Key points from the FCA's Financial Crime Guide updates

Following its April 2024 consultation, the Financial Conduct Authority made changes to its financial crime guide, or FCG, effective from late November. In this article, written for Law360, Emma Radmore and Laura Wiles take a look at key points arising from the FCA's changes.

As explored further here, the updates reflect the FCA's learnings on sanctions systems and controls following Russia's invasion of Ukraine. They also highlight expectations on firms in relation to proliferation financing, set out guidance on transaction monitoring systems, and include clarifications on the consumer duty and anti-money laundering requirements for crypto-assets businesses.

The guide has been part of the FCA's Handbook of Rules and Guidance since 2011, and the FCA wants to ensure it remains a useful resource for firms. It hopes that the changes help businesses to understand the regulator's expectations, determine the adequacy of its financial crime systems and controls, and resolves any issues it might find during this assessment.

The guide, as its name suggests, contains only guidance, no rules. It gives firms overall guidance on what their holistic approach to compliance should be, and then provides further detail in chapters specific to particular financial crime prevention laws and regulatory expectations.

Key changes

Sanctions systems and controls

The FCA conducted extensive assessments of firms' sanctions systems and controls following Russia's invasion of Ukraine, and has updated the relevant chapter of the guide to reflect these learnings.

Respondent feedback welcomed the clarification that FCA expectations apply not only to firms that are authorised by it under the Financial Services and Markets Act 2000, but also to e-money and payment institutions and crypto-asset firms that fall under the FCA's supervisory remit.

These bodies also approved of the new guidance on senior management accountability and new self-assessment questions. For clarity and consistency, the FCA has further updated some of the terminology used in the chapter, including replacing the term "sanctioned countries" with "sanctioned jurisdictions," and referring to "sanctions targets" rather than individuals or entities subject to sanctions.

The FCA also clarifies the scope of the guide, and its application beyond the U.K., particularly for non-U.K. sanctions frameworks. While the guide caters to the U.K. financial sanctions framework, the reporting guidance in FCG 7.1.5 now makes clear that it sets the notification expectation for firms that are the target of U.K. sanctions, or sanctions by other countries or jurisdictions.

Other helpful clarifications include:

• Distinguishing between the U.K. sanctions list published by the government, which gives details of those designated by regulations made under the Sanctions and Anti- Money Laundering Act 2018, and explains which sanctions measures apply to these persons or ships — and the consolidated list maintained by the office of financial sanctions, which sets out financial sanctions targets designated by the United Nations and the U.K
• Confirming that firms should report suspect sanctions breaches, including those that result from significant failure in the firm's systems or controls to the FCA in line with Principle 11 and SUP 15.3.8G(2), namely in an open and cooperative way, disclosing to the FCA appropriately anything relating to the firm that the regulator would reasonably expect notice
• Making clear where the good and poor practice examples in FCG 7.2.3 relate specifically to automated, rather than manual, screening
• Removing text that suggested that an Office of Financial Sanctions license would be required to retain customers who are designated persons
• Making a number of changes to the governance and risk assessment sections, such as in a risk assessment good practice example, which now describes a firm that "performs lessons learned exercises following material sanctions developments to improve its readiness to respond to future events," as the FCA intends for the idea of "lessons learned" to be proportionate and relevant to the firm.

Future revisions to the chapter may include examples of good and poor practice, including for senior management responsibility and management information, guidance on screening, further references to the new office of trade sanctions implementation and trade sanctions, and adding case studies to help firms evaluate systems and controls.

Proliferation financing

Proliferation financing is now explicitly referenced throughout the guide where appropriate. In particular, it now highlights the 2022 amendment to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which requires firms to conduct proliferation financing risk assessments.

However, there is no chapter in the guide dedicated to proliferation financing. Some respondents asked for a clearer division between the proliferation financing and sanctions chapters of the guide, but as yet, the FCA does not see a justification for separating these chapters. This is particularly due to the current lack of case studies specific to proliferation financing. As the regulator obtains further information on how firms are implementing risk assessments, we may expect to see this distinction reconsidered further down the line.

Guidance on transaction monitoring systems

Respondents welcomed the FCA's drafting on a proportionate approach to using technology in transaction monitoring. The guide now features key guidance on how to implement and monitor transaction monitoring systems, including supporting responsible innovation and new technological approaches.

The guidance sets out self-assessment questions, examples of good and poor practice, and a case study on weaknesses the FCA found in HSBC Holdings PLC's transaction monitoring systems. This ultimately resulted in the regulator imposing a fine on the firm of approximately £64 million ($78.3 million).

