The FCA continues to focus its enforcement activity on firms' anti-money laundering ("AML") systems and controls. Its latest final notice against an investment brokerage (ADM Investor Services International, the "Firm") demonstrates its continuing use of Principle 3 to hold firms accountable for AML systems and controls issues. The case involved breaches which the FCA found to be serious, and is a good example of the FCA analysing the effectiveness and robustness of a firm's AML policies, controls and procedures in granular detail, through the lifecycle of a customer relationship. Among other matters, it contains some useful observations on the effectiveness of internal audit, and the contents of MLRO reports. Global Investigations partner, David Pygott, senior knowledge lawyer, Gilly Bradbury, and associate, Minos Lau, discuss the FCA's enforcement action and some key learnings.
The final notice against the Firm
On 29 September 2023, the FCA published its final notice, imposing a financial penalty of £6,470,600 in respect of breaches of Principle 3 between September 2014 and October 2016. The penalty took into account a 30% settlement discount.
The FCA identified issues with the Firm's systems and controls across all lines of defence, finding that it breached Principle 3 because of:
- inadequate procedures, including an inadequate AML risk assessment, no procedures in place to conduct enhanced due diligence (EDD) on politically exposed persons (PEPs), failures to conduct EDD, other record-keeping failures, and a failure to conduct ongoing monitoring of customer due diligence (CDD) information on high-risk clients; and
- governance and oversight failures. In particular, the FCA found that the Firm's internal audit function did not identify relevant AML and financial crime failings and/or communicate these effectively to senior management, and the FCA found weaknesses in the Firm's approach to MLRO reports.
The FCA's findings are considered in more detail below.
Lessons learned
This case is in our view a good example of the FCA analysing the effectiveness of a firm's AML policies, controls and procedures in granular detail, over the lifecycle of a customer relationship (from initial CDD through ongoing monitoring), and across a series of different functions and lines of defence at the firm. While this reflects the approach the FCA has taken in previous cases, this was a matter where the FCA found extensive and serious breaches. Its reasoning provides a number of useful reminders and learnings. We would pick out the issues below.
Firms need to effectively address concerns that the FCA highlights to them
Part of the FCA's reasoning for imposing an increased fine in this case was that it had conducted a periodic assessment of the Firm's AML systems and controls in 2014, and identified issues for the Firm to address. The Firm was required to complete a risk mitigation program. In 2016, the FCA conducted a re-assessment and found not only that some of the issues previously identified had not been adequately addressed, but also that there were a series of new issues. The Firm and the FCA agreed a Voluntary Requirement (VREQ) restricting it from certain operations for a period.
In its calculation of the penalty, the FCA reasoned that an aggravating factor was that the Firm had been put on notice about the FCA's concerns in 2014, but had not invested significant resources to improve its controls and address matters until the FCA's subsequent assessment exercise in 2016.
AML policies and associated procedures need to be revised and kept up to date
The FCA found that the Firm had a number of relevant policies and procedures, including an AML policy. However, there was evidence that, while the AML policy had periodically been reviewed, it had not been amended substantially for considerable periods of time, despite the legal and regulatory environment changing materially over the same periods. The FCA found that the Firm had not taken appropriate steps to ensure that it remained up to date.
The FCA conducted a detailed review of the AML policy against prevailing legislative requirements and found that it was deficient because, among other matters:
- it did not refer to individual client risk assessments, or mandate a risk-based approach to the application of CDD measures, or provide that the intensity or frequency of CDD measures should vary based on the risk posed by each client, or prohibit the continuing of a business relationship with a client when it was not possible to apply CDD measures;
- it did not mandate obtaining information on the purpose and nature of the business relationship to enable the Firm to assess (on an ongoing basis) whether the transactions and activities carried on for a client were consistent with its expectations;
- it failed to highlight obvious money laundering risks, e.g. from high-risk jurisdictions;
- it made no reference to examining sources of wealth;
- it failed to refer to EDD or PEPs either in name or substance;
- it failed to cover counter-terrorist financing (CTF) risk;
- it failed to refer to the requirement to conduct on-going monitoring;
- it failed to ascribe responsibilities to specific staff and officers, in particular between the MLRO and front-line and compliance staff; and
- it contained incorrect and out-of-date references to legislation and regulatory guidance.
