Gavin Renwick

NEWS: FCA UPDATES THE FINANCIAL CRIME GUIDE (FCG)

Updated: Dec 30, 2024

WHITE COLLAR EXECUTIVES SHOULD READ THIS TO AVOID PRISON & INSOLVENCY


The Financial Conduct Authority (FCA) unleashed policy statement PS24/17 on 29 November 2024, ‘finalising’ its most recent updates to the FCG. This article highlights the most significant changes you should be aware of, i.e. Sanctions, MLR Monitoring, Crypto and duties to your customer.




KEY CHANGES
 

  1. SANCTIONS: Breaches of UK or international sanctions should already be reported to the Office of Financial Sanctions Implementation (OFSI) AND the FCA. The updated guidance seeks to address industry-wide omissions in this. Specifically:


    1. SCOPE: Principle 11 (PRIN 2.1.1R): firms are expected to notify the FCA if they or “their group companies, approved persons, senior management functions, appointed representatives and agents” are targets of UK sanctions or those of another country or jurisdiction. The obligation is the same for electronic money institutions, payment services firms and cryptoasset businesses (Annex 1). Simply put, if you or anyone who does business for you is a target of a sanction, the FCA expects you to report it.


    2. REPORTING: SUP 15.3: It is a curious feature of UK Financial Services legislation that the drafting is designed to induce a breach rather than prevent it. For example, in line with SUP 15.3 the FCG now only states that firms should “consider” notifying the FCA of suspected sanctions breaches. It is, however, the experience of every solicitor that the FCA always expects the consideration of notification AND it always expects notification to follow consideration. Simply put, if you or anyone who does business for you is the target of a sanction, notification to the FCA is NOT optional.


    3. RESPONSIBILITY: Senior Managers are now expressly expected to take “clear responsibility for managing sanctions risks” and be “actively engaged in the firm’s approach to addressing the risk of non-compliance with UK sanctions”, as well as to remediate any identified gaps. What this means is that Senior Managers should have known and fixed the gap prior to it being a problem.


  2. MONEY LAUNDERING & TERRORISM FINANCING: The expectations of the digital era are personified in the FCG Transaction Monitoring (TM) requirements. First, the FCG has finally been brought in line with s.188 Economic Crime and Corporate Transparency Act 2023 insofar as information sharing has finally been recognised. Transaction monitoring is expected to take a holistic view of customer behaviour, including recording the reasons behind the decommissioning of automated systems. Interestingly, the FCA stops short of good practice examples and instead lists poor practice such as weak control frameworks, overreliance on threshold-based TM (i.e. machine says report) and poorly calibrated systems. As for AI, it merely acknowledges its existence and commits to exploring its potential.


  3. PROLIFERATION FINANCING (PF): Intrinsically linked to money laundering and terrorism financing, PF now receives its own explicit mention. Specifically, firms must integrate their PF Risk Assessments into those required pursuant to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, and update and amend their processes accordingly. While PF is not placed in its own chapter, Financial Action Task Force and HM Government guidance is already referenced in the FCG in any event.


  4. DATA SECURITY: The genuinely useful part of the guidance relates to the data security chapter. Self-assessment questions have been added on backing up, updating and testing critical systems and data and, more importantly, on restoring services after cyber [attacks] (incorrectly referred to as ‘incidents’). There are further examples of good and poor practice relating to basic data security steps, including testing, encryption, third-party vetting, training and system restoration, together with links to publicly available guidance to assist firms. There is also some helpful guidance as to what is meant by restoring your systems in a “timely manner.”


  5. YOUR CRYPTOCURRENCY/CRYPTOASSET BUSINESS: Substantial amendments have been made to the FCG concerning the risk of crypto-transactions. Specifically, the FCG does not shy away from the limitations of blockchain as a risk assessment tool (the blockchain having taken on a mythos of its own). Nor does it recoil from the now standard need for ‘Enhanced Due Diligence’ made real by VPNs, mixers and privacy coins. Practical examples of how businesses can manage risk associated with self-hosted wallets and DeFi platforms have also been included and, for the avoidance of doubt, crypto businesses MUST include sanction checks.


