“Although we have observed examples of effective control frameworks and good practice, we are disappointed to continue to identify, across some firms, several common weaknesses in key areas of firms’ financial crime systems and control frameworks. […] The consequences of poor financial crime controls in a high-risk sector such as retail banking are significant. It can lead to criminals abusing the financial system to launder the proceeds of crime, supporting further criminal activity and damaging the integrity of the UK financial market.” (FCA’s Dear CEO Letter to Retail Banks, May 2021[1])

It is estimated that the proceeds of crime as a result of money laundering are more than £100 billion per year in the UK alone, with an acknowledgement that this amount could be understated due to large volumes of money laundering going undetected (National Crime Agency, 2019)[2].

In May 2021 the FCA issued a “Dear CEO” letter, addressed to all UK retail banks, to tackle the common failings identified in money laundering and terrorist financing control frameworks across the industry. The letter shares common themes arising out of the FCA's recent assessments of retail banks' financial crime systems and controls and reinforces senior management accountability for financial crime risk mitigation. The FCA has requested that all retail banks undertake a gap analysis of their financial crime controls by 17 September 2021 in order to understand areas of weakness and help them strengthen their control framework.

What does this mean for UK Retail Banks?

As highlighted in its letter, the FCA has deemed that compliance controls and processes are areas in which retail banks have been underperforming. All too often, these controls are too generic, and not tailored to the specific financial crime risks faced by an organisation—they may help to demonstrate compliance, but they are not effective at reducing financial crime.

While the controls put in place meet regulatory requirements, they may not be aligned to the risk profile of the bank and its customers. As these controls are not fit for purpose, they may attempt to identify or manage risks that simply do not exist, creating waste whilst potentially failing to mitigate true financial crime risk.

Failure to ensure appropriate controls are in place may result in the proceeds of crime flowing through the bank and/or facilitation of the financing of terrorism, both of which can lead to substantial fines and significant reputational damage.

Where are the gaps?

By now, most retail banks would have undertaken their gap analyses and identified any weaknesses within their compliance framework.

Through our experience of undertaking gap assessments across the retail banking sector, we have identified a number of common failings across the industry, which are in line with the requirements (and findings) of the FCA. Most of these gaps come from organisations putting controls in place to appear “compliant” without necessarily tailoring these to fit their risk exposure.

Governance and Oversight

FCA requirement:

  • Senior management need to establish suitable oversight and an appropriate assessment of the financial crime risks pertinent to their bank, and ensure suitable methods are in place for detecting financial crime

Common gaps:

  • Lack of independence and clarity of responsibilities between the first and second lines of defence, restricting risk ownership in the first line and preventing effective review and challenge of first line controls by the second line of defence
  • “Ready-made” controls, frameworks and products, particularly surrounding centralised sanctions screening or transaction monitoring, do not take into account the bank’s specific customer and product base
  • Senior management sign-off in high-risk scenarios is often lacking, with an inadequate governance committee responsible for key decision making

Customer Risk Assessment

FCA requirement:

  • Firms must look at assessing customer risk based on the business and jurisdiction that the firm and its customers operate in
  • Customer risk assessments should assess all underlying factors when risk assessing a customer, including product risk, geographic risk, industry risk and inherent customer risk

Common gaps:

  • Risk assessments are commonly too generic to address the various types of risk exposures, and justification for risk ratings may be inadequate
  • There is often a need for strengthening the documentation of key risks and focusing on assessing the aggregate risk profile of individual customers

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

FCA requirement:

  • Firms are expected to mitigate financial crime risks through implementing appropriate measures to verify the customer's identity. In addition, firms are expected to collect additional information on higher risk customers both at onboarding and on a periodic basis (or if a trigger event occurs)
  • Firms must determine the extent of their CDD requirements using a risk-based approach, depending on the type of customer, business relationship, product or transaction, and undertake enhanced due diligence (EDD) on higher risk customers when required

Common gaps:

  • CDD measures are often inadequately performed, particularly with regard to obtaining information on the purpose and intended nature of a customer relationship and to making assessments of the information received
  • EDD processes are often not suitable for mitigating the risks posed by particular high-risk customers. This is especially notable when evidencing an adequate assessment of source of wealth (SOW) and source of funds (SOF), with an insufficient understanding of these distinct requirements commonly seen

Transaction Monitoring

FCA requirement:

  • Firms are expected to monitor transactions to assess whether these sit within a customer’s expected activity and in line with the risk appetite of the bank. This will help determine whether there are reasonable grounds for knowing or suspecting that ML or TF may be taking place

Common gaps:

  • Transaction monitoring systems can be implemented and managed at a group-wide level and may not be sufficient for a localised bank’s specific activities and customers
  • The scenarios applied do not always respond to the specific risks of the firm. This is frequently seen when banks use ready-made solutions, without much thought being put into how applicable these are to their product and customer base
  • Scenario thresholds can be set based on vendor defaults without considering the expected levels of behaviour of underlying customers

Suspicious Activity Reporting (SARs)

FCA requirement:

  • Retail banks are required to report any instances in which they know, suspect or have reasonable grounds for knowing or suspecting that a customer is engaging in money laundering or terrorist financing. This should be through the nominated officer or appointed delegate

Common gaps:

  • Bank employees unaware of the requirement to avoid “tipping off” customers
  • Poorly articulated processes and procedures for conducting financial crime investigations and submitting SARs to the NCA
  • Unclear process for raising ‘manual’ SARs outside of automated transaction monitoring

Becoming compliant by design

Retail banks need to ensure that they have a risk-first approach in order to manage gaps in their financial crime control framework and align to FCA requirements. In summary, this can be achieved through:

  1. Better understanding how financial crime is actually carried out – the typologies and associated red flags
  2. Understanding which of these typologies can be carried out through your organisation and, therefore, constitute genuine inherent risks
  3. Using these risks as the basis for your FC program and designing controls which can tackle them head on

As the prevalence of financial crime continues to grow, regulators are demanding more than just the appearance of compliance. A smarter approach needs to be taken to effectively deter and detect financial crime, inhibiting the ability of criminals to abuse banking services and profit from illicit gains.

If you would like to find out more about how we can help you, please contact Victoria Kelly.

[1] https://www.fca.org.uk/publication/correspondence/dear-ceo-letter-common-control-failings-identified-in-anti-money-laundering-frameworks.pdf

[2] https://www.nationalcrimeagency.gov.uk/news/national-economic-crime-centre-leads-push-to-identify-money-laundering-activity

