Examples of good and poor practice that provide helpful guidance and serve as a reminder of supervisory expectations.
The FCA has published TR18/3, presenting the outcome of its thematic review of the anti-money laundering (AML) and counter-terrorist financing (CTF) systems and controls in thirteen Electronic Money Institutions (EMIs). Although the review focused only on EMIs, the findings are of interest to all businesses within the scope of the Money Laundering Regulations 2017 (MLRs 2017).
The FCA treats financial crime as an important area in its supervisory activities, and updating policies and procedures to reflect the changes brought about by the MLRs 2017 may have been overlooked by some. It is a good time for businesses to reflect on their AML and CTF systems and controls and check that they are up to date and meeting expectations.
The Context of the Review
The MLRs 2017 came into force on 26 June 2017, and brought two major changes regarding EMIs:
- The monetary thresholds below which EMIs are not required to apply customer due diligence (CDD) measures to transactions, if their product meets certain conditions, were reduced compared to the Money Laundering Regulations 2007.
- Where a transaction is above the thresholds but meets the relevant conditions, EMIs may still apply simplified due diligence in prescribed circumstances, and where they have assessed the risk to be low.
The aim of the thematic review was to increase the FCA’s familiarity with EMIs’ compliance with the MLRs 2017 and, in particular, the specific new rules. The FCA found good awareness and understanding among the EMIs of their financial crime obligations, a positive culture within EMIs around AML and CTF issues, and that most EMIs demonstrated a low risk appetite. The FCA provided all businesses that participated in the review with individual feedback and did not need to deploy formal supervisory tools to remedy any issues uncovered by the review.
Good and Poor Practices
The FCA has presented high-level examples of good and poor practices witnessed as part of the review findings.
These findings can be read across to all businesses in the scope of the MLRs 2017. They are not specific to the e-money sector.
1. Governance, culture, and management information: Businesses should ensure that senior management is receiving appropriate management information relating to financial crime risks, and need to document their AML and financial crime risk appetite. An annual MLRO report was found to be useful for communicating issues and outcomes, which the FCA considered good practice.
2. Business-wide risk assessment: The FCA established that the involvement of senior management in the assessment process results in a higher-quality risk assessment and means that the risk assessment holds greater weight within the firm. The risk assessment needs to be under constant review, be performed for every product, and be challenged and signed off by senior management.
3. Customer risk assessment: The FCA reiterates that risk assessments must cover all customer types and involve a practical method to establish risk ratings to ensure that firms apply the appropriate level of CDD to all customers. The FCA found that customer risk assessments were not always being performed, and if they were, there were occasions when identifying a client as higher risk did not trigger the appropriate enhanced due diligence (EDD) and enhanced on-going monitoring obligations.
4. Policies and procedures: These need to be up to date, commensurate with the size and nature of the firm, risk-based, and signed off by senior management.
5. Outsourcing of CDD: When firms outsource the performance of CDD measures to service providers, they must perform on-going monitoring of the quality of the CDD being performed. Businesses retain responsibility for the CDD performed by the service providers. The FCA commended firms that had robust audit systems in place for outsourced service providers involving regular and planned assessments, including on-site visits, face-to-face visits, and file checks at the outsourced service provider’s premises.
The FCA also commended businesses that were using geolocation technology to authenticate a customer’s location for non-face-to-face relationships. Geolocation technology helps in detecting cases of multiple and potentially fraudulent applications for accounts from the same IP address.
6. EDD: Businesses should be running politically exposed person (PEP) and sanctions screens in all cases, and should apply EDD when there is a PEP. The FCA reiterated its guidance that UK PEPs shall be treated as lower risk and can therefore be subject to a lighter version of EDD unless the UK PEP demonstrates any other high-risk factors.
7. On-going monitoring: The FCA is not prescriptive as to how on-going monitoring is done but favors electronic methods so that firms can check a greater volume of transactions and relationships. The FCA found that large firms benefit from a “real-time” and rules-based application, which generates alerts for unusual activity.
8. Training, communication, and awareness: The FCA considered training that focuses only on the reporting of suspicious transactions to be too basic, and this was marked as poor practice. Good practice was face-to-face training on AML and CTF risks, including case studies with a final assessment twice a year.
Conclusion
All businesses should consider the good and poor practices highlighted by the FCA and assess their policies and procedures against these. In light of the current regulatory climate, businesses should also consider how they have modernized policies and procedures to reflect the MLRs 2017, and whether they are confident that policies and procedures are sufficiently strong and effective.