
Money laundering through the markets: The FCA publishes updated guidance

On 23 January 2025, the Financial Conduct Authority (the "FCA") published updated guidance on "Assessing and reducing the risk of Money Laundering Through the Markets" ("MLTM") (here).

This guidance renews and refreshes the earlier risk assessment of MLTM and risks documented in the FCA's 2019 thematic review on the subject. Wholesale broker firms remain the focus of this work, with the FCA highlighting their important role in maintaining the effectiveness of the UK wholesale markets. This new guidance is intended to assist these firms to continue to improve their controls to ensure that they meet the required standards.

The guidance is also likely to be of interest to financial services firms more broadly given the detailed guidance as to good and bad practice (including through case studies) and the FCA's expectations in relation to financial crime prevention.

The guidance addresses the following:

  1. the FCA's observations on how MLTM risk presents in the market;
  2. the FCA's expectations in relation to business-wide AML risk assessments, customer risk assessments, KYC and customer due diligence, governance and oversight, transaction monitoring, suspicious activity reporting (SARs), training, resourcing and policies and procedures; and
  3. the FCA's expectations as to next steps for firms.

MLTM risk in the market

MLTM refers to the use of capital markets to launder funds obtained through criminality, with the effect that the funds thereafter appear legitimately generated from trading activity.

The wholesale broker sector has been an area of focus for the FCA in relation to AML, owing to the heightened risk that brokers are vulnerable to exploitation for MLTM purposes. The FCA have also focused on identified weaknesses in the financial crime controls in place in the sector. They note, for example:

  • concerns related to limited governance, accountability and poor culture;
  • failure to understand financial crime risks of wholesale brokers;
  • underinvestment in systems, controls and training;
  • control functions are not properly resourced or empowered to effectively challenge the business; and
  • the misperception that firms that are not authorised to hold/control client money under CASS permissions have limited or no responsibilities for mitigating financial crime.

The guidance therefore seeks to identify best and poor practice for such firms and thereby promote the development of the sector's financial crime controls.

The FCA note that firms' use of the risk typologies outlined in its 2019 thematic review has remained largely unchanged. Similarly, firms continue to consider risk typologies difficult to spot in isolation, with the FCA emphasising the importance of considering customer activity in light of business/money laundering risks and in combination with transaction monitoring ("TM") alerts and other KYC information. While a small number of risk indicators occur with prevalence, the FCA note the need for firms to be alive to the potential for such risk indicators to evolve over time.

The FCA's expectations

Business-wide risk assessments ("BWRA")

The FCA highlight the importance of the BWRA to firms' understanding of the risks faced by them, enabling them to develop proportionate and effective systems and controls to manage and mitigate financial crime risks.

While the FCA identify some examples of good practice in the completion of BWRA, the primary focus was on examples of poor practice.

Noted examples of good practice included:

  • consideration of specific risks related to the business model;
  • inherent risks, mitigating factors, controls and residual risks are properly considered and documented;
  • financial crime related risks and typologies are used to assess the risks of new products and services;
  • annual red flag analysis covering relevant risk typologies is mapped against the products offered by the firm; and
  • explaining steps taken to mitigate and manage risks within their appetite.

Conversely, the FCA identified the following poor practices:

  • several instances where senior managers were unable to adequately explain the financial crime risks facing their firm, and how these were mitigated by the systems and controls in place;
  • instances where firms prohibited services to entire groups or types of customers without appropriate "rationale, consideration or justification". In such circumstances, the FCA consider that the firm should adopt a risk-based approach with suitable controls, rather than wholesale de-risking without sufficient rationale;
  • business risks being too broadly defined and assessed, which the FCA considered reflected a lack of understanding of risk across the business;
  • no defined methodology for assessing known and emerging risks; and
  • no consideration of Terrorist Financing and Proliferation Financing risks in the BWRA.

Customer risk assessments ("CRA")

The FCA's review identified that most firms were performing the CRA process to the expected standard, whereby they considered a variety of risk factors and, in many cases, weighted their calculations. However, weaknesses were identified in the documentation of this process. The FCA noted that most firms failed to document the CRA methodology in their policies and procedures or appropriately document the rationale for decisions being taken, which led to the potential for inconsistency of application. The FCA found instances where all ‘name give-up’ business model clients (an off-exchange deal between parties at mutually acceptable terms, before passing names to each client so that they can conclude the transaction bilaterally) and regulated entities were automatically assigned as low risk and subjected to simplified due diligence (SDD), regardless of other risk factors. The FCA also saw firms basing the CRA solely on customer jurisdiction, with limited consideration of other risk factors or information received.

The FCA noted regulated entities automatically being assigned as low risk and simplified due diligence applied despite the presence of other risk factors.

Examples of poor practices included:

  • CRA scores predominantly based on one risk factor, for example, jurisdiction;
  • waiting for periodic reviews or file refreshes to update risk ratings where new information and changes to risks have been identified; and
  • PEPs considered high-risk as a starting point, regardless of whether they are domestic or foreign PEPs, resulting in a lack of appropriate and risk-based EDD.

Know your customer ("KYC") and customer due diligence ("CDD")

The FCA again highlighted a range of good and poor practices in the identification, collection and verification of customer information, with the FCA highlighting the importance of KYC and CDD to manage risk factors and provide a meaningful basis for subsequent customer activity and monitoring.

