UK FCA finds gaps in financial crime controls in corporate finance firms

While a recent survey of CFFs by the Financial Conduct Authority (“FCA”) found some evidence of good practice in relation to financial crime controls, it also found that many firms are falling short of requirements. Results from the survey indicate that approximately two-thirds of respondent firms may not be compliant with the MLRs in one or more elements of their anti-money laundering control frameworks.

What the FCA did

The FCA surveyed 303 CFFs not currently required to submit financial crime data returns to the FCA, of which 89% responded. Of these respondent firms, 11% were principal firms with appointed representatives (“ARs”), whereby the AR carries on the regulated activity under the responsibility of the authorised principal firm. Principal firms are responsible for ensuring the AR is fit and proper, and complies with the FCA’s rules.

The FCA’s findings reflect the firms’ responses to its survey.

What the FCA found

The FCA found the following:

Areas for improvement

• Lack of documented business-wide risk assessment (“BWRA”): 11% of all respondent firms reported that they did not have a documented BWRA. The FCA stressed that firms must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which they are exposed, and reminded firms that having a documented BWRA is a requirement under the MLRs.
• Lack of documented customer risk assessment (“CRA”): 27% of all respondent firms reported that they did not use a CRA form, the use of which the FCA considers to be good practice. The lack of the use of a CRA form was even more common among principal firms, with 35% of them reporting no use. The FCA stressed that, even though many respondent firms had built close business relationships with their clients which enabled them to develop a good understanding of the nature of their client’s business and their client’s requirements, firms could not rely solely on relationships to develop an understanding of client risk. The FCA reminded CFFs that having documented assessments of financial crime risks posed by their clients is a requirement under the MLRs.
• Missing evidence of consumer due diligence (“CDD”): Despite many respondent firms having a good understanding of their clients’ businesses due to extensive and sustained engagement, 10% reported that they did not retain documented evidence of CDD. Again, the FCA stressed that longstanding business relationships with clients did not justify the absence of up-to-date written records of due diligence, including customer screening, and reminded CFFs that maintaining records of CDD and, where appropriate, enhanced due diligence is a requirement under the MLRs.
• Gaps in risk assessments for ARs: Although 90% of principal firms surveyed reported that they have clear policies in place governing the financial crime risks posed by their ARs, 29% reported that they do not actually assess these risks, and 19% do not assess the effectiveness of their oversight and their control mechanisms to mitigate these risks. Further, 6% of principal firms surveyed reported that they do not monitor their ARs’ compliance with financial crime regulations, for example by way of on-site visits or audits.

Of the firms which lacked anti-financial crime policies that specifically cover their ARs, many firms (the FCA did not give a percentage) also admitted that they do not independently investigate the reports they receive from their ARs concerning the effectiveness of financial crime controls or concerning events/ incidents, and additionally some firms (again, the FCA did not give a percentage) indicated that their ARs do not verify the source of investors’ funds.

The FCA reminded firms that its rules require principal firms to adequately oversee the regulated activities carried out by their ARs, and that principal firms should implement policies and procedures to manage the financial crime risks associated with ARs including conducting financial crime risk assessments and undertaking on-site visits or audits (where appropriate).

• Ongoing monitoring: The FCA reminded CFFs that they must conduct ongoing monitoring of their customers, both in terms of scrutinising transactions and keeping records relating to due diligence up to date, as required by the MLRs. Even though many respondent firms (the FCA did not give a percentage) reported that they do not deal with client funds, so transaction monitoring may be less applicable to their business relationships, the FCA nevertheless said that CFFs should consider the sources of all funds they receive, such as engagement fees and other administrative payments. It added that CFFs must also conduct periodic reviews of their business relationships with clients, ensuring that CDD remains up to date.

Next steps

The FCA says that it will use the findings from its survey in its supervision of CFFs and will intervene where firms fall short of requirements.

The FCA will be contacting those firms where shortcomings were identified to set out the prompt remedial action it expects, and it will follow up with these firms in due course to understand what they have done.

All CFFs should consider the FCA’s findings and use them to address any gaps in their financial crime control frameworks Failing to do so could lead to FCA supervisory or enforcement action.

How we can help

Our combined legal and consulting teams bring decades of experience in advising on and building BWRA and CRA assessment, customer due diligence and third-party risk management frameworks.

If you would like to discuss any of the issues raised in this article, please get in touch with any of the contacts listed, or your usual contact at Hogan Lovells.

Authored by Daniela Vella, Claire Lipworth and Ann Đoàn.