The coronavirus pandemic has presented a number of well documented cross-sector challenges. The transition to remote working and a rise in volume of queries has led to increasing operational pressures; as firms strive to continue to service their customers.
However, the Financial Conduct Authority (FCA) has clearly articulated, that while it recognises the operational challenges that many firms are currently facing, relaxing financial crime systems and controls should not be seen as a means of alleviating pressure. In a recent statement it emphasised that:
...firms should not seek to address operational issues by changing their risk appetite. For example, firms should not change or switch-off, current transaction monitoring triggers/thresholds, or sanctions screening systems, for the sole purpose of reducing the number of alerts generated to address operational issues.'
Rather, it seems that firms must be more vigilant than ever, as criminals look to take advantage of the coronavirus pandemic and the circumstances surrounding it.
The Financial Action Task Force (FATF) has identified a number of emerging risks, such as the advertising and sale of counterfeit medicines, fundraising for fabricated charities, investment and product cons as well as an increase in email and SMS phishing scams.
Resourcing challenges during the coronavirus
With potentially reduced human resource capacity and a host of other matters competing for time and resource, firms must consider how they can remain effective in detecting and preventing financial crime.
Efficient and effective financial crime systems and controls, and an appropriately risk-based approach to customer onboarding and ongoing monitoring are therefore more important than ever, as firms must make sure that they use the resources that they have available effectively.
Taking a risk-based approach
A robust business-wide risk assessment plays a key role in helping firms to determine and understand the risks to which they are exposed and in implementing policies and procedures that are relevant and commensurate to these risks.
This should help firms to maintain awareness of their key risk areas and to target resources more effectively.
Firms should also look to ask themselves crucial questions, such as:
|①||Are our customer identity verification processes sufficiently robust and risk-based? Are front line staff clear on whose identity needs to be verified and how identity should be verified?
With many bank branches and offices closed due to public health and safety measures there is increasing need for customers to be verified remotely and for firms to have appropriate flexibility in their approach to facilitate this (while still ensuring alignment to regulatory requirements).
|②||Is appropriate and high quality Know Your Customer (KYC) information/documentation gathered and centrally stored for all customers?|
Information should be accessible, accurate and up to date. In our work with firms, we have frequently seen quantity of data prioritised over quality and a lack of qualitative analysis of the information gathered. Emphasis should be on knowing your customer and therefore consideration should be given to which information will best enable you to further understand your customer and the nature of the business relationship.
We have also seen issues arise where firms employ multiple systems that do not interact, leading to inconsistent customer records. This can have significant knock-on effects, such as incorrect understanding of client risk and wasted time requesting information that is already held elsewhere.
|③||Do our customer risk assessment processes capture relevant risk factors?|
For example, do our risk assessment processes account for the risks associated with specific products, services, jurisdictions and customer types? And are factors appropriately weighted when calculating risk and assigning risk-classifications? If not, risk may be either over or under-estimated; leading to a lack or over-application of Enhanced Due Diligence (EDD) and ongoing monitoring measures.
|④||Are our EDD measures appropriate and effective?|
Do they help us further understand the risks associated with a particular business relationship, to facilitate effective decision-making? Such as, whether to onboard a customer or how ongoing monitoring should be conducted. We often see firms applying a 'tick-box' approach to EDD and would urge firms to instead further consider the risks they are looking to understand/mitigate when applying EDD.
|⑤||Are our ongoing monitoring measures sufficiently tailored?|
Are, for example, Transaction Monitoring (TM) thresholds too generic to effectively highlight risks? This can lead to swamping TM teams with low quality alerts, which take up precious time and resource to resolve.
The evolution of financial crime
Firms need to ensure that their processes are not unnecessarily arduous, but that the systems and controls in place are proportionate and effective both in highlighting and mitigating risk.
However, this is not a simple undertaking, and the current coronavirus pandemic highlights an additional significant and ongoing challenge for firms-the evolving nature of criminal activity and methods used to disguise proceeds of crime.
As in much the same way that viruses evolve and adapt, becoming resistant to existing treatments, so do criminals. Those seeking to launder criminal proceeds or finance terrorism adapt their methods to evade thresholds and work to exploit any weaknesses in firms’ systems. This is a particular challenge in an increasingly complex and digital world.
This raises a key question for firms:
How can we ensure that our financial crime systems and controls remain appropriate in an ever-changing environment?
Staying alert and sensitive to emerging risks and seeking to understand threats as they develop is a crucial component. Designing and implementing robust financial crime controls is not a one-time activity, and review of controls cannot be prescriptively scheduled. Firms should maintain awareness of emerging risks, relevant to their sector, business type, products and services, the jurisdictions in which they operate and their customer base, and should look to adapt and enhance controls which aim to mitigate new threats as they emerge.
Particularly at present, Law Enforcement Agencies (LEAs), Financial Intelligence Units (FIUs) and Regulators are working together to identify, monitor and communicate changes to the risk landscape and to provide further guidance for firms. For example, the FCA has highlighted that it is working with law enforcement such as the National Economic Crime Centre (NECC) and will be sharing information on coronavirus related financial crime as new risks emerge
Firms should be alert to such broadcasts and ensure that the potential implications are assessed within the context of their business and swift mitigating actions taken.
Firms will also need to make sure that appropriate measures are in place in respect of staff training and awareness, in order that front line staff are equipped to identify and manage new threats.
These are undoubtedly challenging times for firms, and while some may need to delay or re-prioritise activities, such as ongoing customer due diligence reviews, any such steps must still be aligned to the legislative framework for anti-money laundering (AML) and counter terrorist financing (CTF) and should be carefully weighed up against the associated risks.
Firms may wish to assess the efficiency and effectiveness of existing controls and, in particular, the extent to which they employ an appropriately risk-based approach. This will assist in ensuring that the resources available are used effectively and are appropriately targeted. Firms should also be alert and responsive to new and emerging threats as criminals look to exploit circumstances created by coronavirus.
For more information, please contact Paul Jennings.