Surveying the financial crime landscape in the UK: insights across the market from the annual financial crime return
04 April 2019
The UK’s Financial Conduct Authority (the FCA) has published the first set of aggregated results from its new annual survey of over 2,000 firms on financial crime.
Firms within the UK and across Europe may find the insights helpful when considering the adequacy of their identification of high-risk customers and management of suspicious activity reporting by comparing their own management information against industry-wide trends and averages reported in the survey. It also offers a window into market participants’ views on forwardlooking trends into 2019 for expected financial crime risks (both by activity type and by country) and action being taken by law enforcement to combat these risks. Financial crime remains high on the FCA’s agenda. In addition to enforcement action and rhetoric, the FCA’s understanding of the scope of financial crime threats in the UK has been bolstered by the responses to the financial crime return (termed the “REP-CRIM” by the FCA). Since 31 December 2016, the FCA has required over 2,000 firms subject to the UK Money Laundering Regulations, including all UK banks and building societies, to submit an annual financial crime data return.
In November 2018, the FCA published its first industry wide report analysing the aggregated financial crime threats and trends identified in the survey responses.
The results provide a useful overview across the surveyed firms of: (i) the number and nature of high-risk customer relationships maintained in the UK; (ii) ongoing work within those firms to combat financial crime; and (iii) industry perceptions on specific fraud and country risks.
Statistics on the overall number of high-risk customers in the UK
The respondent firms had a customer base consisting of approximately 549m relationships, of which only 120,000 involved ‘politically exposed persons’ (PEPs) (an overall share of 0.02% of total customers) and 1.6m other ‘high-risk customers’ (an overall share of 0.29% of total customers).
It is possible that the FCA could use this industry-wide data to target firms for additional supervision in terms of AML controls. For instance, the FCA could focus on an individual firm with high-risk or PEP customer shares exceeding these industry-wide averages or, on the other hand, falling significantly below what might be expected for a firm of that size (and therefore potentially evidencing inadequate identification of high-risk customers). Adequate identification and management of high-risk customers has remained a key focus in the FCA’s 2017/18 annual report, with enforcement activity taken in June 2018 against Canara Bank.
Current industry activity in tackling financial crime
- Resourcing costs: Combatting financial crime continues to impose a heavy compliance resourcing cost on the UK financial services industry. Based on the survey results, over GBP650m is spent per year in “dedicated staff time to combat fraud, laundering and other financial crimes”, with collective employment of 11,500 full-time staff in financial crime roles. The actual costs incurred were acknowledged by the FCA to likely be significantly higher when accounting for support costs such as information technology expenditure.
- Suspicious activity reporting and interaction with law enforcement: the Money Laundering Reporting Officers within the surveyed firms handled 923,000 internally escalated suspicious cases in the 12-month reporting period. Following investigations, 363,000 suspicious activity reports (almost 40%) were then filed externally by firms with the UK National Crime Agency (the NCA), together with over 2,100 terrorism-related suspicious activity reports.
In terms of the information flow in the other direction, law enforcement agencies submitted 123,000 investigative orders in the reporting period and imposed 16,000 restraint orders (only a quarter of which were new) on bank accounts to freeze funds suspected of containing criminal property.
Only a small percentage (approximately 1%) of SARs filed with the NCA resulted in the NCA taking enforcement action, in possible evidence of ‘over reporting’ within the sector. The OECD has criticised the UK for the low level of corruption enforcement activity resulting from the current SARs regime. Given the large volume of SARs filed on a daily basis, and many being of ‘low quality’, investigation authorities face a challenge in detecting where the real risks lie. The large volume also indicates a tendency in the financial services sector to over report suspicions.
Industry perceptions of risks: cybercrime at the forefront
As part of the survey, firms were asked about the type of fraud risk they considered to be of highest concern. The top two risks may come as little surprise: identity fraud/identity theft and phishing were of top concern across the industry following high-profile attacks and press coverage. While these and other frauds enabled by new technology (such as hacking and malwareenabled fraud) were widely perceived by firms to be rising both in volume and as a matter of concern, firms also remained focused on long-established forms of crime including account takeover, application fraud and card fraud.
The report has been followed by a further FCA report on Cyber and Technology Resilience: Themes from cross-sector survey 2017 – 2018. On 27 November 2018, Megan Butler, Executive Director of Supervision at the FCA, warned that the FCA saw “no immediate end in sight” to the rise in cyber attacks affecting UK financial services. She continued that “all the trends […] suggest an increasing threat to UK customers, and financial markets”. Firms reported an 18% increase in cyber incidents in the year ending October 2018, but Butler noted that underreporting is likely still an issue and that some businesses may not appreciate the level of risk posed by cyber attacks. The FCA has shown a particular interest in combatting cyber risks by emphasising (and enforcing) the need to implement appropriate systems and controls. In its recent Cyber and Technology Resilience report, the FCA confirmed that, pursuant to Principle 11 of the FCA Handbook, financial services firms are expected to report “major technology outages and cyber-attacks”. A firm should therefore consider whether any cyber crime incident is ‘material’, namely whether it affects a large number of customers and/or results in significant loss of data, availability or control of the firm’s IT systems, unauthorised access to information and communication systems or malicious software on those systems. In such cases, the firm should report the cyber crime to the relevant regulators within an appropriate timeframe.
In relation to country risk, Iran, Panama and Russia were the three countries most often classified as ‘high risk’ by surveyed firms based on the risk of financial crime, followed by Iraq and Laos. The FCA emphasised that the industry rankings of country risk based on the survey results do not reflect the FCA’s views and may be of limited application, given that some firms may not have performed a risk assessment of certain jurisdictions. Despite this caveat, when viewed alongside other publicly available indexes relating to jurisdictional risk, for example the Transparency International’s Corruption Perceptions Index, firms may find this useful guidance on the general views taken by their peers on country risk.
What is this likely to mean in terms of regulatory focus in 2019?
The FCA expects that this financial crime report data will allow it to more accurately identify firms with the highest exposure to money laundering risks. It can therefore target its resources to prevent the most harm to the UK’s financial markets. Rob Gruppetta, Head of the Financial Crime Department at the FCA, explained in a speech on 19 November 2018 that the FCA is moving to a “more data-driven, predictive place” where it has “started experimenting” with “supervised supervision” of firms. The annual return data can be combined with other data about firms to identify those firms with areas of particular strength or weakness, which could potentially be replicated or remediated throughout the industry.
This report reflects only the first year of data collected from the UK financial services industry and it is by its nature difficult to obtain accurate figures on financial crime. However, the trends and common concerns should assist UK (and perhaps European) firms in benchmarking their views and potentially improving their monitoring and prevention of financial crime. Although the FCA collected data only within the UK, the results may reflect wider trends at a European level.
For instance, the European Banking Authority’s recent risk assessment, published in December 2018, highlighted that almost 90% of EU banks reported cyber risks and data security as key operational risk drivers, a rise from 55% in 2017. Gruppetta also noted in his speech that the financial crime report provides an opportunity for regulators to benchmark their views against industry-wide perceptions. As the data pool grows each year, we hope to identify possible future industry drivers from the patterns that emerge.