The UK's Financial Conduct Authority has published a 'thematic review' of the efficacy of financial crime controls at asset management and platform firms, presumably as a prelude to some disciplinary action later in the year.
The regulator, in its previous incarnation as the Financial Services Authority, visited 22 firms of all shapes and sizes – wealth/asset management firms, fund firms and platform firms – in 2012-13 and this is the result.
In the review the FCA
made it plain that it was interested only in money-laundering,
bribery and corruption. It explicitly said that it had no interest in
terrorist finance in this instance and did not even mention other
financial crimes such as fraud, insider-dealing and market

What is suspicion?

The review started with
an observation, made in passing, that the 'risk' of money-laundering
and corruption may increase wherever there is a big-ticket or
unexpected transaction. This cuts to the heart of the nature of
'suspicion' – the stage of alertness that every firm should reach
before sending off a suspicious transaction report to the National
Crime Agency – as it applies to high-net-worth individuals. It is
an old trope that the spotting of 'unusual' transactions is not the
same thing as the spotting of suspicious transactions because almost
all HNW transactions are unusual. The FCA does not tackle this
problem with any advice – a position its predecessor the Financial
Services Authority always took, no matter how closely it was

Record-keeping and pay: five out of ten for effort

Throughout the report
the FCA dwelt on the common problem of bad record-keeping in this
area. It thought that clear reporting lines and lines of
responsibility for controls against these financial crimes were quite
good on the whole. It did not, however, think that the effectiveness
of these structures was documented for all to see. At one point it
berated firms for not having 'customer due diligence' (a stilted
phrase from the Basle Group that the European Union picked up and
started using instead of 'know your customer' in 2001) records ready
for its people to look at. This, too, was a reference to bad
record-keeping. At one firm, the FCA complained, a customer had
withdrawn £25 million and thereby triggered off a transaction
monitoring alert, but no evidence was available in the records of who
reviewed it or why it was eventually waved through. Not only might
compliance officers draw the lesson from this story that good
record-keeping is essential; they might also be inclined to think
that it is always wise to spend the most effort (record-keeping and
otherwise) on 'customer files' to which the FCA is likely to attribute
a high profile in drawing up a complaint.
Hidden in among the
detail of the review paper was a compliment for firms: “The type
and level of sophistication of transaction monitoring systems and
controls implemented by firms is typically dependent on the nature,
scale and complexity of a firm's business activities.” This was
another way of saying that the firms the FCA surveyed were actually
successful in observing the doctrine of 'proportionality'.
The FCA looked briefly
at the way firms paid and vetted their staff. It was most pleased
with those firms that used long-term incentive plans to pay staff
extra for their performance as this diffused such rewards over a
wider period and was likely to induce a measure of stability. The
idea was that one-off bonuses for 'performance' were only too easy to
use as excuses for corrupt payments for cutting corners or worse. The
regulators also approved of the fact that firms typically vetted
staff by checking their credit ratings; by verifying their names and
addresses; by looking at their previous employment; by searching for
County Court judgments; and by going to the education authorities for
proof of their qualifications. They also liked the idea of practical
training that was aimed squarely at the risks that every firm faced.

What the FCA wants

In 2006-7 the old FSA
developed a disconcerting habit, which some commentators have likened
to a slight mental disease, of stating that this-or-that activity was
'good' or 'bad' practice with no reference to actual rules or even
guidance. The FCA has continued this tradition here, with a battery
of assertions – none of which can legally count in the eyes of the
Upper Tribunal, the body that hears firms' appeals against the FCA.
For what it is worth, this list of assertions stresses the FCA's
desire to see firms spending large amounts of money and senior
manpower on the problems of money-laundering and bribery control.

What is a senior manager?

On the subject of firms
using 'management information' (an ill-defined term that refers to
all the information about operations that staff can gather together
for certain purposes) to combat crime, the FCA stresses its
preference for a clear definition of 'senior management roles'. This
phrase is always left vague but the report contains a rare moment of
specificity in the context of sign-off for business relationships
with 'politically exposed persons' and other highly risky customers,
where the FCA reveals that it thinks of the money-laundering
reporting officer as 'senior management'. It does, however, imply
that additional involvement from the head of risk, the chief
operating officer and the CEO would be preferable.
The FCA also likes the
idea of committees composed of senior people meeting regularly to
pinpoint risks and – a well-known FCA favourite – the inclusion
of staff compliance with money-laundering and bribery controls in
remuneration and staff incentive structures. It dislikes the absence
of 'senior management challenge', but leaves the reader to guess what
find favour with the FCA, especially when undertaken regularly. It
also, rather daringly, mentions board-level involvement in
signing-off processes as
part of senior managers' jobs. Examples of poor practice include ad hoc risk
assessments, a lack of 'dynamism' and the carrying-out of anti-bribery
assessments as one-off exercises.
On the subject of
money-laundering controls the FCA thinks that it is 'good practice'
for firms to come up with 'a clearly articulated definition of a PEP'
(something that the Financial Action Task Force, the world's AML
standard-setter, has continually failed to do for the whole of its
history and the FCA along with it). It is also keen to see
identification and verification information for customers reviewed
periodically and 'refreshed', with a special eye on risks. It does
not like out-of-date policies and procedures or failure to conduct
'enhanced due diligence' for PEPs, which admittedly is a legal

No cash limits for bribe-prone payments

On the subject of
controlling bribery, the regulator is keen to see the rationale for
each firm's use of agents and collaborators being documented because
these people are thought to be the source of much corruption in
financial services. It wants policies surrounding gifts and
entertainment to be clear and available for all staff, but stops
maddeningly short of giving the regulated community something it has
long been crying out for: solid guidelines with concrete cash amounts
being mentioned for every generic case. It could have done this in
April at its inception; the fact that it is not doing so here is a
sign that it never will.

A right to audit

dislikes, the 'bad practices' of anti-bribery control, seem rather
irrelevant in an environment where its guidance is so vague. Once
again, the emphasis is on tying up large amounts of senior management
time. It thinks it is bad practice, for example, for senior managers
not to monitor gifts and entertainment activity consistently. More
realistically, it is concerned that firms are not doing enough to
monitor the anti-bribery efforts of their associates and
counterparties. The FCA notes in the body of the report that
contracts with these people ought to contain a 'right to audit'
'Good practice' for
training and awareness, according to the regulator, includes the
rolling-out of good training to all staff; of even better training to
senior managers; of 'tailored' training with a special eye on the
business activities of the firm in question; periodic reviews; and
above all good records of who has been trained and how. These are
obvious common sense, as are the FCA's statements of 'bad practice'.
These include a failure to train and involve senior managers; the
absence of extra training for new joiners; and the use of training as
a one-off exercise.
The tenor of the report
might presage a new round of enforcement activity, but the reader is
left with a sense that much has been achieved in the past few years
in financial crime compliance. It states that most firms in the
survey did have “a comprehensive suite of AML policies and
procedures approved by senior management.” A few years ago this
would have been highly questionable.