The UK's Financial Conduct Authority is about to gauge anti-money-laundering controls at a smattering of asset management firms. In this article we ask an expert how best to deal with an impending visit.

The firms will be subject to half-day visits from regulators. As is always the case with such visits, the FCA sends out a letter approximately a week in advance. This week's letter states specifically that this is part of the FCA’s routine work with smaller regulated firms, so no firm is, as yet, in any trouble. The visit will consist of interviews with members of staff and the regulators might also ask the firms to "walk them through" their control systems.

Compliance Matters spoke to Ms Sani Jackson, a director at the regulatory agency of Optima Partners, about the things that the recipients of the letter have to expect. One item on the letter's agenda was governance and management information. The latter, otherwise known as MI, can be either anecdotal or quantified and pertains to information that someone collects about the way a firm works. It may be about customers, staff, calls, visits, meetings, sales, opinions, parts of a process, predictions etc. All information relevant to a firm, from whatever source, even from inside people's heads, can be described as MI. When asked whether the word 'governance' related to corporate governance, the rules for which are found in the Combined Code of which the FCA is the ultimate custodian, Sani Jackson said: "No, I expect them to focus on on SYSC, the systems and controls part of the rulebook. They will look at the responsibilities of the board, senior management and various committees. This time it will be all to do with financial crime. SYSC 6.3 [the part of the rulebook which, among other things, calls for the appointment of an 'AML director'] states that the highest board members, or members of the governing committee, must be apprised of money-laundering matters at least once a year. We are talking about the money laundering reporting officer's (MLRO's) annual report, which must be submitted to the board and signed off. There is no requirement to send this report off to the FCA."

The FCA is likewise bound to explore is each firm's policies and procedures, its 'due diligence,' its continual monitoring and the way it identifies highly risky or sanctioned individuals or entities. It will also look at risk assessments. When asked whether this meant such things as country risk for politically-exposed persons or PEPs, Sani Jackson said: "No, it's about risk across the board, all the firm's financial crime exposures. They will look at the money-laundering risks that your regulated and unregulated business is running, at the money-laundering risks posed by your clientèle, your channels, your vendors, your trading counterparties, anybody who makes payments to you and anybody to whom you make payments.

Another area for inspection will be "communication, training and awareness." Compliance Matters asked Ms Jackson what 'communication' meant and she replied: "how you communicate to people that certain entities have to be sanctioned, how to stop trading a Venezuelan bond, that sort of thing."

How many software vendors might the regulators want a small private bank to use when scanning the popular press for prospective customers' adverse reputational information? Ms Jackson explained: "The FCA is an outcomes-based regulator. I don't think they have any expectations as such. It all depends on how much you hold in assets under management, how many clients you have, how many people are working at the bank. It's debatable whether you need a Thomson Reuters World-Check system. If an external system is appropriate, that's fine."

It seemed telling that Ms Jackson had not heard of the FCA's famous blacklist of 95 jurisdictions whose existence Denis O'Connor brought to light in 2014 through his freedom-of-information request. When the FCA made this list public it provoked not a little outcry about its apparent inconsistencies (the Cayman Islands were on it, while the British Virgin Islands, Aruba, Curaçao and Gibraltar were not). 95 states make up almost half of the world's total, with 101 others existing at the time. As criticism from law firms and offshore centres mounted and it seemed as though ridicule was just around the corner, the regulator decided to withdraw the list from public view, no longer publishing it on its website. A year later Compliance Matters heard that it was still applying it quietly on visits, but the fact that a seasoned consultant of the present day has never heard of it suggests that it might have fallen into desuetude.

Another feature of the beginning of a thematic review is the FCA's demand for pre-visit information in every case. In this particular AML review it includes:

• extracts from current and relevant policies and procedures relating to money-laundering controls and financial sanctions;
• copies of the most recent AML/sanctions business-wide risk assessments to help the FCA gauge the extent to which the firm applies a risk-based approach and assesses the level of risk to which it is exposed;
• the two most recent annual reports by the MLRO;
• internal or external reports, including audit reports, produced in the last three years which cover AML or financial sanctions; and
• a list of current customer-PEPs and of other highly risky relationships with customers, the aim being to help the FCA select and review files. The list should include each customer's name, the date on which his account was opened, the type of account, the reasons for his 'highly risky' status, and his country of domicile, residence and (where appropriate) incorporation.

When asked for tips that might benefit firms as they submit this information, Ms Jackson said: "They are not trying to catch firms out. They want to look at the design of the controls, the policies and procedures, the way in which the rules are interpreted. Usually they interview a couple of board members, a couple of MLROs, and someone junior - perhaps someone who onboards clients. They might ask the junior person how long it has been since his last money-laundering training."

When pressed for more tips, she said: "You have a week after receiving your letter if it is a thematic review. I do not advise you to prep your staff for the visit; there is no substitute for having got it right in the first place. Make your onboarding policies watertight - this is the famous first line of defence that everybody talks about. For the second line, ask yourself if you do sample-based client reviews. Look at the area of source of funds and source of income. If he's high risk, are you really doing an assessment every year? If you uncover bad things in the week before the visit, tell the regulator about them and make sure that you have a remediation plan in place.

"I don't know how many firms they are visiting. Remember that they are coming in a week - they're not doing a deep dive. Their visit could be as short as half a day. They might be as few as two - I have heard of only two people coming before."

This begged another question: does the FCA ever 'embed' regulators at a firm to keep an eye on their day-to-day operations, in the way that the Australian regulator has promised to do at Australia's top four banks, or the way in which the US Office of Foreign Assets Control embedded its two famously myopic officials at HSBC during its epic money-laundering years? Ms Jackson said: "Not that I know of. Sometimes, with one of the systemically important firms that the FCA regulates, there is a dedicated FCA supervisor who comes in once a month (this is at the largest firms only) or the bank has to conduct periodic meetings with the regulators, during which they ask for information (this is at firms that are not large enough to have a dedicated person). I think the latter used to be called "close and continuous meetings."

Nobody knows how long the FCA will continue with these visits. With this in mind, firms might want to take this opportunity to review their records, policies, procedures and management information in relation to money laundering. The FCA conducted a similar thematic review on this subject towards the end of 2017 and there is no guarantee that firms it reviewed then will not receive a visit this time.

* Sani Jackson can be reached at sani.jackson@optima-partners.com or on 07496 367 937