Explore the findings from our survey on financial crime controls in corporate finance firms (CFFs), including areas for improvement and good practice.
1. What we did and why
CFFs play an important role in maintaining the integrity and competitiveness of UK capital markets. They connect business and enterprise to sources of capital and are vital to the growth and success of the UK economy.
The CFFs portfolio currently includes around 440 firms with a wide range of business models.
We recently reviewed the CFFs portfolio, focusing on the more than 300 firms that are not required to submit financial crime data regulatory returns. We wanted to:
- Gather firms’ own assessment of the financial crime risks they face.
- Interview senior staff at a selected sample of firms to take a closer look at the anti-financial crime frameworks they operate.
- Publish areas for improvement and good practice.
We surveyed 303 CFFs not currently required to submit financial crime data returns to the FCA, of which 270 (89%) responded. Of these 270, 31 respondents (11%) were principal firms with appointed representatives (ARs).
We then interviewed senior staff at a small subset of firms who were selected to cover a wide range of survey responses.
These findings reflect what firms told us. They are not the results of a review by us of the firms’ anti-money laundering systems and controls.
2. Who this applies to
Corporate finance firms.
3. What we found
Results from the survey indicated that approximately two-thirds of the responding firms may not be compliant with the Money Laundering Regulations in 1 or more elements of their anti-financial crime control frameworks. However, we also found evidence of some widespread good practice.
Here are some high-level findings.
Key areas for improvement
Lack of business-wide risk assessment
31 respondents (11%) reported that they had no documented business-wide risk assessment.
Five of these were principal firms, representing 16% of the principal firms that responded.
Missing evidence of customer due diligence
28 respondents (10%) reported that they did not retain documented evidence of customer due diligence.
Three of these were principal firms, representing 10% of the principal firms that responded.
Gaps in risk assessments for appointed representatives
Of the 31 respondents that were principal firms, 90% reported they have clear policies governing the financial crime risks inherent in their ARs.
However, 9 of these firms (29% of principal firms) reported that they do not actually assess the financial crime risks inherent in their ARs, with 2 firms (6%) having reported they do not:
- Monitor their ARs’ compliance with financial crime regulations.
- Conduct on-site visits or audits.
These areas requiring improvement suggest that many firms may not be complying with their obligations under the Money Laundering Regulations.
Areas of good practice
Regular reporting to senior management
262 respondents (97%) stated that they regularly report to senior management on financial crime matters.
Using a form to assess customer risk
194 respondents (72%) reported that they use a customer risk assessment form.
Twenty of these were principal firms, representing 65% of the principal firms that responded.
Risk registers and management information
Some of the firms that we interviewed indicated that they regularly assess and document the risks to which the firm is exposed, making their business-wide risk assessments a live register of risks and mitigating measures.
Others also indicated using detailed management information to strengthen financial crime controls.
4. Our observations
Business-wide risk assessment
We found that 31 firms (11%) who responded to our survey, including principal firms, did not have a documented business-wide risk assessment.
Reminder for firms
You must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which your firm is exposed.
You must have a documented business-wide risk assessment, under the Money Laundering Regulations.
Customer risk assessment (CRA)
Most firms we spoke to during interviews reported that they build enduring and close business relationships with their clients. This enables them to develop a good understanding of the nature and requirements of those clients. However, survey responses show that 73 firms (27% of all respondents) reported that they did not use a customer risk assessment (CRA) form. This practice was even more common among responding principal firms, with 11 (35%) of them reporting that they did not use a CRA form.
Reminder for firms
You must have documented assessments of the risks posed by your clients, under the Money Laundering Regulations.
Firms cannot just rely on close relationships with clients to develop an understanding of client risk.
Customer due diligence and enhanced due diligence
Most firms we spoke to said they had a good understanding of their clients due to extensive and sustained engagement. However, 28 firms (10%) reported that they do not retain documented information for customer due diligence (CDD).
Strong and long-standing client relationships are central to many CFFs’ business models. However, these relationships cannot replace up-to-date written records of due diligence, including customer screening.
Reminder for firms
You must maintain records of CDD and, where appropriate, enhanced due diligence (EDD), under the Money Laundering Regulations.
Ongoing monitoring
You must conduct ongoing monitoring of your customers, both in terms of scrutinising transactions and keeping records relating to due diligence up to date. This is a requirement under the Money Laundering Regulations.
Many firms reported that they do not deal with client funds, so transaction monitoring may be less applicable to their business relationships. However, firms should consider the sources of all funds they receive, for example engagement fees and other administrative payments.
Firms must also conduct periodic reviews of their business relationships with clients, ensuring that their due diligence remains up to date.
Oversight of appointed representatives (ARs)
Nine principal firms (29%) stated that they do not conduct financial crime risk assessments of their ARs, and 6 principal firms (19%) do not assess the effectiveness of their oversight and control mechanisms for AR financial crime risks.
Some of these firms disclosed that they do not carry out on-site visits or other audits of their ARs.
Others revealed that they lack anti-financial crime policies that specifically cover their ARs. Among this group, many firms also admitted that they do not independently investigate the reports they receive from ARs concerning financial crime controls or incidents.
Two principal firms (6%) reported that they do not have processes to monitor their ARs’ compliance with financial crime regulations.
Three principal firms (10%) reported that they do not conduct EDD on high-risk clients.
Additionally, some firms indicated that their ARs do not verify the source of investors’ funds.
Reminder for firms
Our rules require firms to adequately oversee the regulated activities carried out by ARs, to prevent harm to consumers and the market.
Firms should set up and implement specific policies and procedures to manage the financial crime risks associated with their ARs, including:
- financial crime risk assessments
- on-site visits or audits (where appropriate)
5. Next steps
Our survey findings provide valuable insight into how CFFs mitigate the risks of financial crime they face.
We will use the survey data as we supervise the CFFs portfolio and intervene where firms fall short, in line with our objective to fight financial crime.
We expect all responding firms to consider these findings and address any gaps in their financial crime control frameworks.
We are writing to many firms falling short of regulatory expectations to set out the prompt remedial action we expect. We will follow up with some of these firms in due course to understand what remedial actions they have taken.