Name: The Financial Conduct Authority (FCA)
Role: Financial regulator
Country: the UK
Year of foundation: 2013
The FCA is one of the most stringent and yet most respected regulators worldwide. Along with the Bank of England, it supervises financial businesses in the UK, such as banks, credit firms, electronic money institutions, insurers, and many more. See the full list of reporting entities under the section ‘firms’ on the FCA’s website.
The activity of the regulator can be divided into two major blocks:
Now, we’ll move on to the laws that form the legal basis for the FCA’s activity.
The FCA’s AML requirements are based on several domestic and international laws. Here are the principal ones:
The UK anti-money laundering regulation is based on the international requirements. In particular, the European 4th and 5th Anti-Money Laundering Directives are transposed into the national law. However, the country will not implement the upcoming 6th AMLD.
To ensure the stability of the market and the protection of consumers, the FCA collaborates with a number of regulators, primarily the Bank of England and the Treasury. See the full list of other organizations that the FCA works with.
AML compliance entails the prevention of money laundering, terrorist financing, fraud, and other financial crimes. Here is a breakdown of the procedures that the FCA enforces:
Senior management is responsible for overseeing the company’s money laundering risks. The management is required to acquire so-called ‘financial crime management information’ from other company members. This information includes the assessment of the risks that the business is exposed to, the efficiency of their mitigation, the number and nature of new business relationships and more. For additional insights, please refer to the ‘Financial Crime Management Information’ section in the Financial Crime Guide.
Every company that complies with the ML Regulations is required to appoint a nominated officer. Businesses that are regulated by the FCA must also select a Money-Laundering Reporting Officer (MLRO). Duties of the nominated officer and the MLRO are different: a nominated officer reports money laundering cases, while an MLRO manages the company’s AML compliance with the FCA rules. One member of staff can be both a nominated officer and an MLRO.
The FCA requires companies to monitor the implementation and relevance of all these procedures on an ongoing basis. How a business performs its AML compliance duties must also be regularly assessed through internal and external auditing.
A company can seek the help of a service provider in carrying out its KYC duties.
“Applying CDD measures involves several steps. The firm is required to verify the identity of customers and, where applicable, beneficial owners. The purpose and intended nature of the business relationship must also be assessed, and if appropriate, information on this obtained.” (The JMLSG’s guide on Prevention of money laundering/ combating terrorist financing, §5.3.1.)
As part of any KYC procedure, Customer Due Diligence (CDD) must be carried out. This can either be simplified or enhanced, depending on the situation.
A company applies CDD when:
The list of information that needs to be collected for CDD differs for natural persons and legal persons.
The FCA prescribes slightly different CDD requirements for each type of business (state-owned firms, public sector companies, etc.), so it is always recommended to refer to the JMLSG guide section dedicated to the relevant type.
Both legal and natural persons should be checked against various watchlists such as the UK government’s financial sanctions list and trade sanctions list, the European Commission’s list of high-risk third countries and the Treasury’s list of high-risk countries & countries towards which enhanced due diligence is required. Although the screening of customers against all these sanctions lists is not a legal requirement, the FCA still highly recommends doing so to avoid breaches of the sanctions regime.
If a company cannot apply CDD or is not satisfied with the results of the check (for instance, when it cannot obtain information about the beneficial owner), the company must not engage in a business relationship.
“The firm identifies the customer by obtaining a range of information about him. The verification of the identity consists of the firm verifying some of this information against documents or information obtained from a reliable source which is independent of the customer.” (The JMLSG’s guide, §5.3.2.)
CDD consists of identification (i.e., getting to know who this individual or company is) and verification (i.e., making sure that the individual or company is who they claim they are).
Verification can be conducted based on identity documents (a passport, driving license, etc.) or some information received from a reliable and independent source (e.g., written assurance from the company that has dealt with the customer).
The FCA permits digital identity verification. When seeking the help of a KYC service provider, a company must ensure that the provider is reliable in terms of its technology and policies. Some of the major requirements for a provider include: 1) registration with the Information Commissioner’s Office (or an equivalent) to store personal data; 2) access to a wide range of information sources; and 3) transparency.
Companies can apply a less strict version of the due diligence check, called Simplified Due Diligence (SDD), when the risk of coming across money laundering or another financial crime is low. For example, conducting SDD may be an option when a business deals with a publicly owned enterprise or an individual from a lower-risk country. Credit or financial institutions that are subject to the 4th AML Directive and companies listed on a regulated market are also among the lower-risk factors. See all of the factors at §5.4.2 of the JMLSG guidance.
