Financial crime and customer redress: red flags for retail banks
We take a look at two recent publications from the Financial Conduct Authority and the Lending Standards Board.
On 29 June 2021 the FCA published a ‘Dear CEO’ letter to retail banks concerning common weaknesses in key areas of their financial crime systems and control frameworks. It followed hot on the heels of the Lending Standards Board’s 16 June 2021 warning that insufficient progress has been made by banks to provide reimbursement to customers who fall victim to Authorised Push Payment (APP) fraud. These two developments reflect different facets of the same overarching issue: what steps retail banks are taking as gatekeepers to the financial system to prevent financial crime and address the consequences of it. A failure to get to grips with this issue can present significant risks for a bank; an obligation to compensate customers who fall victim to fraud may arise, regulators may wish to investigate controls or treatment of customers, and money laundering may take place.
FCA Dear CEO Letter
Following a recent review of retail banks, the FCA has identified the following as areas of common weakness in key areas of their financial crime systems and control frameworks:
Governance and Oversight - the FCA has found that (i) firms often blur responsibilities between the first line business roles and second line compliance, (ii) the key controls of UK regulated branches or subsidiaries of overseas firms are often determined and run by the Head Office/Group functions and firms are often overly reliant on ready-made controls, frameworks, and products, and (iii) firms are not always able to evidence sign-off by senior management in certain high-risk scenarios.
Risk Assessments - the quality of business-wide risk assessments (BWRAs) is poor e.g. in some instances there is insufficient detail on financial crime risks. In addition, customer risk assessments (CRAs) are often too generic and overlook issues linked to tax evasion and corruption.
Due Diligence - the FCA often identifies instances where customer due diligence (CDD) measures are not adequately performed or recorded. Further, the FCA has found that some firms’ approach to enhanced due diligence (EDD) is weak and doesn’t always mitigate the risks posed by the customer. The FCA expressed particular concern around failures to carry out proper source of wealth and source of funds analysis where appropriate, including in scenarios where such steps are not mandated by legislation but the origins of a customer’s monies are a key risk to the bank.
Transaction Monitoring - the FCA has found that (i) for branches and subsidiaries of overseas firms, there are often group-led transaction monitoring solutions which have not been calibrated appropriately for the business activities and underlying customer base of the UK regulated entity, (ii) some firms’ transaction monitoring systems are based on arbitrary thresholds, (iii) there is a lack of understanding of the technical set up of the transaction monitoring systems, and (iv) the rationales supporting the discounting of transaction monitoring alerts require strengthening.
Suspicious Activity Reporting - the FCA often finds instances where the process by which firms’ employees can raise internal SARs to the nominated officer is either unclear, not well documented, or not fully understood by staff.
Firms are required to complete a gap analysis against each of the areas of common weaknesses by 17th September 2021. The FCA expects the gap analysis to be carried out by senior managers of sufficient seniority, and the FCA will likely ask firms to demonstrate the steps that they have taken in due course.
Lending Standards Board’s report
The CRM Code (the Code) is a voluntary code which sets out consumer protection standards to reduce APP fraud. The Code presently has eighteen signatories and is administered by the Lending Standards Board (the LSB).
The Code provides for steps that banks must take in order to reduce the risk of APP fraud, including steps to prevent, detect and respond to APP fraud. The Code also provides for banks to reimburse customers who have fallen victim to APP fraud in certain circumstances, including where the bank has failed to take the mandated steps to prevent fraud.
The LSB’s 16 June 2021 report assessed banks’ progress against required actions from the LSB’s earlier thematic review concerning customer reimbursement. It found progress against those actions had not been as the regulator expected, as well as identifying further areas of concern.
The LSB’s thematic review, published in April 2020, highlighted four key areas of improvement. These related to consistency around the reimbursement processes, identification of vulnerability, effective warnings, and record keeping. The LSB has found that these key areas have not been fully addressed since its initial review, and the LSB has also identified further areas of concern. These include claim investigations exceeding the time requirements outlined in the Code, inconsistency in information given to victims of scams, and disproportionate responsibility being put on customers who make a claim.
As well as issues with individual firms’ application of the Code, the LSB has stated that systemic failings are present, and that work must be undertaken by signatory firms without delay to ensure the best outcomes for customers.
Comment
The FCA Dear CEO Letter and the LSB’s report concern different discrete issues. They are, however, closely linked. As gatekeepers to the financial system, banks are expected to take steps to reduce financial crime and, increasingly, they are also expected to compensate victims of financial crime. Civil liability towards customers who have fallen victim to APP fraud is often difficult for claimants to establish. Such claims are, however, materially assisted if it can be shown that the bank’s financial crime systems and controls were inadequate. The Code provides that such inadequacies should give rise to compensation and the customers of non-signatory banks may point to the Code as establishing the relevant standard of care owed by banks to customers.
Inadequacies in financial crime systems and controls, or those concerned with the treatment of customers, may also attract attention from regulators and could result in financial penalties in excess of the value of claims for compensation from customers. Such inadequacies also increase retail banks’ exposure to criminal liability, particularly in light of the FCA’s recent turn towards a greater use of its criminal prosecution powers in relation to money laundering offences. Compliance failures also increase banks’ exposure to ‘failure to prevent’ offences, whereby the only defence is having adequate procedures in place. Currently this applies only to bribery and/or the facilitation of tax evasion, but a consultation is currently ongoing which may result in the extension of corporate failure to prevent liability to all economic crime, including fraud. Accordingly, retail banks have good reason to focus on their processes for reducing the risk of financial crime and for dealing with its consequences.
















