Will the FCA’s Financial Crime Guide updates go far enough?

30 May 2024 | UK & Europe | Articles

The FCA has asked firms for feedback on proposed changes to the current Financial Crime Guide (FCG). However, it’s currently unclear whether the revisions will go far enough in terms of providing firms with practical, sector-specific guidance. And despite the FCA’s new focus on technology, it’s uncertain whether any technology-specific guidance will provide clear expectations around financial crime systems and controls.

Following the UK government’s Economic Crime Plan 2 (2023 to 2026) and Fraud Strategy, the FCA has initiated a consultation process, asking firms for feedback on their proposed changes to the FCG – the document which sets out the FCA’s expectations around financial crime risk management and that provides examples of best practice. Responses are to be submitted by 27th June 2024.

The FCG proposals encompass a range of expected themes, but do the proposed changes go far enough and give much needed clarity for firms?

Sanctions

Following the unprecedented scale, complexity and size of sanction regimes introduced following Russia’s invasion of Ukraine, the FCA has invested heavily in a programme to test the effectiveness of firms’ sanctions screening arrangements. This programme utilises analytics-based tools to test the effectiveness of firms’ sanctions systems and controls, particularly related to screening. This new focus is evident in the proposed revisions to the FCG across the following areas:

• Reporting requirements;
• Governance arrangements;
• MI;
• Responding in a timely manner;
• Examples of poor/best practice when using screening tools; and
• New guidance on how firms should identify, assess and report potential sanctions breaches.

New guidance across each of these areas is likely to be welcomed by firms given the evolving geopolitical landscape and increased regulatory focus on sanctions, as well as the comparatively limited information available to firms to benchmark their approaches.

In our experience, firms are often unclear about what best practice looks like in the context of sanctions screening systems and often struggle to ensure that such systems are designed and calibrated effectively. Given the complexity of the area, however, it is unlikely that the new guidance in the FCG will include the level of detailed guidance firms need to understand whether their systems effectively deal with common issues in sanctions screening, such as variations in names, simple misspellings, alternative transliterations and the use of nicknames. It is also unclear whether the revised FCG guidance will help firms deal with the ever-present operational considerations that come with implementing an effective sanctions framework – such as ensuring that false positives remain at a manageable level or how to train staff to correctly apply a risk-based approach in the dispositioning of alerts, to ensure that investigations are consistent, and risk based.

In the absence of clear guidance from the FCA, firms will need to ensure that they do not rely on the FCG in isolation when considering if their sanctions arrangements are up to standard, but instead consider broader sources of information such as international guidance and peer benchmarking.

Proliferation financing (PF)

Since the 2022 updates to the Money Laundering Regulations requiring firms to consider PF as part of their risk assessments, the FCA has proposed a greater focus on PF within the FCG.

The FCA’s consultation sets out the proposed changes in this area at a somewhat high level, but it is currently understood to include suggestions that firms incorporate references to PF within their policy and procedure frameworks as well as within their business-wide risk assessment (BWRA) and customer risk assessment (CRA) methodologies.

In our experience, many firms – including more recently established and smaller firms –often already struggle to implement effective BWRAs and CRA methodologies for financial crime more broadly; in the absence of clear, sector-specific guidance from the FCA in the FCG, adding PF into the mix will likely cause further confusion. Likewise, many firms will also struggle to embed the FCA’s broader expectations around PF risk management within their policy and procedure frameworks, including navigating the complexities of record keeping and securing appropriate sign-off from senior management.

Rather than wait for the revised FCG guidance to be published, we would urge firms to consider their strategy for implementing the new requirements around PF within their policies, procedures, systems and controls now.

Transaction monitoring (TM)

In recent publications, fines and speeches, the FCA has repeatedly called out examples of transaction monitoring systems and technology being poorly deployed in the industry. Reflecting this priority, and the content of the FCA’s consultation, the revised transaction monitoring guidance in the FCG is likely to cover the following:

• Good and poor practice when testing controls to ensure firms’ automated triggers are capturing risk appropriately;
• Examples of good practice when switching from one system to another;
• Self-evaluation questions; and
• Good and poor practice when improving the effectiveness of such systems.

While this new guidance should be welcomed by the industry given the lack of specificity in the current FCG, it is unlikely that the guidance will succeed in satisfying the numerous questions we see from firms on a regular basis in relation to transaction monitoring best practice.

For example, many of our clients utilise automated solutions for TM but are not sufficiently involved in the calibration and tuning of such systems to ensure that they are effective. Whilst a data-driven approach is in keeping with best practice, manual oversight is needed to ensure the design and implementation of these systems is capturing suspicious activity and allocating resources in a risk-based way.  Threshold setting should involve some element of customer segmentation, such as by risk rating, industry, or income/revenue. Each firm’s TM system is different, tailored to the unique requirements and situation of the firm. Moreover, each firm has different challenges around data quality and data availability. Considering this, it is likely that any guidance issued by the FCA on areas such as system design and calibration will be too high level to be of practical, every-day use.

Governance and MI is another key common failing for TM, one too in-depth and complex for the FCA to tackle satisfactorily in the FCG. MI should include key performance metrics and be subject to regular review by senior management, allowing for oversight of performance over time and provide the opportunity to scrutinise any gaps in controls or areas of ineffectiveness.

Poor vendor selection is another problem which the revised FCG is unlikely to cover as part of the new guidance on switching from one system to another. We have seen many firms making the mistake of opting for a poorly designed but cheaper system over a system which is operationally streamlined and scalable. Such examples include firms choosing TM systems which do not have the capability to remember previous decisions (machine learning) to save repetitive investigations and decision making by 1LoD teams.

Crypto assets

Since January 2020, the FCA has extended its supervision to crypto asset businesses; the low proportion of successful crypto authorisation applications is a testament to the standard of regulatory expectations to which the FCA is holding these firms.

The revised FCG is likely to provide guidance on the use of blockchain analytics as part of transaction monitoring for crypto assets, information on how to comply with the FCA Travel Rule, and best practice on the screening of outbound transactions to identify crypto asset wallet addresses linked to fraud.

Once again, firms operating in this space should be mindful that the revised FCG is unlikely to touch upon all the complexities and challenges associated with managing the financial crime risks associated with crypto assets and turn to third party sources – such as the Wolfsberg Group response to the EBA consultation on Travel Rule guidelines – instead.

Consumer duty

On 31st July 2023, the FCA’s Consumer Duty came into force. The FCG will remind firms that the Duty must be considered alongside financial crime obligations to ensure that firms act to deliver good outcomes for retail customers.

Striking the balance between effective financial crime controls whilst also providing good outcomes for customers can be difficult – and in our experience, firms are often forced to make trade-offs. For example, firms must take steps to ensure enhanced due diligence is applied to politically exposed persons (PEPs) while ensuring good customer outcomes by not automatically classifying PEPs – and, in particular, domestic PEPs – as high-risk without appropriate risk-based justification.

The decision to off-board customers is another area where these two concepts are at odds. Firms must ensure that their customers’ KYC profiles are complete, accurate and up to date whilst also giving customers sufficient opportunity and flexibility to update their information before a relationship is terminated.

Firms currently balance the competing requirements of the Duty and their financial crime obligations on a case-by-case basis; this is unlikely to change in the new world of the revised FCG.

How we can help

Our team of financial crime specialists can help you to ensure your systems and controls reflect current and upcoming regulatory guidance and examples of industry best practice, such as those outlined in the revised FCG.

We have extensive experience working alongside the regulator in helping firms to review and remediate their financial crime frameworks.