A recent blogpost by Arctic Intelligence detailed how a letter by the Financial Conduct Authority (FCA) has exposed companies’ poor quality of business risk assessments.
The FCA’s Dear CEO Letter, published in May, found that the quality of business risk assessments (BRAs) was, in its words, ‘poor’ and not where it should be.
The FCA went on to call on banks to ‘take the necessary steps to gain assurance that your firm’s financial crime systems and controls are commensurate with the risk profile of their firm and meets the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017’.
So where were the weaknesses for companies? According to the FCA, BRAs first of all lacked sufficient detail on the financial crime risks to which a business is exposed. Firms also failed to adequately evidence their assessment of the strength of mitigating controls, and failed to record the rationale supporting the conclusions drawn about the company’s residual risk level. Group-level BRAs were also found not to take account of financial crime risks specific to, or present in, the UK.
However, Arctic Intelligence believes that these findings present an opportunity to conduct an important BRA review. The firm highlighted the BRA failings found in the letter: inherent financial crime risks that had changed since they were originally assessed were neither identified nor reassessed in companies’ BRAs, and second line testing results were not being fed into the BRA process, which led to controls being assessed as more effective than they actually were.
In addition, changes to inherent risks meant that the overall control framework had stopped mitigating those risks as originally intended. The BRA model in use was also either not designed to consider regional differences in inherent financial crime risk, or too convoluted to adjust to incorporate them.
The resulting exposure caused by these failings, Arctic claims, may mean banks carry more financial crime risk than they are willing to accept. The company added that the main cause behind these shortcomings may have been that these changes were not identified or considered as part of the company’s BRA review process.
Arctic said, “Preparing a good BRA can be a challenge. It’s a bit like mixing cement. It needs the right composition of ingredients to create a sturdy, reliable foundation. Get the mix wrong and there’s going to be problems. While a BRA will (hopefully) not cause your house to collapse, it does require careful planning, design, calculation, and delivery to be the value-added tool it’s intended to be.” The company added that a BRA forms the very foundation upon which a financial crime compliance programme rests.
Call to action
What is the call to action of the FCA letter? Arctic believes it requires banks to undertake measures to address the gaps identified, for example by improving the control framework.
According to the firm, incorporating such information as part of a BRA review demonstrates to a regulator that the bank undertook the analysis required by the FCA letter and recognises the link between the work needed and the financial crime control framework used to mitigate its inherent financial crime risks.
Incorporating the information will also show that the bank understands how the analysis may influence the overall results of its BRA and has taken steps to update it. It further shows that the bank has considered whether the outcome of the analysis changed its overall financial crime risk appetite and, if so, what that will mean in practice.
How often should business risk assessments be reviewed? The Joint Money Laundering Steering Group suggests at least once a year, but this may not be sufficient for all companies: if changes occur that could affect the results of a BRA, a more frequent review may be required.
Arctic’s 2021 Benchmark Report, published earlier this year, found that almost 70% of respondents said the BRA process took them up to six months to complete due to its complexity. Meanwhile, over 50% of respondents review their BRA once a year, while 13% do so every two years. This, the company claimed, can leave a bank with an unmitigated financial crime risk exposure that grows over months before it is detected and assessed.
The report also found that many of the controls identified in regulated firms’ BRAs as requiring work had been assessed as not yet tested or as needing some form of improvement.
How can companies make it easier to manage the risks posed by weak BRA strategies? Arctic believes managing these kinds of risks can be made easier by converting the BRA process into a ‘programmatic’ one. This, it believes, allows a bank to focus on analysis rather than spending the majority of its time on spreadsheet management and manual data entry.
Furthermore, transforming the process into a more automated one allows regional variations in inherent financial crime risk across a bank’s group to be incorporated without complex ‘mathematical gymnastics’, and provides a means to track planned control changes and their resolution in a single tool. It can additionally produce a data-driven outcome that can be easily explained and generated for the FCA at any time.
Find the full blogpost here.
Copyright © 2021 RegTech Analyst