A recent review by the UK’s Financial Conduct Authority (FCA) has highlighted weaknesses in the way challenger banks assess risk.
The review was conducted during 2021 and involved six unnamed challenger banks operating in the retail sector in the UK. It was launched after the 2020 National Risk Assessment (NRA) of Money Laundering and Terrorist Financing raised concerns about some of the speedy onboarding processes used by many challenger banks. “Criminals may be attracted to the fast onboarding process that challenger banks advertise, particularly when setting up money mule networks,” said the FCA.
“Challenger bank” is a relatively loose term, but the NRA defines it as “a sub-sector of retail banks that aim to reduce the market concentration of traditional high street banks through the use of technology and more up-to-date IT systems.” None of the banks involved in the FCA’s review were named, but examples of challenger banks currently operating in the UK include Monzo, Starling and Monese.
The NRA showed an increase in the number of Suspicious Activity Reports (SARs) from these types of banks, suggesting that some may not be running adequate checks on new customers. The FCA says its review is aimed at money laundering reporting officers and industry practitioners working in financial crime roles. Below we have summarised some of the key findings of the review and will also look at how affected firms can address these issues.
Key findings highlighted by the FCA review
CUSTOMER RISK ASSESSMENTS (CRA)
All firms subject to the FCA’s Money Laundering Regulations (MLRs) must have systems and processes in place to monitor money laundering risk. Customer risk assessments are of course an integral part of any AML programme; however, the FCA found that some challenger banks did not have a very well developed CRA framework – and in some cases did not have a formal CRA in place at all.
“A good CRA framework should be regularly tweaked to ensure it is still fit for purpose for the size of the firm and nature of the business,” says Mike Finlay, CEO of RiskBusiness, a supplier of augmented governance, risk, audit and compliance solutions for the financial services sector. “Online-only banks have seen such rapid growth over such a short period of time, that some may have struggled to keep pace with that change when building their risk management frameworks. The FCA requires firms to keep customer risk assessment frameworks updated so they reflect any changes to their business model and products.”
CUSTOMER DUE DILIGENCE AND ENHANCED DUE DILIGENCE (CDD & EDD)
The FCA says all challenger banks included in the review met the basic requirements of the MLRs, but most did not go beyond that. “Most did not obtain full customer information (for example income and occupation details) to determine their customer’s risk. As a result, they were unable to sufficiently assess the purpose and intended nature of the customer’s relationship with them,” said the review. “Essentially, what the FCA is saying is that challenger banks could do better in this area,” says Finlay. “The more information gathered, the better your dataset will be and the more informed your risk assessments will be overall. It’s about getting a bigger picture, a more detailed view of potential threats – rather than simply ticking a box in order to comply with regulations.”
The FCA says some challenger banks were relying too heavily on transaction monitoring to identify suspicious activity: “No matter how good a transaction monitoring system is, firms must still comply with the relevant CDD requirements. Moreover, inadequate CDD will mean a less effective transaction monitoring system,” it warned.
Firms can address this first by complying with CDD requirements and then by ensuring they not only gather as much relevant data as possible about new customers, but also implement the right systems to harness that data to its fullest potential, says Finlay. The FCA found that some firms were not consistently applying EDD and some even had no formal documentation process in place. “It’s all very well gathering as much information as you can, but if that information is not formally documented, contextualised and cross-referenced with other relevant information, it is essentially just gathering dust,” he adds.
FINANCIAL CRIME CHANGE PROGRAMMES
Managing change to financial crime regulation is a huge challenge for firms of all sizes and types. With a tidal wave of sanctions having recently been implemented by many Western jurisdictions in retaliation for the conflict in Ukraine, the burden on firms to manage this area of risk is increasing.
The FCA found that many challenger banks were struggling with financial crime change management, demonstrating “inadequate oversight and a lack of pace in implementation, meaning the challenger banks’ control frameworks were not able to keep up with changes to their business models.”
