By Samantha Sheen, AML Director Europe, ACAMS
26 August, 2016

UK’s New Financial Crime Reporting Requirement – Rejected and Exited Relationships

“Torture Numbers and they’ll confess anything” – Gregg Easterbrook

Introduction

On 29 July 2016, the FCA released the final rules and time scale for the implementation of its new financial crime return (“REP-CRIM”). The first REP-CRIMS will need to be completed in 2017 on a “best endeavours basis”. Because of this, the FCA will not publish an aggregate view of the data reported in the REP-CRIMs for the first reporting cycle.

In this blog, my comments will focus on the data requested concerning refused and exited business relationships. 

Refused New Relationships & Exited Existing Relationships (collectively, “Rejected Business”)

In the last several years, international reviewer interest has grown about how financial institutions deal with Rejected Business from an AML perspective. For example, in the 2013 report on the effectiveness of customer due diligence (“CDD”) measures in the Cypriot banking sector, the evaluators observed that, “It would also be valuable, for the banks’ own risk management purposes, to record rejected business more systematically, with particular emphasis on reasons for rejection” (para 19). The fact that the REP-CRIM includes data concerning Rejected Business therefore comes as no surprise.

REP-CRIM and Rejected Business

The main points in the REP-CRIM that deal with Rejected Business can be summarised as follows:

Question 18: Please provide the number of customer relationships refused or exited for financial crime reasons during the reporting period. (Refused and exited relationships are split into distinct fields.)

Guidance: ‘Refused’ relationships refers to the number of customers the firm did not take on where financial crime was the principal driver behind the decision. It would not include those cases where an application did not proceed because, for example, the customer lacked appropriate documentary evidence of identity or who failed Immigration Act 2014 checks. It does include cases where a customer has refused to provide source of wealth or funds information.

Guidance: ‘Refused’ relationships includes applications escalated to and rejected by management due to financial crime concerns. 

Guidance: ‘Relationships exited’ refers to customers where financial crime was the principal driver in deciding to cease business with them. This would cover criminal behaviour where it has a financial element, e.g. benefits fraud.

Note: The data requested is not intended to include cases where the decision is based on ‘reputational risk’.

Initial Considerations for Financial Institutions

  1. Where to Input the Data

    Financial institutions who have not previously collected data about Rejected Business should start thinking about how they will go about doing this, whether this can be done using existing systems and how those systems might differ across its different lines of business.

  2. Capture of the Data in the Business Risk Assessment?

    Financial institutions who have already undertaken an AML business risk assessment may need to consider whether Rejected Business data was considered as part of the assessment. If not, the assessment methodology may need to be updated and the assessment outcomes refreshed once the data is available.

  3. How to Record the Reasons for Rejecting Business

    In my time as a regulator, our on-site inspection process included a review of Rejected Business. I was amused at the wording adopted by some businesses to avoid drawing attention to the AML reasons a relationship was rejected: ‘Business cost exceeded reward’ (Translation: ‘This relationship has too many AML high risk characteristics and exceeds our risk appetite’). Or, ‘Customer’s objectives are no longer compatible with those of the business’ (Meaning: ‘Allegations of possible criminal conduct by the customer can’t be discounted so we exited this relationship just to be on the safe side’).

    Rather than invite the regulator to second-guess its reasons for refusing or exiting relationships, financial institutions should consider establishing simple categories for Rejected Business and prepare written guidance on how to explain AML concerns based upon which the business relationship was refused or exited.

  4. Opportunities to Leverage Rejected Business Data – Evidence of Effectiveness

    Rejected Business data provide a financial institution with a clearer picture of whether its CDD onboarding procedures work as intended. It may also provide some assurance about the effectiveness of training given to frontline staff about the CDD requirements and when new business should be refused or escalated to senior managers for further consideration. This data may also allow institutions to verify whether monitoring controls and KYC review outcomes are being appropriately handled where exiting an existing relationship is warranted.

  5. Opportunities to Leverage Rejected Business Data – Affirming AML Risk Appetite

    Rejected Business data can also provide an indication about whether the AML risk appetite of the business is reflected in the risk profile of those who make up the Rejected Business.

    In its 2014 assessment of Guernsey’s compliance with the 40+9 FATF Recommendations, the Moneyval assessment team observed: “The authorities should encourage financial institutions to define more clearly in their overall risk appetite statements where they would find it appropriate, based on an assessment of risk, to reject or terminate a business relationship”. (para 669)

    If Rejected Business is made up of customers whose risk profiles appear unrelated to the institution’s AML risk appetite, there may be a need to revisit the business risk assessment or assess whether that appetite has not been clearly incorporated into the institution’s AML policies and procedures.

    Where existing relationships have been terminated, Rejected Business data may help the institution to verify whether its AML risk appetite is reflected in the business that it keeps and those relationships which it has ended.

  6. Look Downstream – Suspicious Activity Reports (“SARs”) and Disclosures

    One would expect that the FCA will be interested in comparing the number of Rejected Business cases to the number of SARs filed about them. The compliance function should consider analysing Rejected Business data relative to the number of SARs received and, in turn, the number of SARs disclosed to the authorities. Additional review may be needed where there is a marked difference between the Rejected Business figures and onwards SAR reporting.

Conclusion

Institutions should ultimately see this as an opportunity to undertake a meaningful assessment on a quantitative basis of how it manages Rejected Business, and how those activities reflect its overall AML risk appetite.

Links to more information