The FCA has published its findings on good and poor practice arising from a multi-firm review focusing on business wide risk assessment ("BWRA") and customer risk assessment ("CRA") processes. The review was carried out as part of the FCA's wider financial crime supervisory work and included building societies, platforms, custody and fund services, payment (e-money) and wealth management firms.
The FCA's key findings can be summarised as follows:
- Identifying, understanding and assessing risk: while most firms had a BWRA in place, few were quantifying relevant risks or tailoring the BWRA to their specific business. Some firms could not explain sufficiently how they were managing and mitigating identified risks. A key poor practice point identified was that some firms' BWRAs focussed mainly on fraud or generic risks, often ignoring specific money laundering, sanctions and other financial crime risks. Those firms were therefore over-simplifying the risks to which they were exposed and/or failing to explain how specific risks affect them. The FCA also noted that some firms had concluded that their business was low risk, or that their controls were effective or mature, without appropriate evidence in support.
- Mitigating risk: there was little evidence of how risk assessments, decision-making and monitoring activities are joined up, with few firms having documented actions resulting from their risk assessments. The FCA's view of good practice is that the BWRA should feed into risk appetite, controls testing and the firm's overall risk-based approach, whereas CRAs should directly impact customer due diligence, transaction monitoring and other relevant processes and controls. The FCA also raised a concern in relation to firms rapidly expanding product, service and customer types without considering and ensuring that controls remain appropriate and effective.
- Managing risk: although firms recognised the importance of appropriate governance and oversight, senior management typically appeared to better understand, and be more aware of, fraud risk as compared with other financial crime risks. The review emphasised the importance of regular review of models and processes and that good practice includes quarterly or triggered updates to risk assessments to make sure they are responsive to changes in the risk environment. Some firms have integrated dynamic risk assessments into their financial crime frameworks, mitigating the risk that static processes can lead to outdated risk profiles.
The FCA expressly noted that identified good practice in this area often goes beyond minimum regulatory standards (i.e. a firm which does not adopt all the good practice points identified in the review will not automatically be in a state of non-compliance). However, firms should review the FCA's findings and consider both good and poor practice points in the context of their firm's risk-based approach and existing systems and controls. The FCA will continue to monitor firms through its supervisory work.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.