audit' clause.

“Good practice” for training and awareness includes the rolling-out of good training to all staff; even better training for senior management; tailored training with a special eye on the firm's business activities; periodic reviews; and above all good records of who has been trained and how. These are common sense, as are the FCA's statements of “bad practice”. These include the non-training and non-involvement of senior management; the absence of extra training for new joiners; and the use of training as a one-off exercise.

The tenor of the report might presage a new round of enforcement activity, but the reader is left with a sense that much has been achieved in the past few years in compliance. It states that most firms in the survey did have “a comprehensive suite of AML policies and procedures approved by senior management.” A few years ago this would have been unthinkable.