PRA: financial crime compliance function must be sufficiently senior

The PRA has written to regulated firms (1-page / 287KB PDF) in support of a recent opinion on the interaction of AML and CTF compliance with prudential supervision, issued by the European Banking Authority (EBA). In its letter, it said that it would continue to monitor firms' compliance with their AML and CTF compliance responsibilities as part of its broader supervision of firms.

The PRA said that its requirement for firms to have "robust governance arrangements" in place extends to AML and CTF systems and controls. It is of the view that the senior manager allocated the Financial Conduct Authority (FCA) prescribed responsibility for financial crime under the Senior Managers Regime (SMR) be of "sufficient seniority to perform the role effectively".

The PRA also emphasised firms' responsibility for ensuring that members of their management body and senior management are "of sufficiently good repute, and possess sufficient knowledge, skills and experience, to perform their duties" at all times. It intends to share the information in its letter with the FCA, it said.

Regulatory law expert David Hamilton of Pinsent Masons, the law firm behind Out-Law, said that the letter was "a useful prompt for firms to assess whether their financial crime systems and controls would pass a resourcing 'litmus test'."

"In evaluating the effectiveness of corporate compliance programmes, regulators and law enforcement agencies throughout the world - and across all business sectors - routinely assess whether those responsible for compliance have sufficient seniority, resourcing and autonomy to discharge their obligations," he said. "The US Department of Justice's recent guidance document, 'Evaluation of Corporate Compliance Programs' (19-page / 267KB PDF), is an important example."

"As the EBA's opinion, upon which the PRA's 'dear CEO' letter is based, indicates, the financial regulatory authorities will assess firms' compliance frameworks at all stages of the regulatory process, including authorisation, ongoing supervision, targeted supervisory reviews and evaluations and, if necessary, enforcement," he said.

The SMR and related certification regime (together the SMCR) took effect in the banking sector in March 2016 and was extended to insurers in December 2018. It will be further extended to FCA solo-regulated firms from December 2019.

The SMR requires regulated financial firms to assign responsibility for certain areas of the business, including financial crime compliance, to named senior individuals, who must be approved by the regulators. The certification regime requires firms themselves to annually assess the fitness and propriety of staff in certain roles. The regime also incorporates additional conduct rules, applicable to all staff other than those in ancillary roles.

Financial regulation expert Andrew Barber of Pinsent Masons said: "While directed at firms prudentially regulated by the PRA, the Dear CEO letter is also a timely reminder of the importance of the management of financial crime functions in FCA solo regulated firms moving to the SMCR."

"Managers carrying on the 'financial crime' prescribed responsibility will need to be able to discharge their designated function without the risk of others being able to control or influence their operations. Senior managers not at board level must have authority to do what is required to ensure the financial crime function delivers on all the firm's regulatory obligations," he said.