FCA priorities for payment firms March 2023: Implications for fraud and AML professionals

What’s happened? 

On March 16th, the Financial Conduct Authority (FCA) issued a “Dear CEO” letter to payments firms authorized or registered under the Payment Services Regulations 2017, and Electronic Money Regulations 2011. 

In it, Matthew Long, the FCA’s Director of Payments and Digital Assets said the regulator remains “concerned that many payments firms do not have sufficiently robust controls and that as a result, some firms present an unacceptable risk of harm to their customers and to financial system integrity. We consider that the risk of customer harm is heightened by the tightening economic conditions and the cost-of-living crisis.”

The letter is framed around three core outcomes payment firms must achieve: 

1. Ensure your customers’ money is safe.
2. Ensure your firm does not compromise financial system integrity.
3. Meet your customers’ needs, including through high-quality products and services, competition and innovation, and robust implementation of the FCA Consumer Duty.

Implications for fraud and AML professionals 

Many of the FCA’s points – especially related to objectives two and three – center on issues related to fraud, money laundering, and sanctions. Here, we explore those in more detail and highlight actionable steps firms can take to help ensure they are compliant. 

Priority 1: Money Laundering & Sanctions

The FCA states that “All firms that are subject to the UK’s Money Laundering Regulations must have in place systems and controls to identify, assess, monitor and manage money laundering risk. These must be comprehensive and proportionate to the nature, scale, and complexity of a firm’s activities. With regard to economic and financial sanctions, firms must ensure that they operate effective systems and controls, in order to identify and manage any sanctions exposure and risk, associated with their customers and business activities.”

Common issues identified in the regulator’s work with firms over the last two years focused heavily on issues related to control, governance, record keeping, and the risk-based approach. Specifically, these included:

• Failure to carry out and/or to evidence adequate know your customer (KYC)/due diligence.
• Business-wide risk assessments that are not supported by a robust and effective methodology.
• Failure to regularly review and refresh risk assessments and control frameworks in an evolving threat landscape.
• Policies and procedures that are insufficiently detailed and tailored to firms’ business models.
• Failure to maintain and evolve the control framework, in line with or ahead of business growth.
• Failure to ensure name screening solutions from third-party providers are appropriately and adequately calibrated to meet their business requirements.
• An inability to reasonably justify and/or verify why a sanction screening solution does not generate alerts against certain names on the UK’s Office of Financial Sanctions Implementation list.

The FCA states that it expects firms to: 

• Ensure that anti-money laundering systems and controls are effective and commensurate with the risks in the business, including as it grows over time. 
• Conduct regular reviews to assess compliance with anti-money laundering obligations and sanctions requirements, and to work swiftly to remediate weaknesses identified. 
• Comply with responsibilities under the Proceeds of Crime Act 2002 and Terrorism Act 2000 through accurate and timely submissions of Suspicious Activity Reports (SARs) and regularly review themes from your SARs reporting.

What does this mean for your firm?

During the initial implementation process, we recommend that our clients make a detailed determination, based on their business model and related requirements, of the way they wish to configure their screening solution. Factors to consider include:

• The nature of their customers — For example, are their products offered to businesses or individuals? What geographies are covered for residence or trading activity? Is a customer risk-rating mechanism in place, allowing the firm to direct some, but not all, of their customers through an Enhanced Due Diligence process?
• Consistency and completeness of the data being sent for screening —  Is there consistency and predictability in the formatting of country names, dates of birth, prefixes, etc? Where there is more than one named individual associated with an account, how are several names being bifurcated before submission for screening? How are special characters being processed, etc?

Firms should ensure that the customer names submitted to any screening solution are derived using automated checks against official/state-issued identity documentation, as opposed to user-inputted. Implemented correctly, this can have a significant positive impact on the number of false positives emitted from name screening tools. ComplyAdvantage offers a high degree of configurability via various algorithmic levers which can help support false positive reduction in a structured onboarding process.

Once these steps have been taken, firms should devise tests for their screening solution by running name sets through the solution in a test environment, as part of their wider risk and control assessments. 

Test sets should be formatted to reflect live customer environments as closely as possible, including the variants firms would expect to see as a result of the processes they have put in place in that environment.

