9 October 2018
On 3 October, the FCA published its Thematic Review into Money Laundering and Terrorist Financing Risks in the E-Money Sector ("the Thematic Review"). The publication received little fanfare because, broadly, the E-Money firms ("EMIs") that responded to the Thematic Review did not display significant weaknesses in their financial crime or anti-money laundering controls. Instead, in many cases, E-Money firms actually showed examples of 'good practice' – which the FCA has published, providing other players in the market with a helpful insight into how to correctly manage money laundering and terrorist financing risks.
Despite only thirteen firms participating in the Thematic Review, each one was subject to an on-site review – including staff interviews, systems walk-throughs and customer file reviews – and a pre-visit review of documentation requested by the FCA. This was complemented by a 'desk based' review of data held by the FCA on EMIs, which included business models, customer numbers and their geographical locations. In light of all of this, the findings of the Thematic Review still amount to a comprehensive review of the sector.
The results of the Thematic Review were positive: the FCA found a prevailing culture of understanding financial crime risks and general compliance with the Money Laundering Regulations 2017 ("MLRs") across the firms it reviewed. It has speculated that this is because, owing to the relative infancy of the sector, most firms have come into existence since the creation of the UK's anti-money laundering regime (the precursor to the MLRs was the Money Laundering Regulations 2007). However, the FCA has advised other EMIs to take note of the good practice examples cited in the Thematic Review as a means of gauging the efficacy of their own controls, and whether or not they could be improved.
It could also be said that any firm subject to the MLRs would be wise to take note, as the majority of these practices are applicable to a wide range of regulated firms, not just EMIs.
Below is a table that consolidates all of the good practice examples from the Thematic Review, alongside the specific business area to which they relate[1]:
| Business area | Good practice example |
| --- | --- |
| Management information | Ensuring that key decisions on financial crime issues and follow up actions are documented, including deadlines and the individual(s) responsible for delivery. |
| Management information | An annual MLRO report was found to be a useful tool for communicating outcomes and issues. |
| Business risk assessment | Business wide risk assessments enable high-risk customers to be identified so that enhanced due diligence (EDD) and enhanced on-going monitoring can be put in place. |
| Business risk assessment | Business wide risk assessments are performed for each product and programme to identify financial crime risks, as well as risk assessing PMs and customers during on-boarding. |
| Customer risk assessment | Having an effective risk scoring method to identify individual customer risk, using factors such as geographical location, expected turnover on account and types of products customers will be using. |
| Policies and procedures | Clearly setting out the behaviours expected of staff and the consequences of not following the firm's AML policies and procedures. |
| Customer due diligence | Using site visits as part of their on-boarding of PMs to achieve an increased understanding of the PM's systems and controls. |
| Customer due diligence | Spot-checking the quality of CDD carried out by PMs, by having access to the PMs' records and systems to ensure they are complying with the EMI's policies and procedures. |
| Enhanced due diligence | An EMI with concerns about a customer contacted a merchant directly to obtain a more detailed understanding of the customer's business, including source of wealth and source of funds. |
| Ongoing monitoring | Spot-checks are performed on accounts where potentially suspicious activity has been identified to ensure decisions are appropriate and documented. |
| Ongoing monitoring | Daily and weekly transaction monitoring reports including information on loads, spending, jurisdiction and loading method were compiled at one large EMI. These reports were reviewed by the Compliance team. |
| Ongoing monitoring | The principal firm performs its own transaction monitoring of their PM's underlying customers to ensure compliance with regulation 38(3) of the MLRs. |
| Outsourcing | Where transaction monitoring had been outsourced to a 3rd party provider, the EMI received adequate management information and conducted regular on-site visits to ensure outsourced processes were being conducted effectively. |
| Outsourcing | Having an annual audit plan for PMs, taking a risk-based approach and not applying a 'one size fits all' model, to ensure appropriate ongoing monitoring and oversight. |
| Training, communication and awareness | Face-to-face training at one EMI consisted of two sessions a year and a final assessment. It included case studies which complemented online training material. |
| Training, communication and awareness | Ensuring staff attend industry events on AML and share relevant information with other members of staff. |
| Training, communication and awareness | On-boarding teams based overseas not given access to systems until they pass basic training. Further training was subsequently provided on a regular basis through quarterly on-site visits by the Compliance team. |
The above table is a helpful indication of how the regulator has sought to interpret various aspects of the MLRs. For those that are well versed in the MLRs or their 2007 predecessor, none of what was stated should come as a surprise.
Whilst the results of the Thematic Review were broadly positive, there were still isolated examples of poor practice that the FCA witnessed. These are listed in the table below:
| Business area | Poor practice example |
| --- | --- |
| Management information | Outcomes of discussion on money laundering and terrorist finance were not recorded – including responsibility for actions and deadlines. |
| Business risk assessment | Generic risk assessments not tailored to the firm's specific business model and product offerings. |
| Customer risk assessment | Risk scoring methodology developed for corporate but not retail customers. |
| Customer risk assessment | Risk assessments that do not cover all customer types at on-boarding. |
| Policies and procedures | Lack of clarity over when to perform EDD. |
| Customer due diligence | Failing to assess the nature and intended purpose of the relationship. |
| Enhanced due diligence | Unclear EDD processes, inadequate guidance to staff including a lack of detail on the types of information acceptable as evidence of source of wealth and source of funds. |
| Ongoing monitoring | Failure to assess the purpose and intended nature of the business relationship or transaction, which inhibits the ability to perform effective ongoing monitoring and the identification of suspicious transactions. |
| Outsourcing | Conducting and managing PM assurance assessments with limited resources. |
| Outsourcing | Interactions between EMI and PM do not include discussions around financial crime matters. |
| Training, communication and awareness | Narrow financial crime training based solely on reporting of suspicious activities. |
Further guidance on what constitutes good and poor practice in the financial crime space can be found in the FCA's Financial Crime Guide and the Joint Money Laundering Steering Group guidance on Anti-Money Laundering.
Taylor Wessing have acted for EMIs and are also well placed to advise on financial crime and anti-money laundering controls. Please contact one of the experts in our Financial Services & Competition team to discuss further.
[1] References to 'PM' are references to a Programme Manager