First published on Thomson Reuters Regulatory Intelligence on the 20th of December 2016
What was great yesterday is average today and poor tomorrow. I think these words sum up the constantly evolving nature of regulation and the pace of change that firms are currently contending with when it comes to financial crime:
- The obligation to adhere to the Bribery Act 2010
- The Office of Financial Sanctions Implementation (OFSI) was established earlier this year
- The advent of the Senior Managers and Certification Regime
- The implementation of the Fourth Money Laundering Directive due in June 2017
- The General Data Protection Regulation (GDPR) that will be implemented in May 2018
- The new corporate offence of failure to prevent economic crime having been proposed by government
In its Business Plan, the FCA highlighted financial crime as one of its key priority areas of focus. Robust governance and effective risk management frameworks are no longer ‘nice-to-haves’ but ‘must-haves’.
In a shifting social, political and regulatory landscape, how can firms turn the subjective risks they are exposed to into an objective corporate view, and make sure that the business and its customers are protected on an ongoing basis?
Performing an effective risk assessment
The answer is a robust, proportionate and documented financial crime risk assessment. But what makes a risk assessment robust and proportionate? Without relevant guidance, the subjective nature of financial crime regulation can lead to an inconsistent approach.
There are three key elements which help your firm mitigate financial crime risk:
1. Cultural alignment
From the very top of a firm to the frontline, everyone needs to understand the serious threat that financial crime poses and the board need to ensure that this understanding is incorporated into their strategy.
Our recent research with a cross section of financial services firms found that, in most cases, they are confident they understand the risks that financial crime poses. In fact, on average across banks and building societies, consumer credit, wealth and asset management, general insurance and life and pensions firms, 86% felt their boards understood the risks involved.
However, our research also highlighted that one of the key issues for compliance teams was obtaining sufficient time with business heads and other first-line stakeholders; clearly a challenge in an increasingly busy world with competing priorities for time and resource.
Some key culture-related questions firms need to consider to reassure themselves of their approach include:
- Do you have a culture that encourages employees to behave in the way the firm expects and empowers them to speak out when they see issues arising?
- Do MLROs / risk experts have clear lines of communication with the board to raise any concerns – and are there any obstacles to these conversations?
- Do you operate a clear ownership structure around your risk assessment? Are financial crime responsibilities and accountabilities clearly defined? Are they compliant with the Senior Managers Regime?
- Do you have a meaningful and clearly defined risk appetite statement aligned to scenarios relevant to your firm?
- Do you have an effective training programme in place for financial crime that is aligned to key messages coming from the top of the organisation?
2. Creating a robust risk assessment framework
Firms must understand and categorise the types of risks they face and address them appropriately. Typically this would include principal risks – including strategic, operational, regulatory, credit and legal – as well as their associated sub-risks.
How a firm designs its financial crime risk assessment methodology will very much depend on the complexity of the organisation, the nature of its services and the markets in which it operates.
As well as categorising risk, firms must apportion responsibility for the oversight of ongoing risks appropriately within the business. Specifically, senior management are the owners of the risk environment – at least, they will be accountable for any breaches that occur. Typically today, the ownership of the risk framework is delegated to the compliance or risk team. This was highlighted by our research, which found that 78% of firms delegated design, development, initiation, refresh and recordkeeping to their compliance team. Firms should ensure that the balance doesn’t shift too far. Compliance have a role to play but senior management and the first line should have a clear line of sight, responsibility and accountability.
Having delegated ownership of the risk assessment, the next challenge firms face is deciding what to take account of. Our research highlighted that some firms incorporated all areas of financial crime within one generic assessment. Whilst firms can adopt this approach, these assessments were typically found to be more general in nature, lacking the level of detail associated with more discrete assessments.
In terms of good practice, a financial crime risk assessment should explicitly address (in a level of detail that is appropriate to the nature of your business) the following:
- Anti-money laundering and counter terrorist finance
- Anti-bribery and corruption
- Information / data security
In our engagement with firms, only 7% had undertaken a risk assessment specifically incorporating all five of these elements.
3. Building an effective operating model
A robust operating model is key to establishing an environment that is conducive to ongoing compliance.
The environment in which firms operate – be it internal or external – is forever changing. Therefore, systems and controls not only need to be in place to counter the risk that the firm may be used as a vehicle for financial crime, but they should also be subject to challenge by both senior management and internal audit to ensure they remain effective.
In assessing and further developing their control environment, firms should consider whether they have:
- Established the most effective management information (MI) and data to give the board the clearest possible view (what MI is required should be reconsidered periodically to ensure its effectiveness)
- Ensured policies and procedures remain compliant with the changing environment, and are adequately communicated to the business
- Ensured their monitoring of controls is robust
- Engaged staff in surveys to assess the environment in the organisation, and acted on the findings
- Considered the frequency and level of training that is necessary to ensure staff continue to understand their responsibilities and whether everyone in the organisation understands the part they have to play in mitigating financial crime risk
In addition to these factors, a culture of recordkeeping is imperative. If a firm documents their justifications and the relevant evidence for decisions, they will be able to articulate and demonstrate an environment of effective risk management.
Ensuring protection where it is needed
In a world of ever-evolving criminal threat, where tackling financial crime is high on the agenda for both regulators and law enforcement agencies, effectively assessing risk is essential.
Firms are faced with the challenges of articulating and instilling a culture of compliance, establishing an effective operating model and creating a risk assessment framework and monitoring system that is proportionate, comprehensive and appropriate to their activities.
As every firm is unique, a one-size-fits-all risk assessment template does not exist. Instead, firms should pursue a tailored, risk-based approach, to which there are many benefits above and beyond limiting potential exposure to criminality and preventing regulatory penalties.
Huntswood has released a report on financial crime risk assessments. Based on research with a cross section of firms, the report offers guidance, outlines good practice and highlights practical steps that firms can take to embed a proportionate, pragmatic and dynamic approach.