Changes update the guide to reflect the variety of transaction monitoring systems currently in use, including those that work on a transaction-by-transaction or unusual-transactions basis, and includes an example of good practice to remind firms to test and update system parameters to be sure that whatever approach they take will help to identify suspicious activity.

The FCA clarifies that these FCG 3.2.5A expectations will apply to both manual and automated transaction monitoring, unless specified otherwise. In a further proportionality amendment, it has also modified one of the poor practice examples so that it describes a scenario whether a firm fails to "check that a counterparty is monitoring customer activity", rather than "verify," which respondents suggested was unduly restrictive.

Simultaneously providing guidance on governance and welcoming innovation, the FCA has also added a new good practice example of firms keeping records of the way they train any artificial intelligence they use, and the process for making adjustments — specifically how the interpretable model can be maintained.

AML obligations for crypto-asset businesses

The guide has broad application: it is not only relevant for firms that are authorised financial services firms subject to the regulations, but also for firms that are supervised by the FCA under them, such as non-consumer lenders and crypto-asset businesses — the latter have been subject to the registration requirement since 2020. The guide now makes clear that crypto-asset businesses should refer to the guide.

The guide is intended, in principle, to be sector-agnostic, focusing rather on elements of financial crime controls and specific risks. Although the FCA acknowledges that some sections are more relevant to certain firms and sectors than others, it refers respondents who suggested creating a new subchapter for crypto-asset firms, and others looking for sector-specific guidance, to its supervisory findings, other publications and portfolio letters.

Consumer Duty obligations

Financial institutions and their advisers will be well aware of the consumer duty, which as of July 31 is in force for all products, and which should therefore be well embedded within firms' business models, systems and controls.

As a reminder, the duty introduced an outcomes-based approach to consumer protection, setting increased expectations on firms' treatment of retail customers, applicable throughout the life cycle of a product or service, from development to distribution and post-sale.

Respondents highlighted instances where the guide might conflict with the duty, including circumstances where concerns about unfair client treatment may conflict with the requirement for thorough due diligence, asset freezing and a risk-based approach.

The guide now includes cross-references to the FCA's rules and the non-handbook guidance for firms on the duty to assist with balancing duty obligations against financial crime obligations.

The FCA clarifies that the duty does not override other requirements, and that if financial crime requirements actions prescribe certain actions, firms must comply. However, the duty means firms should think carefully about the approach they take to meeting their financial crime prevention obligations.

The guide now makes clear that firms should consider whether their systems and controls are consistent with their duty obligations.

Other changes

The FCA has added some further examples to the data security chapter. It also encourages firms to share data and information, following the changes in the Economic Crime and Corporate Transparency Act 2023 that disapply civil liability for breaches of confidentiality when firms share information to combat economic crime.

The FCA also makes consequential changes to replace expired links, updates outdated references to EU rules, and refreshes case studies based on more recent FCA enforcement notices.

Practical takeaways

Financial crime remains a top priority for the FCA, and it will not hesitate to take action against firms whose systems and controls are not up to its expectations, even if the firm has not actually been used as a vehicle for financial crime. The FCA expects firms to review and understand the changes made to the guide, and consider if any amendments are necessary to their existing financial crime systems and controls.

This might include adjustments to internal policies, monitoring systems, training or governance. However, this is not a one-size-fits-all regime, so some firms may have less mature financial crime prevention regimes and require more tailored arrangements to their structure and business activities.

In line with the increased expectations on firms under the consumer duty, the FCA also says that it expects firms to have a heightened awareness of what constitutes good and poor practice, and, ultimately, it wants to see improved compliance, with supervised firms able to demonstrate that they have considered the guide.

So, although the key is for firms to assess their policies, procedures, systems and controls against the changes and new examples, this could also provide an opportunity for a wider review, a check that policies remain overall fit for purpose, and consideration for whether staff training needs to be refreshed.

Reducing and preventing financial crime is a key priority in the FCA's 2022-2025 strategy. The changes proposed, and made, to the guide focus on areas where the FCA identified a need for further guidance to clarify its expectations of firms.

What's next?

In terms of further developments, we can certainly expect the FCA to consider fraud, AI and machine learning in detecting financial crime. The policy statement notes that some respondents specifically requested more detailed guidance on authorised push payment scams, synthetic identity fraud and digital fraud.

The FCA plans to review relevant chapters of the guide, with a particular focus on authorised push payment fraud, in future updates.