Examples of identified good practice included:

  • independently verifying documentation received and adverse media;
  • firm’s compliance staff met with the client’s compliance officers and other Senior Executives at the client’s offices to discuss and understand their systems, controls, processes and procedures as part of the KYC process;
  • 4-eyes checking of onboarding materials before approval; and
  • re-completing onboarding KYC process after a period of non-trading.

Examples of poor practice included:

  • the nature and purpose of the account, expected account activity and payment methods not being understood or documented;
  • account approval audit trails and rationale are not stored on customer files;
  • "give-up" or regulated clients subjected to simplified due diligence irrespective of risk factors;
  • backlogs of periodic KYC reviews;
  • applying enhanced due diligence to all customers regardless of risk; and
  • screening being completed after the customer had been onboarded.

Governance and oversight

The FCA commented positively on their observation that firms appear to recognise the importance of strong governance and oversight to support the effectiveness of systems and controls in this area. The use of customer onboarding committees and risk committees to discuss risks, decisions and challenges was commonplace, as were tabled risk discussions as standing Board agenda items.

In smaller firms, the FCA noted challenges associated with assigning SMF roles to individuals who could, by virtue of their role, impact the effective execution of AML/financial crime duties and process. The need to ensure conflicts of interest were appropriately managed was highlighted, particularly in circumstances where individuals hold Head of Compliance/Partner (SMF16/27) and MLRO/COO (SMF 17/24) roles.

However, poor practices identified included:

  • arrangements not in place to make sure possible conflicts of interest are managed, independence maintained, and duties carried out effectively for SMF role holders;
  • insufficient ML/financial crime knowledge and awareness held by SMF role holders; and
  • management discussions, decisions, approvals and actions are not documented.

Transaction Monitoring ("TM")

The review highlighted challenges experienced by firms in identifying suspicious activity due to, for example: lack of transparency and visibility of transactions; the scale of false positives which impact the firm's ability to investigate alerts; and the volume of trades when compared against the scalability of solutions and resources.

Larger firms appeared more advanced in the use of technology-based solutions, and firms that used only manual TM processes may face challenges with the assessment and determination of relevant TM rules and scalability of such an approach, as well as with appropriate resourcing to review activity. TM alerts relevant to capital markets remain limited.

The FCA highlighted the need for firms not to view transaction monitoring in isolation, but rather to consider TM alerts alongside KYC information, proactive intelligence-led analysis, hidden or linked relationships, changes in UBOs and other relevant information which may help identify suspicious activity.

Poor practices identified included:

  • attitudes that market knowledge and experience alone will enable effective identification of suspicious activity;
  • trade surveillance ("TS") and TM alerts are not considered in KYC CDD processes, reviews and recorded on customer files as part of a cyclical process;
  • unscalable manual solutions given the level of firm resourcing and business growth;
  • insufficient risk-based justification for not completing TM for all types of business;
  • only considering the risk of ML from a TS alert if a STOR is raised;
  • TS/TM controls mostly focusing on identifying market abuse; and
  • front and middle office are not working together to identify suspicious activity.

Investigations and suspicious activity reports ("SAR")

The low level of submitted SARs in the wholesale broker sector was noted by the FCA, who referred to statistics published by the NCA which suggest that nearly 75% of wholesale broker firms have not submitted a SAR to the NCA in a five-year period.

The FCA provided examples of good and poor practice which should be borne in mind by firms. A risk of confirmation bias was highlighted by the FCA, who noted that firms believe that they are unlikely to identify suspicious activity and submit SARs on the basis that they only see one side of the trade and believe their clients are low risk.

Poor practices identified included:

  • details of SAR analysis and outcomes are insufficiently documented; and
  • SARs raised are not considered in KYC, customer risk ratings and staff training.

Training, resourcing and policies and procedures

The FCA expect firms to have appropriate levels of resourcing to support the effective operation of their systems and controls, and training to be appropriate to the role performed and the risks the business is exposed to. The FCA also emphasised the importance of ensuring policies and procedures are up to date and appropriate to the business.

In this regard, the FCA identified good practices, which include:

  • enhancing generic training with business and role-specific content;
  • cross-training TM, TS, AML and front office teams on relevant risks, typologies and case studies;
  • using "near misses" data to identify and deliver additional training; and
  • disseminating key points from regulatory communications (e.g., Dear CEO letters, Final Notices and regulatory changes) to all staff.

Conversely, poor practices identified include:

  • insufficient resourcing with reference to number of customers and business growth;
  • relying on individuals' experience and knowledge instead of documenting policies and procedures; and
  • training not being completed on time or not escalated to management for action.

Next steps

The expectation from the FCA is clear: firms are expected to review their systems, controls and MLTM awareness and training in light of this guidance to ensure they meet the required standard and are effective in combating financial crime.

The FCA view this work as collaborative and note the need to raise awareness of MLTM and the identification and reporting of suspicions within the sector.

Conclusion

This updated guidance is likely to be of assistance to firms seeking to navigate the ever-increasing complexity of the financial crime landscape. It is also a clear signal from the FCA that this sector, and financial crime more generally, continues to be an area of focus.

The publication of this guidance follows further recent focus in the sector, seen in the FCA's publication of its findings from its multi-firm review of payment services and account providers' use of the National Fraud Database and money mule account detection tools to trace the proceeds of fraud across payments networks (here).

The FCA's close interest in this area means that further thematic work, coupled with potential robust enforcement action, is likely.

We recommend that firms in this sector consider this guidance closely and review their systems and controls in light of it to ensure compliance with the identified best practice.

Author: David Capps, partner
