How to change in response to changing threats

Speech by Sarah Pritchard, Executive Director of Markets, and Executive Director of International, at XLOD Global New York – The Future of Non-Financial Risk & Control across the 3 Lines of Defence. 

Delivered remotely from London: 16 May 2023
Note: This is a drafted speech and may differ from the delivered version


  • The FCA has been working with celebrity influencers and their agents to clamp down on promotions of illegal or risky financial products.
  • Those working on the first line of defence need to frequently review the risks and threats to customers and whether their controls are equipped to deal with them.
  • Some firms do not have adequate sanctions controls and are overly reliant on third-party providers.

Finfluencers re-united

Choosing a career in fighting financial crime means choosing a life of purpose but not usually one of publicity.

So imagine my surprise when I found myself on the Daily Mail’s celebrity-focused ‘sidebar of shame’ alongside a former Love Island star.

To be fair, it is linked to the MoneyMail section and covered the FCA’s campaign to warn financial influencers – celebrity ‘finfluencers’ – not to get sucked into promoting illegal or inappropriately risky financial products.

We know that many consumers look to social media for advice on financial services so that is where we need to be too, which is why we now have a presence on TikTok, Facebook and Instagram as well as on more traditional channels.

In many ways, finfluencers and the business front line have a lot in common. They are – unwittingly in the case of the former – the first line of defence and gatekeepers between consumers and potential criminals.

It is the first line that will understand the business and know how to creatively reduce risk. Fighting financial crime shouldn't be left just to second or third lines. First line is always the best defence against threats.

As threats change, we change

As threats change, firms also need to change the way they respond to them.

In our hyper-connected world, there is unprecedented speed of change thanks to technology which brings both opportunities and risk.

That is why regulators need to get involved – and fast – when we are alerted to a potential threat on the horizon.

It was only a few weeks ago that we worked closely with other regulators in the hours leading up to the rescue deal of Silicon Valley Bank in the UK by HSBC.

The transaction stopped wider contagion and meant that depositors’ money was kept safe.

While technology can present threats, and increase the speed of transmission, it can also offer solutions and more effective defences. Technology can provide quicker and more innovative ways to solve difficult problems including those which previously could take thousands of human-powered hours to unpick.

We at the FCA strive to take a dynamic and creative approach to the changing threats, tackling harm at the source. We did this just a few days ago, for example, by bringing in talent agents and teaming up with influencers over the real risks involved in promoting financial products.

Making an unlawful financial promotion is a criminal offence that carries a maximum sentence of 2 years' imprisonment and an unlimited fine.

Using machine learning, we also scrape more than 100,000 websites every day, taking down hundreds of those that looked like scams and in 2022, issuing 1,800 warnings about potential scam firms – 400 more than the previous year.

We’ve also been working with big tech platforms and social media to tackle illegal financial promotions. We have persuaded platforms such as Google, Bing and Meta to introduce revised advertising onboarding processes. They now ban paid-for adverts for UK financial services that are not approved by an FCA-authorised firm.

We expect more to be done, particularly thanks to the provisions in the upcoming Online Safety Bill that could see uploaded harmful content removed quickly.

And the scope of our financial promotions work looks set to be extended to any firm or influencer anywhere in the world if they are targeting UK consumers, once legislation comes forward.

These measures have already protected and will further protect the UK public by reducing the opportunity for fraudsters to advertise their scams as legitimate business. For example, since Google introduced its policy, we have seen close to a 100% reduction in paid-for scam ads.

Super-charging the fight against financial crime

We have super-charged our priority to prevent and reduce financial crime as part of our business plan.

At the UK’s Financial Conduct Authority, we are already one of the most prolific enforcers of anti-money laundering rules.

We recently fined Santander more than 107 million pounds over anti-money laundering breaches.

Since 2010, thanks to our actions on Anti-Money Laundering (AML) failings, we have seen more than a billion pounds in fines levelled against firms.

I wanted to talk about us at the FCA first before we turned to firms as we like to practise what we preach and lead by example.

But enough about us, now it is over to the firms, the ones who are the first line of defence.

How should firms adapt their front-line controls?

Adapting front line controls

Financial crime controls are most effective if they are calibrated to the current threats and risk. If you work on the first line of defence, how often do you review the threats and risks to your customers and the controls you have in place to mitigate against them?

