9 October 2018

E-money firms have good habits when monitoring bad practice

On 3 October, the FCA published its Thematic Review into Money Laundering and Terrorist Financing Risks in the E-Money Sector ("the Thematic Review"). The publication received little fanfare as broadly, the E-Money firms ("EMIs") that responded to the Thematic Review did not display significant weaknesses with financial crime or anti-money laundering controls. Instead, in many cases, E-Money firms actually showed examples of 'good practice' – which the FCA has published, providing other players in the market with a helpful insight into how to correctly manage money laundering and terrorist financing risks.

Deep dive into a small pool

Despite only thirteen firms participating in the Thematic Review, each one was subject to an on-site review - including staff interviews, systems walk-throughs and customer file reviews – and a pre-visit review of documentation requested by the FCA. This was complemented by a 'desk based' review of data held by the FCA on EMIs, which included business models, customer numbers and their geographical locations. In light of all of this, the findings of the Thematic Review still amount to a comprehensive review of the sector.

Positive results

The results of the Thematic Review were positive: the FCA found a prevailing culture of understanding financial crime risks and general compliance with the Money Laundering Regulations 2017 ("MLRs") across the firms it reviewed. It has speculated that owing to the relative infancy of the sector, most firms have come into existence since the creation of the UK's anti-money laundering regime (the precursor to the MLRs was the Money Laundering Regulations 2007). However, the FCA has advised other EMIs to take note of the good practice examples cited in the Thematic Review as a means of gauging the efficacy of their own controls, and whether or not they could be improved.

However, it could also be said that any firm subject to the MLRs would be wise to take note, as the majority of these practices are applicable to a wide range of regulated firms, not just EMIs.

Practice makes perfect

Below is a table that consolidates all of the good practice examples from the Thematic Review, alongside the specific business area to which they relate^[1]:

Business area	Good practice example
Management information	Ensuring that key decisions on financial crime issues and follow up actions are documented, including deadlines and the individual(s) responsible for delivery.
Management information	An annual MLRO report was found to be a useful tool for communicating outcomes and issues.
Business risk assessment	Business wide risk assessments enable high-risk customers to be identified so that enhanced due diligence (EDD) and enhanced on-going monitoring can be put in place.
Business risk assessment	Business wide risk assessments are performed for each product and programme to identify financial crime risks, as well as risk assessing PMs and customers during on-boarding.
Customer risk assessment	Having an effective risk scoring method to identify individual customer risk, using factors such as geographical location, expected turnover on account and types of products customers will be using.
Policies and procedures	Clearly setting out the behaviours expected of staff and the consequences of not following the firm's AML policies and procedures.
Customer due diligence	Using site visits as part of their on-boarding of PMs to achieve an increased understanding of the PM's systems and controls.
Customer due diligence	Spot-checking the quality of CDD carried out by PMs, by having access to the PMs' records and systems to ensure they are complying with the EMI's policies and procedures.
Enhanced due diligence	An EMI with concerns about a customer contacted a merchant directly to obtain a more detailed understanding of the customer's business, including source of wealth and source of funds.
Ongoing monitoring	Spot-checks are performed on accounts where potentially suspicious activity has been identified to ensure decisions are appropriate and documented.
Ongoing monitoring	Daily and weekly transaction monitoring reports including information on loads, spending, jurisdiction and loading method were compiled at one large EMI. These reports were reviewed by the Compliance team.
Ongoing monitoring	The principal firm performs its own transaction monitoring of their PM's underlying customers to ensure compliance with regulation 38(3) of the MLRs.
Outsourcing	Where transaction monitoring had been outsourced to a 3^rd party provider, the EMI received adequate management information and conducted regular on-site visits to ensure outsourced processes were being conducted effectively.
Outsourcing	Having an annual audit plan for PMs, taking a risk-based approach and not applying a 'one size fits all' model, to ensure appropriate ongoing monitoring and oversight.
Training, communication and awareness	Face-to-face training at one EMI consisted of two sessions a year and a final assessment. It included case studies which complemented online training material.
Training, communication and awareness	Ensuring staff attend industry events on AML and share relevant information with other members of staff.
Training, communication and awareness	On-boarding teams based overseas not given access to systems until they pass basic training. Further training was subsequently provided on a regular basis through quarterly on-site visits by the Compliance team.

The above table is a helpful indication of how the regulator has sought to interpret various aspects of the MLRs. For those that are well versed in the MLRs or their 2007 predecessor, none of what was stated should come as a surprise.

And now the bad news…

Whilst the results of the Thematic Review where broadly positive, there were still isolated examples of poor practice that the FCA witnessed. These are listed in the table below:

Business area	Poor practice example
Management information	Outcomes of discussion on money laundering and terrorist finance were not recorded – including responsibility for actions and deadlines.
Business risk assessment	Generic risk assessments not tailored to the firm's specific business model and product offerings.
Customer risk assessment	Risk scoring methodology developed for corporate but not retail customers.
Customer risk assessment	Risk assessments that do not cover all customer types at on-boarding.
Policies and procedures	Lack of clarity over when to perform EDD.
Customer due diligence	Failing to assess the nature and intended purpose of the relationship.
Enhanced due diligence	Unclear EDD processes, inadequate guidance to staff including a lack of detail on the types of information acceptable as evidence of source of wealth and source of funds.
Ongoing monitoring	Failure to assess the purpose and intended nature of the business relationship or transaction, which inhibits the ability to perform effective ongoing monitoring and the identification of suspicious transactions.
Outsourcing	Conducting and managing PM assurance assessments with limited resources.
Outsourcing	Interactions between EMI and PM do not include discussions around financial crime matters.
Training, communication and awareness	Narrow financial crime training based solely on reporting of suspicious activities.

Further guidance on what constitutes good and poor practice in the financial crime space can be found in the FCA's Financial Crime Guide and the Joint Money Laundering Steering Group guidance on Anti-Money Laundering.

Here to help

Taylor Wessing have acted for EMIs and are also well placed to advise on financial crime and anti-money laundering controls. Please contact one of the experts in our Financial Services & Competition team to discuss further.

^[1]References to 'PM' are references to a Programme Manager