To address this, the FCA says firms should be doing the following:
- have clear project plans for control enhancements, outlining key milestones, accountable executives and delivery dates;
- ensure senior management are tracking projects and key deadlines are being met;
- ensure the Risk Committee, the Audit Committee and CEO are involved in overseeing material developments to these programmes, for governance purposes.
According to KPMG, building an effective system for managing changes to financial crime regulation involves three key steps: (1) identifying the firm’s global footprint; (2) drafting a framework; and (3) implementing a pilot programme to assess its effectiveness. “By creating a sustainable inventory, and implementing an effective change management programme thereafter, an institution can meaningfully enhance its control environment, ease the challenges of expanding into new businesses and markets, and help minimise regulatory and legal risks,” it says. Of course, all of this takes considerable time to get right, which the FCA acknowledges is a contributing factor to why these relatively new entities may still have work to do in this area.
Good communication and meticulous documentation are vital to ensuring financial crime change programmes continue to improve and are always on the agenda, says Finlay. “It can’t be something that is assigned to an individual and then left to them to manage; it must be continuously monitored and discussed, with potential changes prepared for well in advance – and with full accountability from those in senior roles. Challenger banks were very keen to become regulated entities and so managing the responsibility that comes with this should be taken seriously.”
INEFFECTIVE TRANSACTION MONITORING ALERT MANAGEMENT
The FCA’s review found the following problems in the management of transaction monitoring alerts:
- inconsistent and inadequate rationale for discounting alerts by alert handlers;
- a lack of basic information recorded in the investigation notes;
- a lack of holistic reviews of the alerts.
The FCA also found that some firms simply weren’t allocating enough resources to this area, meaning alerts weren’t dealt with quickly enough in some cases and this was in turn impacting how soon a Suspicious Activity Report was submitted to the UK Financial Intelligence Unit (UKFIU). “A firm must have adequate resources in place to holistically consider customers’ activity as part of its review of transaction monitoring alerts,” says the review. “This should include reviewing what the firm knows about the customer, including previous alerts and information it collected on the customer, including income, the nature and purpose of account and payment references.”
“The FCA makes reference again to a ‘holistic’ – or 360-degree – view of customer activity, which is so important,” says Finlay. “This again comes down to data management and adequate allocation of resources. By definition, an ‘alert’ is something that provides warning, it notifies you of something; i.e. it is not designed to be ignored or addressed later. Firms should also consider whether the thresholds they have in place for alerts are appropriate as having too many alerts which turn out to be false positives can lead to complacency, allowing real issues to slip through the net.”
Part of the reasoning behind the review was to investigate an increase in the number of SARs and Defence Against Money Laundering (DAML) reports being submitted to the UKFIU by challenger banks. Many of the DAMLs were in relation to customers that were being exited from the business due to them not fitting with the firm’s risk appetite. The FCA questions why these individuals were allowed to open an account in the first place, suggesting that “better controls and risk assessment may have identified them sooner.”
Some challenger banks have also not been quick enough to implement restrictions on customers who have been the subject of DAMLs, which the FCA says is down to a disconnect between the relevant function receiving court orders and processing SARs, and the relevant compliance teams.
Other issues highlighted in this area included a lack of clarification about data submitted to the FCA – i.e. challenger banks are submitting transaction data, but not explaining why they believe it is suspicious; and using SARs to incorrectly report fraud (when they should be reserved for the reporting of suspected money laundering).
“This all suggests that some challenger banks are perhaps struggling to determine what types of activity should be reported to the regulators and how best to interpret the data they collect on this matter,” says Finlay. “Ensuring the right expertise is dedicated to money-laundering reporting is essential, as is the avoidance of siloed working between departments. The recent FinCEN files scandal evoked outrage at how poorly many of the world’s biggest banks were managing their AML initiatives. Challenger banks, being more adaptable and efficient than their traditional counterparts in many ways, have an opportunity to lead the way in tackling this issue, with the right technology and relevant expertise.”