In November 2016, the Financial Conduct Authority (FCA) issued a booklet entitled ‘Consumer credit: Protecting your business from financial crime’. The regulator says that its contents are particularly aimed at credit firms who are new to FCA oversight.
The booklet begins by saying that firms in all areas of consumer credit, and indeed all firms regulated by the FCA, have a high-level obligation to put in place systems and controls to reduce the risk of the firm being used to facilitate financial crime.
It then goes on to say that the FCA’s detailed money laundering regulations do not apply to most types of credit firm. They apply however to most firms that enter into credit agreements as a lender. Exceptions include firms that only offer fixed sum credit with deferred payments of less than 12 months; and firms offering cheque cashing, currency exchange or money transmission services. Firms in the latter category are subject to the supervision of HM Revenue & Customs for money laundering purposes.
Firms that are subject to the detailed FCA money laundering rules must appoint a Money Laundering Reporting Officer (MLRO). This individual must be a senior manager with the skills and experience to assess money laundering risks, to decide if transactions are suspicious and to know how to respond to reports of suspicious activity. The MLRO must report to the firm’s board on at least an annual basis on the effectiveness of the firm’s money laundering systems and controls.
Firms subject to the detailed rules are also required to consider money laundering risk whenever they:
• Develop new products
• Start doing business with new customers
• Change their business profile
Firms are expected to conduct an assessment of the financial crime risks posed by their business model, and to repeat this risk assessment on a regular basis.
All authorised firms should also have documented anti-money laundering procedures, and staff should be trained on the contents of this procedure, and on how to report a suspicious transaction.
Senior management must take responsibility for establishing and maintaining effective financial crime controls, and must keep up to date with financial crime issues.
Financial crime risks also exist as a result of the fact that authorised firms need to hold customer data. Firms must therefore have written data protection procedures and must have systems in place to ensure the security of customers’ data with which they are entrusted. Again, a senior manager should take responsibility for data security issues.
Examples of good data security practice, as mentioned in the booklet, include:
• Having individual user accounts for all systems containing customer data
• Restricting access to areas where customer data is stored
• Encrypting customer data which is held in electronic form
Finally, firms are reminded of the need to maintain evidence of verification of a customer’s identity for five years after the end of the business relationship with that customer.
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.