As part of our commitment to supporting senior compliance leaders, FINTRAIL is publishing a series of articles based on interviews with current and former MLROs, designed to provide actionable advice to those holding the money laundering reporting function (SMF17).

We recently published a paper on best practice for managing regulatory enforcement actions, based on our own research and interviews with MLROs at UK payment firms. Our advice in that paper presupposes that a firm is genuinely committed to meeting its anti-financial crime obligations, wants to ensure its programme is fit for purpose, and has an MLRO who is up to the task. However, this may not always be the case, and the pressures for the MLRO will clearly be compounded if the firm is not interested in supporting them. Several interviewees stressed how important it is for MLROs to assess a company’s compliance culture before joining, to avoid falling subject to an avoidable enforcement action, or being in a toxic situation where they are left to shoulder the blame without adequate support.

Advice for would-be MLROs

For any regulated function with significant responsibilities, it’s vitally important applicants don’t get swept up in the recruitment process and take on a role without giving it serious thought.  Prospective MLROs should make the most of the recruitment process to ask the firm - and themselves - the right questions to ensure they don’t regret their decision in the long run.

Recognise this role isn’t for everyone. Be honest with yourself about whether you are ready for the responsibilities that come with being an MLRO.  There is clearly the risk of personal liability if things go badly wrong, but this can seem like an unlikely worst-case scenario.  What is more likely is that you will be personally responsible for facing off to the regulator to justify your firm’s programme and answer for any failings.  Are you happy to take on this responsibility?  Do you have the experience and knowledge to run a programme that successfully identifies and mitigates risk?  Especially if this role is a promotion or a significant step up that seems too good to be true, consider if it is and if you’re happy with what you’re taking on!

Interviews should be a two-way process.  Use them to ask meaningful questions about the firm’s compliance programme, resources, tone from the top, and compliance culture. If it doesn’t feel right, be prepared to walk away.

Do your due diligence. Where possible, look into the firm’s compliance history. Has there been significant turnover of MLROs and key compliance staff?  If so, ask about it during the interview process - there may be a reasonable explanation unrelated to the firm’s compliance performance or culture, but try to bottom this out.  Is senior management forthcoming and open about any previous regulatory engagement, or significant audit findings or self-identified gaps?  Do you know any former employees of the company or is there anyone in your network who can give you an off-the-record view?  As before, if you’re not comfortable with the answers you’re getting (or not getting) consider if you should walk away.

Advice for hiring firms

On the flip side, firms can avoid falling foul of the regulator by ensuring they have a suitable individual in the key position of MLRO, and that they offer them the support they need. A good MLRO can ensure the firm doesn’t come under regulatory pressure in the first place, or can self-identify and report issues to the regulator to ensure a less hostile process. In a worst case scenario, they can capably and successfully deal with difficult enforcement actions. 

Invest time and effort in finding the right person.  It can be very easy for early-stage companies in particular to underestimate the importance of the role of MLRO.  When resources and headcount are stretched, it’s tempting to focus on the business and engineering side, and try to secure relatively cheap compliance resources.  However, this is likely to be a false economy if you end up in hot water and have to devote significant time and money to remedial action and regulatory engagement later on.

Broaden your horizons.  Many firms, especially scale-up companies, look internally when they need to fill the role of MLRO, promoting someone from within the compliance team. This person will obviously have a good understanding of the business - and may be so happy with the promotion they’re not too demanding in terms of salary, or involvement in governance and senior level decision-making.  However, unless they worked very closely with the former incumbent and you have a clear plan for their personal development, they are unlikely to have the full range of skills and knowledge required of an MLRO.  Consider carefully whether such an individual will be the right fit, and how you will support and upskill them if you do fill the role internally.

Be honest. If you already know that your programme has issues, or you’re already subject to regulatory action, you need an MLRO who is comfortable managing this situation.  You may not be able to share specific details, but the more you can tell prospective MLROs about what they’re taking on, the more sure you can be that they're up for the challenge.  A small number of people even thrive on such situations - they essentially act as troubleshooters, repeatedly coming into firms in difficulty to overhaul the programme and get it back on an even keel.  Most candidates who have previously undergone a regulatory action will fall into two camps - either their experience will give them unrivaled insights and make them the ideal candidate, or they will be burnt out from their previous experience and have no desire to go through it again!  Don’t make assumptions - make sure they know what they would be taking on and find out how they would feel about it before offering them the role.

