Ensuring the firms we regulate are effective in preventing financial crime, such as money laundering and sanctions evasion, remains a key priority. This includes testing the financial crime controls of new business models as they enter the UK financial industry. We outline here the key findings, including examples of good practice and areas of improvement observed, from our recent review of financial crime controls at several challenger banks.
Why we conducted this review
The UK’s 2020 National Risk Assessment of money laundering and terrorist financing (the NRA) raised the risk that criminals may be attracted to the fast onboarding process that challenger banks advertise, particularly when setting up money mule networks. Money mules are people who, often without knowing it, have been recruited as money laundering intermediaries for criminals and criminal organisations. The money mules transfer stolen funds between accounts, often in different countries, on behalf of others.
In addition, where these challenger banks promote the ability to open accounts very quickly to attract customers, there is a risk that information gathered at the account opening stage is insufficient to identify higher risk customers.
Given these risks, we reviewed the financial crime controls at a sample of challenger banks that compete with the longer-established, traditional retail banks. Our review of challenger banks helped us to make our own assessment, in addition to the NRA, of the financial crime risks to which challenger banks may be exposed.
Our reviews were conducted in 2021, predating the significant expansion of sanctions against Russia in recent months. Although our focus on sanctions was limited, the main financial crime and money laundering controls we assessed equally apply to firms’ management of sanctions, specifically in respect of the risk that firms are utilised for sanctions evasion.
This review supports our strategy to publicise the findings of our financial crime assessments to raise awareness of financial crime risks among the financial industry.
Who this applies to
We are targeting this review at Money Laundering Reporting Officers and industry practitioners working in financial crime roles.
What we did
There is no universally agreed definition of the term ‘challenger banks’. But the NRA describes a sub-sector of retail banks that aim to reduce the market concentration of traditional high street banks through the use of technology and more up-to-date IT systems. Some firms may be more established, although others are smaller recent entrants to the retail banking market, including some online-only banks.
Our recent Strategic Review of Retail Banking Business Models describes ‘digital banks’ (a subset of ‘challenger banks’) as recent entrants to the UK financial markets. This subset of retail banks has some common features in its business models:
- they primarily offer personal current accounts
- they operate without a branch network, and
- they provide financial services through smartphone apps
The number of personal current accounts operated by this sector has increased rapidly over recent years.
As part of our review, we focused on challenger banks that were relatively new to the market and offered a quick and easy application process. Our sample selection included 6 challenger retail banks, which primarily consist of digital banks – over 50% of the relevant firms. Our sample covered over 8 million customers. As the focus of our review was assessing challenger banks that provide a similar product offering to traditional retail banks, we excluded e-money issuers and payment services providers.
Our review of financial crime controls covered:
- governance and management information
- policies and procedures
- risk assessments
- identification of high risk / sanctioned individuals or entities
- due diligence and ongoing monitoring
- communication, training and awareness
Following our review, the challenger banks where we identified material issues established remedial programmes to address our concerns. This may result in them potentially rejecting a larger number of new customers at onboarding. Where banks are reviewing their existing customer book, this may also result in challenger banks exiting banking relationships with customers.
Where appropriate, we have also used a range of regulatory tools, including appointing skilled persons, to mitigate the risks we identified.
What we found
Overall, as set out in the NRA, we remain of the view that there are limited differences in the inherent financial crime risks faced by challenger banks, compared with traditional retail banks.
The NRA highlights that many challenger banks depend on rapid customer growth for survival. But this must not come at the detriment of complying with customer due diligence (CDD) obligations as set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).
Summary of our observations
- Our financial crime reviews found some evidence of good practice, for example innovative use of technology to identify and verify customers at speed. However, we found more needs to be done by the challenger banks sector as a whole in light of the areas of improvement we identified. The weaknesses we found create an environment for more significant risks of financial crime to occur both when customers are onboarded and throughout the customer journey. Challenger banks are requested to review these findings and make improvements where necessary.
- We would expect financial crime control resources, processes and technology to be commensurate with a bank’s expansion. Challenger banks should apply a risk-based approach to anti-money laundering (AML) controls and also continuously make sure their financial crime controls remain fit for purpose as their business develops and grows.
- We found weaknesses in CDD. For example, most challenger banks did not obtain details about customer income and occupation, resulting in an incomplete assessment of the purpose and intended nature of a customer’s relationship with the bank.
