Challenger banks criticised by regulator for weakness in financial crime controls

• United Kingdom

• Fraud and financial crime
• Financial services
• Financial services - Retail finance

04-05-2022

Last week saw the publication of FCA’s new multi-firm analysis of the financial crime controls across a selection of challenger banks, with a number of interesting trends emerging from the review. In this article from Greg Brandman, Ruth Paley and Adam Berry, we take a look at the key takeaways and provide some advice on next steps.

The FCA has undertaken a review of financial crime controls at several challenger banks, publishing its analysis in a report, here, on Friday 22 April. It found that challenger banks need to improve how they assess financial crime risk, with some failing to adequately check their customers’ income and occupation, and others operating without customer risk assessments. The FCA warned of the need to avoid a trade-off between quick and easy account opening processes, and robust financial crime controls.

What are challenger banks?

Whilst the term ‘challenger bank’ doesn’t have a universally agreed definition, these banks are generally considered to be a sub-sector of retail banks, looking to win traditional high street bank market share through the use of technology and more up-to-date IT systems. Many of these are ‘digital banks’ which are characterised by the following:

• they primarily offer personal current accounts;
• they operate without a branch network; and
• they provide services through smartphone apps.

Who was included in the review and what did it cover?

The FCA review included six challenger banks covering 8 million customers, including several digital banks. It sought to assess challenger banks that provide similar products to traditional retail banks and so e-money issuers and payment services providers were excluded. However, these firms should nevertheless carefully review and consider the FCA’s findings as their products present very similar risk profiles to those of digital retails banks.

As the FCA sets out in its review, challenger banks are exposed to several financial crime risks. In particular, there is a risk that criminals may be attracted to the fast onboarding process that these banks advertise, in order to use money mule networks to move funds between bank accounts to disguise their criminal origins. In addition, where these challenger banks promote the ability to open accounts very quickly to attract customers, there is a risk that information gathered at the account opening stage is insufficient to identify higher risk customers.

The review covered:

• governance and MI
• P&Ps
• risk assessments
• high risk customers
• CDD and ongoing monitoring
• communication, training and awareness.

 Summary of key observations

• Good practices were identified, including the innovative use of technology to identify and verify customers at speed – including video selfies, mobile phone geolocation data, and photo images of the customer’s passport. However, the weaknesses found are creating an environment for more significant risks of financial crime to occur both when customers are onboarded and throughout the customer journey
• financial crime control resources, processes and technology must be commensurate with a bank’s expansion. Financial crime controls must be continuously assessed as fit for purpose as the business develops and grows
• the FCA discovered some profound weaknesses in CDD:
  • most challenger banks did not obtain details about customer income and occupation, and therefore information about the purpose and intended nature of the customer relationship was incomplete;
  • some were not consistently applying EDD or documenting it as a formal procedure to apply in higher risk circumstances, e.g. when managing PEPs; and
  • some had customer risk assessments that were not well developed and lacked sufficient detail. Some did not even have a customer risk assessment in place
• with regard to TM, the FCA noted inconsistent or inadequate rationale used for discounting alerts, inadequate resourcing of alert reviews and deficiencies in timely completion of review activities
• an increase in the volume of SARs from challenger banks, exiting customer relationships for financial crime reasons, alerted the NCA and FCA to systemic concerns about the adequacy of these banks’ CDD and EDD checks when onboarding these customers (raising questions about how they were cleared for onboarding in the first place). Concerns about the quality of SARs were also presented, and blocks were not always applied during the DAML period
• financial crime change programmes were not always being managed effectively, with inadequate oversight and a lack of pace of implementation which meant that the challenger banks’ control frameworks were not able to keep up with changes to the business models.

Outcomes and advice

Some challenger banks established remediation programmes as a result of the FCA review, and others were subject to Skilled Person appointments following the FCA’s findings. The regulator also noted instances of significant financial crime control failures where the challenger bank failed to notify it. For example, Internal Audit in one challenger bank identified that several areas of the firm’s financial control framework were not fully compliant with the MLRs. The FCA noted the need to comply with Principle 11 of the FCA’s Handbook to disclose appropriately anything relating to the firm of which it would reasonably expect notice – this was plainly one such example. The FCA’s observations include descriptions of conduct which would almost certainly amount to breaches of the MLR including the failure to implement a customer risk assessment, the failure to apply EDD where appropriate, the failure to manage PEP relationships correctly and deficiencies in the quality of SARs and TM alert discounting. It’s not surprising that the FCA’s overall tone in the report was one of distinct concern.

Next steps

The FCA laid down ‘next steps’ for the challenger bank community. These include the following:

• consider the observations and findings in the FCA’s review and use them to enhance the firm’s financial crime arrangements. Challenger banks should apply a risk-based approach to AML controls and also continuously make sure the firm’s financial crime controls remain fit for purpose as the business develops and grows. The FCA expects financial crime control resources, processes and technology to be commensurate with a bank’s expansion.
• ensure the firm’s CRA and EDD measures adapt to the risk of sanctions evasion, including appropriate identification of UBOs. The FCA’s reviews were conducted in 2021, predating the significant recent expansion of sanctions against Russia and Belarus. Although the FCA’s focus on sanctions was limited, the main financial crime and money laundering controls it assessed equally apply to firms’ management of sanctions, specifically in respect of the risks that firms are utilised for sanctions evasion. Our latest sanctions briefing can be found here.
• review the Treasury’s NRA to ensure appropriate consideration of money laundering and terrorist financing risks as part of the firm-wide risk assessment, which is viewed by the regulator as the  backbone of a firm’s AML compliance arrangements, and must be comprehensive and proportionate to the nature, scale and complexity of a firm’s activities. Challenger banks, whichoften have a particularly agile business model, should be especially careful to keep risk assessment frameworks updated so they reflect any changes to the firm’s business models and products
• consider the FCA’s Dear CEO letter to retail banks on common control failings identified in AML frameworks. These common themes and the need to address identified gaps equally apply to challenger banks. which applies equally to challenger banks and address gaps in AML frameworks. Our briefing on the FCA’s Dear CEO letter can be found here.
• whilst it’s admittedly lengthy, challenger banks should make sure they’re familiar with the main guidance produced by the Joint Money Laundering Steering Group (JMLSG). In our experience, different parts of the business will focus on different aspects of the guidance but there’s no substitute for checking policy and procedure against this detailed document where questions of application arise.
• prepare to give the FCA an update on the firm’s financial crime frameworks, as part of monitoring compliance with the MLRs against a backdrop of changing financial crime risks. A desktop mapping exercise of AML P&Ps against the MLR is always a good place to start, and can be further enhanced by a file review component. Firms should also keep in mind obligations under Principle 11 to disclose to the FCA appropriately anything relating to the firm of which it would reasonably expect notice.