Staying on top of new regulations and emerging financial crime risks is a constant challenge for financial institutions. Firms must grapple with a steady stream of new sanctions designations, evolving fraud typologies and terrorist financing threats, and even entirely new regulatory regimes (looking at you, AMLA). This fast-evolving landscape is one reason why most regulators insist on ongoing training on financial crime.

One of the most common pitfalls for financial institutions is relying on an off-the-shelf training programme. There are a plethora of ready-made AML training courses available which tick the box for meeting basic regulatory requirements; however their generic nature means they barely scratch the surface of what you really need to understand. In order to turn training into a key tool in reducing your risk exposure and an opportunity to develop, firms are advised to consider more bespoke options.

FINTRAIL designs and delivers bespoke training sessions tailored to individual firms’ risk profiles, products, geographies and sectors.  Read on to find out why this matters…

The regulatory imperative

In many jurisdictions, financial service firms are obliged to provide financial crime training to their staff. In the UK, for instance, the Money Laundering Regulations set out specific requirements that regulated firms must meet:

• Firms must ensure relevant employees and agents are made aware of the law relating to money laundering and terrorist financing, and the requirements of data protection. 

• Employees must regularly be given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering, terrorist financing or proliferation financing.   

• Each firm must take account of the nature of its business, its size, and the nature and extent of the financial crime risks it faces.

Let’s take a look at what the regulations actually mean in terms of who needs what financial crime training and when.

One size does not fit all

The UK regulations define ‘relevant employees’ as anyone capable of contributing to the prevention or detection of money laundering, terrorist financing and proliferation finance or the identification or mitigation of the risk of these activities.  In other words, it’s not just the compliance team but also senior management and all sales teams, account managers and other customer-facing roles.  These different roles clearly face varying levels of exposure to financial crime risks and have different levels of existing knowledge.  As a result, financial crime training must be tailored to the specific needs of different employees’ roles and responsibilities.

• Company-wide training: Every employee, from administrative staff to the CEO, should have a basic understanding of financial crime risks. Company-wide training often covers general topics like definitions of anti-money laundering (AML), fraud prevention, and raising concerns. This level of training helps establish a culture of vigilance and ethical behavior across the organisation.

• Compliance teams: Those working in compliance or risk departments require in-depth training to ensure they can manage and monitor the firm’s anti-financial crime policies effectively. They need specialised knowledge of the firm’s obligations under applicable regulations, how to assess levels of risk exposure, how to fulfill KYC requirements and monitor customers’ behaviours, and how to report suspicious activity.

• Senior management and board members: Senior management has ultimate responsibility for the firm’s financial crime compliance framework. It is therefore critical they understand their role in governance and risk oversight, and are well-versed in how to design, implement, and review an effective financial crime risk management program. This level of training should focus on high-level decision-making, understanding risk assessments, and maintaining accountability.

By customising training based on an individual’s role, regulated firms can ensure that everyone has the knowledge and tools they need to meet regulatory obligations and protect the company from financial crime.

It’s not all about AML training

Good financial crime training covers a wide range of topics. The UK Money Laundering Regulations specifically call out money laundering, terrorist financing and proliferation finance, but it’s also vital to understand sanctions evasion, fraud, and bribery and corruption risks amongst others. The depth of coverage required for each topic will vary depending on the firm’s operations, size, and risk exposure - i.e. different firms will require different training content.

Many firms are increasingly choosing to go beyond the main topic areas above, to look at specific topics of relevance to their company or where they have identified particular knowledge gaps.  At FINTRAIL, we have produced and delivered bespoke financial crime training on:

• Financial crime risks for cryptocurrency

• Tax evasion

• Terrorist financing risks for FinTechs

• Tipping off

• Financial inclusion

• Far right extremism

• Building a compliant product

Financial crime training isn’t a one-time exercise 

Finally, the UK Money Laundering Regulations make it clear that it isn’t sufficient to provide training to new employees when they join a firm. Regulations change constantly, as do the financial crime threats a business faces, and the business’ activities and risk profile.  Staff therefore benefit from regular training - both to reinforce key messages and keep information fresh in their minds, and to keep them up-to-date with new regulations and risks.  For most firms, training takes place at onboarding, on an annual basis, and whenever there are significant changes to the regulatory environment or the company’s activities - e.g. if it expands into a new market or customer vertical, or begins offering a new product. Ad-hoc training can also be scheduled in response to identified knowledge gaps or areas of weakness.  

