FCA criticises how firms manage risks

UK financial firms can do more to explain how they manage risks to their business, according to the Financial Conduct Authority. Following a review of risk assessment processes, the FCA encourages firms to use its findings to improve their systems and controls.

Firms must understand the risks that apply to their business and have robust financial crime systems and controls to manage those risks. To test compliance with these requirements, the FCA has carried out a multi-firm review focusing on business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes.

In its review the FCA found that few firms are tailoring the BWRA to their specific business. Examples of poor practice include:

• Generic or oversimplified risks in BWRAs

• No quantitative analysis

• Unclear processes for identifying and assessing risks

• Missing records

• Lack of evidence of senior oversight

The FCA also highlights examples of good practice, such as:

• Documenting how risks are managed

• Plans to grow the capacity of compliance and financial crime functions to align with the firm’s growth strategy

• Formal tracking of BWRA actions

• Quarterly reviews of risk assessment models and processes

• Evidence of challenge from committees and the Money Laundering Reporting Officer

The FCA examined BWRA and CRA systems and controls at a selection of payments and e-money firms, building societies, custody and fund providers and wealth management firms. The review follows similar findings from earlier this year on how payments firms manage risks and the FCA’s rejection of a cryptoasset registration application due to an under-developed BWRA.

The FCA promises to continue monitoring firms through its supervisory work to make sure they consider the points raised by its review to drive improvements and reduce risk across the industry.