FCA WANT ‘holistic’ and ‘dynamic ‘Financial crime risk EWRA &CRAs

Financial services firms have been advised to ensure their financial crime risk assessments are holistic and dynamic, following a regulator’s criticisms of how some firms have conducted them.

• The Financial Conduct Authority (FCA) identified shortcomings with the business-wide risk assessment (BWRA) and customer risk assessment (CRA) systems and controls in place at some firms following a “multi-firm” review.
• https://www.fca.org.uk/publications/good-and-poor-practice/risk-assessment-processes-and-controls-firms-our-findings

The FCA identified Examples of poor practice.  

• Firms putting too narrow a focus on “fraud or generic risks”, and paying insufficient attention to other risks like money laundering, sanctions, corruption or terrorist financing.
• Firms oversimplify the risks they are exposed to [and] fail to explain how each risk affects the firm,”
• Firms’ risk assessments are “missing quantitative analysis” and, in some cases, that firms had assessed their business as being at low risk, or that their controls were adequate, without “appropriate evidence” to substantiate that rating.

Further findings from the review – which involved building societies, platforms, custody and fund service providers, payments providers, and wealth management firms – identified problems with how some firms mitigate risk.

In this regard, the FCA said it found examples of failures by firms to ensure CRAs keep pace with the growth of their businesses, as well as gaps in recording actions taken in response to the risk assessments.

In other cases, the review found,

• A lack of thought was given to whether controls were appropriate before product or service offerings were expanded.

The way firms manage financial crime risks identified in their assessments also came in for criticism. The FCA said examples of poor practice included:-

• A lack of evidence of senior oversight and a lack of testing of risk assessment processes.

However, the FCA did also highlight examples of good practice. This included:-

• Firms having “integrated dynamic risk assessments into their financial crime frameworks” and
• Linking their risk assessment findings to the business’s broader appetite for risk and wider compliance processes.

David Heffron and Nicholas Kamlish at Pinsent Masons offered the following thoughts:-

Heffron said:

• “An important point to remember in relation to financial crime risk assessment is that it needs to be holistic, with an eye on the broader context.
• In particular, while preventing fraud is obviously vital, regulated firms and their leadership must not lose sight of money laundering, terrorist/proliferation financing, sanctions and bribery risks.”
• “Further, firms must bear in mind that financial crime risk assessments do not exist in a vacuum: they must inform and be linked to due diligence, ongoing monitoring and other risk controls, including operational resilience arrangements.
• The FCA’s review will be salutary reading for professional services firms expecting to fall within the FCA’s anti-money laundering supervisory remit.”  
• https://www.pinsentmasons.com/out-law/news/challenge-professional-services-fca-anti-money-laundering-oversight

Kamlish added:

• “The FCA’s message from this review and recent cases [Monzo]  is clear: financial crime risk assessment is not a ‘one-shot’ process.
• https://www.fca.org.uk/news/press-releases/fca-fines-monzo-21m-failings-financial-crime-controls
• The regulator expects firms to ensure that business and customer risk assessments remain dynamic and responsive to emerging risks and regulatory requirements, with appropriate and evidenced senior management challenge, governance and oversight.”
• https://www.gov.uk/government/publications/proposed-amendments-to-the-money-laundering-regulations-draft-si-and-policy-note/the-draft-money-laundering-and-terrorist-financing-amendment-and-miscellaneous-provision-regulations-2025-policy-note
• “Firms which do not keep their risk assessments up to date, especially when they have expanding customer types and products, can expect skilled person reviews, requirements on permissions (VREQs/OIREQs) and potentially enforcement investigations,” he said.

The review is part of wider supervisory work the FCA has been undertaking in line with the objective in its 2025-2030 strategy to fight financial crime.

• https://www.fca.org.uk/publication/corporate/our-strategy-2025-30.pdf

The FCA sees regulated firms as “a vital line of defence against the criminal misuse” of financial services and expects them to adopt proportionate and effective controls to mitigate relevant financial crime risks.

SOURCE

https://www.pinsentmasons.com/out-law/news/financial-crime-risk-assessments-holistic-dynamic