Controls without evidence? Why regulators demand more than good intentions.
I was surprised… no, actually it was more like alarmed… to see the findings of the FCA’s most recent multi-firm work on corporate finance firms.
In case you missed it, the FCA surveyed 303 corporate finance firms who are not required to submit the FCA’s financial crime data return (REP-CRIM). Of the 270 firms who responded:
- 11% did not have a documented business-wide risk assessment (BWRA). 16% of the principal firms who responded were in this category.
- 10% said they did not retain documented evidence of customer due diligence.
- 29% of the principal firms who responded said they do not assess the financial crime risks inherent in their appointed representatives (ARs).
- 27% of respondents did not use a form to document customer risk assessment.
Having worked at the FCA for fifteen years, I cannot stress enough the importance of documenting your financial crime controls. If it’s not written down, did it even happen? Without proof, it’s only your word. There’s nothing to show for the hard work you did. There’s no archive, no history of information for your successors to draw on. And perhaps more importantly, there’s nothing to show an auditor or the regulator if they were to ask.
We recently held a roundtable focusing on governance in financial crime. We talked there about the “power of proof”. For senior management this is often about how good the management information (MI) is. But Board and committee minutes are also important. I have reviewed countless sets of minutes as a regulator, and nearly all of them don’t say enough about the discussion and challenge which took place around a decision.
I used the word “alarming” because the things I’ve highlighted in the bullets above are legal requirements under the Money Laundering Regulations – firms must have a documented BWRA, they must have documented assessments of the risks posed by their customers, and they must maintain records of CDD. FCA rules require principal firms to adequately oversee the regulated activities carried out by their ARs, including financial crime risk assessments and on-site visits/audits (where appropriate).
It doesn’t need to involve mountains of paperwork – in fact, concise and clear is far more effective. For some of our clients, we’ve been developing regulatory roadmaps focused on specific topics, such as BWRA or failure to prevent fraud. These roadmaps capture the firm’s progress in a particular area of controls, clearly highlighting what’s been achieved, any remaining gaps, and the plans in place to address them. It’s something which can be given to the regulator immediately and links your controls together in a way which is cohesive and easy to understand.
Questions you can ask yourself:
- If the FCA reviewed your financial crime policies, MI, BWRA and customer files tomorrow, what kind of story would that tell about your control framework?
- Thinking about the major decisions your business has made over the past six months regarding financial crime controls — where are these documented? Can you show the journey, via documentation, of how you arrived at those decisions and what senior management involvement or challenge there was?
- What about the more day-to-day documents? When were your policies last reviewed and is there an audit trail of the changes? Are you documenting the customer due diligence and risk assessments you are carrying out on your customers, and any changes at periodic review?
- For principals, how can you demonstrate that you have adequate oversight of your ARs, including the financial crime risks they face?
Our recent Dear CEO letter highlighted the importance of high-quality and reliable financial crime assurance. As always, if you need our help, or would like to discuss how a regulatory roadmap might benefit you, get in touch: sam.jarvis@avyse.co.uk