FCA Challenger Banks Review: Financial Crime Risk Assessment and Controls in Challenger Banks


The Financial Conduct Authority (FCA) recently published the results of its review of 6 UK challenger banks, conducted during 2021. Common weaknesses identified by the regulator include:

  • Failing to meet the obligation under Principle 11 to notify the FCA of significant financial crime control failures.
  • Underdeveloped or yet-to-be-implemented customer risk assessment (CRA) frameworks.
  • Not obtaining customers’ income and occupation details at onboarding. 
  • No formal enhanced due diligence (EDD) procedures, or inconsistent application of EDD. Reliance on transaction monitoring (TM) systems to identify higher risk customers.
  • Ineffective management of TM alerts, with under-resourcing of relevant teams, as well as inconsistent and inadequate rationale for discounting alerts and investigation notes lacking basic information and holistic assessments.
  • Inadequate oversight and slow pace of implementation for financial crime change programmes, meaning challenger banks’ control frameworks were not able to keep up with changes to the business models.
  • Poor quality of SARs reported to the NCA, in particular a lack of specificity and rationale for submissions.

The FCA’s review also produced positive findings, most notably the effective use of data and information in identification, verification and monitoring of customers. The regulator praised challenger banks’ innovative use of video selfies, mobile phone geolocation data, and photo images of the customer’s passport to mitigate risks.

Why it matters to our clients

The review is instructive for a wide range of firms, not least as a timely reminder to abide by Principle 11 and make the regulator aware of anything relating to the firm of which it would reasonably expect notice. The finer details will be of interest to all retail banks, with the FCA noting the similarity between incumbent and challenger retail banks, and making explicit reference to the Dear CEO letter it sent to such institutions in May 2021. The broader fintech sector should also take notice, as it may be set for increased regulatory scrutiny in the coming months and years. The FCA’s Business Plan for 2022/23 tells us that crypto is a key focus, but UK e-payment companies may also attract attention after almost 40% were flagged as a money laundering risk in a December 2021 Transparency International report.

In recent years, deficient CRA frameworks have been a common theme in FCA publications and enforcement actions across Europe and the US. In part, this reflects the CRA’s importance as the cornerstone of an FCC programme. The May 2021 Dear CEO letter called on firms to implement nuanced CRA methodologies which factor in the different types of risk exposure associated with individual customers, rather than relying on generic scoring models. Moreover, the current geo-political climate dictates that sanctions risk should not be overlooked when assessing customer risk.

While the CRA is fundamental to a risk-based approach (RBA), a firm’s RBA as it relates to high-risk customers – like PEPs – needs to be codified in formal EDD procedures. These procedures should set out the additional steps which must always be taken to mitigate the heightened financial crime risks presented by such customers. Adherence to them should then be monitored through periodic testing.

Further, firms should be collecting customers’ income and occupation details as part of CDD. Although arguably not a regulatory requirement, the FCA has made clear its expectations and JMLSG guidance recommends that this information is obtained at onboarding. These data points are prerequisites for a holistic assessment of customer risk as well as key determinants of expected customer activity, which is, in turn, vital to the effective operation of a TM system.

Staff responsible for investigating TM alerts and filing SARs should be appropriately trained and have access to procedures with clear instructions on what to include in discounting and investigation notes and submissions to the FIU. SARs are opportunities for the private sector to make a real and immediate difference in the fight against financial crime, but FIUs need to know the reasons for suspicion as well as relevant facts in order to do their job effectively.

Another takeaway from the review is that firms should increasingly be leveraging technology to ensure their financial crime systems and controls are commensurate with their risk profile. This extends beyond identification technology and geo-location: the FCA itself is seeking to become a ‘data-led regulator’ and confirmed in its latest Business Plan that it is exploring uses of AI and machine learning. There are opportunities for firms to benefit from a similar openness to new technology, but effective governance and proper management are required for enhancements to financial crime programmes. Clear project plans are essential, and should set out timelines, key milestones, and accountable senior managers.

How Exiger Can Help

Exiger has extensive experience of working with entities across regulated industries to provide solutions to the most complex due diligence challenges. We are equipped to assist financial institutions, corporates and fintechs in remaining compliant with UK regulations as they evolve.