Hopefully this close review of the regulations shows the benefits of individualised financial crime training programmes over off-the-shelf courses. Firstly, a bespoke approach ensures that the training is relevant to your company’s specific needs, operations, and risk profile. A generic programme may not address the unique challenges your firm faces, leading to knowledge gaps that could expose you to regulatory and operational risks.

Secondly, bespoke training can lead to better engagement from staff. When training is tailored to their specific role and challenges, employees are more likely to find it valuable and retain the information. In turn, this can improve their ability to detect and report suspicious activities, strengthening your firm’s defenses against financial crime.

Lastly, bespoke training programmes demonstrate to regulators that your firm is taking its financial crime prevention responsibilities seriously. By designing a training programme that reflects your firm's unique risk profile and operational environment, you show a proactive commitment to regulatory compliance and ethical business practices.

If you would like to speak to FINTRAIL to learn more about how we can help you with your training requirements, please contact us.

Examples of our financial crime training projects

FINTRAIL was engaged by Finance Latvia, the industry association representing all major banks in Latvia, to deliver a financial crime training programme to CEOs and board members of Latvian banks. The training included a focus on balancing a risk-based approach with consumer duty obligations, and avoiding unnecessary de-risking.

FINTRAIL has worked with the Centre for Financial Crime and Security at RUSI on various financial crime training engagements, including terrorist financing and AML training throughout Europe. Most recently we have developed targeted training on Russia sanctions reporting requirements and detecting sanctions evasion for financial sector audiences in the Baltics, Denmark and the Netherlands.

FINTRAIL provided board-level senior management training for a banking services provider, designed to increase senior executives’ awareness of risks while scaling the business, and how to adopt a proportionate business-focused risk appetite.   It focused on financial crime risk assessments and risks related to downstream relationships, including an overview of controls and oversight of financial partners, as well as appropriate risk decisions.

FINTRAIL created and delivered three online AML training modules to staff of a European payments firm, focusing on suspicious activity reporting, transaction monitoring, and authorised push payment fraud controls. Each training module included exercises and case study examples to ensure engagement, and was bespoke to the client’s products and use cases.  FINTRAIL was subsequently asked to develop further training to their team in Q3 of 2024.

While the first half of 2024 is still fresh in our minds, FINTRAIL has paused to reflect on our anti-financial crime (AFC) audits from H1 2024 to identify common findings and focus areas for regulated financial firms.

As always, the regulatory backdrop to these audits has continued to evolve. We have seen changes to the UK regulatory landscape with the introduction of new PEP requirements which came into force in January 2024 and the subsequent FCA consultation on its PEP guidance with updates to be released later this year. There has also been the implementation of the FCA’s 2024/2025 business plan including a commitment to reduce and prevent financial crime with a focus on consumer duty, fraud and financial inclusion. In Europe we have seen the introduction of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) which aims to harmonise AML/CFT measures across the EU. The latter half of the year will also see some big changes with the UK Payment Systems Regulator (PSR) mandatory reimbursement requirements for victims of APP scams coming into force on 7 October 2024 and the introduction of the 6th AML Directive (AMLD) in Europe. 

Given the latest changes and pending updates, it is important for firms to stay up to date and continue to evolve and enhance their AFC frameworks. An external audit can help firms identify gaps or areas of weakness and ensure they stay on top of their regulatory requirements.

Key stats

• The majority of our critical findings related to customer and payment screening controls and anti-financial crime risk assessments.

• High-risk findings tended to relate to policies and procedures, and customer due diligence controls.

• The largest number of findings related to customer and payment screening controls.

Policies and procedures

The majority of our findings from the year so far relate to firms’ policies and procedures. In particular, we have repeatedly seen the use of generic policies and procedures that do not align to a firm’s specific product and services or its current systems and controls. For example, policies and procedures have not always been updated to reflect changes to third party systems used or new AML regulatory requirements, despite going through an annual review cycle. This mirrors the findings from the latest FCA ‘Dear CEO’ letter from March 2024 which identified a lack of detail in policies creating ambiguity around the actions staff should take to comply with their obligations under the Money Laundering Regulations. 

It is important for firms to ensure their policies and procedures are up-to-date and reflective of the controls and processes in place, particularly in instances where the documents are used for training new employees or are informing key control areas like internal SAR reporting.

Common gaps we have seen in firms' AML policies and procedures include: 

• No reference to proliferation financing

• Not reflecting the latest UK regulatory updates relating to the treatment of domestic PEPs

• No reference to Transfer of Funds regulations and the controls in place.