The FCA made similar criticisms of the Firm's other policies, controls and procedures including aspects of its Compliance Manual and Account Opening Policies and Procedures.
Unacceptable weaknesses in customer due diligence (CDD) and ongoing monitoring
The FCA's reasoning highlights material issues with the Firm's approach to CDD, ongoing monitoring, internal reviews, and record keeping. For example:
- the FCA found that the Firm had no documented process to determine the money laundering risks presented by each of its customers prior to the FCA's 2014 assessment. A process which the Firm later started to use (in November 2014) lacked sufficient specificity to be useful. For example, it mentioned jurisdiction risk but failed to identify high-risk jurisdictions or the concepts of incorporation, residence, or domicile. The process also allowed certain PEPs to bypass EDD, contrary to the MLRs. It also did not apply to clients onboarded before then and did not take into account the risks presented by those clients until the FCA's visit in June 2016, when the Firm was required by the FCA to carry out revised risk assessments for every customer. The Firm had, however, attested to the FCA in September 2014 that its risk assessment framework was compliant;
- during one of its visits in 2016, the FCA found that there was no evidence of source of wealth or source of funds being obtained in respect of one of the PEPs. It also found that limited EDD had been conducted on a high-risk client file, there was a lack of evidence that adverse media checks had been conducted, and it found that the Firm had failed to identify the fact that the ultimate beneficial owner of a corporate account client was a PEP. In March 2016, the Firm's compliance staff noted it did not have an EDD process in place for PEPs but no new policy was implemented until after the FCA's June visit;
- although the Firm used a software program to conduct ongoing monitoring, a significant backlog of thousands of unreviewed cases had built up. This issue was compounded by poor quality information being entered onto the system;
- the Firm provided records demonstrating that some AML training had been delivered to staff, but these were limited. In 2014 and 2015 there was also no record of the content of the training package so the FCA could not assess whether that had been suitable.
Issues with internal audit
This matter contains some useful learnings with respect to the effectiveness of the internal audit function - the third line of defence for most firms. The FCA found that the Firm's internal auditors had made a number of relevant findings over time, which were not acted on by management. These included findings that:
- the Firm's AML policies were not being updated; and
- there was a backlog of 3,500 open KYC cases.
However, the FCA also found that aspects of the internal audit function's approach were not sufficient to meet regulatory requirements. In particular, the FCA took the view that some of the internal audit function's RAG (red-amber-green) ratings were inappropriate, in that they understated the seriousness of the issues. In the FCA's view, this gave "misplaced assurance" to senior management.
Some useful commentary about the contents of an MLRO report
The FCA's decision contains some useful commentary with respect to a firm's MLRO reports. Whilst the production of such reports is a regulatory requirement, and such reports have been reviewed and referenced in previous FCA enforcement actions, this case includes a number of indications of what the FCA expects them to contain. This may be useful to other firms, given that the legal and regulatory requirements in relation to such reports are relatively unspecific (see for example SYSC 6.3.7G, which refers to the 'operation and effectiveness' of AML systems and controls).
The FCA's findings in this case suggest that it expects MLRO reports to contain:
- material that aligns with the firm's own AML policy – i.e. the MLRO reports should contain what the firm's policy says they should contain;
- an assessment of the state of the firm's AML systems and controls, including an evaluation of their effectiveness and accurate identification of any areas of weakness or potential improvement;
- relevant information about breaches, any actions taken to address them, and the results of any internal or external audits;
- material which is accurate – the FCA highlighted for example that some passages had been copied and pasted from year to year apparently without update or assessment of whether they reflected reality;
- details of AML training provided to staff, including its content, frequency, and effectiveness; and
- remedial actions taken by the firm to address the issues identified, and information about any attestation to the FCA as to compliance. This would demonstrate the firm's commitment to resolving any identified weaknesses and improving its AML systems and controls.
It seems clear, from the FCA's approach, that it expects MLRO reports to be transparent and provide a true reflection of the firm's AML systems and controls, without downplaying or concealing issues that could present regulatory risks.