The FCA are continuing to press the challenger bank sector to improve its approach to anti-money laundering and sanctions compliance. Today they published the findings of a review conducted on a sample of challenger banks in 2021 and highlighted a number of areas where they see a need for improvement:

Customer risk assessment and customer due diligence -  FCA found a number of firms did not have any or adequate customer risk assessments in place and this compromises their ability to assess the level of CDD/EDD required. A specific concern emerges around many firms not obtaining basic information such as customer occupation or income in order to inform customer risk assessments

Change management - it seems largely tech-based firms are struggling to meet FCA expectations on the management, oversight and control of financial crime change programmes, One interesting question (not touched on by the FCA) is the extent to which this might stem in part from a difference in culture between traditional banks and tech companies: The latter tend to manage projects in a very different way from traditional project management used by incumbents, using "Agile" methods for example. Challengers may need to innovate further to find a way of marrying some of the advantages of Agile with the needs to satisfy regulators and other stakeholders on control. However, it should not be assumed that traditional programme management is the only answer. 

Suspicious activity reports and defence against money laundering requests - the FCA findings suggests some challengers have either not properly understood the circumstances in which SARs and/or DAMLs are required under the legislation (and are over or under-reporting as a result) and/or that some firms' procedures and controls are not configured correctly to ensure compliance. Perhaps most interesting is the FCA's examination of DAML reports as an indicator that customers should never have been onboarded in the first place.

Self-reporting - the FCA is concerned that some firms are not reporting to the FCA significant failures in their financial crime controls, as required by Principle 11 and the associated rules and guidance, which require firms proactively to notify the FCA of such matters.

The FCA suggests that the review has resulted in a number of Skilled Person appointments under section 166 FSMA (or equivalent powers) which will involve much more detailed independent third party review of policies, procedures, systems and controls at those firms concerned - at considerable additional cost to the firm.

For firms in the challenger/fintech sector who have so far escaped such scrutiny now is a good time to review how their own financial crime controls are operating given the lessons emerging from this review and more generally. The priority attaching to this area since the FCA conducted their review has only increased - especially with the significant additional demands in respect of sanctions compliance driven by the response to Russia's invasion of Ukraine.