Governance 

In terms of governance, FINTRAIL has identified the following themes:

• Management information - In some instances firms have been unable to easily retrieve management information on their customers and key controls (e.g. number of customers, average number of transaction monitoring alerts, number of SARs, number of open customer screening alerts). It is important for firms to be able to pull this data for the purposes of reporting, tracking against the firm's risk appetite, and understanding key performance indicators (KPIs) and key risk indicators (KRIs) to help drive decisions across the firm.  

• Resourcing - We have seen many firms operating a lean AFC team structure, which is aligned to their business model, risks and stage of maturity. However, firms should consider or have in place a resource management plan which identifies the trigger points for hiring additional resources or reshuffling existing capacity. This ensures that resourcing is managed effectively as the firm scales and there is no last minute panicked hiring of resources. 

• Record keeping - FINTRAIL noted in many instances that the storage of KYC information was unorganised and inconsistent. This includes information saved in different folders which means there is no single view of customer information. Likewise, it was difficult to obtain closed screening or transaction monitoring alerts which meant there was no evidence of alert dispositioning. It is important for this information and any associated decision-making to be easily retrievable on the customer’s file in the event of a law enforcement enquiry, or regulator or auditor request.

Risk assessments

Another key focus area for the FCA this year is business-wide risk assessments (BWRA). The FCA review found that in some instances money laundering (ML), terrorist financing (TF) and proliferation financing (PF) risk assessments had not been carried out at all, and in other instances firms had failed to document the steps undertaken to identify and assess the ML/TF/PF risks. 

Similarly, at FINTRAIL we have identified these common findings relating to firms’ BWRAs:

• Firms are not documenting their risk assessment methodology comprehensively, particularly in relation to how they calculate residual risk. Often this calculation appears very subjective and excludes a quantitative element. 

• Firms are grouping and amalgamating various financial crime risks into one within their risk assessments, not taking into account the differences between the TF, ML and PF risk exposure to the business. 

• Firms lack a control library and appear to be amalgamating controls for the purpose of the risk assessment, which is not always reflective of the control effectiveness or how effectively individual controls are mitigating the inherent risk. 

• Firms are not referencing the sources they use to conduct their risk assessment, taking into account internal data and external factors such as the UK National Risk Assessment.

In relation to customer risk assessments, FINTRAIL has identified the following common themes:

• It is not always clear what specific risk factor is being considered in the risk assessment. For example, we tend to see many firms capturing ‘geography’ as a risk factor but it is unclear what specifically this relates to, i.e. residency of UBO, country of incorporation, or transactional activity. The lack of granularity could influence the overall risk rating of the customer, meaning it is not reflective of the actual risk posed. 

• Firms tend to rate each risk factor equally, which does not always best reflect the customer's actual risk. This could lead to a skewered book of customer risk or an ineffective use of the manual override function. 

Additionally, we have seen multiple occasions where a firm's country risk rating list is not up to date (i.e. not updated with the latest high-risk third countries) and therefore feeds into other control areas incorrectly, such as customer risk assessments or transaction monitoring. This means country risk is not being monitored effectively, potentially exposing firms to countries with high financial crime risk exposure.

Customer due diligence

FINTRAIL observed that most firms are implementing effective customer due diligence controls at onboarding. Across most audits, there has been clear documentation for the customer due diligence process and clear instructions for the onboarding team to implement.

One area where we see firms struggle is the KYC refresh process where there are often backlogs due to both poor customer response time and operationally cumbersome processes which divert resources away from other priority areas. There are often no clearly defined timelines built into the KYC refresh process, or clearly defined outcomes and actions taken in the event of no response from the customer. These areas are critical to build out to ensure the customer is notified with ample time to respond, there are clear ‘request for information’ protocols and schedules of correspondence, and clear timelines and actions in the event of no response from the customer. This is to ensure firms are collecting KYC information in a timely manner and that customer information is up to date. 

Another area of focus relates to firms offering downstream services to other financial institutions or payment service providers. In particular we have seen that these firms have not clearly documented their reliance, oversight or outsourcing framework to ensure the effective oversight of these inherently higher risk relationships. Additionally, for these types of relationships we have seen that firms are not factoring in their clients’ AML/CTF control frameworks in the customer risk assessment.

