FCA’s latest findings on good and poor practice: risk assessment processes and controls


The FCA has just published its latest findings of good and poor practices relative to risk assessment requirements. These findings are based on the regulator's recent multi-firm review of business-wide risk assessment and customer risk assessment processes (BWRA and CRA respectively), which forms part of its general financial crime supervisory work.

Regulatory focus

The focus here is on financial crime risk and how regulated firms:

  • identify it;
  • understand it;
  • mitigate it; and
  • manage it.

Who these findings apply to

These findings apply to all regulated firms, to Money Laundering Reporting Officers (MLROs), to Senior Managers and to others who may be working in a professional capacity within the industry and who bear responsibility for the prevention of financial crime in some way. 

Sources of the findings

The FCA has undertaken research and analysis of the approaches taken to BWRA and CRA processes and controls throughout a range of firms including:

  • platforms;
  • payments; and
  • wealth management firms.

Findings

Identifying, understanding and assessing risk

The FCA found that few firms are “identifying relevant risks and tailoring the BWRA to the specific business” and had specific concerns around some firms not being able to “explain sufficiently how they are managing and mitigating identified risks”.

The FCA is looking for documentary evidence of:

  • Comprehensive risk assessments with risks assessed by business area and overall results combined into a BWRA which considers both inherent and residual risks and control effectiveness;
  • Thorough reassessment of the BWRA every year; and
  • Bespoke risk assessments that reflect a firm and its products and customers.

What will concern the FCA:

  • Focusing on generic risks or oversimplifying risks;
  • Failing to take note of specific risks;
  • Failing to explain how specific risks impact the firm;
  • Not including both qualitative and quantitative risk assessments;
  • A lack of clarity on how risks are identified and assessed; and
  • Conclusions that are not supported by appropriate evidence.

Mitigating risk

The FCA found that financial crime risk is often considered in different business areas of firms but that there is little evidence of how the combined efforts are joined up.

What the FCA is looking for:

  • Planning to adequately resource compliance and financial crime functions in alignment with growth strategy;
  • An “overall risk-based approach”;
  • Tracking of actions and recommendations to “mitigate or reduce the overall risk”; and
  • Representation of the MLRO throughout the different business areas to articulate the relevant financial crime risks and the measures needed to support a firm in dealing with them.

Indicators that will concern the FCA include failures to:

  • Develop the CRA in line with growth;
  • Keep adequate documentary records of actions;
  • Assign ownership to actions; and
  • Avoid rapid expansion without commensurate controls being implemented.

Managing risk

The FCA has noted more awareness by senior management of fraud risks compared to other financial crime risks. It notes that many firms “recognise the importance of appropriate governance and oversight to ensure risk awareness and thorough risk assessments” with most documenting and sharing risk assessments, and “better firms” keeping records of their deliberations, changes, approvals, testing and reviews of relevant controls and processes. 

Indicators of good practice include:

  • Documentary evidence of appropriate challenge to risk assessments, appropriate information being provided to senior management, tracking of trends, recommendations and actions;
  • CRAs that link to business continuity plans;
  • Fully and clearly documented risk assessment methodologies;
  • Regular reviews of and updates to risk assessments which are capable of responding to emergent risks and changes to regulatory requirements;
  • A holistic and joined-up approach to the identification and assessment of risks.

Matters of concern for the FCA include failures to:

  • Document the full process of the BWRA including “discussion, challenge and approval”;
  • Understand “financial crime risk” in the broadest sense;
  • Carry out enough testing and review of risk assessment processes; and
  • Be sufficiently dynamic and keep risk profiles current. 

Conclusions

All firms should take note of the FCA's findings as it will inevitably utilise them in order to “drive improvements and reduce risk across the industry”. 

You can read more thought-leadership like this by subscribing to our monthly financial services regulation update by clicking here. You can meet our financial services experts by clicking through to our financial services team page here.  

We expect firms to already be complying with existing requirements, specifically, to:

  • Understand the risks your business is exposed to.
  • Have robust financial crime systems and controls to manage and mitigate those risks.

We encourage firms to consider our findings and suggestions within the context of their firm and continue to review your risk-based approach to systems and controls.

https://www.fca.org.uk/publications/good-and-poor-practice/risk-assessment-processes-and-controls-firms-our-findings