
Why Firms Are Still Struggling with FWRAs – And How to Get It Right


It has been nearly ten years since the FCA released its Thematic Review (TR14/16) How Small Banks Manage Money Laundering and Sanctions Risk in November 2014, which highlighted critical deficiencies in financial crime systems and controls. The report emphasised the essential role that firm-wide risk assessments (FWRAs) play in preventing money laundering, terrorist financing (TF), and other financial crimes. Despite the report’s findings, subsequent FCA Dear CEO letters, and enforcement actions, firms continue to be fined for breaches of Principle 3—failing to establish and maintain adequate systems and controls to prevent financial crime.

In the last decade, FCA scrutiny, fines, and regulatory actions, such as those involving Santander and Guaranty Trust Bank, have consistently revealed the same underlying issues with FWRAs. This raises a crucial question: Why are firms still falling short despite regulatory attention and guidance?

The Persistent Issues with Firm-Wide Risk Assessments

Let’s revisit the key findings from TR14/16. The FCA highlighted that a comprehensive FWRA is fundamental for identifying and managing the money laundering, terrorist financing, sanctions, and proliferation risks that a firm faces. This risk-based approach should inform and tailor the firm’s financial crime systems and controls. However, over half of the small banks assessed had not conducted a thorough FWRA, relying instead on individual customer risk assessments. This left them blind to broader, systemic risks that affect the firm as a whole.

Fast forward to October 2024, and the same issues persist, as evidenced through recent Dear CEO letters, FCA thematic reviews, and fines that continue to expose these common failures:

  • Narrow Focus: Many firms still concentrate solely on AML risks, neglecting other financial crime threats such as sanctions, bribery, corruption, tax evasion, and proliferation financing. Despite explicit FCA guidance and the requirements of the Money Laundering Regulations and JMLSG Part 1 Guidance, firms fail to consider the full spectrum of financial crime risks.
  • Ineffective Methodologies: A significant number of firms fail to properly document their FWRA methodologies or rely on incomplete and insufficient approaches that do not adequately capture both inherent and residual risks. This lack of a clear, structured methodology leaves firms unable to accurately assess the full scope of their financial crime exposure. As a result, they struggle to implement effective controls, leading to gaps in risk management, reduced regulatory confidence, and an increased vulnerability to financial crime.
  • Failure to Inform the Control Framework: FCA and industry Financial Crime Audit trends continue to highlight that many firms do not integrate their FWRAs into their overall control frameworks. A well-executed risk assessment should form the basis for setting customer due diligence (CDD) systems and controls, transaction monitoring framework and governance structures. Yet, this integration is often missing.
  • Outdated Risk Assessments: Risk assessments should be regularly updated to account for changes in the firm’s business models, new product offerings, or emerging financial crime threats. However, many firms fail to refresh their risk assessments, leaving them vulnerable to new risks.
  • Lack of Effective Training: Another persistent issue is that until now, firms have lacked practical, outcome-focused training on how to design, develop, and implement an effective FWRA. While the regulatory requirements are clear, the industry has struggled with how to operationalise them—until GCAL’s new program.

Recent Enforcement and Audit Findings: A Troubling Pattern

Enforcement actions, such as those taken against Guaranty Trust Bank (UK) Limited and Al Rayan in 2023, illustrate the ongoing gaps in firms’ FWRAs and controls. These firms were fined not just for AML failures but also for insufficient training, which is often a symptom of a poorly executed FWRA. Without a proper assessment of financial crime risks, staff lack the knowledge and tools to mitigate risks, resulting in ineffective controls.

Similarly, the FCA’s fine against Santander in December 2022 highlighted systemic failings under Principle 3, particularly in relation to risk management systems and oversight by senior managers. Principle 3, which mandates that “firms take reasonable care to organise and control their affairs responsibly with adequate risk management”, is supported by the Senior Management Arrangements, Systems & Controls (SYSC) provisions in the FCA Handbook. Without a risk-informed framework, financial crime prevention policy, controls and procedures are likely to fail, as seen in these recent FCA fines.

Why FWRA Is the Cornerstone of Effective Financial Crime Prevention

For firms to effectively manage financial crime risks, they need a robust, outcome-driven FWRA that goes beyond regulatory box-ticking. A well-implemented FWRA should achieve the following:

  • Identify and Assess All Relevant Risks: Firms must assess risks beyond just AML. This includes money laundering, sanctions, terrorist financing, bribery, corruption, tax evasion, and proliferation financing. The FWRA should cover all risk factors, including customer types, geographies, products, services, and transaction volumes.
  • Use a Structured Methodology: Firms should develop a well-documented and transparent methodology that both identifies inherent risks and measures how well existing controls mitigate those risks. By assessing residual risks, firms can refine their controls and ensure their effectiveness.
  • Integrate Findings into the Control Framework: FWRAs should inform broader financial crime controls, from CDD Policy, Controls and Procedures (PCPs) and transaction monitoring to training programs and governance structures. Effective integration is critical to ensure controls are risk-based and targeted where they are most needed.
  • Leverage Appropriate Data Sources: An effective FWRA requires using a variety of data sources, including national risk assessments (like the UK’s 2020 National Risk Assessment), FATF evaluations, and FCA thematic reviews. Many firms rely on internal data, missing broader geographic or industry-wide risks.

GCAL’s Solution: Outcome-Driven Training for Effective FWRA

At GCAL, we’ve created a comprehensive solution designed to help firms tackle these persistent challenges with FWRAs. Our Financial Crime Risk Assessment Compliance Certificate offers training specifically designed for financial crime professionals at all levels to help them develop and complete an effective FWRA.

Here’s what sets our program apart:

  • Comprehensive Risk Awareness and Identification: Our course goes beyond AML to cover all relevant financial crime risks, including bribery, tax evasion, and proliferation financing. Firms will learn to assess risks holistically, taking into account various factors like customer types and transaction volumes.
  • Mastering a Structured FWRA Methodology: We guide firms through developing a robust methodology for assessing both inherent and residual risks. Learners gain practical tools and frameworks to test the effectiveness of their controls.
  • Interactive, Hands-On Learning: Our course isn’t just theoretical. Participants practice assessing risks using our interactive FWRA tool, allowing them to apply their learning in real-world scenarios. This outcome-driven approach ensures professionals are fully equipped to develop and implement FWRAs that deliver tangible results.
  • Leveraging Data-Driven Insights for Risk Management: Participants will be trained to utilise a variety of internal and external data sources—such as national risk assessments and FATF reviews—to inform their FWRAs. This ensures they can develop a full and accurate picture of their firm’s financial crime risks and effectively direct resources to high-risk areas.

Time for Change: Elevating Industry Standards on Financial Crime Risk Assessments

Firms cannot afford to continue making the same mistakes. The FCA has made it clear that FWRAs are not just a regulatory requirement but a critical tool in combatting financial crime. With the right training and tools, firms can finally get this right. With increasing regulatory scrutiny and nearly a decade of FCA warnings, it’s time for the industry to raise the bar on financial crime risk assessments.

To learn more about how we can help, visit GCAL’s FWRA Compliance Certificate and take the first step toward strengthening your firm’s financial crime risk management framework, or contact us at info@greatchatwellacademy.com.