Suspicious activity reporting

Mainly identified through file review sessions, FINTRAIL has noted that internal SARs and investigationsdo not always clearly reference reasons for suspicions. In many instances the team could verbally articulate the reasons for suspicion, but there was little documented evidence of this within the internal SAR and investigation notes. This could affect the quality of the external SARs submitted to authorities. The quality of external reporting has been a focus area for many firms in line with Principle 3 on ‘Providing highly useful information’ of the Wolfberg Group’s Principles of Effectiveness. 

Screening

The majority of our critical findings in H1 related to firms’ screening controls, particularly ongoing customer screening. In some instances we have seen firms not conducting ongoing customer screening or being unable to demonstrate this. This is often a result of firms not understanding their third party tooling settings or being unaware that their tools have this functionality. 

Fraud 

In light of the PSR’s policy changes coming into play later this year, we have seen many firms make an effort to get their APP fraud controls into shape ahead of the October enforcement date. With that said, while firms have made appropriate updates to their fraud frameworks, there is often little evidence of documentation of these controls. Additionally, fraud risks and anti-fraud controls do not appear to be documented within firms’ risk assessments. Given the FCA’s focus on consumer duty and fraud this year, this should be a focus area for many firms. 

Compliance monitoring

We have seen from our audits this year that compliance monitoring is last on many firms’ to-do lists. While some companies have a documented compliance monitoring plan, it is rarely implemented due to resourcing, time or priority constraints. This is particularly the case for smaller firms which lack dedicated assurance resources. 

How can FINTRAIL help?

At FINTRAIL we are passionate about combating financial crime. Our unique team of experts is drawn from the industries we support and has deep hands-on experience in developing and deploying risk management controls from leadership roles with leading banks, FinTechs, and other financial institutions. 

We have extensive experience assisting financial services businesses with audits and assurance processes. We have a proven track record of identifying areas where clients can enhance their compliance and make their programmes more effective. Our approach is tailored to the unique circumstances of each client, is regulatory and technology driven, and is focused on providing excellent customer outcomes. We offer our clients pragmatic solutions to the most complex challenges and our goal is to ensure our clients can thrive, free from the negative impacts of financial crime.

If you wish to speak to our team about your requirements for an upcoming audit, please get in touch.

There is never a dull year in anti-financial crime, and 2023 was certainly no exception. From the introduction of the UK’s Economic Crime Bill, to new crypto laws including the EU’s regulation on markets in crypto-assets (MiCA), a global raft of sanctions against Russia, and legislative attempts to rein in the global fraud pandemic, there’s been plenty to keep on top of. 

It’s early days, but there seems no reason to believe 2024 will be any different.  We are already aware of several pieces of legislation due to come into effect this year, and various regulators have clearly signposted their current areas of focus via guidance notices and consultations with the industry.  So let’s read the tea leaves and see what financial institutions can expect in 2024!

FINTRAIL held a webinar on financial crime trends for 2024, and asked the audience what their main areas of focus were for the year ahead. This is how they responded at the end of the session.

Poll: What are your priorities and main areas of focus for 2024? Please select all applicable answers.

Fraud

Fraud is big global news. In the UK, for example, criminals stole over half a billion pounds in the first six months of 2023 alone¹. Traditional methods of deception are as popular as ever, and are being complemented by increasingly sophisticated cyber-attacks and intricate social engineering schemes. 

While regulators everywhere are acutely aware of the issue, the UK is leading the way in terms of a regulatory response.  In 2023, the Payment Services Regulator (PSR) undertook a multi-pronged approach to reduce authorised push payment (APP) fraud within the Faster Payments System, which is due to continue into 2024.  Here’s what to look out for: 

• New mandatory reimbursement requirements, announced in June 2023, are due to come into effect in October 2024. These will require both sending and receiving payment institutions to reimburse all victims of APP fraud in full based on a 50/50 split, with limited exceptions for fraud or gross negligence. Read more in our blog here.

• In 2024 the PSR will be publishing “league tables” of performance on APP fraud in 2023.  Last year’s report on 2022 data called out inconsistent outcomes for victims, and highlighted that certain receiving institutions took in a disproportionate volume of funds derived from APP fraud.  Expect to see more scrutiny of these areas in the 2024 report. Read more in our blog here.

• The coverage of the Confirmation of Payee scheme will be extended in October 2024, with all financial institutions that participate in Faster Payments or CHAPS required to implement the tool.