- Some challenger banks were not consistently applying enhanced due diligence (EDD) and were not documenting it as a formal procedure to apply in higher risk circumstances, for example when managing politically exposed persons (PEPs).
- Some had customer risk assessment frameworks that were not well developed and lacked sufficient detail. Some did not even have a customer risk assessment in place.
- We found ineffective management of transaction monitoring alerts. For example, inconsistent or inadequate rationale was used for discounting alerts.
- The UK Financial Intelligence Unit (UKFIU) within the NCA noted a substantial increase in the volume of Suspicious Activity Reports (SARs) reported by challenger banks as banks exit customer relationships for financial crime reasons. This raises concerns about the adequacy of these banks’ CDD and EDD checks when onboarding these customers. We also had concerns about the quality of SARs reported to the NCA.
- We found weaknesses in the effective management of financial crime change programmes. This included inadequate oversight and a lack of pace of implementation, which meant that the challenger banks’ control frameworks were not able to keep up with changes to the business models.
For more on what we found, see the Key Findings section.
Challenger banks should keep evaluating their approach to identifying and assessing the financial crime risks they are exposed to. They need to ensure that they develop their defences against financial crime as their customer base grows and/or they expand into new business areas. This is so their control framework remains fit for purpose.
We will continue to monitor firms’ compliance with their anti-money laundering obligations. This includes ensuring firms meet their requirements to identify their sanctions exposure and take the appropriate steps when exposure is established.
As next steps, if you are a challenger bank, you should:
- consider the key observations and broader findings we are highlighting here to review and enhance your firm’s financial crime frameworks
- ensure your customer risk assessment and enhanced due diligence measures adapt to the heightened risk of sanctions evasion, including but not limited to the identification of ultimate beneficial ownership in higher risk corporate structures
- review the Treasury’s NRA to ensure your firm has appropriately considered money laundering and terrorist financing risks as part of your risk assessment
- see our Dear CEO letter to retail banks on common control failings identified in AML frameworks; these common themes and the need to address identified gaps equally apply to challenger banks
- refer to the guidance produced by the Joint Money Laundering Steering Group (JMLSG), and
- be prepared to give us an update on your firm’s financial crime framework as part of monitoring compliance with the MLRs against a backdrop of changing financial crime risks
Good practices we identified
We saw the following good practices:
- Effective and innovative uses of data and information challenger banks collected to mitigate risks. These included non-traditional approaches to identify, verify and monitor customers – such as video selfies, mobile phone geolocation data, and photo images of the customer’s passport.
- Evidence of stand-alone financial crime policies and procedures which firms regularly updated and which were tailored to the financial crime risks their business could give rise to.
- Some challenger banks mitigating fraud risk by incorporating additional monitoring for known fraud typologies at onboarding and as part of account monitoring. This included Credit Industry Fraud Avoidance System (CIFAS) checking, as well as checks on customers using multiple devices to manage their accounts.
Although we saw these good practices, much more needs to be done overall to ensure that all firms in the challenger banks sector are identifying and appropriately managing financial crime risk.
Areas that need improvement
Customer risk assessment (CRA)
In some challenger banks we found that the CRA framework was not well developed and lacked sufficient detail. Some challenger banks did not even have a customer risk assessment in place.
Customer risk assessments are essential to ensure that the risks a customer relationship presents to a firm are captured. Without a customer risk assessment, a firm can’t ensure that due diligence measures and ongoing monitoring are effective and proportionate to the risks posed by its individual customers.
All firms subject to the MLRs must have in place systems and controls to identify, assess, monitor and manage money laundering risk. These must be comprehensive and proportionate to the nature, scale and complexity of a firm’s activities.
A firm must also keep its customer risk assessment framework updated so it reflects any changes to its business model and products.
Customer due diligence (CDD) and enhanced due diligence (EDD)
The challenger banks we assessed fulfilled the basic identification and verification requirements of the MLRs. But most did not obtain full customer information (for example income and occupation details) to determine their customer’s risk. As a result, they were unable to sufficiently assess the purpose and intended nature of the customer’s relationship with them. This meant they were unable to get a complete picture of the risk associated with the relationship, which ultimately made their transaction monitoring less effective.
