First published on Thomson Reuters Regulatory Intelligence on 7 May.
The anti-money laundering (AML) and market abuse landscapes have continued to be turbulent over the last 18-24 months, and this trend is set to continue. The financial services industry has needed to navigate extensive changes in regulation and regulatory expectations and understand evolving enforcement trends, threats, such as the ongoing issues brought about by the COVID-19 pandemic, and technological developments, such as fintech and regtech.
In this article, we highlight some of the key industry challenges faced by firms from a UK perspective, including highlighting solutions which could be used to help tackle these and what this all means for the roles and responsibilities of money laundering reporting officers (MLROs), compliance and surveillance teams.
There has been a raft of recent legislative and regulatory changes in the UK AML space, including the Fifth and Sixth EU Anti-Money Laundering Directives, as well as the adoption of the UK’s independent AML framework post-Brexit. The regulatory remit has expanded to include more types of firms, such as crypto asset exchanges and custodian wallet providers, letting agents and art market participants. Additionally, the bar has been raised higher for those already in-scope - for example, certain trusts need to register on the UK’s Trust Registration Service by 22 March 2022.
On the horizon there is also upcoming reform to the UK’s Suspicious Activity Reporting regime and Companies House register to enhance corporate transparency, support domestic and international investigations and contribute towards the global fight against white collar crime.
There are many challenges for firms to contend with just to remain compliant. Therefore, the ability to effectively horizon scan, identify control framework gaps and prioritise enhancements to resolve these is even more crucial now than ever.
In terms of enforcement, firms continue to face scrutiny regarding the extent to which they have addressed financial crime risks effectively and this remains a key area of enforcement focus for the FCA. For example, most recently, in March 2021 the FCA commenced its first criminal prosecution in respect of alleged breaches of the UK Money Laundering Regulation 2007 requirements in relation to conducting risk sensitive due diligence and ongoing monitoring of transactions.
Enforcement in this area highlights the need to both design and operate robust systems and controls, and periodically test these to gain evidence that the expected outcomes are being achieved. Failures to learn lessons from enforcement action is often treated as an aggravating factor, particularly where the same failures have been repeated and lessons learned have not been thoroughly integrated back into the firm. We anticipate that the increase in regulatory requirements and expectations is likely to place senior managers under the spotlight if there is evidence of a failure to take reasonable steps to prevent an AML failing within their remit.
Use of technology
The regulators continue to endorse the use of technology, especially to support the adoption of a risk-based approach to AML compliance, noting that the serious consequences in getting these things wrong can be a daunting prospect for firms. However, as criminals continue to become more tech-savvy and sophisticated (both in general and as a direct result of the COVID-19 pandemic), firms’ solutions to prevent and deter them need to keep pace with these changes.
There are multiple considerations to take into account when deciding on a suitable technological solution, such as commercial, operational, regulatory and risk management factors. Firms must appreciate that they may require a diverse range of tech solutions to address specific and unique AML challenges within their operating environment. They must also consider that any proposed tech solution will need to co-exist and integrate with existing IT and data infrastructure, and be able to explain how the solution implemented contributes to the material reduction in residual risk exposure for the firm.
We have also seen significant recent regulatory shifts in relation to market abuse. Most notably, in January 2021 the EU Market Abuse Regulation (MAR) was onshored into UK law, meaning in a post-Brexit world, UK markets and financial instruments remain subject to broadly the same requirements and protections as previously. Firms are, however, expected to review the onshored UK MAR requirements to identify certain substantive changes which may require process changes, such as reporting requirements.
Current and horizon challenges
The regulators have published guidance outlining areas for concern. For example, as we continue to navigate the global COVID-19 pandemic and rely heavily on remote working protocols, it has been made clear that office and working from home arrangements should be equivalent in terms of inside information controls and firms need to consider whether more can be done to remotely supervise staff and foster a positive culture of compliant conduct. Recent enforcement cases have highlighted the ongoing risks of individuals sharing inside information acquired through the course of their work for financial gain, and the need for firms to take these risks into account when implementing effective systems and controls.
The monitoring of communication has become even more vital, especially in the context of home working. Consideration needs to be given to the ability of firms to access, retain and monitor communications where required, or whether additional controls or precautionary measures, such as training, are needed - especially pertaining to informal encrypted messaging systems used on personal devices. Firms should also consider whether compliance and surveillance teams can introduce additional practical steps to enhance their virtual presence, such as virtual drop in sessions or more frequent spot checks.
Firms should consider whether inside information processes should be updated, including to facilitate the early identification of inside information and taking into account the latest guidance (for example, the FCA’s Delayed Disclosure Review in November 2020 expressed concern about the low volume of notifications over an 18 month period after the new regime was introduced).
Notably, market volatility continues to present a challenge and, as a result, regulators including the FCA have further enhanced their market monitoring tools. Firms therefore need to re-visit how to adapt their systems to deal with market volatility and other developments in the trading environment, including the appropriate calibration of surveillance systems and generation of alerts.
From an AML perspective, the complexity of the MLRO role is even greater than it has been previously. Increasingly, MLROs need not only excel in the compliance arena and possess a strong working knowledge of their local AML framework and legislative trends, but also demonstrate leadership, technological, negotiation and horizon scanning skillsets. In the current climate, this means that finding and retaining a suitable candidate can be a serious resourcing challenge.
MLROs also need to foster a proactive, open and two-way dialogue with the regulators to understand how evolving supervisory strategies and approaches are likely to affect reviews, inspections and investigations.
It has widely been established that investment in technology is crucial. However, MLROs should target the right technology, using specific use cases as a starting point to bring in solutions which are tailored to the firm’s needs.
Throughout a firm’s AML control framework design and implementation, MLROs may benefit from gaining external advice and assurance to help provide third-party checks and balances, and insights into market practices for the firm.
In terms of market abuse, with the continuation of working from home arrangements it is vital for compliance and surveillance teams to consider how controls need to be adapted to effectively monitor and identify poor practice, particularly in the context of work related communications.
There is no doubt that increasingly senior management will be held to account for practices undertaken on their watch, therefore firms may want to consider what support can be offered to relevant individuals in terms of ongoing training and additional steps such as internal reviews, particularly following specific incidents. Conducting lessons learned reviews may be particularly useful in providing reassurance regarding the adequacy of controls and assist in evidencing reasonable steps.
Finally, firms would benefit from closely monitoring the outcomes of enforcement action, including where this can be used to help support internal learning as well as process and control enhancements, and foster closer alignment between regulatory expectations and market practice.