By Rachel Cook, Associate at Peters & Peters LLP
Enshrined within its Handbook, the Financial Conduct Authority (“FCA”)has a statutory obligation to protect and enhance the integrity of the UK financial system. To date, the FCA has not routinely gathered information on financial crime, but that has now changed through the introduction of Annual Financial Crime Reports (“REP-CRIM”).
Who is affected?
Most regulated firms (i.e. those subject to the Money Laundering Regulations 2007) will have to submit a REP-CRIM to the FCA sixty days after their Annual Reporting Date (“ARD”). For those firms whose ARD fell on 31 December 2016, today (27 March 2017)marks the deadline by which they have to file their first one.
Some regulated firms are not required to submit a REP-CRIM, including credit unions, peer-to-peer lending platform operators, authorised professional firms, firms with a Part 4A Permission that is limited to certain credit activities, and firms with a revenue of less than £5 million as at their last ARDs, if their Part 4A Permissions meet certain tests (Chapter 16.23 of the FCA Handbook contains the exempt firms).
The reporting process
A REP-CRIM will include information on the firm’s internal risk procedure and specific information on areas of risk within the firm. The underlying rationale for REP-CRIMself-reporting is to provide the regulator with greater data to facilitate its policing of financial crime: more data will allow the FCA better to ensure the effective deployment of its specialist resources in executing its policing role and supervisory strategy.
REP-CRIM supplements the FCA’s ad hoc information-requesting powers conferred by the Financial Services and Markets Act 2000, as well as Principle 11 of the FCA Handbook. Principle 11 requires regulated firms to provide factually accurate and complete information.Failure fully to comply may render a firm guilty of an offence under Section 398 of the 2000 Act.Therefore, it is important that the information provided within a REP-CRIM is both accurate and complete.
A firm need only submit information that relates to the parts of its business subject to the 2007 Regulations. If a group includes more than one firm, a single REP-CRIM can be submitted to satisfy the requirements of all of the firms within the group.
The new reporting requires some firms to confirm that they have complied with relevant immigration rules, including status checks on potentially disqualified persons, i.e. individuals without the requisite leave to enter or remain in the UK.The REP-CRIM also requires detailed numerical data and information on financial crime risks relevant to the submitting firm, including:
- The jurisdictions in which the firm operates at the end of the reporting period and the jurisdictions that the firm has identified as high-risk within the past two years(whether operating there or not at the end of the reporting period)
- The total number of relationships with Politically Exposed Persons (“PEPs”) and also the total number of customer relationships with individuals within those jurisdictions that have been identified as high-risk
- The total number of refused and/or terminated relationships
- Compliance Information
- The total number of Suspicious Activity Reports (“SARs”) reported both to the National Crime Agency and internally, as at the end of the reporting period
- The number of investigative and restraint court orders received as at the end of the reporting period
- Firms must advise whether they have automated systems to cross-reference relevant sanctions lists, advise as to the number of “true” customer sanctions matches, and report whether they conduct repeat screenings of existing customers
The provision of the above information is mandatory and must be provided by those firms required to do so. Beyond the required information, it is at the firms’ discretion whether further information is provided in the REP-CRIM. For example, it is not mandatory to provide information on fraudulent activities, but firms are encouraged by the FCA to identify the top three frauds which they believe are most prevalent and of which the FCA should be aware. Firms can also indicate if the frauds identified remain constant or have increased or decreased.
The REP-CRIM can be submitted online through the GABRIEL reporting system and the FCA has reassured firms that any financial crime disclosures will not result in triggering the ‘tipping off’ offence in the Proceeds of Crime Act 2002, as the defence in section 333D (disclosure to the relevant supervisory authority) will apply. In this first year of the new requirement to report, firms will be able to submit the data on a “best endeavours basis” as the FCA recognises that there will be initial teething problems.
Sceptics of the new REP-CRIM have suggested that the FCA is more interested in enforcement than data collection.They view this new self-reporting measure as counter-intuitive since firms are required subjectively to assess and report on their internal risk procedures, which they fear might result in them being investigated. For example, the FCA may question why a firm has raised fewer SARs than its peers and deploy resources into investigating. This presents a concern for firms as they may be expected to build a case against themselves. The alternative, not providing the information, is to risk being sanctioned for not filing complete and factual data – in itself a criminal offence.
Contrary to these concerns, the FCA notes that there has been a general acknowledgement and willingness from the industry as to the need to provide better quality information, particularly regarding actual and potential financial crime risk within FCA regulated firms. It remains to be seen whether the FCA uses the collected information as basis to investigate firms whose internal risk procedures are perceived to be insufficient. Certainly, the REP-CRIM will act as an incentive to firms to ensure their internal procedures are robust.
Specifically, firms may be concerned about whether they should provide the voluntary information on fraudulent activity, especially if, for example, it involves disclosing a fraud by an internal employee. Firms will also be concerned about whether their response is similar to or widely different from that of competitor firms. There will be a desire to ensure that their response is not conspicuously different form their competitors’ response.
In light of the onerous reporting requirements and the potential risk of sanction if internal risk procedures are insufficient, it is possible that relevant firms (particularly financial institutions such as banks) may refuse to enter new arrangements, or may even exit existing client relationships, with PEPs, high-risk individuals, those residing in identified high-risk jurisdictions, those on sanctions lists and those who have court orders against their names, so as to avoid FCA investigation. The impact on the market remains to be seen but if firms become more risk-adverse, it appears that the logical outcome is that they will be less inclined to offer services to such individuals.