Some challenger banks failed to have the required CDD procedures at the customer on-boarding stage, instead relying on their transaction monitoring systems to identify higher risk customers. No matter how good a transaction monitoring system is, firms must still comply with the relevant CDD requirements. Moreover, inadequate CDD will mean a less effective transaction monitoring system.
At some challenger banks, EDD was not being consistently applied and was not documented as a formal procedure. In one example, the challenger bank did not have a clear process for identifying and applying EDD to high-risk customers that are not politically exposed persons (PEPs). This meant it did not have the capability to identify customers that may present a high or higher risk of money laundering or terrorist financing and therefore couldn’t mitigate those higher risks effectively.
We expect all firms subject to the MLRs to ensure they identify and collect the relevant information needed to have a complete picture of all the financial crime risks, including fraud, associated with the customer relationship. This is to manage potential risk indicators and to provide a meaningful basis for subsequent monitoring.
Financial crime change programmes
We recognise that the challenger banks we assessed have grown substantially in recent years while, at the same time, some have enhanced their financial crime framework. However, in some challenger banks, we noted weaknesses in the management of financial crime change programmes. This included inadequate oversight and a lack of pace in implementation, meaning the challenger banks’ control frameworks were not able to keep up with changes to their business models.
While managing financial crime change programmes, we expect firms to have clear project plans for control enhancements outlining key milestones, accountable executives and delivery dates. Senior management should also be tracking projects and ensuring that key deadlines are being met.
In addition to the accountable executive of a change programme, the Risk Committee, the Audit Committee and CEO should be involved in overseeing material developments to these programmes, helping to ensure that appropriate governance and challenge takes place.
Ineffective transaction monitoring alert management
Our review found inadequate handling of transaction monitoring alerts, including:
- inconsistent and inadequate rationale for discounting alerts by alert handlers
- a lack of basic information recorded in the investigation notes
- a lack of holistic reviews of the alerts
We also found examples of transaction monitoring alerts not being reviewed in a timely manner due to inadequate resources being put in place. This affected the challenger banks’ ability to make Suspicious Activity Reports (SARs) as soon as is practicable, as required under the Proceeds of Crime Act 2002. We also saw examples where banks identified fraudulent activity, but investigations were either incomplete or not adequately documented.
A firm must have adequate resources in place to holistically consider customers’ activity as part of its review of transaction monitoring alerts. This should include reviewing what the firm knows about the customer, including previous alerts and the information it collected on the customer, such as income, the nature and purpose of the account, and payment references.
There has been a substantial increase in the volume of SARs and Defence Against Money Laundering (DAML) reports that challenger banks have submitted to the UK Financial Intelligence Unit (UKFIU) at the National Crime Agency (NCA). However, the SARs are often for very low amounts and therefore less likely to result in law enforcement action.
In relation to DAMLs, firms have sent a significant number of reports to the UKFIU when exiting customers that do not fit their documented risk appetite. Our findings indicated that these customers shouldn’t have been onboarded and that better controls and risk assessment may have identified them sooner.
Additionally, in some challenger banks once a DAML is submitted there are occasions where the appropriate blocks are not being applied, allowing a subject to continue transacting despite the reporting institution seeking a DAML and awaiting a response from the UKFIU. This is because there is a disconnect between the relevant function receiving court orders and processing SARs, and the relevant compliance teams.
Finally, the quality of SARs some challenger banks submit to the UKFIU needs to improve. For example:
- some challenger banks provide a lot of transactional data without clarifying why these transactions are suspicious
- some SARs are not specific enough about the circumstances that gave rise to a suspicion of money laundering
- some SARs are incorrectly used to report fraud and/or send information about predicate offences, rather than suspicious activity related to the specific activity that creates reasonable suspicion of funds being the proceeds of crime
Firms should refer to the appropriate UKFIU publications when making a disclosure under POCA 2002 in conjunction with the guidance issued by the JMLSG and the FCA’s Financial Crime Guide. We also remind firms to consider their obligations for customer safeguarding through more appropriate channels, such as Action Fraud.
Principle 11 Notification
We discovered instances where there have been significant financial crime control failures and the challenger bank failed to notify us. For example, Internal Audit in one challenger bank identified that several areas of the firm’s financial control framework were not fully compliant with the MLRs.
We remind firms of their obligations under Principle 11 of the FCA’s Handbook to disclose to us appropriately anything relating to the firm of which we would reasonably expect notice.