FCA guidance for firms on financial crime systems and controls during the coronavirus crisis
On 6 May, the FCA published brief guidance as to its expectations of how firms should apply their financial crime systems and controls during the Covid-19 crisis.
In our previous RIFC Insight, Financial crime compliance in unprecedented times – key themes for financial services firms, we anticipated the key issues that firms should consider when managing their financial crime systems and controls during the coronavirus pandemic.
The FCA has now published its own guidance on the subject, which contains a high-level overview of its views.
As well as flagging the increased risk from cyber attacks and fraud, critically, the FCA has recognised the operational challenges that firms may be facing at present:
- On the one hand, it states that firms should not seek to address operational issues by changing their risk appetite (examples given are by amending monitoring or screening thresholds or triggers in order to reduce the numbers of alerts),
- But on the other hand, the FCA has expressly acknowledged that firms can re-prioritise or reasonably delay some activities, taking a risk-based approach.
The examples given in relation to the latter are ongoing customer due diligence reviews, or reviews of transaction monitoring alerts. The FCA notes that any such changes must be applied on a risk-sensitive basis (for example, do not delay high-risk customer reviews unless absolutely necessary) and there should be a clear plan to return to the business-as-usual review process as soon as reasonably possible.
However, this does appear to be a potential green light for some alerts or monitoring reviews to be disregarded, for the time being at least. This may not amount to a formal relaxation of the Money Laundering Regulations 2017, but it will certainly have the potential to give breathing space to some firms where needed.
Firms should, though, think twice before downing tools and allowing large backlogs to build up. The FCA has stated that the risks of taking any such actions to amend processes now must be carefully assessed, documented and put through an appropriate governance process, and that it is important that firms notify the FCA of any material issues that are impacting the effectiveness of their financial crime controls or causing significant delays to remediation plans. Carefully documenting steps taken now will be critical to explaining actions taken in the future should the FCA make enquiries.
The FCA's guidance also addresses flexibility within existing requirements for client identity verification, including restating suggested additional verification steps it had set out in its Dear CEO letter of 31 March. The FCA has stated that:
- Firms must continue to comply with their obligations on client identity verification.
- There is existing JMLSG guidance for remote ID&V of customers which gives indications of appropriate safeguards and additional checks which firms can use to assist with verification.
- The guidance does not represent a relaxation of requirements, or suggest that taking one of the suggested additional verification measures in isolation would be appropriate or sufficient verification.
- Any steps firms take to verify identity must be in line with their overall risk assessment and the risk profile of the customer.
The FCA has also provided links to separate guidance from the FCA and PRA on SM&CR arrangements, the application of CDD measures to the Coronavirus Business Interruption Loan Scheme (CBILS) and the Bounce Back Loan Scheme (BBLS), as well as to temporary measures for regulatory reporting.