Dear CEO Letter – Required Actions in Response to Common Financial Crime Control Failings
Introduction
On 5 March 2024, the Financial Conduct Authority (“FCA”) published a Dear CEO letter to Annex 1 firms identifying common failings in financial crime controls.
Firms have been given just 6 months to assess and take steps to resolve any gaps or weaknesses in their financial crime controls.
As part of their assessment, the FCA expects firms to perform a gap analysis against each of the common weaknesses highlighted and their current financial crime controls.
Our team of financial crime experts at Novatus have been supporting a number of firms with this analysis and are currently assisting in remediating the gaps identified.
With the September deadline fast approaching, and in light of the increasing number of questions we are receiving from our clients, we are pleased to provide a more detailed overview of the requirements and our Five Point Plan to compliance.
Scoping
The Dear CEO letter is directed to Annex 1 firms, which includes certain lenders, safe custody providers, financial leasing companies, safe custody providers and money brokers, among others. We estimate that there are 1,000 Annex 1 firms in the UK. If you are unclear whether you are an Annex 1 firm, please contact us for further advice.
The FCA has given firms until September 2024 to assess financial crime controls and take steps to resolve gaps or weak areas.
Firms that fail to take reasonable action in response risk regulatory scrutiny, including possible enforcement action.
Summary of Dear CEO Letter
The FCA has identified four key areas where firms are falling short of the requirements set out in the Money Laundering Regulations (“MLRs”). The FCA expects firms to assess and address each area.
Business Model
Discrepancies were found between firms’ registered and actual activities
FCA Observation: The activities listed on the FCA register did not align to actual business activities.
FCA Expectation: Firms must notify the FCA of any changes to activities undertaken within 30 days of the change.
Inappropriate financial crime controls
FCA Observation: Firms’ financial crime controls have not kept pace with the size and complexity of the business during periods of growth, resulting in inadequate financial crime frameworks.
FCA Expectation: Firms must ensure they are constantly assessing their control frameworks in the context of their business, in particular when the firm has experienced significant change.
Risk Assessment
FCA Observation: Weaknesses were found in Business Wide Risk Assessments (“BWRA”) and Customer Risk Assessments (“CRA”).
FCA Expectation: Firms must review and update their BWRAs and CRAs on an annual basis to ensure compliance with the MLRs and alignment to changes in the business.
Due Diligence, Ongoing Monitoring and Policies and Procedures
FCA Observation: Financial crime policies were perceived to lack the necessary detail leading to ambiguity for staff around the actions required to be compliant with firm requirements in accordance with the MLRs.
FCA Expectation: Firms must ensure that policies and procedures are prescriptive enough to provide guidance for staff and there is sufficient evidence documented.
Governance, Management Information and Training
Lack of resources
FCA Observation: Financial crime teams were seen to be under resourced and therefore unable to carry out their functions effectively. In addition, senior management did not have adequate oversight over financial crime risks.
FCA Expectation: Firms must have sufficient resources to undertake the required financial crime activities, supported by a scientific resourcing model outlining expected FTE required based on activities/processes performed.
Inadequate training
FCA Observation: Firms have not provided employees with the required financial crime training on important topics such as suspicious activity reporting and escalation.
FCA Expectation: Firms must ensure that employees are provided with regular and appropriate training on financial crime legislation equipping employees to manage and mitigate financial crime risk.
Absence of a clear audit trail
FCA Observation: Evidence of governance and management information relating to financial crime was insufficient.
FCA Expectation: Firms need to ensure that financial crime is a standing agenda item at senior management meetings to ensure appropriate oversight, with clear management information available to understand key risk areas and performance against these.
How Can Novatus Help?
Novatus can support your firm in a number of ways to ensure you take a compliant but appropriate and proportionate approach to meeting your financial crime obligations.
Working directly with regulators and industry peers, we deliver cross-enterprise risk management efficiencies and practices that extend beyond regulatory obligations to contribute directly to your business success.
We support our clients across advisory, strategic outsourcing and fully managed solutions.
If you would like to discuss our services further, please contact Francis Stroudley, Head of Compliance Advisory – fstroudley@novatus.global
A Five-Point Plan for Financial Crime Control
1. Performing Financial Crime Control Gap Analysis
Firms must complete a gap analysis of their financial crime controls by September 2024.
Novatus can deliver an independent gap analysis review within 4 weeks, which is proportionate to your business, and benchmarked against your peers. Prioritised recommendations are provided, forming the basis of any remediation work necessary.
2. Designing Clear Remediation Plans
Firms need to actively demonstrate they are testing their policies, controls and procedures and be able to evidence that they are effective and working as intended.
Firms must further be able to demonstrate their policies, controls, and procedures align with the firms’ risk profile and meet the requirement of the MLRs.
Novatus will engage with your senior management and business stakeholders to develop detailed plans for remediation, which will withstand regulatory scrutiny.
We offer flexible support to execute your remediation plan, tailored to your exact requirements. Our recent engagements include: Assisting in defining and setting up a target operating model for financial crime.
Technical SME support in converting both regulatory and best practice into clear actions
Tactical placement of business analyst and project management experts to support client remediation programmes.
3. Aligning Policies to Risk Profile
Firms must be able to publish a remediation plan to the FCA which sets out, actions senior manager ownership and timelines for each action Financial Crime control gap identified.
Novatus will conduct independent testing to ensure that your existing control frameworks are proportionate and appropriate to your business, and policies and procedures have been appropriately embedded within you organization. The ability to demonstrate independent testing of policies enables firms to meet regulator enquiries with confidence
4. Delivering Financial Crime Training
Firms should provide enhanced financial crime training to employees.
Our experienced team of financial crime experts routinely provide training, aligned to our client’s business model to ensure your employees understand their role in meeting financial crime obligations.
We offer tailored training programmes based on exact client requirements, including executive management and Boards who must be in a position to demonstrate oversight.
5. Embedding Risk Assessments within the business
Firms should develop, review and enhance Business Wide Risk Assessments “BWRA” and Customer Risk Assessments “CRA” as appropriate.
We have a tried and tested approach to the development and delivery of risk assessments across businesses of all sizes.
Our Risk Assessment Toolkit accelerates the review process, and ensures our client’s embed a deep understanding of key financial crime risks they face.
