Money laundering continues to be a major problem in the banking sector, and London’s position as the world’s leading financial centre also makes it an unenviable magnet for dirty cash and suspicious trades. But now the city is trying to fight back.
Financial services firms—including banks, investment firms, and intermediaries (but not general insurers, which are not currently subject to money laundering rules)—will have to file an annual “financial crime report” to the U.K. Financial Conduct Authority (FCA) from the end of this year as part of the regulator’s efforts to tackle fraud and money laundering more effectively.
On July 29, the FCA published policy statement PS16/19, setting out final details of its new annual financial crime report (to be known by the abbreviation “REP-CRIM”). Under the new reporting requirements, around 1,400 firms will need to submit details regarding the number of “politically exposed persons” (such as high-ranking individuals in prominent public functions) and other “high-risk customers” they have dealings with, as well the geographic areas in which those individuals are located.
Firms must also provide data on the number of “suspicious activity reports” (SARs) they have submitted internally, as well as those disclosed externally to the National Crime Agency (NCA)—one of the United Kingdom’s enforcement agencies—or disclosed under a consent order.
The data that needs to be reported will also relate to firms’ compliance with international sanctions and should include details about what they believe to be the top fraud risks the FCA should be aware of.
The FCA has developed a standard template form that firms subject to the REP-CRIM rules will have to submit within 60 business days of their accounting reference date (ARD)—extended from the 30 business day period originally proposed. This means that if a firm has an ARD of Dec. 31, 2016, it would need to file the REP-CRIM by March 27, 2017, at the latest.
To help them come to grips with the new requirements, the regulator will allow firms to submit the data on a “best endeavours basis” for the first year. Furthermore, firms operating within a broader group structure will be able to submit a single financial crime report for a set of regulated firms within the same group, “as long as the firms included all share a common financial year-end.”
At present, the FCA’s approach to develop rules, standards, and controls to deter and uncover incidences of financial crimes relies on the use of ad hoc data requests. The new rules are therefore intended to produce a standardised information flow that the regulator can analyse to spot trends and control failures more effectively. Using the data it collects through GABRIEL, its electronic reporting system, the FCA has said it will publish “aggregated and anonymised financial crime statistics” beginning in 2017.
The finalised rules include a number of changes featured in the original proposals. Among the most significant changes, the guidance now clarifies that a firm only needs to assess the risk of financial crime associated with “high risk” jurisdictions—rather than in all jurisdictions in which it operates—and that firms themselves are able to assess which jurisdictions are “high risk” based on their own assessment.
Also, the questions relating to the firm’s views on the most prevalent types of fraud are no longer mandatory, although the FCA encourages firms to complete that section of REP-CRIM if they can.
Other changes that the FCA has made since its initial consultation mean that firms may apply their own definition of “politically exposed persons” when reporting on such relationships and report on consent SARs as a number, rather than as a percentage. They also only need to provide data on staff with specific financial crime roles. Furthermore, firms may confine sanctions reporting to customer screening information (not payment screening information) and may choose whether or not to answer questions regarding the prevalent types of fraud they have experienced.
“The FCA has already made clear that the increase in quality and quantity of data should allow more desk-based supervisory work. If the FCA's staff are freed up to spend more time on a closely-defined set of risks, one would expect that to help the fight against financial crime.”
Craig Neilson, Partner, Maclay Murray & Spens
However, some firms have raised concerns that in meeting their new reporting duties they might commit an offence of “tipping-off”—an accusation that the FCA rejects.
While the proposed rules may have been watered down, it is not hard to see why the U.K. regulator is focusing on the need to improve firms’ controls and disclosure around financial crime. The first U.K. National Risk Assessment of money laundering and terrorist financing, published in October 2015 by the Treasury and Home Office, found that the City is “highly exposed” to the risk of money laundering. The report concludes that the size and complexity of the U.K.’s financial sector is such that it is “more exposed to criminality” than in many other jurisdictions.
More recently, a report issued earlier this year by anti-corruption body Transparency International criticised the United Kingdom for having “an anti-money laundering system that is easy to bypass in order to launder money with impunity.”
There have been some eye-watering penalties for firms that have failed to implement sufficient anti-money laundering controls in recent years. Standard Bank was fined £7.6m in 2014 for such failings and, last November, Barclays was hit with a £72,069,400 fine for failing to minimise the risk that it may be used to facilitate financial crime. At the beginning of May this year the Financial Times reported that the FCA had written to Deutsche Bank about “serious” and “systemic” failings in its controls against money laundering, terrorist financing, and sanctions, adding that an FCA review was now underway.
However, experts generally welcome the regulator’s approach, with some believing that the reporting requirement is a handy exercise to help firms prepare for the Fourth Money Laundering Directive that is due to come into force in the United Kingdom in June 2017. Also, other jurisdictions have introduced similar financial crime reporting requirements, such as New Zealand and Guernsey in the Channel Islands, which regulators there say have benefitted the sector.
FCA’S APPROACH TO FINANCIAL CRIME
Below is a look at how the Financial Conduct Authority ascertains how firms manage and mitigate financial crime risk.