In other fraud news:

• The UK government launched its national Fraud Strategy in May 2023, which aims to reduce fraud by 10% on 2019 levels by December 2024.  The various measures announced under the strategy - such as a new national fraud squad, replacing Action Fraud with a new reporting system, cracking down on abuse of the telephone network, and engaging the tech industry - are ongoing.  Separately, the Home Affairs Committee inquiry into fraud launched in September 2023 will publish its results sometime this year.

• The FCA issued several guidance documents² on fraud in 2023, which implicitly set out what firms will be judged against in 2024.  The guidance highlighted issues with detecting and preventing money mules due to poor onboarding controls, transaction monitoring, training and governance; poor complaint handling; and poor understanding and response to customer vulnerability.

• A new corporate failure to prevent fraud was introduced in 2023 as part of the Economic Crime and Corporate Transparency Act. The offence is expected to come into force once the government has published guidelines in Spring 2024.
  

Anti-fraud measures are also being taken in other jurisdictions, albeit not at the same scale as in the UK.

• In the EU, the introduction of PSD3 revisions forecast for late 2024 will extend IBAN/name matching verification to all credit transfers, introduce an obligation for payment service providers (PSPs) to increase awareness of payment fraud among customers and staff, and establish a legal basis for PSPs to share fraud-related information in full respect of GDPR via dedicated IT platforms.  

• In the US, federal requirements to report company ownership to FinCEN’s Beneficial Ownership Information Registry went live on 1 January 2024, pursuant to the 2021 Corporate Transparency Act.  It is hoped this will increase corporate transparency and help reduce fraud.

• While there is no proposal on the horizon in the US for an accountability model or a common reimbursement scheme, the biggest US banks decided to begin refunding Zelle scam victims last year, a trend towards collective action which we could see reflected elsewhere alongside a push for greater consumer protection.

Sanctions

The various geopolitical events of 2023 played themselves out in the sanctions world, with new legislation and designations issued in relation to Russia, Hamas, Sudan, Iran and others.  Human rights violations, narcotrafficking and crypto scams were also all in the spotlight. 

• OFSI’s annual report for the financial year 2022 to 2023, published in December 2023, revealed that despite imposing “the most severe sanctions the UK has ever imposed on any major economy”³ on Russia, recording 473 suspected breaches and opening 172 investigations by April 2023, there has so far been zero enforcement for post-February 2022 sanctions breaches in relation to Russia. We predict 2024 will be a more active year for enforcement, as some of those investigations bear fruit.  

• We also predict continuing cooperation between OFSI and the FCA, with the former focusing on enforcement and the latter on ensuring effectiveness. The FCA conducted a targeted assessment of firms’ sanctions controls in 2023 and shared the good and bad practices observed⁴, which will likely form a benchmark for regulatory reviews in 2024.

• In the EU, we predict a push towards standardised enforcement across member states in 2024.  We understand states with a “less mature” track record of sanctions enforcement are being given firm instructions to up their game, as well as training and guidance to help them do so.

• In the US, we predict more of the same from OFAC in terms of the nature of sanctions regulations and enforcement, with the upcoming presidential election likely to shape the strategic priorities. 

• In December 2023, OFAC issued an Executive Order expanding the US’s ability to target financial institutions outside of Russia that facilitate transactions involving Russia’s military-industrial base.  We should see in 2024 how the US intends to use this new measure and whether it will be a significant weapon in its sanctions arsenal, and which Russia-tolerant countries are in the crosshairs.

PEPs

In 2023 the concept of Politically Exposed Persons (PEPs) entered the public consciousness in the UK like never before, with the scandal surrounding the closure of Nigel Farage’s bank account at Coutts and a subsequent review by the FCA into whether PEPs are being routinely denied access to financial services.  

Meanwhile we saw corruption scandals involving PEPs continue to emerge around the world, including two former Latin American presidents censured by the US government over allegations of corruption, a procurement scandal in the Ukrainian Ministry of Defense, ongoing revelations about the UK government’s awarding of contracts during the Covid-19 pandemic, and many more!  

Here’s what’s new for 2024:

• In the UK, new legislation came into effect on 10 January 2024 amending the Money Laundering and Terrorist Financing Regulations and mandating that the starting point for assessing the risk posed by domestic PEP clients is lower than non-domestic PEPs. Read more in FINTRAIL’s blog here.

• The FCA’s review of how financial institutions manage PEP clients, launched in September 2023, is due to be published in June 2024. It will cover how PEPs are defined, how their risk levels are assessed, whether firms are carrying out risk-based and proportionate enhanced due diligence, and how firms take decisions to reject or close PEP-related accounts.

