Financial crime systems and controls during coronavirus situation

  • United Kingdom
  • Financial services disputes and investigations
  • Fraud and financial crime
  • Litigation and dispute management

07-05-2020

As the FCA publishes new information on financial crime expectations for firms’ systems and controls during the coronavirus crisis, Ruth Paley and Hayley Astles of Eversheds Sutherland take a look at the key points for regulated firms to note.

The FCA Business Plan 2020/21 published last month was understandably overshadowed by the COVID-19 pandemic. However, financial crime remains an ongoing cross-sector priority and the FCA was unequivocal that it would be increasing its focus on ensuring that financial institutions have appropriate systems and controls in place to minimise the incidence of accounts being used for fraud, money laundering or other financial crime. Against this backdrop, on 6 May 2020, the FCA published a short statement setting out its expectations on how firms should apply their systems and controls to combat financial crime during the COVID-19 pandemic. The statement recognises that there will be unique operational challenges arising from the crisis, and covers:

  • the need to maintain timely reporting of Suspicious Activity Reports (SARs)
  • the management of transaction monitoring alerts and risk appetite
  • the timing of periodic refresh and customer relationship reviews
  • delays in responses from customers regarding customer due diligence (CDD) information
  • remote verification of customer identity; and
  • reminders of previous advice on SM&CR, business loan schemes and regulatory returns.

Key points

Management of compliance activity, including transaction monitoring

The FCA acknowledges that the current climate has given rise to a number of operational challenges, and that these may be impacting firms’ systems and controls with particular reference to financial crime arrangements. Challenges include high levels of absenteeism, use of the Government’s furlough scheme, and diversion of resource to priority tasks such as helping firms deliver loans under the Coronavirus Business Interruption Loan Scheme and the Bounce Back Loan Scheme. As a result, compliance teams will be stretched and trying to juggle multiple priorities.

The FCA has been explicit that firms should not seek to address these challenges through a change in risk appetite, whilst at the same time acknowledging that firms may need to re-prioritise or reasonably delay some activities, using a risk-based approach.

In particular, firms have been cautioned against recalibrating transaction monitoring (TM) or sanctions alert systems by changing or turning off existing TM triggers/thresholds, where this would be for the sole purpose of reducing the number of alerts for operational reasons such as a lack of alert handlers.

This will present a challenge for some firms, especially those with smaller compliance teams, where even a small number of absences may result in a significant impact on a firm’s ability to deal with business-as-usual (BAU) compliance actions. The FCA accepts that maintaining the alert system’s pre-pandemic parameter levels may cause knock-on delays in the resolution of alerts, or impact the firm’s ability to keep within periodic refresh and customer relationship review timetables. These delays will be deemed reasonable as long as incurred ‘on a risk basis’, so, for example, low and medium risk customer reviews should be first in line for any revised timetabling, and reviews for high risk customers should not be delayed unless absolutely necessary. There is also an expectation that there will be a ‘clear plan’ to return to the BAU review process as soon as reasonably possible.

More broadly, the current climate serves as an appropriate juncture for firms to review their annual Compliance Monitoring Plans, with a view to triaging planned activity. In line with the risk-based approach posited, activity which is integral to maintaining robust systems and controls should be prioritised. However, firms may wish to delay additional activity which attracts lower-risk outcomes.

As always, where firms amend their controls, documentation will be key. Decisions should be clearly risk assessed, documented and go through suitable governance, with the appropriate level of senior management consideration and sign off.

Customer due diligence

The current situation is also likely to impact activities around the collection of CDD, both for new and existing clients, and the timeliness of customer responses.

In terms of new customers, our colleagues Steve Smith (Partner) and Nick Barnard (Associate) have previously written about the FCA’s ‘Dear CEO’ letter of 31 March 2020 on how firms dealing with retail customers should be dealing with CDD challenges where restrictions on travel affect their ability to use traditional methods to verify a customer’s identity. The FCA’s letter signposted a number of pre-existing solutions that were available under the Money Laundering Regulations 2017 (MLR 2017) and Joint Money Laundering Steering Group (JMLSG) Guidance to verify identity remotely. Many firms already use a number of these verification methods or are considering ways of deploying additional methods in order to support the growing numbers of people that are facing financial hardship and in need of immediate financial solutions. Steve and Nick highlighted in their article the potential risk of weakening AML systems and controls in rushing to find solutions, and the exposure this creates for future regulatory and criminal sanctions.

In using either established or new remote verification methods, however, firms will need to be careful to mitigate any risk of unfair treatment of customers.  The effect of COVID-19 means that a much wider group of individuals may now fall within the ambit of being a vulnerable customer.  Firms will want to ensure that such consumers are not excluded from being able to access financial products because the digital solutions on offer are not suitable for their needs.  The FCA has recently made clear on a number of occasions that it expects firms to focus on preventing harm, and not on ameliorating the impact of any misconduct after the fact (for example through redress schemes).  

The FCA’s statement also includes a reminder that where a firm seeks information from an existing customer, Regulation 31 of the MLR 2017 requires the account to be closed where the information is not provided. However, for the time being, firms should make reasonable efforts to collect this information or consider whether there are other ways of being reasonably satisfied with the customer’s identity, before taking a decision to close the account.

It is more important than ever for firms to ensure that they are acting in the best interests of consumers, and any decisions taken during this period should be considered through the lens of the FCA’s Principles of Business.

Risk identification and notifications to regulators

The detection of terrorist financing is, unsurprisingly, an exception to any revisions to the firm’s arrangements in terms of priorities and the statement explicitly states that firms must not weaken their controls to detect such high-risk activity. The FCA also reminds firms that it expects to receive notification of any material issues that are impacting the effectiveness of firmwide financial crime controls or causing significant delays to remediation plans.

With regard to the identification of suspected money laundering activities through SARs, the FCA has made clear that it will brook no delay in timely reporting.  With new and innovative crimes being perpetrated in exploitation of the pandemic’s global impact, firms will need to remain vigilant and ensure there is a process for spotting new threats and making timely SARs to the regulator in respect of these.

As a more general point, consideration should be given by firms to updating the firmwide risk assessment under Regulation 18 (which should be done at least annually). In particular firms will want to ensure that any fresh fraud and financial crime risks arising from the pandemic are captured and mitigation activities identified.

Comment

Clarity as to the FCA’s expectations is always welcome, and firms will be grateful for the reference to areas where reasonable delays are justified and where adjustments to existing processes can be made. However, whilst the pandemic continues to wreak havoc across all areas of business operations for most regulated entities, this is an enormously testing time for all functions, and compliance teams will continue to have to fire-fight on a number of fronts. The key priority is to remain alert to the ever expanding range of financial crime challenges.

FCA Statement: Financial crime systems and controls during coronavirus situation

FCA Dear CEO letter dated 31 March 2020 

Covid-19: A warning to financial institutions not to neglect customer due diligence

FCA coronavirus (Covid-19) hub

FCA business plan