  6. YOUR CONSUMER DUTY: Finally, in a refreshingly moral approach to financial crime, the FCA has established there is a duty to consumers to try and prevent financial crime by appropriately managing risk. This overarching principle has now been incorporated into the FCG alongside helpful recommendations such as supporting your customer when they are reporting fraud concerns. In an exciting twist, this duty has been spread across the non-Handbook Guidance for Firms on Consumer Duty (FG22/5) which requires firms to consider FCA Principle 2, cross-cutting obligations and consumer duty overcome provisions under PRIN 2A.2.


The remainder of the changes largely relate to EU Regulations where still applicable and various cross-references to foreign jurisdictions.



REMINDER: WHAT IS THE FCA HANDBOOK AGAIN?
 

In the wake of the 2008 crash, the UK’s Financial Services Authority was rebranded the FCA. Charged once again with the correct functioning and governance of the UK’s considerable global financial markets it had neglected, the brand new FCA had its role clarified by the Financial Services and Markets Act 2000 as (1) to protect consumers, (2) to enhance the integrity of the UK financial system and (3) to promote healthy competition.


As an independent branch of the Treasury, the FCA has the power to unilaterally increase the fees of the approximately 50,000 businesses and 48,000 firms it regulates. But its primary threat to businesses, firms and individuals engaged in finance is the FCA's investigatory, criminal, civil and regulatory enforcement powers. To seem transparent and fair, all the rules and guidance the FCA expects to be followed are published in one frequently updated consolidated document, ‘the FCA Handbook.’

 


SO THE FCG IS PART OF THE FCA HANDBOOK RIGHT? - No
 

The part of the Handbook that provides practical assistance and guidance for financial crime is published separately in the FCG. This states that the FCG is not part of the Handbook. However, the Handbook expects you to follow the FCG and if you don’t, you will be punished according to the Handbook.


Simply put and befitting London, the FCA sells the chess board and pieces separately, but you need both to play the finance game.

 


SCOPE
 

The FCA expects firms to demonstrate that they have considered the finalised FCG and thereafter promptly evaluated and updated their own systems accordingly. This applies to all FCA financial crime supervised firms and those supervised pursuant to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.



RESOURCES
 

Below we provide a complete list of resources and contact groups pertinent to financial crime and sanctions, particularly in London:


  1. The FCA Handbook can be accessed by clicking here.


  2. The FCG can be accessed by clicking here.


  3. The Office of Financial Sanctions Implementation (OFSI) can be contacted by clicking here.


  4. The Russian Embassy in London can be accessed by clicking here.

 


COMMENT
 

The updated FCG should be welcomed by all those regulated by the FCA as it provides much needed guidance on the practices the FCA expects to be employed while providing practical 'mythbusting' examples of those usually deemed infallible (such as the blockchain). Any regulated body will need to show that the updated guidance has been considered and changes implemented accordingly.


However, it does raise more than one eyebrow that, in 2024, the FCA saw the need to write into the FCG, firstly, that firms should be acting promptly to restore systems after cyber 'incidents' (aka Russian Hacks) and, secondly, that they should be supporting their customers trying to report fraud to them.


Beginning with the former, if you have been sitting in a dark room waiting for the next Windows update to restore your systems or, alternatively, have decided that is a job for Monday, the FCG would suggest you have incurred some liabilities. As for the latter, if you did not think you needed to support a customer reporting a fraud concern prior to this update, please contact a solicitor immediately. You may have breached the terms of your insurance policies, which can affect cover and incur personal liabilities in addition to those laid out in the Handbook. We shall also be glad to provide a few pointers on how to repair the relationship with your neglected and betrayed, formerly loyal customer.