Currently, the Financial Conduct Authority’s (FCA) method of standardising its approach to financial crime risk is to send out ad hoc requests to firms to get a better sense of the risks they face, and how they identify, manage, and mitigate them.
As the FCA noted in PS16/19: “We do not currently routinely gather information from firms about financial crime, the risks they are exposed to, or how they manage those risks. This affects our ability to operate a truly risk-sensitive supervisory approach in line with global standards. Consequently, we propose to introduce a financial crime return for the first time.”
“We will use the data collected by this return to support our financial crime supervision strategy. Analysing the data will enable us to conduct more desk-based supervisory work than is currently possible. In turn, this will help us identify financial crime risks and trends, as well as possible emerging issues. It will also ensure we have better quality and more consistent comparable data, allowing us to accurately risk-rate firms and better target our specialist resources on firms that pose the highest financial crime risk.”
Read the FCA’s feedback on Chapter 6 of CP15/42 and final rules here.
Brenda Boultwood, senior vice president of industry solutions at governance, risk, and compliance apps provider MetricStream, welcomes the FCA’s move. “Systematic reporting, rather than ad-hoc information requests, will significantly benefit FCA reporting and analytics relating to financial crime,” she says.
Craig Neilson, a partner in the commercial dispute resolution department of commercial law firm Maclay Murray & Spens, believes that the initiative will help reduce financial crime. “The FCA has already made clear that the increase in quality and quantity of data should allow more desk-based supervisory work. If the FCA's staff are freed up to spend more time on a closely-defined set of risks, one would expect that to help the fight against financial crime.”
Catherine Robinson, a solicitor specialising in white-collar crime and regulatory issues at law firm Byrne and Partners, says that the initiative fits in with the FCA’s general approach to making firms more directly accountable for money laundering controls—in the same way that the Senior Managers and Certification Regime that came into force this year specifically designates a Senior Manager function (SMF 17) to take responsibility for money laundering reporting.
“The regulator does not have the resources to proactively investigate whether financial services firms have adequate controls in place to prevent financial crime. Instead, it makes much more sense to push firms to take charge of their own risks and report to the regulator what is going on,” says Robinson.
Samantha Sheen, director of AML for Europe at ACAMS, the Association for Certified Anti Money Laundering Specialists, agrees that the regulator’s approach is pragmatic and realistic. “The FCA’s plans for the next year reflect an acknowledgement that the time has come for the regulator to find a way for it to collaborate with industry to find a way to work ‘smarter, not harder’ to tackle financial crime and mitigate the possible negative impact for customers.”
Some experts—particularly those from a financial technology background—believe that the requirements should not be too onerous, especially for larger firms with more developed IT infrastructures. Jan Hagen, MD for financial crime at consultancy Regulatory Finance Solutions (RFS), says that “compliance with the new rules should be pretty straightforward. The data the FCA is asking for is information you’d expect a fully firing financial crime function to have at its fingertips.”
Jeremy Summers, partner at law firm Osborne Clarke, also believes that many firms that are covered by the rules will already have the data required by the report in accessible form. As a result, “the obligation to submit a standardised format should not represent a significant additional burden,” he says.
However, Summers warns that firms that are unable to answer the questions on the FCA template with relative ease “may find themselves the subject of increasing FCA scrutiny in the future” and therefore advises that they should “consider as a priority why they are not able to access the required information and what steps they need to take in order to be able to do so.”
However, some experts are less impressed. Martin Coyle, senior correspondent at regulatory analyst MLex, says that “the new FCA requirements place yet another reporting burden on already hard-pressed compliance officers,” adding that the benefits “may only emerge once the regulator can draw meaningful conclusions from the data collected.”
Regulatory law expert Anne-Marie Ottaway of Pinsent Masons says the new rules “will put an increased burden on firms who will need to ensure that their internal reporting systems can accurately capture the required data.”
“Firms that haven’t allocated sufficient resources to address their financial crime risks or that make very few suspicious activity reports—given their customer risk—can expect more scrutiny from the FCA,” Ottaway adds.
Some also highlight the fact that while the FCA may be getting more information, it is actually how well the regulator is able to use the data and act on it that counts.
“I question the regulators’ ability to digest all of the information that it will be receiving from these 1,400 firms in an expeditious manner in order to combat financial crime as quickly as needed,” says Lisa Toth, global head of regulation and risk at global capital markets specialist Hatstand.
“Annual reporting, which is due 60 business days post year-end, does not seem to be the most robust way to combat crime. Activities that the regulator may discover could have been going on for more than a year and a half before it is in a position to draw any conclusions. The FCA should be looking to put something in place that is more frequent and structured so that it can leverage artificial intelligence to data mine the information in the reports and help connect the dots,” says Toth.
Continue the conversation at Compliance Week Europe: 7-8 November at the Crowne Plaza Brussels. Join us as we look at changes in global anti-corruption regulations, slave labor risks in your supply chain, and how to detect fraud, to name just a few topics. Learn more