• In similar moves in the Netherlands, the Dutch Banking Association and the Dutch Central Bank have announced that Dutch banks are also now expected to focus on individual customers’ actual risk profile and to take less invasive due diligence measures for lower-risk PEP clients.

How we can help

At FINTRAIL we help banks, payments institutions, e-money institutions, virtual asset service providers (VASPs) and other regulated institutions around the world to reduce their exposure to financial crime and ensure regulatory compliance.  We do this through the provision of the highest quality consultancy services, based on deep sectoral experience and pragmatism.

We offer support through:

• Consultancy projects and advisory services

• Transformation services

• Audits and assurance

• Remediations and regulatory enforcement support

• Outsourcing and flexible resources

• Training services

If you would like to discuss any of the topics raised above, or need help enhancing your anti-financial crime programme or ensuring your team is ready for the year ahead, please do get in touch.

¹. UK Finance Half Year Fraud Update 2023
² FCA’s "Proceeds of fraud - Detecting and preventing money mules" and “Anti-fraud controls and complaint handling”
³ OFSI Annual Review 2022-2023, Strengthening Our Sanctions
⁴ FCA, Sanctions Systems and Controls

In December 2023, the UK government announced changes to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”) in relation to the treatment of Politically Exposed Persons (“PEPs”) entrusted with prominent public functions in the UK (“domestic PEPs”).  These changes came into force on 10 January 2024.

The update means that under the MLRs, when dealing with domestic PEPs (or a family member or known close associate of a domestic PEP) the starting point for banks and other regulated firms is to treat them as inherently lower risk than non-domestic PEPs. This means that firms must apply a lower level of enhanced due diligence (“EDD”) to domestic PEPs compared to non-domestic PEPs, unless other higher risk factors are present (i.e. risk factors other than the PEP status itself).

With this move, the government is encouraging regulated firms to take a more proportionate and risk-based approach to the treatment of domestic PEPs.  This follows reports that a number of individuals that hold a prominent public position have encountered difficulties accessing financing services.  

The new requirements largely mirror guidance previously published by the Financial Crime Authority (FCA) on the treatment of PEPs, but now enter into law for the first time.  In parallel with this regulatory change, the FCA is undertaking a review of the treatment of domestic PEPs, with a report due to be issued in June.

However, the proposed changes have not been universally well received by industry experts, and have caused elements of confusion around how they should be implemented.  For example, practitioners have questioned when enhanced measures will be applied and how higher risk factors will be identified, given the initial level of EDD is now low (i.e. how will firms know if there are any higher risk factors if they are not carrying out robust EDD?). The regulation is not prescriptive in this regard; and as such the onus is on firms to determine what “higher risk factors” may be and how they are to be determined by lower levels of EDD. This has raised the question of whether a firm that does not perform full EDD (per the regulations) and misses something will be deemed wilfully blind or reckless? Will it run the risk of regulatory blowback or prosecution? The upcoming FCA report may provide more clarity, given the speed with which the changes have entered into law, regulated institutions must use their own judgment in the meantime.

Commentators have also expressed concerns that the UK MLRs now do not align with the Financial Action Task Force (“FATF”) recommendations, specifically Recommendations 12 and 22 which require firms to implement measures to prevent the misuse of the financial system by PEPs, and Recommendation 10, which requires firms to take additional measures beyond performing normal customer due diligence on PEP customers. 

Given the regulatory focus on this topic, FINTRAIL has designed a checklist of points to consider for PEP customers across the anti-financial crime framework.

Download the PEP Guidance Checklist

What areas does the checklist cover?

READ NEXT: Navigating New FCA PEP Guidance

As UK fraud watchers will be well aware, the UK’s Payment Systems Regulator (PSR) has embarked on a multi-pronged approach to reduce authorised push payment (APP) fraud within the Faster Payments System. As well as new mandatory reimbursement requirements due to come into effect in 2024, the PSR hopes to motivate regulated firms to improve their fraud controls by publishing performance data. This will show how much money connected to APP fraud is sent and received by each payment firm, and how firms perform when it comes to reimbursing victims.

The PSR has published the first ‘league tables’ today, showing data for 2022. The stats cover the UK’s 14 largest banking groups (‘directed firms’, which are obliged to report APP fraud data), plus nine other smaller firms that were among the top 20 highest receivers of fraud.

