Financial crime risk assessments need to be ‘holistic’ and ‘dynamic’

David Heffron and Nicholas Kamlish, financial crime regulatory experts at Pinsent Masons, were commenting after the Financial Conduct Authority (FCA) identified shortcomings with the business-wide risk assessment (BWRA) and customer risk assessment (CRA) systems and controls in place at some firms following a “multi-firm” review.

Examples of poor practice it cited include firms putting too narrow a focus on “fraud or generic risks”, and paying insufficient attention to other risks like money laundering, sanctions, corruption or terrorist financing.

“We saw firms oversimplify the risks they are exposed to [and] fail to explain how each risk affects the firm,” the FCA added.

The regulator also said that firms’ risk assessments are “missing quantitative analysis” and, in some cases, that firms had assessed their business as being at low risk, or that their controls were effective, without “appropriate evidence” to substantiate that rating.

Further findings from the review – which involved building societies, platforms, custody and fund service providers, payments providers, and wealth management firms – found problems with the way some firms mitigate risk.

In this regard, the FCA said it found examples of failures by firms to ensure CRAs keep pace with the growth of their businesses, as well as gaps in recording actions taken in response to the risk assessments. In other cases, the review found, a lack of thought was given to whether controls were appropriate before product or service offerings were expanded.

The way firms manage financial crime risks identified in their assessments also came in for criticism. The FCA said examples of poor practice included a lack of evidence of senior oversight and lack of testing of risk assessment processes.

However, the FCA did also highlight examples of good practice. This included firms having “integrated dynamic risk assessments into their financial crime frameworks” and linking their risk assessment findings to the business’ broader appetite for risk and wider compliance processes.

Heffron said: “An important point to remember in relation to financial crime risk assessment is that it needs to be holistic, with an eye on the wider context. In particular, while preventing fraud is obviously vital, regulated firms and their leadership must not lose sight of money laundering, terrorist/proliferation financing, sanctions and bribery risks.”

“Further, firms must bear in mind that financial crime risk assessments do not exist in a vacuum: they must inform and be linked to due diligence, ongoing monitoring and other risk controls, including operational resilience arrangements. The FCA’s review will be salutary reading for professional services firms expecting to fall within the FCA’s anti-money laundering supervisory remit,” he said.

Kamlish added: “The FCA’s message from this review and recent cases is clear: financial crime risk assessment is not a ‘one shot’ process. The regulator expects firms to ensure that business and customer risk assessments remain dynamic and responsive to emerging risks and regulatory requirements, with appropriate and evidenced senior management challenge, governance and oversight.”

“Firms which do not keep their risk assessments up to date, especially when they have expanding customer types and products, can expect skilled person reviews, requirements on permissions (VREQs/OIREQs) and potentially enforcement investigations,” he said.

The review is part of wider supervisory work the FCA has been undertaking in line with the objective in its 2025-2030 strategy to fight financial crime. The FCA sees regulated firms as “a vital line of defence against the criminal misuse” of financial services and expects them to adopt proportionate and effective controls to mitigate relevant financial crime risks.