Financial crime compliance in unprecedented times – key themes for financial services firms
In a world of increased financial crime threats and challenges as a result of coronavirus, we look at 6 key areas for financial services firms to take action to stay in compliance.
Regulators in all the major financial markets have made it clear that financial services firms must continue to meet their financial crime obligations when carrying out business in the current Covid-19 environment. With the prospect that the coronavirus pandemic will have limited mitigation value should a regulatory investigation into lapsed controls later ensue, we consider below six key areas of focus for financial crime compliance in the current climate.
1. Understanding the new and evolving risk environment
A host of coronavirus-related financial crime risks have emerged as the pandemic has spread. There are many reports that fraud attempts have increased significantly (including income protection scams and fake charity appeals). There has also been an increase in the use of phishing and malware attacks by cybercriminals using plagiarised branding from organisations such as the WHO and an increase in the registration of domain names related to coronavirus. As the pandemic continues, it is likely that criminals will adapt their methods further and seek other avenues by which to exploit victims.
In the UK, the FCA has provided guidance on potential coronavirus scam activity for consumers, including what tactics to look out for. It has also stated that it expects firms to: be taking reasonable steps to ensure they are prepared to meet the challenges that coronavirus could pose to customers and staff; provide strong support and service to customers during this period; and be clear and transparent and provide support as consumers and small businesses face challenges at this time.
Firms should consider whether additional actions may appropriately be taken to protect customers who might be particularly vulnerable to increased fraud threats (and not just those with whom you are already familiar, such as the elderly, but also, for example, those seeking assistance under a government support scheme). Steps might include increasing account takeover controls available to take action in respect of suspicious payments.
Stepping up monitoring of internal fraud will also be important during this time, when staff are physically isolated and may be fearful about cutbacks or redundancies.
Firms should also examine whether there is a need for new systems and controls to be put in place to deal with changes in operations (for example, to deal with increases in contactless card limits). Is there a process in place to re-evaluate these new controls from a risk perspective?
2. Running BAU operations with operational challenges
The operational challenges of maintaining existing controls while staff are remote working and vendors and suppliers have their own challenges can be significant. Firms that have not already done so should consider a risk assessment over the effectiveness and adequacy of existing controls in the current environment – what is working and what is not? Have external vendors have been contacted and has there been a drop in service delivery?
As firms move away from immediate crisis management, documenting specific actions taken to ensure controls are maintained, and noting where resources are focused to manage risk, will be critical in answering any future regulatory questions.
3. Continuing to develop and invest in compliance controls
Many financial services firms will have expended significant resources in recent years on new compliance controls and processes as well as remediation exercises addressing previously identified gaps. Firms will need to carefully evaluate where ongoing work in these areas can be scaled back, or timelines re-examined, in particular in view of any commitments already made to regulators, as well as whether changes would jeopardise their ability to ensure a satisfactory level of ongoing compliance.
Firms should consider evaluating whether there are any key points of remediation which need to continue and, if so, whether they are being considered as a matter of priority.
Where any changes need to be made to existing plans, consider whether there is a need to communicate with appropriate regulators to discuss any delays or prioritisation, particularly where this relates to remediation of any existing supervisory findings.
4. Knowing your (remote) customer
While many firms already deal with their customers without meeting them in person, the current environment presents potential challenges in carrying out customer due diligence.
Among the issues is how to obtain certified copies of identification documents. In the UK, the FCA has provided some guidance on its expectations in this area in light of coronavirus restrictions, but what is appropriate by way of customer due diligence remains for firms to assess on a risk-based approach. Firms should consider whether additional steps can be taken to verify customers' identity where face-to-face contact and/or certification of documentation is not possible. For example, use of additional proprietary screening tools or additional reference letters from professional advisers.
Further, the way in which some customers interact with financial services firms has evolved, with an increase in the use of electronic payments (including digital banking services being used by less experienced users, such as the elderly) and greater demand for loans and/or the amendment of existing products due to business disruption and changes in interest rates. This brings increased challenges in being able to adequately assess the associated financial crime risks. Consider whether additional due diligence and ongoing monitoring checks are required in light of increased lending activity, heightened fraud risk and increased potential for card fraud, fraudulent loan applications and similar. MSBs may be particularly active in the current environment.
Firms should also consider reminding personnel of internal suspicious activity reporting procedures and the need to be alive to potentially suspicious behaviour in the context of the current climate when carrying out customer due diligence and ongoing monitoring.
5. Screening and transaction monitoring when 'normal' has changed
It might also be expected that there will be an increased volume of alerts in screening and monitoring tools, which may make it more difficult to discern between legitimate and potential illegal activities. This may bring challenges, both for the teams that are reviewing alerts and carrying out investigations, as well as for the systems themselves, which may be based on models and algorithms which assume very different patterns of behaviour from those seen under lockdown conditions.
Increased numbers of false positives may be generated as a result of different customer behaviour andadverse media screening might pick up more data as a result of articles about redundancies etc. Understanding what a normal transaction pattern looks like for particular customers in these times may present challenges, and in turn different activity types or ways of using the banking relationship by customers will drive new risks and threats of financial crime to the firm.
Firms will need to assess whether there is enough staff to review alerts in an appropriate timescale and with sufficient expertise, accounting for coronavirus absences and potential slower systems for those remote working. It may also be appropriate to give personnel training on potentially new and/or different suspicious activity, and to ensure that they are aware of the internal suspicious reporting procedures and when they should be followed.
In all the areas discussed here, it is important to ensure a proper understanding of the risks and how these are manifesting themselves for the firm – and to provide senior management with an accurate picture of the situation. This is particularly the case for screening, where the data is more technical in nature, so consider whether additional monitoring or management information should be put in place to allow an understanding of what transaction and alert flows look like, so that appropriate action can be taken to address changes.
6. Operational resilience and cyber incident response
The threat of cyber attack is at a peak in the current climate. Remote working and business disruption is happening at a time when cybercriminals are increasingly active and inventive. In the event of an attack, the compromise of a firm's compliance controls and system, even if short-lived, can trigger widespread disruption and generate substantial additional financial crime risk.
Regulators have focused heavily on the need for firms to have in place robust operational resilience plans, which allow firms to continue to meet their regulatory obligations. This applies equally in relation to financial crime controls. Early in the crisis for the UK, the FCA noted its intention to work with the Bank of England to actively review the contingency plans of a wide range of firms, including to assess operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to serve and support their customers.
Firms should assess whether cyber response plans in place adequately deal with how to contain and/or mitigate financial crime risk if an incident occurs. What happens if customer and payment screening or transaction monitoring systems are no longer accessible or are compromised? What if financial crime personnel are not able to access data needed? Are processes in place to stop transactions and new customer relationships triggered in such circumstances?
Further, where any financial crime operational resilience plans have been used over the past weeks, consider whether those plans need revisiting in light of how well they worked so that they can be used to ensure compliant BAU financial crime operations if a new crisis, or a renewal of the coronavirus crisis, occurs at a future point.
Further information on the increased threat of cyber incidents in the current climate can be found in our recent client briefing.
Conclusion
It is critical that firms ensure that they have the right systems and controls in place to address financial crime risks, and that those systems and controls are re-evaluated in light of the evolving threat environment. The risk of getting it wrong can trigger regulatory scrutiny in the future and therefore ensuring an adequate record of risk-based decisions taken now will help protect against future enforcement risk.