The performance tables will give firms that are successfully reducing APP fraud losses a competitive advantage, as they will enable customers to see how well individual banks perform in reducing fraud and how well they treat victims.

Key takeaways

1. There are inconsistent outcomes for customers reporting APP fraud. Some firms automatically reimburse victims nearly all of the time, others only make partial reimbursements, and others only consider claims in very narrow circumstances. This inconsistency should reduce with the introduction of mandatory reimbursement for all PSPs in 2024.

In terms of value reimbursed, the figures range from 91% (TSB) to 10% (Allied Irish Bank GB). In terms of volume, they range from 94% fully reimbursed plus 4% partially reimbursed (TBS), to 6% fully reimbursed plus 8% partially reimbursed (Monzo) and 12% fully reimbursed (Allied Irish Bank GB).

NB: PSRs are not currently required to reimburse victims of APP fraud. However, as of 2019, participants in the APP Contingent Reimbursement Model Voluntary Code (‘CRM Code’) have voluntarily agreed to reimburse fraud losses. To date there are nine firms signed up, representing the UK’s major banks with over 90% of the market in payment volumes. These firms would therefore be expected to have much higher reimbursement figures.
 

2. The data showing which firms receive the most money generated by APP fraud indicate a massive degree of variation, indicating fraudsters have identified which firms have weak controls and are actively exploiting them.  Newer and smaller PSPs typically have disproportionately higher rates of fraud than larger, more established firms.  The PSR notes these firms are in the much earlier stages of preventing fraud than major banks, and are not part of the voluntary CRM code. 

For non-directed PSPs (i.e. smaller firms), the rates of fraud-related funds received range from £10,355 per £1m received (Clear Junction) down to £334 (JP Morgan/Chase).  The figures were still widely discrepant but over a smaller range for directed PSPs, ranging from £696 per £1m received (Metro Bank) to just £44 (Santander).

Reasons for some firms having high rates of receiving fraud could include fewer, poor or delayed onboarding checks which would allow fraudsters to open and close accounts before being caught, or weaknesses in inbound transaction monitoring which prevent incoming fraudulent funds being identified and held.

NB: The PSR notes that some firms provide payment accounts to customers but do not manage the customer relationship themselves (e.g. banking-as-a-service providers).  The PSR states that irrespective of whether the firms manage the customer relationships themselves, they retain the regulatory responsibility and are expected to ensure their partners manage the risk of onboarding new customers, conducting identity checks, and monitoring transactions effectively.
 

3. Firms have started to address control gaps, and the PSR believes the situation may have improved over 2023 given greater levels of awareness and industry initiatives, but more still remains to be done.

Outcomes

While these figures date back to 2022, they conclusively show that there is a huge gulf in levels of exposure to APP fraud across the UK payment industry.  Many firms need to radically up their game to prevent themselves being used by fraudsters, and there is a clear imperative to do so given the incoming mandatory reimbursement requirements.  Put simply, unless the most exposed firms are able to reduce the value of fraudulent funds they receive, the resultant reimbursements could put them out of business.

The PSR has said it expects firms to start working “now” to implement the new requirements, beginning by allocating appropriate resources, moving towards adopting a stronger risk-based approach to payments, and making better decisions on when to intervene and hold or stop a payment. 

There are numerous anti-financial crime controls which play a role in reducing APP fraud exposure:

• Customer due diligence, including identity verification

• Customer risk assessments, including both customer as fraudsters (receiving funds) and victims (sending funds)

• Ongoing monitoring, including transaction and other activity monitoring

• Information sharing mechanisms and responsiveness to peer institutions and law enforcement

• Use of internal data and financial intelligence

• Robust assurance of fraud controls

• Staff training

How we can help

FINTRAIL is here to help PSPs adapt to the new requirements. Over the last five years we have worked with a range of institutions to successfully reduce their APP fraud exposure.

We offer a range of innovative, data-driven services to improve the effectiveness of your fraud controls and enable better identification of fraud risks. For firms considering where to start, we can conduct a thorough, data-driven risk assessment to identify current weaknesses in frameworks and controls and recommend practical enhancements that will reduce your potential liability exposure. This may include product and feature changes/enhancements, customer vulnerability assessments, new transaction monitoring scenarios, or enhancements to your customer risk assessment model. We can also conduct targeted audits of existing controls, or provide assurance and validation of programme changes being introduced to meet the new reimbursement requirements.

Get in touch with our team to learn more.