Do you ask yourself how your company identifies potential threats to your customers?

Is there feedback between your customer call centres where they may be reporting potential scams or fraud?

Are you updating and revisiting your controls in light of these changes in threat? Are you raising customers’ awareness to the risks and how they can spot scams? How do they tell a genuine email from your firm versus a phishing email?

These are important questions to ask – because in doing so, you will ensure that your firm is effective at adapting to changing threats of financial crime. And this is important, because at the heart of this is ‘confidence.’

All of us want to be able to do business with financial services in confidence, and to trust that effective systems exist to protect from risks of scams and fraud.  

While the FCA will continue to do its part, your firms are part of the front line, and within that you are the front line too. We must all play our part to be successful.  

In the UK, we have the Consumer Duty coming into force at the end of July. We will be asking firms to demonstrate that financial products or services are designed to provide good outcomes for consumers. This should be front-loaded into the design of the product, and capable of travelling through the supply chain and in the sales and after sales service, making sure that the pricing is fair, and that the communication is clear.  

The Consumer Duty will make firms consider many things upfront, rather than waiting for things to unravel. 

If you are operating in the UK, are you asking yourself how the Consumer Duty applies in the context of financial crime? Are you thinking about how financial crime risks can be reduced when new products are designed, and do you operate your financial crime controls in a sufficiently agile way to enable them to respond to changing patterns in threat that your customers may be reporting?

Sanctions systems

The war in Ukraine and the way that international regulators and governments rallied together to bring in swift sanctions showed how quickly complex controls can be rolled out. 

We have been using a new synthetic data tool that allows us to directly test firms' systems for screening names that are on the UK’s Office of Financial Sanctions Implementation (OFSI) consolidated sanctions list. The data tools allow us to test and focus our response, enabling us to be more targeted in our actions and to identify systemic weaknesses at pace.

We have rolled that out to many firms over the last year and will increase its use this year. We also have a similar tool to test payments systems in the late stages of development and hope to roll that out widely shortly.

Through our sanctions screening tool work, we have found a few gaps in firms’ sanctions testing.

For example, governance and oversight of sanctions systems and controls was not clear or effective in some firms.

We saw that most firms are over-reliant on their third-party providers, and they are not properly making sure that their systems are tailored to meet business requirements.

In some cases, systems were not able to generate alerts against known names on the sanctions list issued by OFSI.

Most firms were able to demonstrate that their systems incorporated some form of fuzzy matching logic that took into account different variables but this was with varying degrees of success in generating alerts.

Some firms had systems that generated a high percentage of false positives, which made the new process inefficient and raised the risk of errors.

That said, some firms showed us they had controls in place to measure the effectiveness of their systems' parameters and threshold through sample testing and tuning. These firms had more effective systems and controls – capable of adapting to changing risk.

The systems that work are not just plug and play – they are calibrated to the customer base and risk. 

Plug and play does not work

If you are a new firm or using new technology, you have the best opportunity to calibrate it and make it as effective as it can be rather than those who have to retrofit their systems. 

But it does not mean calibrate and then plug and play forever more. You have to keep fine tuning. 

So, I would ask again – as the first line, how often do you review and calibrate the way you are working as threats change? 

If you are in the first line, do you know how frequently your controls are reviewed and adapted? Do you review your controls whenever patterns of fraud or other threats change - like the partnership that needs to exist between first and second LOD in firms to fight financial crime and build confidence in the financial system? 

At the FCA we have been working with UK and global partners to drive a whole system response to financial crime and intelligence sharing. We have been working with government and crime agencies on the Economic Crime Plan 2. We have also brought together partners including the National Economic Crime Centre (NECC), industry and government to strengthen anti-money laundering measures in Post Offices. 

Through the Office for Professional Body Anti-Money Laundering Supervision (OPBAS), we are driving for more effective anti-money laundering supervision of lawyers and accountants. 

Internationally, we are working with the global alliance of regulators, IOSCO, on a fintech task force.

We can never leave crime spotting to just one team, one organisation or one department, whether that be legal, compliance or other experts.

It takes all of us working together, coalescing towards a common goal - to protect our markets, our economies, and our people from harm - to retain confidence.