Why the FCA are disappointed with banks’ failure to embrace AML

NatWest has recently pleaded guilty to three counts of failing to comply with anti-money laundering (AML) legislation. The bank’s CEO Alison Rose said that the bank “failed to adequately monitor and therefore prevent money laundering by one of our customers between 2012 and 2016.”

This news will undoubtedly add to the disappointment expressed by industry regulator, the Financial Conduct Authority (FCA) in its missive to the CEOs of all UK Retail banks, which it sent this summer. It said although it had witnessed evidence of effective control measures, it was left disappointed to continue to identify some key weaknesses of some firms’ financial systems and control frameworks. These included governance and oversight, risk assessments, due diligence, transaction monitoring and suspicious activity reporting.

Failure to comply is significant

Banks are expected to adhere to regulations laid out in the amended Money Laundering and Terrorist Financing Regulations 2019. And failure to comply is significant, as NatWest is finding out. Not only can the banks suffer fiscally (significant fines) and reputationally (it doesn’t look great) but under the Senior Managers and Certification (SMCR) all senior management are responsible for their firms countering risk from financial crime and they can be held personally liable for infringements. The tone of the FCA letter implies ‘no more Mr Nice Guy’ – they will start to come down hard on banks who don’t now toe the line.

The FCA gave the banks the deadline of 17 September to conduct a gap analysis to identify specific weaknesses and areas of risk. And now they’re expected to put in place measures to address any weaknesses identified. Of course, one of the main problems in AML and regulations such as KYC (know your customer) is data quality. Firms’ controls and their adherence to AML is only as good as their data. So – broadly – what should firms be doing right now to improve their AML controls and address data issues?

• Identify the gaps in your financial control frameworks: this is something banks should have done for 17th September – and if they haven’t, they need to get to it asap. This gap analysis gives you a framework to work with and objectives to meet.
• Conduct independent financial crime risk assessments: this is essential – an objective assessment of the risks financial crime poses to your bank is imperative and needs to be mobilised asap.
• Design and implement assurance models: the regulator expects organisations to check that teams are following the agreed processes and procedures - these simple activities help spot where deviations have crept into process and allows course corrections to take place. 
• Design and deliver financial crime compliance training to staff: one of the weakest links in AML adherence is your staff – unless they are completely up to speed on latest regulations and expectations of how they have to execute controls, then problems will occur. Data quality can suffer too e.g. if they’re unsure of what data to gather and how to gather it.
• Help ensure your control framework meets regulatory expectations: organisations must have adequate and independent controls in place across all three lines of defence with clear and useable reporting to relevant governance groups.

Time will tell how well banks have sat up and listened to the ‘Dear CEO’ plea of the FCA. But they are running on borrowed time – the FCA will really start to come down hard on AML regulation breaches. After all, it’s in everyone’s interest to root out the financial criminals.