
With AML compliance at the top of the FCA’s enforcement agenda for this year, we highlight important focus points for banks and other regulated firms operating in the UK. By Ruby Hamid, Anthony Asindi, Matthew Russell and Tristan Bramble of law firm Ashurst.

The Financial Conduct Authority (FCA) has kicked off its 2023 focus on anti-money laundering (AML) with fines against two banks for AML compliance failures. This follows enforcement action against six further regulated firms or individuals in the past 12 months for failures related to AML systems and controls. 

A unifying theme across the FCA’s recent decisions is the identification of AML compliance failures in the absence of direct evidence that money laundering has occurred. Principle 3 of the FCA’s Principles for Business requires a regulated firm to “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”. 

The breadth of Principle 3 permits the FCA to sanction firms for compliance failures in relation to their AML systems and controls, without identifying specific breaches of the UK Money Laundering Regulations.

We foresee the FCA continuing to take the approach of examining the risk of money laundering, created by inadequate systems and controls, rather than focussing on whether criminal activity has, in fact, occurred.

Five key takeaways

1. Risk assessment

A recurring theme is the FCA’s expectation for banks and other regulated firms to be able to produce evidence of their assessment of the money laundering risk posed by individual customers. The regulator views the risk assessment as a key tenet of a firm’s AML compliance framework.

Failure to maintain records of historical risk assessments and customer risk designations was highlighted by the FCA in a number of Final Notices, in addition to inconsistencies in the approach of regulated firms to risk-rating their customers. The FCA has emphasised that customer risk designations should be based on individual assessments rather than broad views derived from a customer’s geographic location. 

Similarly, customer risk ratings should be reviewed periodically to ensure the frequency at which each risk level is monitored does not become a limiting factor in the accuracy of a risk assessment.

The FCA has stressed that risk assessments are a component of AML compliance frameworks in their own right and distinct from the additional measures required where customers pose a higher risk from a politically exposed person (PEP) or sanctions perspective. The FCA has been critical of firms where it was found that they had no formal risk assessment of customers, except for PEPs and individuals linked to sanctioned countries.

Area for action: Banks and other regulated firms should take a cost-effective but dynamic approach to mitigating risk such as deploying tailored risk assessments that can be calibrated for changes to the shape, size, and offerings of the firm. 

Ultimately, a regulated firm should be able to stand behind its risk assessment. Not only should it articulate where the genuine risks are within the organisation, but it should be clear what action is being taken and the rationale for doing so in light of the risks.

2. Customer onboarding and screening

A common criticism of banks and other regulated firms is their failure to carry out adequate customer due diligence (CDD) and enhanced due diligence (EDD) at the point of onboarding a customer. 

In a recent Final Notice, the FCA found that a bank relied on due diligence carried out by group entities in other states in the knowledge that the required standards under the UK Money Laundering Regulations would not be met. Similarly, the FCA criticised another bank for failing to adequately establish the source of funds and wealth of higher-risk customers. 

Area for action: Banks and other regulated firms should ensure that their AML framework is proportionate. Key controls such as onboarding and screening need to address the actual risks that demand any heightened security. EDD, for example, doesn’t just mean doing more – rather, any additional steps need to be informed by the specific risks that have been identified.

3. Ongoing monitoring

The requirement for banks and other regulated firms to have ongoing regard to their regulatory requirements and the expectations of the FCA was reiterated in recent Final Notices.

In particular, the FCA has criticised firms for failing to adequately follow up on outstanding CDD and EDD document requests, and has called out firms who have prioritised opening accounts with new customers over the periodic review of existing accounts.

The FCA has made clear its expectation that regulated firms should have ongoing regard to the guidance and other decisions it publishes in relation to financial crime failures. Recent Final Notices have referred expressly to other Notices or guidance on AML weaknesses, and have criticised firms for failing to have regard to this body of information when addressing their own compliance frameworks.

Area for action: Banks and other regulated firms should ensure that adequate ongoing monitoring procedures are embedded throughout the business. Opening new accounts will generate revenue, but failing to review existing accounts does not help the firm to grow safely. The latter must be prioritised to understand the evolving risk already within the firm, alongside new business.

4. Training

Adequate training of staff in relation to financial crime risks and regulations was identified as a weakness in recent Final Notices. For example, in relation to one bank, the FCA found that:

  • induction AML training was not specific to its products and customers, and tailored training was not offered based on an individual’s role or responsibilities;
  • the bank did not maintain an AML training log; and
  • the inadequate training formed the background to other failures identified in relation to risk assessments, due diligence and ongoing monitoring.

More generally, the FCA has expressed concern that inadequate training leads to employees with due diligence responsibilities having insufficient knowledge of the relevant regulatory requirements to effectively carry out their role.

Area for action: Banks and other regulated firms should make sure that training is effective, robust and commercially relevant. When training is tiresome and unnecessarily onerous, it loses its effect and creates a risk of neglect. The Senior Managers and Certification Regime holds named senior staff accountable, but the FCA will call out regulated firms where it considers that employees more generally have insufficient knowledge of regulatory requirements.

5. Effective remediation

Another recurring theme is the failure of banks and other regulated firms to effectively implement remedial improvements in response to historical reviews of their AML systems and controls. A number of recent enforcement decisions involved internal and external compliance reviews which identified the original compliance failures that formed the basis for the sanction in the Final Notice. The FCA drew attention to the fact that failures which formed the basis of its decisions had been identified and addressed inadequately on previous occasions by a number of firms.

For example, the FCA criticised regulated firms where they failed to take adequate steps to address compliance deficiencies which were identified during historical reviews of AML systems and controls. In particular, the FCA stressed that it expects remedial action plans to be followed through to completion, and criticised firms for leaving key actions unresolved.

Area for action: Banks and other regulated firms should uplift risk considerations in a targeted manner that is proportionate to cost, capacity and organisational structure. This targeted uplift will avoid repeat offences arising from a failure to effectively implement required remedial improvements to AML systems and controls.

A fit-for-purpose programme, which is defensible and prepared for audit, will keep key elements such as ongoing monitoring and training at the forefront of the compliance agenda.

Ruby Hamid is a partner and Anthony Asindi is an associate in the dispute resolution practice of Ashurst, and Matthew Russell is a partner and Tristan Bramble is an executive at Ashurst Risk Advisory.