Firms should also ask vendors about the speed at which they can update their sanctions lists. In a tense, fragile geopolitical environment, new sanctions are likely to continue to be issued at pace and unpredictably, meaning that receiving updates as close to real-time as possible will be critical to ensure continued compliance with regulatory requirements.

Priority 2: Fraud 

The FCA notes it has seen “elevated fraud rates” in some payment and electronic money institutions. It notes the cost-of-living crisis as a potential driver of additional fraud. As a result, firms must “take action now to address weaknesses in their systems and controls to prevent fraud.” Common issues identified include:

• Insufficient emphasis on mitigating the risk of fraud against customers and insufficient customer education relating to fraud prevention.
• A lack of engagement with industry information-sharing bodies.
• Weaknesses in firms’ anti-fraud systems and controls.
• Backlogs that have led to fraud reports from consumers not being actioned within a reasonable timeframe by relevant staff.
• A high proportion of customer accounts being used to receive the proceeds of fraud.

The FCA has a clear sense of urgency around fraud, stating firms must “take immediate action” to protect customers against fraud, and ensure their firm is “not being used to receive the proceeds of fraud.” Firms are instructed to:

• Review internal risk appetite statements, policies, and procedures to ensure that these adequately address the risk of fraud to customers.
• Regularly review fraud prevention systems and controls to ensure that these are effective.
• Maintain appropriate customer due diligence controls at the onboarding stage and on an ongoing basis to identify and prevent accounts from being used to receive proceeds of fraud or financial crime.

What does this mean for your firm?

The combination of the economic downturn and the relentless adoption of new technologies provides fertile ground for new fraud typologies. That makes access to intelligent, real-time fraud detection information critical. It also means anti-fraud technologies that were effective even 12 months ago may now need to be renewed, to ensure they’re sufficiently capable of keeping up with the fast-paced world of fraud. The reality is, fraudsters will be the first adopters of any new technology, and firms need to work with partners who are capable of keeping pace.

At ComplyAdvantage, we approach fraud and AML holistically with our clients. Across both categories, a common challenge we see is a reliance on static rules to detect fraud. A better approach is to deploy a model that dynamically adapts to criminal behavior while, crucially, providing analysts with clear reasons when alerts are created. 

It’s notable that the FCA explicitly called out alert backlogs in its letter. We work with clients to deploy machine learning algorithms that can help them to prioritize alerts based on the risk they present. This enables them to be filtered, sorted and allocated more efficiently. This enhances our clients’ risk-based approach while making sure their analysts’ time is being used effectively. 

Another best practice is to be network-driven. Complex fraud cases are rarely the result of a lone actor, but legacy systems will focus on screening and monitoring individuals. A more effective strategy leverages AI to identify links between accounts – whether related to an individual(s) or an organization(s) – to help clients identify the true scale of the problem. 

We also work with our clients to support emerging payment types and to take advantage of the richer, structured data that ISO 20022 brings with it. It’s set to be introduced into the Clearing House Automated Payments System (CHAPS) on June 19th, 2023. The Bank of England states explicitly that it expects improved fraud and financial crime detection to be a key benefit of this transition. To learn more about how the migration to ISO 2022 can enhance your financial crime risk management, book a meeting with our team here.

But even with the best regtech and compliance team, fighting fraud takes a village. That’s why it is critical firms find ways to share information and knowledge. This could be through participation in data-sharing initiatives like CIFAS, working with technology and data vendors who monitor and respond to emerging criminal typologies, or participating in regulator consultations. 

Finally, we know that it’s next to impossible for compliance officers to keep on top of new developments alongside competing work demands and day-to-day responsibilities. That’s why we regularly publish our analysis and research on key trends and new regulations. We’re also regularly hosting and attending industry events to facilitate discussions between practitioners. You can find all our latest thought leadership content on our website. 

Next steps

The FCA states that firms should ensure their board or executive committee review and consider which risks apply to them, and take appropriate action. It warns firms it will expect them to “explain the actions it has taken in response to this letter on request.”

Finally, the FCA notes that its wider strategy for 2022-25 has a strong focus on reducing and preventing financial crime, with a key plank of this being a commitment to act “earlier and more assertively in dealing with problem firms.” It notes it will “remove or sanction” organizations that “cannot or will not meet our standards.”