Where does it all start to go wrong? The answer, too often, is right at the top of the organisation. When we are called upon to review a financial services firm for a regulator in response to financial crime concerns, the pattern of failings most commonly starts at board level.
Welcome to the second edition of our Financial Crime Quarterly. We hope you’ll find these pages packed with topics of interest, all drawn from our latest work in the field. Now read on…
The responsibilities of the directors of a financial institution towards financial crime are becoming ever more onerous. Backed up by both changes to the Companies Act and the Senior Managers and Certification Regime (SM&CR), the pecuniary, career and occasionally custodial penalties for getting it wrong reach all the way to the lofty heights of non-executive directors. As a board member, what is expected of you?
Well, a good starting point is for the firm to have a clear and current holistic assessment of the risks the business is exposed to and a formal appetite statement for each class. Whilst boards seem to find some kinds of risks easy to understand, the concept of having an ‘appetite’ for financial crime risk strikes some as perverse. And yet, every time we do business with a third party, we are exposing ourselves to the risks inherent in that business, and amongst those risks is potential exposure to financial crime. A third party might present financial crime risk to us as a result of the jurisdiction in which they sit, the domicile of their Ultimate Beneficial Owner, the industry they belong to, the pattern of their trading activity, any Politically Exposed Persons (PEPs) in controlling positions and many other factors. And it is not a risk limited to our counterparties. When we deal with intermediaries, correspondent banks, brokers and others, we are often reliant on their controls and procedures, without ever having taken the time to review and assess them.
Having in place a Customer Risk Assessment (CRA) methodology is a key part of our risk appetite. As we manage the lifecycle of a client from onboarding to offboarding, we need due diligence in line with our CRA which is rigorously applied and kept up to date. Only then can we know what percentage of our clients are high, medium and low risk. Only then do we know for our high-risk clients what drives their risk. Do we need to adjust our portfolio to balance out these risks? Are our controls sufficient for the spectrum of business that this represents? Are we operating inside our stated appetite?
This kind of vital Management Information (MI), which is essential to demonstrate that the board understands the risks it runs, is too often entirely absent from board packs. Financial crime is a risk consigned to the Compliance Committee or worse still, almost entirely owned by the second Line of Defence and the MLRO. If this describes your situation, and you can’t readily answer the sort of questions raised above for your client base, then you almost certainly have a serious regulatory problem brewing. As we learnt in the case of Commerzbank and the FCA in June, it was sufficient that controls were inadequate for a £37m fine to be raised. The existence of any financial crime was not the determining factor. And, as we delve into this issue, do reach out to us if you have a view on how such threats (and opportunities) might affect your organisation.
You can also read Issue 1 of our Financial Crime Quarterly here.