The FCA doesn’t routinely gather information from firms about financial crime, the risks they are exposed to or how they manage those risks.
Scrutiny of specific firms has previously involved ad-hoc data requests, usually relating to firms’ systems and controls. The FCA has asserted that the lack of data they receive in this area prevents them from taking a truly risk-based approach to financial crime in line with global standards, yet this is their ultimate aim.
With the introduction of a new reporting form (REP-CRIM) and accompanying rules, this is about to change.
The FCA will soon require firms to submit annual data on their operating jurisdictions, customers (including their country of residence, the number of politically exposed persons (PEPs) and the number of customers exited relationships for financial crime reasons), suspicious activity reports (SARs), prevalent fraud typologies and how many of their staff work within financial crime roles.
Much has been said about the details of the requirements, the reaction of firms, whether they will be prepared for their first submission (which may be as soon as March 2017 for those with an accounting reference date (ARD) of 31 December 2016) and how the FCA will analyse and use the data.
Key points from the consultation
There were a number of recommendations carried across from the original consultation, with a few amendments. The final rules are as follows. On the 31st of December 2016, the FCA Handbook will be updated accordingly to reflect these requirements:
- All firms subject to the Money Laundering Regulations 2007 will be affected, except for retail investment intermediaries, mortgage intermediaries, investment firms, consumer credit firms (entirely excluding those with limited permission), and electronic money institutions with revenue of less than £5m
- A firm is only required to submit data relating to the part of their business subject to the Money Laundering Regulations 2007
- The FCA plans to bring in pure general insurers and intermediaries into scope at a later date
- The report must be submitted within 60 business days of the firm's ARD
- Given the retrospective nature of the data collection, firms will only be required to report on a ‘best endeavours basis’ for the first reporting period. Furthermore, the FCA will not be publishing the first set of aggregated data
- Firms must use the form provided by the FCA, which will be found in the Supervision Manual (SUP) 16 Annex 42AR (page 7 of PS16 / 19), and submit it via the FCA website. The FCA proposes to automate the collection of this information using GABRIEL
- Firms may submit their data on a group basis (a change from the proposals in the original consultation) as long as all of the firms in that group have the same ARD. To emphasise, data must not contain information from organisations who are not required to complete REP-CRIM
- Firms will only need to assess the risks within the jurisdictions they currently operate in or have established as high risk within the last two years
- Firms will only need to incorporate relationships with introducers that directly introduce customers or clients to the firm under an agency or broker agreement in return for a direct or indirect fee, commission or other monetary benefit into their reporting
- Firms are required to highlight their top 3 frauds most relevant to their business although completion of these questions is not mandatory
Considerations for firms
Firms should be asking themselves some straightforward questions at this stage:
- Which aspects of the firm / group will be subject to the requirement and what are their applicable submission dates?
- Is the required data currently available? Will it need to be requested from third-party AML service providers? How accurate is the data?
- Will you be aligned with your peers? Might you be an outlier?
- Does the firm have existing reporting processes that could be utilised?
- How do you ensure clear and robust governance of the requirement?
- Who is responsible for completion and sign-off and what is the process?
- What additional resource will be needed to report on an on-going basis?
- How will reporting inform the business on an ongoing basis?
- How can aggregate data from the FCA reports be utilised and will it inform your risk assessment?
Currently 1,400 firms are subject to the UK Money Laundering Regulations 2007, with this number likely to increase with the UK’s implementation of the fourth anti-money laundering directive (4AMLD) in June next year.
Much of the data required within REP-CRIM is likely to already exist within firms, and ensuring it is all brought together consistently and accurately will be the challenge. Some firms may well find this easier than others. That said, questions and challenges will inevitably arise during implementation; although there is much clarification in the final reporting rules, a lot is still left to interpretation.
The data will be actively used by the FCA to drive its risk-based supervisory work and will also give the FCA good insight as to each firm’s own assessment of risk.