However, the presence of one or even several such factors does not automatically mean that a company can apply SDD. A thorough assessment is needed before conducting this check, so in reality, businesses undertake it quite rarely.
During SDD, companies are able to tone down the extent and timing of the measures that they take. It is up to the business to decide how exactly it conducts this simplified check. However, all SDD procedures must be outlined in the AML compliance policy. In addition, each application case must be comprehensively recorded.
When businesses encounter high-risk factors for money laundering, they must apply a further check, in addition to CDD, that is much more thorough. This procedure is called Enhanced Due Diligence (EDD). Below, you can find some of the most common high-risk factors:
EDD must also be conducted for any other situation that presents a high possibility of money laundering. See the full list of cases in which an enhanced check is needed here. However, not all of these factors will automatically result in the need to conduct EDD. For instance, it is possible not to apply an enhanced check for domestic PEPs if there are no other ‘red flags.’
Generally, EDD requires companies to obtain more information about the individual or the company to be fully satisfied that they are who they claim they are. EDD usually includes an understanding of a customer’s reputation, an examination of their source of wealth and source of funds, in addition to independent internal and external intelligence reports (for very high-risk cases). For more insights, please refer to the Regulations 2017, 2019, and the Financial Crime Guide that provides examples of good and poor CDD practices.
The FCA requires companies to file three main types of reports:
Let’s dive deeper into each type.
This is a report on a company’s procedures and safeguards for preventing financial crime. Above all, it includes information about customers and AML compliance. Check out the submission form.
Person in charge of the submission: MLRO.
Authority to submit to: FCA.
Means of submission: online via the FCA website.
Time: annually, at the end of a financial year or within 60 business days of the company’s latest accounting reference date.
Here you can find thorough guidance on the submission requirements.
This is an internal report on the company’s AML compliance. It gives an overview of AML procedures and internal safeguards and provides recommendations for their improvement. Although a Money-Laundering Reporting Officer (MLRO) is obliged to file this report, there is no specific format as to how it must be done.
Person in charge of the submission: MLRO.
Authority to submit to: the senior management of the company.
Means of submission: any.
The JMLSG suggests using this framework as a reference.
Under the Proceeds of Crime Act 2002 (POCA), every company that is subject to the FCA must report any suspicious activity that they detect.
Person in charge of the submission: a nominated officer.
Authority to submit to: the National Crime Agency (NCA).
Means of submission: reports can be submitted online via the NCA SAR Online System.
Time: as soon as the suspicion has arisen.
For successful reporting, any company needs an AML-compliant system of data recording, which we’re going to discuss in the next section.
“Record keeping is an essential component of the audit trail that the ML Regulations and FCA Rules seek to establish in order to assist in any financial investigation and to ensure that criminal funds are kept out of the financial system, or if not, that they may be detected and confiscated by the authorities.” (The JMLSG’s guide, §8.2.)
Here, we’ll briefly talk you through the requirements for the recording and storage of data.
Data to record: AML policies, results of due diligence checks, records for transactions (information about payers and payees for wire transfers), SARs and other reports, information on the established business relationship and offered services, in addition to communication with customers (telephone calls, emails, SMS, etc.).
Recording requirements: store scans or electronic forms of the documents.
Retention period: five years after the relationship with the customer ends or after an occasional transaction. There is no need to keep records of ordinary transactions performed within a business relationship for more than ten years.
The personal data of customers must be held only for the purpose of complying with AML requirements.
Here is a list of the types of misconduct the FCA has the authority to sanction:
The FCA has the following powers to impose sanctions for non-compliance (breach, market abuse, etc.): 1) publish a statement; 2) impose a financial penalty; 3) withdraw a company’s license; 4) suspend an individual from their functions.
There is no set limit to the fine that the FCA can impose. Instead, the regulator examines every case and calculates the amount based on its 5-step approach (see DEPP 6.5 Determining the appropriate level of financial penalty).
In addition to imposing fines, the regulator can engage in criminal prosecution. While insufficient AML compliance can result in a fine and/or a prison term of up to two years, actual money laundering offenses can, in the most severe of cases, lead to 14 years of imprisonment.
For more information, please check out the FCA’s guide on enforcement.
Here are some compliance-related materials about the FCA that may be of use.
The primary resource for understanding the FCA’s activity and requirements is the FCA Handbook.
Please check out the list below for more information on financial crimes compliance:
Below, you can find some comprehensive guidance on suspicious activity reporting:
Here are a couple of materials that can help you to better understand the regulator’s enforcement activity.