REP-CRIM data results: the good, the bad and the ugly
Executive summary
Since 2017, the FCA has been requesting firms to provide an annual Financial Crime Data return, known as the REP-CRIM. This report is to be completed by banks, mortgage lenders, building societies and other firm types that fall into the scope identified within the FCA’s Handbook (SUP 16.23). In 2020, the FCA consulted on increasing this scope from 2,500 to 7,000 firms; these include FSMA authorised firms falling within the scope of the MLRs which either hold client money or assets or carry out activity that poses a higher money laundering risk. All payment institutions are now captured within the scope of the FIN-CRIM return with the exception of firms that only hold the permission to carry out money remittance or account information or payment initiation activity, Electronic Money Institutions, Multilateral Trading Facilities (MTFs), Organised Trading Facilities (OTFs) and cryptoasset exchange providers and custodian wallet providers.
Over the past three years, the FCA has been collating this data to complement its risk-based financial crime supervision business plan for 2021/2022. The statistics show the changes, varied approaches and attitudes firms are taking to demonstrate their commitment to meeting their regulatory obligations as set out in the Money Laundering Regulations 2017 (MLRs).
From the REP-CRIM reports, it is apparent that firms are demonstrating adherence to the MLRs and, overall, understand their individual financial crime risk appetites. The FCA highlighted areas such as true match PEP data, SAR reporting (internal and external), sanction screening, the number of compliance staff members within a firm’s operations department and firms’ approaches to high-risk scenarios.
What is the data telling us?
Politically Exposed Persons (PEPs)
After analysing the REP-CRIM reports, the FCA found that the number of ‘true match PEPs’ firms had on their platforms had fallen dramatically. In the 2017/2018 reports, a total of 111,000 PEPs were being serviced across the captured industries. However, in 2019/2020, 89,437 PEPs were reported to be active on firms’ platforms. The FCA highlighted that the stark difference is a result of the amendments made to the FCA guidance: as per the REP-CRIM return guidance, UK PEPs are not required to be reported as PEP customers.
Overall, this is a good demonstration that firms understand Regulation 35 (12)(a) of the MLRs and the FCA’s guidance on PEPs and are reporting this data accordingly.
Suspicious Activity Reporting (SARs)
External SAR reporting to the NCA has increased by circa 22% over the years reported on. The data shows a steady increase in both internal and external SAR reporting across all the captured financial sectors. Roughly 50% of the internal SARs were externally reported to the NCA. This is a consistent trend over the past three years, which is a testament to adequate training provided to first and second lines of defence within firms. Nevertheless, when the data for each sector is reviewed, there are noticeable differences: for example, within the retail lending sector 204,374 internal SAR reports were filed and only 28% of those were externally reported. Could this be an area of concern, or is there a legitimate reason for a lower number of external SAR reports submitted in comparison to the number of internal reports made?
Further to the above, there has been a decrease in SAR reporting in relation to the Terrorism Act 2000. This could be due to a genuine decrease in firms being used for terrorist financing; however, there is an argument that questions whether compliance staff members know how to recognise the funding of terrorism. Terrorist financing networks are very sophisticated and terrorist funding can easily go undetected before it becomes detrimental.
Firms are very aware of the “placement, layering and integration” phases of money laundering, and should be provided with adequate training to understand the part of that process that would potentially involve their business. However, are they able to recognise the terrorist financing phases of “raise, store, move and use”? Can you be confident that your business is not being used to finance terrorism?
Fraud
As part of the REP-CRIM report, the FCA has included gathering data on the most predominant frauds relevant to the firms that completed this section of the report. This section of the report is voluntary and roughly 50% of firms complete it.
The below lists the top three fraud concerns for the past three years of REP-CRIM reporting:
1. Phishing
2. Identity Fraud and Identity Theft
3. Computer hacking or other
The above does not cover all industry types; however, it is a good starting point to understand the various types of fraud that firms are experiencing.
Over the years, we can see that the methods of successful fraud attempts have not changed. Despite the efforts from banking institutions investing heavily in TV ads and online marketing, unfortunately, fraudsters (like most criminal organisations) are always a couple of steps ahead and the tried and tested methods still work. When firms were asked who they believed was the primary victim, firms reported that 51.5% of the fraud they have identified has been committed, or attempted to be committed, on the regulated entity itself.
When the data was further broken down to show who the primary victims were i.e. the customer or the regulated entity, it showed an interesting mixture of who the intended fraud was aimed at. This raises the question – how well do firms protect their platform?
With more and more companies moving their infrastructure to an online offering, this highlights the importance of firms implementing suitable controls to both prevent and detect fraudulent activity. If questioned in an audit of your firm’s financial crime infrastructure, “what fraud controls does the firm have in place”, how confident would you be and what evidence would you have to support your answer?
Conclusion
The FCA report collates firms’ data, summarises the insight gained over the years and provides a good view of what firms are actually doing on the ground. Although the REP-CRIM report does not capture all industry types/entities that are regulated by the FCA, it is a good starting point for understanding what types of financial crime-based challenges the larger banking institutions are facing. It is a prime opportunity to consider if or how these challenges can have an impact on your firm’s risk appetite and future business ideas.
Attempts to use the financial services industry to the benefit of criminals are here to stay. It is your responsibility as a regulated entity to ensure you are abiding by your regulatory obligations and demonstrating that you are implementing adequate controls and taking a risk-based approach to prevent your platform from being used as a vehicle to support illicit activity. This can include ensuring your firm has a clear outlined AML/CTF business risk assessment, adequate and proportionate controls, and effective training programmes in place.
How can we help you?
If you’d like to know more about our wide range of financial crime services, please feel free to contact one of our knowledgeable financial crime specialists. Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.