An FCA-regulated firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm, including its managers, employees and appointed representatives (or, where applicable, tied agents), with the firm's obligations for countering the risk that the firm might be used to further financial crime.
A firm must ensure policies and procedures include systems and controls that: (1) enable it to identify, assess, monitor and manage money laundering risk; and (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
Example risks include:
Compliance activity does not inform senior management on the effectiveness, or otherwise, of financial crime systems and controls
Inadequate scoping or implementation of review activity when testing financial crime systems and controls
Blinkered compliance focusing on minimum regulatory standards, or assurance personnel lacking financial crime experience
Arrangements which demonstrate senior management engagement in managing financial crime risk:
Acknowledging internal skills and capability (e.g. knowledge or resource) and, as necessary, engaging external expertise to support internal arrangements
Management-approved review plans which articulate the respective role and remit of Internal Audit and Compliance when testing the firm’s AML arrangements