The FCA is currently consulting on updates to the FCG. This blog considers the regulatory priorities, highlighted in the consultation, that firms should turn their attention to right now.
Senior management should take greater responsibility for financial crime risks.
In line with recent regulatory focus on senior management accountability and oversight, the FCA plans to incorporate, for the first time, an expectation that senior management take clear responsibility for managing sanctions risk, in the same way that they are expected to do for other risks faced by the business. The FCA’s expectation is that senior management are able to evidence their active engagement in managing and mitigating the risks of non-compliance with sanctions and remediating identified gaps.
Review readiness to respond to future sanctions events.
Recent geopolitical events, and the unprecedented scale and complexity of subsequent sanctions, highlighted the importance of preparation. Ongoing assessment of jurisdictional and customer risk helps ensure firms can respond to such significant changes in a timely manner. The self-assessment questions proposed in the revised FCG encourage firms to evaluate the effectiveness of their risk assessment, policies and procedures and MI in identifying emerging sanctions events.
Management information (MI) must be sufficient for senior management to understand sanctions risks.
In addition to the existing FCG guidance on financial crime MI being expanded to incorporate sanctions risks, the proposed guidance requires that senior management are “sufficiently aware” of the firm’s obligations in relation to financial sanctions such that they can discharge their functions effectively.
Consider ‘sophisticated’ transaction monitoring technologies that provide a more holistic view of financial crime risk.
As more firms move away from transaction monitoring systems that work on a transaction-by-transaction basis, flagging fund movements that exceed rule-driven thresholds, the proposed guidance recognises that more ‘sophisticated technologies’, such as machine learning tools or artificial intelligence, can provide a more rounded view of customer behaviour and show how a customer fits into broader networks of activity to help more effectively detect suspicious activity. Specifically, firms should consider whether such arrangements are fit for purpose and clearly understood. However, the FCA intends to maintain its existing position that automated transaction monitoring is not always the right solution. It will not be required where firms’ existing manual processes already achieve an effective outcome, and firms will be required to demonstrate that processes have been adopted relative to their risk exposure.
Apply a Consumer Duty lens to decisions on managing financial crime risk.
Decisions must be taken not only through the lens of risk management, but also through the lens of the consumer. Examples of such considerations are broad-ranging and include customer communications when dealing with security or fraud concerns; engagement with customers during customer due diligence processes; or providing adequate information on their application or application outcome for products and services.
Risk assessments should be up to date, comprehensive, and forward-looking.
The FCA has proposed several additions to the FCG provisions covering risk assessments and, for the first time, highlights that firms should assess their exposure to proliferation financing risks as part of their risk assessment. When assessing sanctions risks, firms should consider which business areas are most likely to interact with individuals on the Consolidated List, either through provision of services or resources or through ownership and control. Firms should also consider the areas of their business which engage in prohibited services or transactions or rely on prohibited third parties.
Business resilience is not a standalone consideration, and has financial crime implications.
Systems play a crucial role in ensuring key controls function effectively and help mitigate financial crime risk. The proposed guidance includes self-assessment questions covering key risks such as data storage, system outages and incident response. This reflects the FCA’s wider focus on operational resilience and further highlights the importance of considering the impact of systems dependencies for financial crime controls.
Cryptoasset firms registered under the MLRs should consider the FCG.
Cryptoasset businesses registered under the Money Laundering Regulations 2017 (MLRs) were brought within the FCA’s supervisory remit for anti-money laundering and counter-terrorist financing purposes in June 2020. The FCA proposes that cryptoasset businesses should consult and apply the FCG when considering the design of their financial crime-related systems and controls. Implementing the FCG early will not only help firms demonstrate compliance with their obligations under the MLRs and UK sanctions regime, but will also help prepare them for the UK’s future regulatory regime for cryptoassets.
‘Travel rule’ updates provide greater clarity on expectations.
The ‘Travel Rule’ (in force since 1 September 2023) requires cryptoasset businesses in the UK to collect, verify and share information about cryptoasset transfers. The FCA proposes updating the FCG to include a reference to the Travel Rule within the customer payments section of the FCG, and highlights that the section setting out examples of good and poor practices in the FCG is equally relevant to inter-cryptoasset transfers as to wire transfers. Helpfully, the FCA also plans to provide guidance material for cryptoasset firms in the FCG, including with respect to compliance with the Travel Rule.
Overall, the FCG consultation reflects key thematic developments and emerging financial crime priorities over recent years, highlights some newer areas of focus for the FCA and provides some welcome clarity on the FCA’s expectations of firms when assessing the adequacy of their financial crime systems and controls. It is not just about adhering to the letter of the law but embracing the spirit of it. To navigate these changes, the FCA’s self-assessment questions and examples of good practice should help firms critically consider existing practices against the regulator's expectations. After all, it's the wise who lead, and the informed who stay ahead of the curve (or regulatory scrutiny, in this case).