Recent AML fines issued to two financial firms in January 2023 illustrate that financial crime compliance remains central to the FCA’s enforcement agenda.
In this article, artificial intelligence providers Elephants Don’t Forget analyse why organisations will have to start re-evaluating their compliance programmes following FCA enforcement.
The fines – which come off the back of additional enforcement action against six further regulated firms or individuals in the past 12 months for failures related to AML systems and controls – add weight to the FCA’s mounting purpose to target firms who fail to put adequate governance, systems and controls in place to effectively counter financial crime risks.
‘Inadequacy of training for staff’ was identified as a central theme after being specifically referenced as a recurring weakness in the regulator’s summary of reasons for final notice action in both instances.
In one instance, the FCA found that:
- Induction AML training was not specific to the firm’s products and customers, and tailored training was not offered based on an individual’s role or responsibilities.
- The firm did not maintain an AML training log; inadequate training was cited as the foundational component that resulted in other failures being identified in relation to risk assessments, due diligence and ongoing monitoring.
In general, the FCA voiced concerns that inadequate training for staff charged with due diligence responsibilities resulted in them having insufficient knowledge of the relevant regulatory requirements to carry out their role.
Are firms meeting FCA expectations?
The FCA expect firms to be actively engaged in assessing and addressing competency-based risks associated with financial crime. Poor practice – as defined by financial crime risk guidance issued by the regulator – states that risk is directly manifested by employees not being able to follow, understand or access relevant policies and procedures; financial crime competence not being regularly reviewed; reparative action not being undertaken, and risk identification processes being reactive, not proactive.
The inadequacy of firms’ training regimes has also been on the regulator’s radar over the last two years. For example, 45 per cent of final notices issued by the FCA in 2021 identified deficiencies in firms’ training programmes, highlighting a reliance on an inadequate or ‘one-size-fits-all’ approach to training employees, or a culture where employees did not complete mandatory training.
In addition to this, 100 per cent of final notices issued involved criticisms of firms’ policies and procedures, specifically highlighting how firms’ employees failed to comply with them, how firms failed to monitor compliance with these, and/or failed to take adequate action to address known instances of non-compliance.
Assessing feedback from the frontline
In May 2022, Elephants Don’t Forget polled 299 compliance and risk professionals in a financial crime webinar hosted in conjunction with financial services consultants, Bovill.
Poll results found that the top three areas where firms felt they were not confident they were meeting FCA expectations were concerned with:
- Ensuring that senior managers can articulate the risk and controls in a clear manner (68 per cent)
- Lack of real-time compliance data to manage financial crime risks (66 per cent)
- An inability to design and deliver training to identify and manage future threats (38 per cent)
Are compliance measuring what matters?
Research suggests that a third of UK banks spend around five per cent of their annual revenue on compliance per year. Collectively, £28.7 billion is spent annually by firms on AML compliance costs alone. Spending by UK firms is also expected to rise and exceed £30 billion this year, reflecting increasing board-level concerns over financial crime risks, enhanced regulatory scrutiny and reputational impacts.
As pressure on compliance increases, firms obviously need to assess whether ‘doing more of the same thing’ is an effective strategy to counter increasing risks; especially when the regulator persistently continues to highlight the drivers of training failures that are apparent within the industry.
The ‘true’ cost of compliance
We know that the ‘true’ cost of compliance is often wholly underestimated, especially when it comes to the thousands of valuable productive employee hours being unnecessarily wasted on ineffective compliance training regimes; often a series of uninspiring, one-size-fits-all, box-ticking routines that serve to fuel an increase in compliance fatigue, encourage disengagement with required regulatory learning and – crucially – provide no leading, real-time indicators of competency-based risks for the employer.
Relying on a single-point-in-time pass mark for staff – after they have sat through a generic e-learning AML module and answered a 10-question quiz at the end (presumably passing with flying colours after a number of re-sits) – does not result in employees – especially new recruits – having sufficient knowledge of relevant regulatory requirements to carry out their roles. The FCA’s summary of reasons for issuing final notice action to these firms in January 2023 stresses this point.
Questionable employee compliance assurance
In addition, the current methodology for evaluating the quality and effectiveness of employee compliance training is questionable from an assurance perspective too. Evidence indicates that the most common way firms deem the efficacy of their training is by measuring completion rates and – if 90–95 per cent of employees complete training – the programme is regarded as a success.
The fact is that this is a major year from a UK regulatory reform perspective – and compliance is also under fire from numerous geopolitical fronts. There will be competing demands on a firm’s resources at present, so it is appreciated that there needs to be a level of pragmatism involved when assessing strategies and approaches to staff training.
However, the underlying rationale that might be underpinning your focus – and budget allocation in 2023 – may well be on ensuring you get access to outcomes-based, leading metrics. In short: measuring compliance outcomes, not hours spent or completion rates.
Re-evaluating compliance programmes
With financial crime, organisational culture, consumer duty and vulnerable customers all significant topics on the regulatory agenda, firms could well find their compliance programmes becoming more closely scrutinised. If completion rates are a primary measure of evaluating the success of your training programme at present – it might well be a good time to re-evaluate your approach.
Looking through a pragmatic lens however, it is probable that most firms will continue to default to the lowest-cost-to-serve, single-point-in-time assessment modality; simply electing to tick the training box rather than using it as a key enabler to genuinely shore up their defence lines and improve outcomes. Historically, principle-based regulation has not been a catalyst for fast and dramatic change – and it does seem to take an increased level of individual FCA scrutiny to force specific firms to re-evaluate their strategies.
Yet, objectively, these recent enforcement actions do go some way to illustrate that the regulator is willing to show its teeth and hold senior management accountable for failing to implement and address weaknesses in their systems and controls.
Now, with the regulator becoming more sophisticated in its use of technology and data to monitor firms – and when there is ever-increasing pressure to demonstrate how firms are countering financial crime risks, making improvements to culture, employee conduct and consumer outcomes – firms may want to explore their options to provide them with a greater level of evidence and comfort that they are focused on the metrics that genuinely do matter.